Vault
HashiCorp Vault is a tool that provides secrets management, identity-based access, encrypting application data and auditing of secrets for applications, systems, and users.
Contents
Vault on Kubernetes using S3 Storage and KMS Auto-Unseal
This section will show how to set up and install HashiCorp Vault on Kubernetes using AWS S3 as the storage backend and AWS KMS to auto-unseal Vault.
Install Vault on Kubernetes
- NOTE: The following will only work using Helm v3.
We will use the official vault-helm Helm Chart by HashiCorp.
- Create a Kubernetes Secret to store your AWS access/secret keys:
$ kubectl create secret generic eks-creds \
--from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID?}" \
--from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY?}"
Make sure your vault-helm Helm Chart's values.yaml file has the following sections in it (add/update them if necessary):
server:
...
extraSecretEnvironmentVars:
- envName: AWS_ACCESS_KEY_ID
secretName: eks-creds
secretKey: AWS_ACCESS_KEY_ID
- envName: AWS_SECRET_ACCESS_KEY
secretName: eks-creds
secretKey: AWS_SECRET_ACCESS_KEY
...
ha:
enabled: true
replicas: 3
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
seal "awskms" {
region = "us-west-2"
access_key = "UPDATE_ME"
secret_key = "UPDATE_ME"
kms_key_id = "UPDATE_ME"
}
storage "s3" {
region = "us-west-2"
access_key = "UPDATE_ME"
secret_key = "UPDATE_ME"
bucket = "UPDATE_ME"
}
...
- See: awskms and S3 Storage Backend for details.
- Install Vault on your Kubernetes cluster:
$ helm3 install vault --set "server.ha.enabled=true" -f values.yaml .
- Check on status of install:
$ helm3 ls NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION vault default 1 2020-04-08 13:44:52.471357974 -0700 PDT deployed vault-0.4.0 $ kubectl get pods -l app.kubernetes.io/name=vault NAME READY STATUS RESTARTS AGE vault-0 0/1 Running 0 1m23 vault-1 0/1 Running 0 1m23 vault-2 0/1 Running 0 1m23
The above Pods should all report as "READY 0/1". You must first initialize Vault and unseal each member.
Setup Vault
- Initialize Vault:
$ kubectl exec -ti vault-0 -- vault operator init Recovery Key 1: r/rhD/ur9mx8rQHAYO3RSF/Y2/ceu340CVyvurwf2XFD Recovery Key 2: A85k/b6N0LC5E2sXjBrq6FzrPmKa0//WWGEW3dQ56vry Recovery Key 3: DS61ElZPPJFh947Jn6WQbj6Ny0SQEHI5TCg0CMU/+q3h Recovery Key 4: gG3FYFWdum6D7z8hfG0H/S0Fq7NHmf369eV3ffQauQQM Recovery Key 5: e8utfn95qEftFOEa2+k3aLAFPmKxqWk+25fFz1eBx9qK Initial Root Token: s.AZ89jp5FafLGx2BPxc7OTT6G Success! Vault is initialized
- Unseal the Vault server with the key shares until the key threshold is met:
$ kubectl exec -ti vault-0 -- vault operator unseal # ... Unseal Key 1 $ kubectl exec -ti vault-0 -- vault operator unseal # ... Unseal Key 2 $ kubectl exec -ti vault-0 -- vault operator unseal # ... Unseal Key 3
- When all Vault server Pods are unsealed, they will report as
READY 1/1:
$ kubectl get pods -l app.kubernetes.io/name=vault NAME READY STATUS RESTARTS AGE vault-0 1/1 Running 0 1m54 vault-1 1/1 Running 0 1m54 vault-2 1/1 Running 0 1m54
Create a Secret
- Start an interactive shell session in the
vault-0Pod:
$ kubectl exec -it vault-0 /bin/sh / $
and run the rest of the commands in this section from within that Pod.
