Vault-CRD
Github
Search…
Introduction
How does Vault-CRD work?
Supported Secret Types
Change Detection
Install Vault-CRD
Self Signed Certificates
Enable Admission Webhook
Powered By GitBook
Install Vault-CRD
The following part describes how to install Vault-CRD inside a Cluster with enabled RBAC.
First you have to specify which authentication method you would like to use for Vault-CRD to access Vault. There are two supported methods:
    1.
    Static Vault Token generated in Vault
    2.
    Kubernetes Service Account Authentication

Static Vault Token

Create a file called policy.hcl with the following content:
1
path "testpki/issue/testrole" {
2
capabilities = ["create", "read", "update"]
3
}
4
5
path "secret/*" {
6
capabilities = ["read"]
7
}
Copied!
This defines a new policy that has access to issue new Certificates in a testpki with role testrole and has read access to all secrets in the secret-mountpoint. To write this policy to HashiCorp Vault please run the following command:
1
$ vault write sys/policy/testpolicy [email protected]
Copied!
The policy is now available in Vault and has the name testpolicy.
Now you can generate the Vault Token, that has this new testpolicy assigned:
1
$ vault token create -policy=testpolicy -display-name=testtoken
2
Key Value
3
--- -----
4
token 7b021d51-c4e8-5b28-e944-5dceb1ec5191
5
token_accessor 540957b0-0340-2c06-1546-7c28e682983f
6
token_duration 768h
7
token_renewable true
8
token_policies [default testpolicy]
Copied!
Now the value of the token-key is the token, that is required to deploy Vault-CRD.

Deploy Vault-CRD

At the end of the deploy/rbac.yaml-file is the Deployment of Vault-CRD with two environment variables. Please change the values of them to your personal settings. e.g:
1
- name: KUBERNETES_VAULT_URL
2
value: "http://localhost:8080/v1/"
3
- name: KUBERNETES_VAULT_TOKEN
4
value: "7b021d51-c4e8-5b28-e944-5dceb1ec5191"
Copied!
Please don't forget the /v1/ path at the end of the Kubernetes Vault Url
Now you can deploy the rbac file with the following command:
1
$ kubectl apply -f https://raw.githubusercontent.com/DaspawnW/vault-crd/master/deploy/rbac.yaml
Copied!

Kubernetes Service Account authentication

First please create a Service Account and a ClusterRoleBinding to the Service Account to generate a reviewer JWToken. Therefore please apply the following Kubernetes changes:
1
kubectl create serviceaccount vault-auth
2
3
cat <<EOF | kubectl apply -f -
4
apiVersion: rbac.authorization.k8s.io/v1beta1
5
kind: ClusterRoleBinding
6
metadata:
7
name: role-tokenreview-binding
8
namespace: default
9
roleRef:
10
apiGroup: rbac.authorization.k8s.io
11
kind: ClusterRole
12
name: system:auth-delegator
13
subjects:
14
- kind: ServiceAccount
15
name: vault-auth
16
namespace: default
17
EOF
Copied!
Now you can enable the Kubernetes authentication method and use the generated Service Account to configure the reviewer handling. This allows Vault to verify the JWToken used by Vault-CRD to authenticate.
If you work with a Mac please replace base64 -d with base64 -D
1
$ vault auth enable kubernetes
2
3
$ vaultSecretName=$(kubectl get serviceaccount vault-auth -o json | jq '.secrets[0].name' -r)
4
$ kubectl get secret $vaultSecretName -o json | jq '.data["ca.crt"]' -r | base64 -d > ca.crt
5
$ vault write auth/kubernetes/config \
6
token_reviewer_jwt="$(kubectl get secret $vaultSecretName -o json | jq .data.token -r | base64 -d)" \
7
kubernetes_host=https://127.0.0.1 \
8
kubernetes_ca_cert=@ca.crt
Copied!
The last step is to generate a policy (please see the Static Vault Token example) and generate a vault role that binds the secret for the Service Account to the policy:
1
vault write auth/kubernetes/role/vault-auth \
2
bound_service_account_names=vault-crd-serviceaccount \
3
bound_service_account_namespaces=vault-crd \
4
policies=testpolicy \
5
ttl=1h
Copied!

Deploy Vault-CRD

At the end of the deploy/rbac.yaml-file is the Deployment of Vault-CRD with two environment variables. By default Vault-CRD is configured to use Static Vault Tokens. Please replace the values with the following information:
1
- name: KUBERNETES_VAULT_URL
2
value: "http://localhost:8080/v1/"
3
- name: KUBERNETES_VAULT_ROLE
4
value: "vault-auth"
5
- name: KUBERNETES_VAULT_AUTH
6
value: "serviceAccount"
Copied!
Please don't forget the /v1/ path at the end of the Kubernetes Vault Url
Now you can deploy the rbac file with the following command:
1
$ kubectl apply -f https://raw.githubusercontent.com/DaspawnW/vault-crd/master/deploy/rbac.yaml
Copied!

Configuration of Vault-CRD

The following environment variables can be changed to configure Vault-CRD
Variable
Description
Default Value
KUBERNETES_VAULT_URL
Please specify here the URL to your Vault installation. Don't forget to set the /v1/ path
KUBERNETES_VAULT_TOKEN
Token with access to the resources that Vault-CRD shares from Vault to Kubernetes.
KUBERNETES_VAULT_ROLE
If you use the Service Account approach for Vault authentication please specify here the Vault role. In the example above it's vault-auth.
KUBERNETES_VAULT_AUTH
Specifies the used authentication method the following values are allowed: token | serviceAccount
token
KUBERNETES_VAULT_PATH
Please specify here the Vault auth path to be used.
kubernetes
KUBERNETES_INTERVAL
Specifies the refresh interval in seconds. In this interval Vault-CRD will check if something has changed in Vault that must be updated in Kubernetes.
60
KUBERNETES_JKS_DEFAULT_ALIAS
Specifies the default alias, where the certificate will be placed in a Java Key Store. Can be overwritten by specifying one in the JKS Configuration.
main
KUBERNETES_JKS_DEFAULT_PASSWORD
Default Password that encrypts the Java Key Store. Can be overwritten by specifying one in the JKS Configuration.
changeit
KUBERNETES_JKS_DEFAULT_SECRET_KEY_NAME
Specifies the default key name inside the generated secret where the keystore is placed. Can be overwritten by specifying one in the JKS Configuration.
key.jks
Previous
Change Detection
Next
Self Signed Certificates
Last modified 2yr ago
Copy link
Contents
Static Vault Token
Kubernetes Service Account authentication
Configuration of Vault-CRD