Install Vault-CRD
This section describes how to install Vault-CRD in a cluster with RBAC enabled.
First decide which authentication method Vault-CRD should use to reach Vault. Two methods are supported:
Static Vault Token
Create a file called policy.hcl with the following content:
This policy grants the right to issue certificates from the role testrole of the PKI mount testpki and read access to all secrets under the secret mount. Keep both paths as narrow as your Vault-CRD resources actually need: the token created from this policy is long-lived and is readable by anyone who can read the Deployment's pod spec. Write the policy to HashiCorp Vault with the following command:
The policy is now stored in Vault under the name testpolicy.
Now generate a Vault token with testpolicy attached:
The value of the token key in the output is the token that Vault-CRD needs.
Deploy Vault-CRD
At the end of the deploy/rbac.yaml file is the Deployment of Vault-CRD with two environment variables. Change their values to match your setup, e.g.:
Don't forget the /v1/ path at the end of the Kubernetes Vault URL: Vault-CRD talks to the Vault HTTP API, and every API path is versioned under /v1/.
Now apply the RBAC file with the following command:
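The static-token procedure above as one script, added here as an example and not taken from the Vault-CRD project. It assumes a vault CLI that is already logged in with rights to write policies and create tokens, a PKI engine mounted at testpki and a KV engine at secret, and that the two Deployment variables are named KUBERNETES_VAULT_URL and KUBERNETES_VAULT_TOKEN (check the Deployment in deploy/rbac.yaml); the Vault URL and kubectl command are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Vault-CRD project): static-token setup for
# Vault-CRD as a script. Assumptions not stated on the page: the vault CLI is
# already logged in with rights to write policies and create tokens; the PKI
# engine is mounted at "testpki" and a KV engine at "secret"; the two env vars
# Vault-CRD reads are KUBERNETES_VAULT_URL and KUBERNETES_VAULT_TOKEN (verify
# against the Deployment in deploy/rbac.yaml); kubectl points at the cluster.
set -eu

# Policy as the page describes it: issue certificates from role "testrole" of
# the "testpki" mount, read everything below "secret/". For a KV v2 mount the
# read path is "secret/data/*" instead of "secret/*".
write_policy_file() {   # $1 = path of the policy.hcl to create
  cat > "$1" <<'EOF'
path "testpki/issue/testrole" {
  capabilities = ["create", "update"]
}

path "secret/*" {
  capabilities = ["read"]
}
EOF
}

# Vault-CRD calls the Vault HTTP API, which lives under /v1/; a URL without
# that suffix only produces 404s at runtime, so fail early instead.
check_vault_url() {   # $1 = value for KUBERNETES_VAULT_URL
  case "$1" in
    */v1/) return 0 ;;
    *) echo "Vault URL must end with /v1/ (got: $1)" >&2; return 1 ;;
  esac
}

# Register the policy and mint a token that carries only that policy.
# -orphan detaches it from the admin token running this script, so revoking
# the admin token later does not also kill Vault-CRD; -field=token prints only
# the token value, which is what goes into the Deployment.
create_static_token() {   # $1 = policy file
  vault policy write testpolicy "$1"
  vault token create -policy=testpolicy -orphan -field=token
}

# The env block to paste into the Vault-CRD Deployment in deploy/rbac.yaml.
render_env_snippet() {   # $1 = Vault URL, $2 = token
  check_vault_url "$1"
  cat <<EOF
        env:
        - name: KUBERNETES_VAULT_URL
          value: "$1"
        - name: KUBERNETES_VAULT_TOKEN
          value: "$2"
EOF
}

# Full run: ./static-token.sh apply https://vault.example.internal:8200/v1/
if [ "${1:-}" = "apply" ]; then
  write_policy_file policy.hcl
  token=$(create_static_token policy.hcl)
  render_env_snippet "$2" "$token"
  echo "Paste the block above into deploy/rbac.yaml, then run:" >&2
  echo "  kubectl apply -f deploy/rbac.yaml" >&2
fi
```

After the token is created, run vault token lookup on it and check the ttl field: the token inherits Vault's default lease TTL unless the policy or token options say otherwise, so a Vault-CRD that silently stops syncing after a few weeks is usually an expired token.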
Kubernetes Service Account authentication
First create a Service Account and a ClusterRoleBinding for it; Vault uses this account's JWT as its token reviewer, so the binding must grant the system:auth-delegator ClusterRole, which allows Vault to call the Kubernetes TokenReview API. Apply the following Kubernetes manifest:
Now enable the Kubernetes authentication method in Vault and configure it with the reviewer Service Account's token and the cluster CA certificate. This is what lets Vault verify the JWT that Vault-CRD presents when it authenticates.
On macOS replace base64 -d with base64 -D (base64 --decode is accepted by both the GNU and the macOS tool).
The last step is to create a policy (see the Static Vault Token section) and a Vault role that binds the Service Account Vault-CRD runs as to that policy. Bind the role to Vault-CRD's own Service Account name and namespace rather than a wildcard, otherwise any pod in the cluster can log in with Vault-CRD's permissions:
Deploy Vault-CRD
At the end of the deploy/rbac.yaml file is the Deployment of Vault-CRD with two environment variables. By default Vault-CRD is configured to use a static Vault token; replace the values with the following:
Don't forget the /v1/ path at the end of the Kubernetes Vault URL: Vault-CRD talks to the Vault HTTP API, and every API path is versioned under /v1/.
Now apply the RBAC file with the following command:
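The Service Account procedure above as one script, added here as an example and not taken from the Vault-CRD project. It assumes the reviewer Service Account is called vault-auth in the default namespace, that Vault-CRD runs as Service Account vault-crd in namespace vault-crd (take the real names from deploy/rbac.yaml), that the policy testpolicy from the Static Vault Token section already exists, and that Vault-CRD's variables are KUBERNETES_VAULT_URL, KUBERNETES_VAULT_AUTH (value serviceAccount) and KUBERNETES_VAULT_ROLE; the Kubernetes API and Vault URLs are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Vault-CRD project): Kubernetes service-account
# auth for Vault-CRD as a script. Assumptions not stated on the page: the
# reviewer Service Account is "vault-auth" in "default"; Vault-CRD runs as
# Service Account "vault-crd" in namespace "vault-crd" (take the real names
# from deploy/rbac.yaml); policy "testpolicy" already exists (Static Vault
# Token section); Vault-CRD's env vars are KUBERNETES_VAULT_AUTH (value
# "serviceAccount"), KUBERNETES_VAULT_ROLE and KUBERNETES_VAULT_URL.
set -eu

REVIEWER_SA=${REVIEWER_SA:-vault-auth}
REVIEWER_NS=${REVIEWER_NS:-default}
CRD_SA=${CRD_SA:-vault-crd}
CRD_NS=${CRD_NS:-vault-crd}
VAULT_ROLE=${VAULT_ROLE:-vault-crd}

# Reviewer SA plus a binding to system:auth-delegator: that ClusterRole is what
# lets Vault call the TokenReview API with this SA's JWT to validate the JWTs
# that Vault-CRD presents at login.
render_reviewer_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $REVIEWER_SA
  namespace: $REVIEWER_NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: $REVIEWER_SA
  namespace: $REVIEWER_NS
EOF
}

# GNU base64 decodes with -d, macOS (BSD) base64 with -D. Probe once so the
# same script runs unchanged on Linux and Mac.
b64dec() {
  if printf 'YQ==' | base64 -d >/dev/null 2>&1; then base64 -d; else base64 -D; fi
}

# Reviewer JWT and cluster CA from the SA's token Secret (auto-created on
# clusters before Kubernetes 1.24; on newer clusters mint a token with
# "kubectl -n $REVIEWER_NS create token $REVIEWER_SA" instead).
sa_secret_name() {
  kubectl -n "$REVIEWER_NS" get sa "$REVIEWER_SA" -o jsonpath='{.secrets[0].name}'
}
reviewer_jwt() {
  kubectl -n "$REVIEWER_NS" get secret "$(sa_secret_name)" -o jsonpath='{.data.token}' | b64dec
}
cluster_ca() {
  kubectl -n "$REVIEWER_NS" get secret "$(sa_secret_name)" -o jsonpath='{.data.ca\.crt}' | b64dec
}

# Enable the auth method, hand Vault the reviewer JWT and CA, then create the
# role. The role is bound to Vault-CRD's own SA and namespace (never "*"), so
# no other workload in the cluster can log in with Vault-CRD's policy.
configure_vault_k8s_auth() {   # $1 = Kubernetes API URL as reachable from Vault
  vault auth enable kubernetes
  vault write auth/kubernetes/config \
    token_reviewer_jwt="$(reviewer_jwt)" \
    kubernetes_host="$1" \
    kubernetes_ca_cert="$(cluster_ca)"
  vault write "auth/kubernetes/role/$VAULT_ROLE" \
    bound_service_account_names="$CRD_SA" \
    bound_service_account_namespaces="$CRD_NS" \
    policies=testpolicy \
    ttl=1h
}

# Env block for the Vault-CRD Deployment in deploy/rbac.yaml; the URL must end
# in /v1/ because Vault-CRD talks to the versioned Vault HTTP API.
render_env_snippet() {   # $1 = Vault URL
  case "$1" in */v1/) ;; *) echo "Vault URL must end with /v1/ (got: $1)" >&2; return 1 ;; esac
  cat <<EOF
        env:
        - name: KUBERNETES_VAULT_URL
          value: "$1"
        - name: KUBERNETES_VAULT_AUTH
          value: "serviceAccount"
        - name: KUBERNETES_VAULT_ROLE
          value: "$VAULT_ROLE"
EOF
}

# Full run: ./sa-auth.sh apply https://kubernetes.default.svc:443 https://vault.example.internal:8200/v1/
if [ "${1:-}" = "apply" ]; then
  render_reviewer_manifest | kubectl apply -f -
  configure_vault_k8s_auth "$2"
  render_env_snippet "$3"
  echo "Paste the block above into deploy/rbac.yaml, then run: kubectl apply -f deploy/rbac.yaml" >&2
fi
```

Nothing in this flow hands Vault-CRD a long-lived secret: the pod authenticates with its own projected Service Account token and receives a Vault token limited to the role's ttl, which is the main reason to prefer this method over a static token.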
Configuration of Vault-CRD
The following environment variables can be changed to configure Vault-CRD:
Variable
Description
Default Value