pub/vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Vassiliy Yegorov
2022-07-28 02:09:34 +07:00
parent 8ccd67c6a3
commit 2fe99c9696
2 changed files with 21 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@@ -19,11 +19,24 @@
1. прописываем в переменных адрес vault-сервера 1. прописываем в переменных адрес vault-сервера
2. запускаем чарт `helm upgrade --install --create-namespace -n vault vault helm/vault` 2. запускаем чарт `helm upgrade --install --create-namespace -n vault vault helm/vault`
3. если у вас версия куба 1.24 и выше, то создаем токен руками
```bash
cat > vault-secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
name: vault-token-g955r
annotations:
kubernetes.io/service-account.name: vault
type: kubernetes.io/service-account-token
EOF
```
### 3. подключение из куба в vault ### 3. подключение из куба в vault
1. `vault auth enable kubernetes` 1. `vault auth enable kubernetes`
2. подсмотреть имя у VAULT_HELM_SECRET_NAME=vault-token-xxxxx 2. подсмотреть имя у VAULT_HELM_SECRET_NAME=vault-token-xxxxx в кубе
3. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)` 3. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)`
4. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)` 4. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)`
5. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')` 5. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')`
@@ -41,7 +54,7 @@ vault write auth/kubernetes/config \
```bash ```bash
vault policy write vault-test - <<EOF vault policy write vault-test - <<EOF
path "kv/secret/data/vault-test/config" { path "kv/data/secret/vault-test" {
capabilities = ["read"] capabilities = ["read"]
} }
EOF EOF
@@ -59,6 +72,6 @@ vault write auth/kubernetes/role/vault-test \
### 4. Запуск тестового деплоя ### 4. Запуск тестового деплоя
1. `vault kv put kv/secret/data/vault-test/config username='vassiliy' password='password' database='testdb' psqlhost='psql-service'` 1. `vault kv put kv/secret/vault-test username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
2. `vault kv get -format=json kv/secret/data/vault-test/config | jq ".data.data"` 2. `vault kv get -format=json kv/secret/vault-test | jq ".data.data"`
3. `k apply -f vault-test.yaml` 3. `k apply -f k8s/vault-test.yaml`

6
k8s/vault-test.yaml
View File

@@ -30,9 +30,9 @@ spec:
annotations: annotations:
vault.hashicorp.com/agent-inject: 'true' vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/role: 'vault-test' vault.hashicorp.com/role: 'vault-test'
vault.hashicorp.com/agent-inject-secret-credentials.txt: 'kv/secret/data/vault-test/config' vault.hashicorp.com/agent-inject-secret-credentials: 'kv/secret/vault-test'
vault.hashicorp.com/agent-inject-template-credentials.txt: | vault.hashicorp.com/agent-inject-template-credentials: |
{{- with secret "kv/secret/data/vault-test/config" -}} {{- with secret "kv/secret/vault-test" -}}
postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.psqlhost }}:5432/{{ .Data.data.database }} postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.psqlhost }}:5432/{{ .Data.data.database }}
{{- end -}} {{- end -}}
spec: spec: