Install Vault-CRD
The following part describes how to install Vault-CRD inside a Cluster with enabled RBAC.
First you have to decide which authentication method Vault-CRD should use to access Vault. Two methods are supported: a static Vault token, and Kubernetes service account authentication. Both are described below, starting with the static token.
Create a file called policy.hcl with the following content:

    path "testpki/issue/testrole" {
      capabilities = ["create", "read", "update"]
    }

    path "secret/*" {
      capabilities = ["read"]
    }
This defines a new policy that can issue new certificates from the PKI mount testpki using the role testrole, and that has read access to all secrets under the secret mount. To write this policy to HashiCorp Vault, run the following command:

    $ vault write sys/policy/testpolicy policy=@policy.hcl
The policy is now available in Vault and has the name testpolicy.
Now you can generate a Vault token that has this new testpolicy assigned:

    $ vault token create -policy=testpolicy -display-name=testtoken
    Key              Value
    ---              -----
    token            7b021d51-c4e8-5b28-e944-5dceb1ec5191
    token_accessor   540957b0-0340-2c06-1546-7c28e682983f
    token_duration   768h
    token_renewable  true
    token_policies   [default testpolicy]
The value of the token key is the token required to deploy Vault-CRD.
At the end of the deploy/rbac.yaml file is the Deployment of Vault-CRD with two environment variables. Change their values to your own settings, e.g.:

    - name: KUBERNETES_VAULT_URL
      value: "http://localhost:8080/v1/"
    - name: KUBERNETES_VAULT_TOKEN
      value: "7b021d51-c4e8-5b28-e944-5dceb1ec5191"
Please don't forget the /v1/ path at the end of the Vault URL; Vault's HTTP API is only reachable under that prefix.
Now you can deploy the rbac file with the following command:

    $ kubectl apply -f https://raw.githubusercontent.com/DaspawnW/vault-crd/master/deploy/rbac.yaml
For the service account method, first create a Service Account and bind it to the system:auth-delegator ClusterRole, so that its token can serve as the token reviewer JWT. Apply the following Kubernetes resources:

    kubectl create serviceaccount vault-auth
    cat <<EOF | kubectl apply -f -
    apiVersion: rbac.authorization.k8s.io/v1beta1   # use rbac.authorization.k8s.io/v1 on Kubernetes 1.22+, where v1beta1 was removed
    kind: ClusterRoleBinding
    metadata:
      name: role-tokenreview-binding
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:auth-delegator
    subjects:
    - kind: ServiceAccount
      name: vault-auth
      namespace: default
    EOF
Now you can enable the Kubernetes authentication method and use the generated Service Account as the token reviewer. This allows Vault to verify, via the Kubernetes TokenReview API, the JWT that Vault-CRD presents when it authenticates. Note that on Kubernetes 1.24 and newer a token Secret is no longer created automatically for a Service Account, so the secret lookup below only works if you create such a Secret for vault-auth yourself.
If you work on a Mac, replace base64 -d with base64 -D.

    $ vault auth enable kubernetes
    $ vaultSecretName=$(kubectl get serviceaccount vault-auth -o json | jq '.secrets[0].name' -r)
    $ kubectl get secret $vaultSecretName -o json | jq '.data["ca.crt"]' -r | base64 -d > ca.crt
    $ vault write auth/kubernetes/config \
        token_reviewer_jwt="$(kubectl get secret $vaultSecretName -o json | jq .data.token -r | base64 -d)" \
        kubernetes_host=https://127.0.0.1 \
        kubernetes_ca_cert=@ca.crt
The last step is to create a policy (see the static Vault token example above) and a Vault role that binds the Service Account, identified by name and namespace, to that policy:

    vault write auth/kubernetes/role/vault-auth \
        bound_service_account_names=vault-crd-serviceaccount \
        bound_service_account_namespaces=vault-crd \
        policies=testpolicy \
        ttl=1h
At the end of the deploy/rbac.yaml file is the Deployment of Vault-CRD with two environment variables. By default Vault-CRD is configured to use static Vault tokens. Replace the values with the following settings:

    - name: KUBERNETES_VAULT_URL
      value: "http://localhost:8080/v1/"
    - name: KUBERNETES_VAULT_ROLE
      value: "vault-auth"
    - name: KUBERNETES_VAULT_AUTH
      value: "serviceAccount"
Please don't forget the /v1/ path at the end of the Vault URL.
Now you can deploy the rbac file with the following command:

    $ kubectl apply -f https://raw.githubusercontent.com/DaspawnW/vault-crd/master/deploy/rbac.yaml
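As an added example (not Vault-CRD's own code), this is the login exchange that the serviceAccount auth mode performs against Vault: the pod's service account JWT is posted to auth/kubernetes/login together with KUBERNETES_VAULT_ROLE, and Vault answers with a client token carrying the role's policies and TTL. The URL, role name and policy name are the ones used on this page; the response fields are those of Vault's standard login reply, and the sample responses used in the checks are constructed.

```python
import json
import urllib.request

# Path where Kubernetes mounts the pod's service account token.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def login_request(vault_url, role, jwt):
    """Build the auth/kubernetes/login call. Vault's HTTP API lives under /v1/,
    which is why KUBERNETES_VAULT_URL must end with that prefix."""
    if not vault_url.endswith("/v1/"):
        raise ValueError("KUBERNETES_VAULT_URL must end with /v1/, got %r" % vault_url)
    return vault_url + "auth/kubernetes/login", {"role": role, "jwt": jwt}


def parse_login_response(body, expected_policy):
    """Pull the client token out of Vault's JSON reply and confirm that the
    policy configured on the role (testpolicy on this page) was attached."""
    data = json.loads(body)
    auth = data.get("auth")
    if not auth:
        raise RuntimeError("login rejected: %s" % data.get("errors"))
    if expected_policy not in auth["policies"]:
        raise RuntimeError("role did not grant %s: %s" % (expected_policy, auth["policies"]))
    return {
        "token": auth["client_token"],
        "policies": auth["policies"],
        "ttl": auth["lease_duration"],  # seconds; 3600 for the ttl=1h role above
        "renewable": auth["renewable"],
    }


def kubernetes_login(vault_url, role, expected_policy, jwt_path=SA_TOKEN_PATH):
    """Full exchange: read the pod's service account JWT, post it to Vault and
    return the resulting client token. Only works from inside the cluster."""
    with open(jwt_path) as fh:
        jwt = fh.read().strip()
    url, payload = login_request(vault_url, role, jwt)
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_login_response(resp.read(), expected_policy)


if __name__ == "__main__":
    result = kubernetes_login("http://localhost:8080/v1/", "vault-auth", "testpolicy")
    print("client token valid for %ss, policies %s" % (result["ttl"], result["policies"]))
```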
The following environment variables can be changed to configure Vault-CRD:
Variable | Description | Default Value |