
# Install Vault-CRD

The following part describes how to install Vault-CRD in a cluster with RBAC enabled.

First, decide which authentication method Vault-CRD should use to access Vault. Two methods are supported:

1. [Static Vault Token generated in Vault](/install-vault-crd.md#static-vault-token)
2. [Kubernetes Service Account Authentication](/install-vault-crd.md#kubernetes-service-account-authentication)

### Static Vault Token

Create a file called policy.hcl with the following content:

```
path "testpki/issue/testrole" {
  capabilities = ["create", "read", "update"]
}

path "secret/*" {
  capabilities = ["read"]
}
```

This defines a new policy that may issue new certificates from the PKI mount `testpki` with the role `testrole`, and that has read access to every secret under the `secret` mount point. To write this policy to HashiCorp Vault, run the following command:

```
$ vault write sys/policy/testpolicy policy=@policy.hcl
```

The policy is now available in Vault and has the name testpolicy.

Now you can generate a Vault token that has the new testpolicy assigned:

```
$ vault token create -policy=testpolicy -display-name=testtoken
Key                Value
---                -----
token              7b021d51-c4e8-5b28-e944-5dceb1ec5191
token_accessor     540957b0-0340-2c06-1546-7c28e682983f
token_duration     768h
token_renewable    true
token_policies     [default testpolicy]
```

The value of the `token` key is the token required to deploy Vault-CRD.

#### Deploy Vault-CRD

At the end of the deploy/rbac.yaml file is the Deployment of Vault-CRD with two environment variables. Change their values to match your setup, e.g.:

```yaml
        - name: KUBERNETES_VAULT_URL
          value: "http://localhost:8080/v1/"
        - name: KUBERNETES_VAULT_TOKEN
          value: "7b021d51-c4e8-5b28-e944-5dceb1ec5191"
```

{% hint style="warning" %}
Please don't forget the `/v1/` path at the end of the Vault URL (`KUBERNETES_VAULT_URL`).
{% endhint %}

Now you can deploy the rbac file with the following command:

```
$ kubectl apply -f https://raw.githubusercontent.com/DaspawnW/vault-crd/master/deploy/rbac.yaml
```
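The static-token procedure above, collected into one script with the checks a practitioner wants before handing a long-lived token to a controller. This is an added example and not code from the Vault-CRD project: it assumes a logged-in `vault` CLI that may write policies and create tokens, a `kubectl` context pointing at the target cluster, and `jq`; `POLICY_NAME`, `SECRET_NAME`, `NAMESPACE` and the `vault-crd` display name are assumptions, and the policy body is the one from this page. It goes beyond the page in two places: it verifies which policies the token actually carries, and it stores the token in a Kubernetes Secret read via `secretKeyRef` instead of writing it into the Deployment manifest.

```shell
#!/bin/sh
# Added example, not part of Vault-CRD: static-token setup with checks.
# Assumes a logged-in vault CLI, a kubectl context for the cluster, and jq.
# POLICY_NAME, SECRET_NAME and NAMESPACE are assumptions for illustration.
set -eu

POLICY_NAME="${POLICY_NAME:-testpolicy}"
SECRET_NAME="${SECRET_NAME:-vault-crd-token}"   # assumed name of the Secret holding the token
NAMESPACE="${NAMESPACE:-default}"               # assumed namespace of the Vault-CRD Deployment

# Vault-CRD talks to the Vault HTTP API, so KUBERNETES_VAULT_URL must end in /v1/.
# Returns 0 for an acceptable URL, 1 otherwise; warns when the scheme is plain http.
check_vault_url() {
  case "$1" in
    https://*/v1/) return 0 ;;
    http://*/v1/)  echo "warning: $1 is plain http, the token is sent unencrypted" >&2; return 0 ;;
    *)             echo "error: KUBERNETES_VAULT_URL must end in /v1/, got: $1" >&2; return 1 ;;
  esac
}

# Same policy as on the page; "vault policy write NAME -" reads the body from
# stdin and is equivalent to writing sys/policy/NAME with policy=@file.
write_policy() {
  vault policy write "$POLICY_NAME" - <<'EOF'
path "testpki/issue/testrole" {
  capabilities = ["create", "read", "update"]
}

path "secret/*" {
  capabilities = ["read"]
}
EOF
}

# Create the token with only POLICY_NAME attached (no implicit "default"
# policy) and print just the token, taken from JSON output instead of
# scraping the table shown on the page.
create_token() {
  vault token create -policy="$POLICY_NAME" -no-default-policy \
    -display-name=vault-crd -format=json | jq -r '.auth.client_token'
}

# Confirm what the token can do before handing it to Vault-CRD.
verify_token() {
  VAULT_TOKEN="$1" vault token lookup -format=json \
    | jq -e --arg p "$POLICY_NAME" '.data.policies == [$p]' >/dev/null \
    || { echo "error: token does not carry exactly the policy $POLICY_NAME" >&2; return 1; }
}

# Keep the token out of the Deployment manifest: store it in a Secret. The
# token is passed on stdin rather than as --from-literal so it does not show
# up in the process list or the shell history.
store_token() {
  printf '%s' "$1" \
    | kubectl -n "$NAMESPACE" create secret generic "$SECRET_NAME" \
        --from-file=token=/dev/stdin --dry-run=client -o yaml \
    | kubectl apply -f -
}

# The env entries for the Deployment in deploy/rbac.yaml, with the token read
# from the Secret via secretKeyRef instead of a literal value.
render_token_env() {
  cat <<EOF
        - name: KUBERNETES_VAULT_URL
          value: "$1"
        - name: KUBERNETES_VAULT_TOKEN
          valueFrom:
            secretKeyRef:
              name: $SECRET_NAME
              key: token
EOF
}

main() {
  url="${KUBERNETES_VAULT_URL:?set KUBERNETES_VAULT_URL, e.g. https://vault.example.internal:8200/v1/}"
  check_vault_url "$url"
  write_policy
  tok=$(create_token)
  verify_token "$tok"
  store_token "$tok"
  render_token_env "$url"
}

# Run only when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `KUBERNETES_VAULT_URL=https://vault.example.internal:8200/v1/ sh setup-static-token.sh apply`; the YAML it prints replaces the two `env` entries shown above, so the manifest committed to version control never contains the token itself.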

### Kubernetes Service Account authentication

First, create a Service Account and a ClusterRoleBinding for it, so that Vault can obtain a token-reviewer JWT. Apply the following Kubernetes resources:

```bash
kubectl create serviceaccount vault-auth

# A ClusterRoleBinding is cluster-scoped, so it carries no namespace of its own;
# system:auth-delegator lets the Service Account call the TokenReview API.
# rbac.authorization.k8s.io/v1 replaces v1beta1, which is no longer served since Kubernetes 1.22.
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: default
EOF
```

Now enable the Kubernetes authentication method and configure it with the generated Service Account as token reviewer. This allows Vault to verify the JWT that Vault-CRD presents when it authenticates.

{% hint style="info" %}
If you work on a Mac, replace `base64 -d` with `base64 -D`.
{% endhint %}

```bash
$ vault auth enable kubernetes

# Name of the token Secret that Kubernetes created for the vault-auth Service Account
$ vaultSecretName=$(kubectl get serviceaccount vault-auth -o json | jq '.secrets[0].name' -r)
# Cluster CA certificate, used by Vault to verify the API server
$ kubectl get secret "$vaultSecretName" -o json | jq '.data["ca.crt"]' -r | base64 -d > ca.crt
# kubernetes_host must be the API server address as reachable from the Vault process
$ vault write auth/kubernetes/config \
    token_reviewer_jwt="$(kubectl get secret "$vaultSecretName" -o json | jq .data.token -r | base64 -d)" \
    kubernetes_host=https://127.0.0.1 \
    kubernetes_ca_cert=@ca.crt
```

The last step is to create a policy (see the Static Vault Token example) and a Vault role that binds the Service Account to that policy:

```
vault write auth/kubernetes/role/vault-auth \
    bound_service_account_names=vault-crd-serviceaccount \
    bound_service_account_namespaces=vault-crd \
    policies=testpolicy \
    ttl=1h
```
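The Service Account steps above as one script, written for clusters that no longer create a token Secret for every Service Account automatically (Kubernetes 1.24 and later), where the `.secrets[0].name` lookup used above returns `null`. This is an added example and not code from the Vault-CRD project: it assumes a logged-in `vault` CLI that may manage auth methods, a `kubectl` context for the cluster, `jq`, and that the policy from the Static Vault Token section already exists; the names `REVIEWER_SA`, `CRD_SA`, `CRD_NAMESPACE` and `ROLE_NAME` mirror the page's examples and are assumptions. It goes beyond the page in that it requests the reviewer token Secret explicitly, picks the right `base64` flag instead of requiring a manual edit, and logs in with a short-lived projected token for the Vault-CRD Service Account to prove the role binding before anything is deployed.

```shell
#!/bin/sh
# Added example, not Vault-CRD's own code: Kubernetes-auth setup for clusters
# without auto-created Service Account token Secrets (Kubernetes 1.24+).
# Assumes a logged-in vault CLI, a kubectl context, jq, and an existing policy.
# REVIEWER_SA, CRD_SA, CRD_NAMESPACE and ROLE_NAME are assumptions.
set -eu

REVIEWER_SA="${REVIEWER_SA:-vault-auth}"            # Service Account Vault uses for TokenReview
CRD_SA="${CRD_SA:-vault-crd-serviceaccount}"        # Service Account the Vault-CRD pod runs as
CRD_NAMESPACE="${CRD_NAMESPACE:-vault-crd}"
ROLE_NAME="${ROLE_NAME:-vault-auth}"
POLICY_NAME="${POLICY_NAME:-testpolicy}"

# GNU coreutils decodes with -d, older macOS base64 only with -D; probe once
# instead of editing every command by hand.
b64decode() {
  if printf 'AA==' | base64 -d >/dev/null 2>&1; then base64 -d; else base64 -D; fi
}

# Reviewer Service Account and the ClusterRoleBinding that lets Vault call the
# TokenReview API (rbac.authorization.k8s.io/v1; v1beta1 is gone since 1.22).
create_reviewer() {
  kubectl create serviceaccount "$REVIEWER_SA" --dry-run=client -o yaml | kubectl apply -f -
  cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: $REVIEWER_SA
  namespace: default
EOF
}

# Vault stores the reviewer JWT, so it needs a long-lived token: request one
# explicitly and wait for the token controller to fill in token and ca.crt.
create_reviewer_secret() {
  cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: ${REVIEWER_SA}-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: $REVIEWER_SA
type: kubernetes.io/service-account-token
EOF
  i=0
  until kubectl get secret "${REVIEWER_SA}-token" -o jsonpath='{.data.token}' | grep -q .; do
    i=$((i + 1)); [ "$i" -lt 30 ] || { echo "error: reviewer token not populated" >&2; return 1; }
    sleep 1
  done
}

# Point Vault at the API server with the cluster CA and the reviewer JWT.
# kubernetes_host must be reachable from the Vault process; for a Vault running
# inside the cluster, https://kubernetes.default.svc is the usual value.
configure_auth() {
  vault auth enable -path=kubernetes kubernetes 2>/dev/null || true   # idempotent
  api_server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  kubectl get secret "${REVIEWER_SA}-token" -o jsonpath='{.data.ca\.crt}' | b64decode > ca.crt
  vault write auth/kubernetes/config \
    token_reviewer_jwt="$(kubectl get secret "${REVIEWER_SA}-token" -o jsonpath='{.data.token}' | b64decode)" \
    kubernetes_host="$api_server" \
    kubernetes_ca_cert=@ca.crt
}

# Bind only the Vault-CRD Service Account in its namespace to the policy.
# token_policies/token_ttl are the current parameter names; the page's
# policies=/ttl= are the older spelling and still accepted.
create_role() {
  vault write "auth/kubernetes/role/$ROLE_NAME" \
    bound_service_account_names="$CRD_SA" \
    bound_service_account_namespaces="$CRD_NAMESPACE" \
    token_policies="$POLICY_NAME" \
    token_ttl=1h
}

# Prove the binding before deploying: log in with a short-lived projected token
# for the Vault-CRD Service Account and check that POLICY_NAME comes back.
verify_login() {
  kubectl create namespace "$CRD_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$CRD_NAMESPACE" create serviceaccount "$CRD_SA" --dry-run=client -o yaml | kubectl apply -f -
  jwt=$(kubectl -n "$CRD_NAMESPACE" create token "$CRD_SA" --duration=10m)
  vault write -format=json auth/kubernetes/login role="$ROLE_NAME" jwt="$jwt" \
    | jq -e --arg p "$POLICY_NAME" '.auth.policies | index($p) != null' >/dev/null \
    || { echo "error: login did not yield policy $POLICY_NAME" >&2; return 1; }
}

main() {
  create_reviewer; create_reviewer_secret; configure_auth; create_role; verify_login
  echo "Kubernetes auth verified; deploy Vault-CRD with KUBERNETES_VAULT_AUTH=serviceAccount"
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Run it with `sh setup-k8s-auth.sh apply`. The namespace and Service Account it creates for the login check are the same ones deploy/rbac.yaml applies afterwards, so the later `kubectl apply` is a no-op for them; if the check fails, the usual causes are a `kubernetes_host` that Vault cannot reach or a role whose bound names do not match the Deployment's Service Account.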

#### Deploy Vault-CRD

At the end of the deploy/rbac.yaml file is the Deployment of Vault-CRD with two environment variables. By default, Vault-CRD is configured to use a static Vault token. Replace the values with the following:

```yaml
        - name: KUBERNETES_VAULT_URL
          value: "http://localhost:8080/v1/"
        - name: KUBERNETES_VAULT_ROLE
          value: "vault-auth"
        - name: KUBERNETES_VAULT_AUTH
          value: "serviceAccount"
```

{% hint style="warning" %}
Please don't forget the `/v1/` path at the end of the Vault URL (`KUBERNETES_VAULT_URL`).
{% endhint %}

Now you can deploy the rbac file with the following command:

```
$ kubectl apply -f https://raw.githubusercontent.com/DaspawnW/vault-crd/master/deploy/rbac.yaml
```

### Configuration of Vault-CRD

The following environment variables can be set to configure Vault-CRD:

| Variable | Description | Default value |
| --- | --- | --- |
| KUBERNETES\_VAULT\_URL | URL of your Vault installation. Don't forget the trailing /v1/ path. | |
| KUBERNETES\_VAULT\_TOKEN | Token with access to the resources that Vault-CRD shares from Vault to Kubernetes (static token authentication). | |
| KUBERNETES\_VAULT\_ROLE | If you use the Service Account approach for Vault authentication, the Vault role to log in with. In the example above it is vault-auth. | |
| KUBERNETES\_VAULT\_AUTH | The authentication method to use. Allowed values: token \| serviceAccount | token |
| KUBERNETES\_VAULT\_PATH | The Vault auth path to use. | kubernetes |
| KUBERNETES\_INTERVAL | Refresh interval in **seconds**. In this interval Vault-CRD checks whether something has changed in Vault that must be updated in Kubernetes. | 60 |
| KUBERNETES\_JKS\_DEFAULT\_ALIAS | Default alias under which the certificate is placed in a Java KeyStore. Can be overridden in the [JKS Configuration](/supported-secret-types/secret-type-pkijks.md#jksconfiguration). | main |
| KUBERNETES\_JKS\_DEFAULT\_PASSWORD | Default password that protects the Java KeyStore. Can be overridden in the [JKS Configuration](/supported-secret-types/secret-type-pkijks.md#jksconfiguration). | changeit |
| KUBERNETES\_JKS\_DEFAULT\_SECRET\_KEY\_NAME | Default key name inside the generated Secret under which the keystore is placed. Can be overridden in the [JKS Configuration](/supported-secret-types/secret-type-pkijks.md#jksconfiguration). | key.jks |
