Wednesday, 14 October 2015

Vaultconf - managing vault logins for your kubernetes applications

In my last post I gave an overview of how you can use vault and kubernetes together. In this post I want to show how to use vaultconf to configure credentials for your kubernetes applications so they can read secrets from vault.

 

Before you start you will need:

  • Vault v0.3
  • A kubernetes cluster, with local configuration allowing you to talk to the API
  • Docker

 

Configuration documents

vaultconf is designed to allow you to reconcile users and policies between configuration files and vault. Lets look at how to set these up:

 

Policy configuration

Policies set out rules for what can be accessed in vault. Policies should all be contained in a policies folder, whose structure should look like this (replacing the names with whatever you like):
  • policies
    • mynamespace1
      • policy1.yaml
      • policy2.yaml
    • mynamespace2
      • policy3.yaml
Please see the vaultconf test/resources folder for examples of vault policies in yaml.

 

User configuration

Users should be contained in a users.yaml file. It defines which users you want in which namespaces, and what policies those users should have. Again you will find an example in the github repo.

 

Vault server

If you haven't got a vault server setup you can start one easily by running:
$ vault server -dev

 

Vault setup

Before you are able to use vaultconf you will first need some things setup in vault:
  • Set your VAULT_ADDR and authenticate yourself. If using the dev vault server simply do:
    • $ export VAULT_ADDR=http://127.0.0.1:8200
  • Enable the userpass auth backend:
    • $ vault auth-enable userpass
  • Create a user for yourself with root access:
    • $ vault write auth/userpass/users/myusername password=mypassword policies=root

 

Kubernetes setup

Before using vaultconf ensure your kubernetes context is set to use the cluster you want the username and password secrets adding to. You will also need to ensure any namespaces are already created within this cluster.

 

Creating policies

The following command will add your policies to vault. Note the --net=host is only needed if you're connecting to a vault server running on your local machine.

$ docker run --net=host -v test/resources/policies:/policies quay.io/timgent/vaultconf:v0.1 policies -c /policies -u myusername -p mypassword -a http://localhost:8200

You should now be able to see your policies in vault:
$ vault policies
dev_myproject_reader
dev_myproject_writer
uat_anotherproject_apolicy
uat_myproject_reader
uat_myproject_writer
root

 

Creating users

IMPORTANT NOTE!
vaultconf will add kubernetes secrets for the vault usernames and passwords on whichever kubernetes cluster your .kube/config file is currently set to use.
 
$ docker run --net=host -v ~/.kube:/root/.kube -v ~/WORK/vaultconf/test/resources/users:/users quay.io/timgent/vaultconf:v0.1 users -c /users/users.yaml -u myusername -p mypassword -a http://localhost:8200

You should now be able to see the secrets in kubernetes:

kubectl --namespace=dev-myproject get secrets
NAME            TYPE      DATA
mrread-vault    Opaque    1
mrwrite-vault   Opaque    1

Using the things you've created

Your applications can now mount in these secrets to gain their credentials for accessing vault. The file will look something like:
{"username":"myNamespace_testUser","password":"testPassword","method":"userpass"}

I hope to follow up with an example of how the vault-sidekick container can then use these credentials to talk to vault and make secrets available to your applications.

2 comments:

  1. I'd really benefit a great deal from that second write-up about using vault-sidekick. Any chances of seeing that post soon?

    ReplyDelete
    Replies
    1. Not immediately as we've had to take a different approach on my current project so I've not used it. However the docs should be in pretty good shape:
      Vault Sidekick

      Please do raise issues on the repo if anything isn't clear or you're having trouble.

      You might also be interested in a less sophisticated approach that can sometimes be suitable, using Amazon S3 and KMS.
      s3secrets

      Delete