pub/vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Vassiliy Yegorov
2022-07-28 00:51:41 +07:00
parent c3ba7baa48
commit b38288eba7
8 changed files with 45 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
README.md
View File

@@ -11,7 +11,9 @@
### 1. запуск vault в докере
1. docker compose up -d
1. `./start.sh`
2. `export VAULT_ADDR=https://vault.domain.com`
3. `vault login`
### 2. запуск heml-чарта
@@ -21,10 +23,11 @@
### 3. подключение из куба в vault
1. `vault auth enable kubernetes`
2. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)`
3. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)`
4. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')`
5. прописываем конфиг соединения
2. подсмотреть имя у VAULT_HELM_SECRET_NAME=vault-token-xxxxx
3. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)`
4. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)`
5. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')`
6. прописываем конфиг соединения
```bash
vault write auth/kubernetes/config \
@@ -34,17 +37,17 @@ vault write auth/kubernetes/config \
issuer="https://kubernetes.default.svc.cluster.local"
```
6. добавляем полиси доступа
7. добавляем полиси доступа
```bash
vault policy write vault-test - <<EOF
path "secret/data/vault-test/config" {
path "kv/secret/data/vault-test/config" {
capabilities = ["read"]
}
EOF
```
7. формируем роль доступа с куба в вольт
8. формируем роль доступа с куба в вольт
```bash
vault write auth/kubernetes/role/vault-test \
@@ -56,7 +59,6 @@ vault write auth/kubernetes/role/vault-test \
### 4. Запуск тестового деплоя
1. `vault login root`
2. `vault kv put secret/vault-test/config username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
3. `vault kv get -format=json secret/vault-test/config | jq ".data.data"`
4. `k apply -f vault-test.yaml`
1. `vault kv put kv/secret/data/vault-test/config username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
2. `vault kv get -format=json kv/secret/data/vault-test/config | jq ".data.data"`
3. `k apply -f vault-test.yaml`