- Enable
kv-v2secrets at the path internal:
/ $ vault secrets enable -path=internal kv-v2 Success! Enabled the kv-v2 secrets engine at: internal/
- Add a username and password secret at the path
internal/exampleapp/config:
/ $ vault kv put internal/database/config username="db-readonly-username" password="db-secret-password" Key Value --- ----- created_time 2020-04-13T23:27:50.503798447Z deletion_time n/a destroyed false version 1
- Verify that the secret is defined at the path
internal/database/config:
/ $ vault kv get internal/database/config ====== Metadata ====== Key Value --- ----- created_time 2020-04-13T23:27:50.503798447Z deletion_time n/a destroyed false version 1 ====== Data ====== Key Value --- ----- password db-secret-password username db-readonly-username
Make Kubernetes and Vault aware of each other
Vault provides a Kubernetes authentication method that enables clients to authenticate with a Kubernetes Service Account Token.
- Enable the Kubernetes authentication method:
/ $ vault auth enable kubernetes Success! Enabled kubernetes auth method at: kubernetes/
Vault accepts this service token from any client within the Kubernetes cluster. During authentication, Vault verifies that the service account token is valid by querying a configured Kubernetes endpoint.
- Configure the Kubernetes authentication method to use the service account token, the location of the Kubernetes host, and its certificate:
/ $ vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Success! Data written to: auth/kubernetes/config
The token_reviewer_jwt and kubernetes_ca_cert reference files written to the container by Kubernetes. The environment variable KUBERNETES_PORT_443_TCP_ADDR references the internal network address of the Kubernetes host. For a client to read the secret data defined in the previous step, at internal/database/config, requires that the read capability be granted for the path internal/data/database/config.
- Write out the policy named
internal-appthat enables the read capability for secrets at pathinternal/data/database/config:
/ $ vault policy write internal-app - <<EOH
path "internal/data/database/config" {
capabilities = ["read"]
}
EOH
Success! Uploaded policy: internal-app
- Create a Kubernetes authentication role named
internal-app:
/ $ vault write auth/kubernetes/role/internal-app \
bound_service_account_names=internal-app \
bound_service_account_namespaces=default \
policies=internal-app \
ttl=24h
Success! Data written to: auth/kubernetes/role/internal-app
The role connects the Kubernetes Service Account, internal-app, and Namespace, default, with the Vault policy, internal-app. The tokens returned after authentication are valid for 24 hours.
- Lastly, exit the
vault-0Pod:
/ $ exit $
Create Kubernetes Service Accounts for Vault
The Vault Kubernetes authentication role defined a Kubernetes Service Account named internal-app. This Service Account does not yet exist.
- Create a Vault authentication Service Account:
$ cat <<EOF | kubectl create -f - --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: role-tokenreview-binding namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: vault-auth namespace: default EOF
- Describe the above Vault authentication Service Account:
$ kubectl describe serviceaccount vault-auth Name: vault-auth Namespace: default Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: vault-auth-token-l8zcw Tokens: vault-auth-token-l8zcw Events: <none>
- Create a Service Account for our test
internal-app:
$ cat <<EOF | kubectl create -f - apiVersion: v1 kind: ServiceAccount metadata: name: internal-app EOF
NOTE: The name of the service account here aligns with the name assigned to the bound_service_account_names field when creating the internal-app role when configuring the Kubernetes authentication.
Secret Injection from sidecar to application
- Create a Deployment using a sample
orgchartapp:
$ cat <<EOF | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: orgchart
labels:
app: vault-agent-injector-demo
spec:
selector:
matchLabels:
app: vault-agent-injector-demo
replicas: 1
template:
metadata:
annotations:
labels:
app: vault-agent-injector-demo
spec:
serviceAccountName: internal-app
containers:
- name: orgchart
image: jweissig/app:0.0.1
EOF
- The
spec.template.spec.serviceAccountNamedefines the service accountinternal-appto run this container under.
