# Install Vault from the official chart into its own namespace.
# server.dev.enabled=true starts Vault in dev mode (in-memory storage, already
# unsealed, well-known root token) -- fine for this walkthrough, never for
# anything that holds real secrets.
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install vault hashicorp/vault \
  --namespace vault \
  --create-namespace \
  --set server.dev.enabled=true
- Enable kubernetes auth backend
# Mount the Kubernetes auth method; -path defaults to the method type, so this
# is the same mount as a bare "vault auth enable kubernetes".
vault auth enable -path=kubernetes kubernetes
- Configure kubernetes endpoint
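# Point the auth method at the in-cluster API server. The original line had its
# continuation collapsed and ended with a typographic quote (”), which breaks
# the command; restored here with a plain double quote.
# KUBERNETES_PORT_443_TCP_ADDR is only populated inside a pod, so run this from
# the Vault pod. No token_reviewer_jwt / kubernetes_ca_cert are given, so
# presumably Vault falls back to its own service-account token and CA -- confirm.
vault write auth/kubernetes/config \
  kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"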
# Install the Vault Secrets Operator (VSO), which syncs Vault secrets into
# Kubernetes Secrets via the VaultAuth / VaultStaticSecret / VaultDynamicSecret
# resources applied at the end. vso-values.yaml is not shown on this page.
helm install vault-secrets-operator hashicorp/vault-secrets-operator \
  --namespace vault-secrets-operator-system \
  --create-namespace \
  --values vso-values.yaml
First, exec into the vault pod.
- Enable kvv2 secrets engine
# Mount a KV version-2 engine at kv-v2/ (the default path is the engine name).
vault secrets enable -path=kv-v2 kv-v2
- Add secret for the fakeapp
# Store the demo static secret. Key order does not matter to the KV engine.
# Values passed on the command line end up in shell history and process
# listings; fine for foo/bar, but real secrets should come from a file or stdin.
vault kv put kv-v2/fakeapp/mysecret password=bar username=foo
- Add policy to read the secret
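# Read-only policy for the static secret. The original line had the heredoc
# collapsed onto one line, which cannot run; restored here.
# KV v2 exposes secret data under <mount>/data/<path>, hence "data/" in the
# policy path even though "vault kv put" omits it.
vault policy write mysecret - <<EOF
path "kv-v2/data/fakeapp/mysecret" {
  capabilities = ["read"]
}
EOF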
- Create a role to enable access to the secret
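# Map the app's Kubernetes service account to the policies above. Continuations
# were collapsed in the original; restored here.
# This role is rewritten later with policies=default,mysecret,fakeapp-role once
# the database policy exists; writing the same role path again overwrites it.
# NOTE(review): binding the "default" service account lets any pod in the
# fakeapp namespace that does not set serviceAccountName log in; a dedicated
# service account would narrow that.
vault write auth/kubernetes/role/fakeapp \
  bound_service_account_names=default \
  bound_service_account_namespaces=fakeapp \
  policies=default,mysecret \
  audience=vault \
  ttl=24h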
- Add bitnami helm repo
# Register the Bitnami chart repository (source of the postgresql chart below).
helm repo add bitnami 'https://charts.bitnami.com/bitnami'
- Deploy postgres
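# Deploy PostgreSQL with a "fakeapp" database. Continuations were collapsed in
# the original; restored here. The postgres superuser password is generated by
# the chart and read back from the postgres-postgresql Secret in the next step.
helm install postgres bitnami/postgresql \
  --set auth.database=fakeapp \
  --create-namespace \
  -n postgres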
- Retrieve password for postgres user
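# Print the generated postgres superuser password (needed for the psql login
# below). Continuation was collapsed in the original; restored here, and the
# jsonpath expression is quoted so the shell never touches the braces.
# This writes the password to the terminal -- avoid doing it in a logged session.
kubectl get secret postgres-postgresql -n postgres \
  -o jsonpath='{.data.postgres-password}' | base64 -d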
- Login to the fakeapp database and paste the password when prompted
psql -U postgres -d fakeapp
-
Create user for Vault server
-- Role that Vault's database secrets engine will use to create and drop the
-- per-lease roles; its name/password are repeated in the database/config step.
-- NOTE(review): SUPERUSER is more than the engine needs to run the
-- creation_statements below (create a role, grant SELECT); a role with
-- CREATEROLE plus grant rights on the target tables would limit the blast
-- radius if this password leaks -- confirm the GRANT still succeeds with it.
-- NOTE(review): 'vault' is a demo placeholder; Vault can rotate it after
-- configuration so the value is no longer known outside Vault.
CREATE ROLE vault WITH SUPERUSER LOGIN ENCRYPTED PASSWORD 'vault';
- Enable database secrets engine
# Mount the database secrets engine at database/ (default path = engine name).
vault secrets enable -path=database database
- Configure postgres connection
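# Tell Vault how to reach PostgreSQL. Continuations were collapsed in the
# original; restored here. {{username}}/{{password}} in connection_url are
# filled by Vault from the username/password fields, which must match the
# CREATE ROLE vault ... statement above. allowed_roles restricts which
# database roles may use this connection.
# NOTE(review): the password is passed on the command line (shell history) and
# is the same one typed into psql; once this config is in place, rotating it
# with `vault write -f database/rotate-root/fakeapp-pg-db` leaves Vault as the
# only holder. connection_url sets no sslmode -- confirm whether the
# in-cluster connection should be TLS.
vault write database/config/fakeapp-pg-db \
  plugin_name="postgresql-database-plugin" \
  allowed_roles="fakeapp-role" \
  connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql.postgres:5432/fakeapp" \
  username="vault" \
  password="vault"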
- Create database role
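# Define the dynamic role: each credential request runs creation_statements
# with a fresh {{name}}/{{password}} and a VALID UNTIL of {{expiration}}, and
# grants only SELECT on the public schema. Leases last 1h by default and can
# be renewed up to 24h. Continuations (including the backslash-newline inside
# the quoted SQL, which bash removes) were collapsed in the original; restored.
vault write database/roles/fakeapp-role \
  db_name="fakeapp-pg-db" \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"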
- Test database credential
# Smoke-test the dynamic role. This issues a real credential pair with its own
# lease (default_ttl=1h from the role), so the generated PostgreSQL role exists
# until that lease expires or is revoked.
vault read 'database/creds/fakeapp-role'
- Create policy to read database creds for the "fakeapp"
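# Policy allowing the app to request dynamic database credentials. The heredoc
# was collapsed onto one line in the original, which cannot run; restored here.
vault policy write fakeapp-role - <<EOF
path "database/creds/fakeapp-role" {
  capabilities = ["read"]
}
EOF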
- Assign policy to the kubernetes role
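# Rewrite the Kubernetes auth role with the database policy added. Writing the
# same role path replaces the earlier definition, so every field must be
# repeated. Continuations were collapsed in the original; restored here.
# NOTE(review): as before, binding the "default" service account admits any
# pod in the fakeapp namespace without an explicit serviceAccountName.
vault write auth/kubernetes/role/fakeapp \
  bound_service_account_names=default \
  bound_service_account_namespaces=fakeapp \
  policies=default,mysecret,fakeapp-role \
  audience=vault \
  ttl=24h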
- Create new namespace
# Namespace for the app; must match bound_service_account_namespaces in the
# Kubernetes auth role above.
kubectl create namespace fakeapp
- Apply VaultAuth
# VaultAuth resource: tells VSO how to authenticate (the Kubernetes role above).
# Manifest contents are not shown on this page.
kubectl apply --filename vault-auth.yaml
- Apply VaultStaticSecret (only for kvv2 secrets)
# VaultStaticSecret resource syncing kv-v2/fakeapp/mysecret into a Kubernetes
# Secret. Manifest contents are not shown on this page.
kubectl apply --filename kv-secret.yaml
- Apply VaultDynamicSecret (only for dynamic database secrets)
# VaultDynamicSecret resource requesting database/creds/fakeapp-role on the
# app's behalf. Manifest contents are not shown on this page.
kubectl apply --filename database-creds.yaml
- Deploy application
# Deploy the application that consumes the synced Secrets.
kubectl apply --filename deployment.yaml