diff --git a/doc/source/security/kubernetes/configure-vault-using-the-cli.rst b/doc/source/security/kubernetes/configure-vault-using-the-cli.rst
index 1e56144dd..e04b97d21 100644
--- a/doc/source/security/kubernetes/configure-vault-using-the-cli.rst
+++ b/doc/source/security/kubernetes/configure-vault-using-the-cli.rst
@@ -20,7 +20,8 @@ You can configure Vault by logging into a Vault server pod and using Vault CLI.
 .. code-block:: none
- $ kubectl exec -n vault sva-vault-manager-0 -- cat /mnt/data/cluster_keys.json | grep -oP --color=never '(?<="root_token":")[^"]*'
+ $ ROOT_TOKEN="$( kubectl get secrets -n vault cluster-key-root \
+ -o jsonpath='{.data.strdata}' | base64 -d )"
 #. Log in to the Vault server container.
@@ -34,7 +35,7 @@ You can configure Vault by logging into a Vault server pod and using Vault CLI.
 .. code-block:: none
- $ vault login
+ $ vault login -no-print
 #. Enable the Kubernetes Auth method.
@@ -46,7 +47,7 @@ You can configure Vault by logging into a Vault server pod and using Vault CLI.
 .. code-block:: none
- $ vault write auth/kubernetes/config token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ $ vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
 #. Verify the Kubernetes Auth method.
@@ -123,7 +124,7 @@ You can configure Vault by logging into a Vault server pod and using Vault CLI.
 .. code-block:: none
- $ vault write auth/kubernetes/role/basic-secret-role bound_service_account_names=basic-secret bound_service_account_namespaces=default policies=basic-secret-policy ttl=24h
+ $ vault write auth/kubernetes/role/basic-secret-role bound_service_account_names=basic-secret bound_service_account_namespaces=test policies=basic-secret-policy ttl=24h
 #. Verify the policy.
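Review bot: `vault login -no-print` on the new line only stops the token being echoed; the Vault token helper still persists it (by default to `~/.vault-token` in the container's home directory, unless a different helper is configured) after the root token has already been exported into the operator's shell as `ROOT_TOKEN`, and the procedure never tells the reader to clean either up. Suggest a closing step once the configuration is verified, e.g. `$ unset ROOT_TOKEN` on the controller plus removal of the cached token in the pod, and a sentence stating that the root token should be revoked or rotated once this one-time setup is complete. The numbered list this step belongs to continues outside the hunk.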
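Review bot: Dropping `token_reviewer_jwt` and `kubernetes_ca_cert` from `vault write auth/kubernetes/config` leaves Vault to use the service-account token and CA mounted in its own pod for TokenReview calls, which as far as I know is the default only on newer Vault releases and still requires the Vault server's service account to be permitted to call the TokenReview API; the page states neither requirement. Suggest a sentence after the command such as `Vault uses the service account token mounted in its own pod to call the Kubernetes TokenReview API, so the Vault server's service account must be authorised for token review.` The same removal is made in the first hunk of configure-vault.rst, where the curl form also stops sending the CA and JWT.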
diff --git a/doc/source/security/kubernetes/configure-vault.rst b/doc/source/security/kubernetes/configure-vault.rst
index 3e5f13452..bc6ca6487 100644
--- a/doc/source/security/kubernetes/configure-vault.rst
+++ b/doc/source/security/kubernetes/configure-vault.rst
@@ -26,11 +26,7 @@ The following steps use Vault's REST API and is run from controller-0.
 .. code-block:: none
- $ ROOT_TOKEN=$(kubectl exec -n vault sva-vault-manager-0 -- cat /mnt/data/cluster_keys.json | grep -oP --color=never '(?<="root_token":")[^"]*')
-
- $ SA_CA_CERT=$(kubectl exec -n vault sva-vault-0 -- awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
-
- $ TOKEN_JWT=$(kubectl exec -n vault sva-vault-0 -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ $ ROOT_TOKEN="$( kubectl get secrets -n vault cluster-key-root -o jsonpath='{.data.strdata}' | base64 -d )"
 $ KUBERNETES_PORT_443_TCP_ADDR=$(kubectl exec -n vault sva-vault-0 -- sh -c 'echo $KUBERNETES_PORT_443_TCP_ADDR')
@@ -38,7 +34,8 @@ The following steps use Vault's REST API and is run from controller-0.
 #. Enable the Kubernetes Auth method.
- This allows Vault to use Kubernetes service accounts for authentication of Vault commands.
+ This allows Vault to use Kubernetes service accounts for authentication of
+ Vault commands.
 For more information, see:
@@ -57,7 +54,7 @@ The following steps use Vault's REST API and is run from controller-0.
 .. code-block:: none
- $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{"kubernetes_host": "'"https://$KUBERNETES_PORT_443_TCP_ADDR:443"'", "kubernetes_ca_cert":"'"$SA_CA_CERT"'", "token_reviewer_jwt":"'"$TOKEN_JWT"'"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/config
+ $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{"kubernetes_host": "'"https://$KUBERNETES_PORT_443_TCP_ADDR:443"'"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/config
 #. Verify the Kubernetes Auth method.
@@ -117,7 +114,7 @@ The following steps use Vault's REST API and is run from controller-0.
 .. code-block:: none
- $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "pvtest", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
+ $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "test", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
 #. Verify the role configuration.
@@ -133,7 +130,7 @@ The following steps use Vault's REST API and is run from controller-0.
 .. code-block:: none
- $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"username":"pvtest","password":""}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld
+ $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"data":{"password": "", "username": "test"}}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld
 #. Verify the secret.
diff --git a/doc/source/usertasks/kubernetes/vault-unaware.rst b/doc/source/usertasks/kubernetes/vault-unaware.rst
index 8c139a99c..efe1635cb 100644
--- a/doc/source/usertasks/kubernetes/vault-unaware.rst
+++ b/doc/source/usertasks/kubernetes/vault-unaware.rst
@@ -32,13 +32,7 @@ pod can access these secrets as files.
 .. code-block:: none
- $ ROOT_TOKEN=$(kubectl exec -n vault sva-vault-manager-0 -- cat /mnt/data/cluster_keys.json | grep -oP --color=never '(?<="root_token":")[^"]*')
-
- $ SA_CA_CERT=$(kubectl exec -n vault sva-vault-0 -- awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
-
- $ TOKEN_JWT=$(kubectl exec -n vault sva-vault-0 -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)
-
- $ KUBERNETES_PORT_443_TCP_ADDR=$(kubectl exec -n vault sva-vault-0 -- sh -c 'echo $KUBERNETES_PORT_443_TCP_ADDR')
+ $ ROOT_TOKEN="$( kubectl get secrets -n vault cluster-key-root -o jsonpath='{.data.strdata}' | base64 -d )"
 $ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.crt}') | base64 --decode > /home/sysadmin/vault_ca.pem
@@ -52,13 +46,13 @@ pod can access these secrets as files.
 .. code-block:: none
- $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "default", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
+ $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "test", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
 #. Create the secret.
 .. code-block:: none
- $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"username":"pvtest","password":"Li69nux*"}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld
+ $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"data":{"password": "", "username": "test"}}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld
 #. Verify the secret.
@@ -68,19 +62,14 @@ pod can access these secrets as files.
 .. rubric:: |proc|
-#. Copy the Vault certs to the default namespace.
- .. code-block:: none
-
- $ kubectl get secret vault-server-tls --namespace=vault --export -o yaml | kubectl apply --namespace=default -f-
-
-#. Use the following vault-injector.yaml file to create a test namespace, an
- example Vault-Unaware deployment, 'basic-secret', with vault annotations
+#. Use the following ``helloworld.yaml`` file to create a test namespace,
+ an example Vault-Unaware deployment, 'basic-secret', with vault annotations
 for creating the Vault Agent Injector sidecar container:
 .. code-block:: yaml
- cat <> vault-injector.yaml
+ cat <> helloworld.yaml
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -101,17 +90,17 @@ pod can access these secrets as files.
 template:
 metadata:
 annotations:
- vault.hashicorp.com/agent-inject: "true"
- vault.hashicorp.com/tls-skip-verify: "true"
- vault.hashicorp.com/agent-inject-secret-helloworld: "secret/data/basic-secret/helloworld"
- vault.hashicorp.com/agent-inject-template-helloworld: |
- {{- with secret "secret/data/basic-secret/helloworld" -}}
- {
- "username" : "{{ .Data.data.username }}",
- "password" : "{{ .Data.data.password }}"
- }
- {{- end }}
- vault.hashicorp.com/role: "basic-secret-role"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/tls-skip-verify: "true"
+ vault.hashicorp.com/agent-inject-secret-helloworld: "secret/data/basic-secret/helloworld"
+ vault.hashicorp.com/agent-inject-template-helloworld: |
+ {{- with secret "secret/data/basic-secret/helloworld" -}}
+ {
+ "username" : "{{ .Data.data.username }}",
+ "password" : "{{ .Data.data.password }}"
+ }
+ {{- end }}
+ vault.hashicorp.com/role: "basic-secret-role"
 labels:
 app: basic-secret
 spec:
@@ -126,6 +115,7 @@ pod can access these secrets as files.
 name: basic-secret
 labels:
 app: basic-secret
+ namespace: test
 EOF
 #. Apply the application and verify the pod is running.
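Review bot: The re-indented annotation block still carries `vault.hashicorp.com/tls-skip-verify: "true"`, so the injected agent accepts any certificate presented by the Vault server, even though this same document extracts the server CA from the `vault-ca` secret into `/home/sysadmin/vault_ca.pem` for the curl steps, and the preceding hunk removes the only step that copied the Vault TLS secret into the application namespace. Consider pointing the agent at that CA instead, e.g. replacing the line with `vault.hashicorp.com/tls-secret: "<SECRET_WITH_VAULT_CA_IN_TEST_NAMESPACE>"` and `vault.hashicorp.com/ca-cert: "/vault/tls/<CA_FILE_NAME>"` (names to be filled in), or at minimum add a sentence to the prose saying that verification is skipped here only because this is a throw-away test deployment. The YAML manifest begins and ends outside this hunk.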
@@ -138,7 +128,8 @@ pod can access these secrets as files.
 .. code-block:: none
- $ kubectl exec -n pvtest basic-secret-55d6c9bb6f-4whbp -- cat /vault/secrets/helloworld
+ $ POD="$( kubectl get pods -n test | cut -d' ' -f1 | grep basic-secret )"
+ $ kubectl exec -n test $POD -- cat /vault/secrets/helloworld
 .. _vault-unaware-ul-jsf-dqm-4mb:
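Review bot: `POD="$( kubectl get pods -n test | cut -d' ' -f1 | grep basic-secret )"` expands to several names whenever more than one pod matches (a second replica, or an old pod still terminating after the apply two steps earlier), and the unquoted `$POD` on the next line then hands all of them to `kubectl exec`, which fails. Selecting by the `app: basic-secret` label the manifest sets is narrower and does not depend on column layout: `$ POD="$( kubectl get pods -n test -l app=basic-secret -o jsonpath='{.items[0].metadata.name}' )"` followed by `$ kubectl exec -n test "$POD" -- cat /vault/secrets/helloworld`. The numbered step these lines belong to starts outside the hunk.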