- Get all the Pods within the
defaultNamespace:
$ kubectl get pods NAME READY STATUS RESTARTS AGE orgchart-6757598f54-vfkff 1/1 Running 0 31m vault-0 1/1 Running 0 5d3h vault-1 1/1 Running 0 5d3h vault-2 1/1 Running 0 5d3h vault-agent-injector-5b4445f78c-76vvk 1/1 Running 0 5d3h
The Vault-Agent injector looks for Deployments that define specific annotations. None of these annotations exists within the current Deployment. This means that no Secrets are present on the orgchart container within the orgchart-6757598f54-vfkff Pod.
- Verify that no secrets are written to the
orgchartcontainer in theorgchart-6757598f54-vfkffPod:
$ kubectl exec orgchart-6757598f54-vfkff --container orgchart -- ls /vault/secrets ls: /vault/secrets: No such file or directory command terminated with exit code 1
The Deployment is running the Pod with the internal-app Kubernetes Service Account in the default Namespace. The Vault Agent injector only modifies a deployment if it contains a very specific set of annotations. An existing deployment may have its definition patched to include the necessary annotations.
- Create a Deployment patch file:
$ cat << EOF > inject_secrets.yaml
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "internal-app"
vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config"
EOF
These annotations define a partial structure of the deployment schema and are prefixed with vault.hashicorp.com.
-
agent-injectenables the Vault Agent injector service -
roleis the Vault Kubernetes authentication role -
roleis also the Vault role created that maps back to the Kubernetes Service Account -
agent-inject-secret-FILEPATHprefixes the path of the file,database-config.txt, written to/vault/secrets. The value is the path to the secret defined in Vault.
- Patch the orgchart deployment defined in the
inject_secrets.yamlmanifest created above:
$ kubectl patch deployment orgchart --patch "$(cat inject-secrets.yml)" deployment.apps/orgchart patched
This new Pod now launches two containers. The application container, named orgchart, and the Vault Agent container, named vault-agent.
$ kubectl get pods NAME READY STATUS RESTARTS AGE orgchart-6757598f54-vfkff 2/2 Running 0 31m ...
- View the logs of the
vault-agentcontainer in theorgchart-Pod:
$ kubectl logs orgchart-6757598f54-vfkff --container vault-agent
==> Vault server started! Log data will stream in below:
==> Vault agent configuration:
Cgo: disabled
Log Level: info
Version: Vault v1.3.2
2020-04-14T00:11:00.195Z [INFO] sink.file: creating file sink
2020-04-14T00:11:00.195Z [INFO] sink.file: file sink configured: path=/home/vault/.token mode=-rw-r-----
2020-04-14T00:11:00.196Z [INFO] template.server: starting template server
2020/04/14 00:11:00.196068 [INFO] (runner) creating new runner (dry: false, once: false)
2020/04/14 00:11:00.196374 [INFO] (runner) creating watcher
2020-04-14T00:11:00.196Z [INFO] auth.handler: starting auth handler
2020-04-14T00:11:00.196Z [INFO] auth.handler: authenticating
2020-04-14T00:11:00.197Z [INFO] sink.server: starting sink server
2020-04-14T00:11:00.313Z [INFO] auth.handler: authentication successful, sending token to sinks
2020-04-14T00:11:00.313Z [INFO] auth.handler: starting renewal process
2020-04-14T00:11:00.313Z [INFO] sink.file: token written: path=/home/vault/.token
2020-04-14T00:11:00.313Z [INFO] template.server: template server received new token
2020/04/14 00:11:00.313503 [INFO] (runner) stopping
2020/04/14 00:11:00.313548 [INFO] (runner) creating new runner (dry: false, once: false)
2020/04/14 00:11:00.313648 [INFO] (runner) creating watcher
2020/04/14 00:11:00.313701 [INFO] (runner) starting
2020-04-14T00:11:00.406Z [INFO] auth.handler: renewed auth token
- View the secret written to the
orgchartcontainer:
$ kubectl exec orgchart-6757598f54-vfkff --container orgchart -- cat /vault/secrets/database-config.txt data: map[password:db-secret-password username:db-readonly-username] metadata: map[created_time:2020-04-13T23:27:50.503798447Z deletion_time: destroyed:false version:1]
The secret is successfully present in the container.
