Using HashiCorp Vault for storing secrets
HashiCorp Vault
Configure storage of secrets and access to them in a Yandex Managed Service for Kubernetes cluster using a Yandex Cloud Marketplace product called HashiCorp Vault with Key Management Service support.
This guide describes an example of mounting a secret from HashiCorp Vault using a Container Storage Interface
To enable access to a secret in a Managed Service for Kubernetes cluster using HashiCorp Vault:
- Prepare your cloud.
- Install HashiCorp Vault.
- Log in to HashiCorp Vault.
- Create a secret.
- Configure the Kubernetes authentication method.
- Install the SCI driver for a secret storage.
- Create the SecretProviderClass resource.
- Create a pod with a mounted secret.
If you no longer need the resources you created, delete them.
Prepare your cloud
-
Create a Kubernetes cluster and node group.
ManuallyUsing Terraform-
If you do not have a network yet, create one.
-
If you do not have any subnets yet, create them in the availability zones where your Kubernetes cluster and node group will be created.
-
- Service account with the
k8s.clusters.agent
andvpc.publicAdmin
roles for the folder where the Kubernetes cluster is created. This service account will be used to create the resources required for the Kubernetes cluster. - Service account with the container-registry.images.puller role. Nodes will pull the required Docker images from the registry on behalf of this account.
Tip
You can use the same service account to manage your Kubernetes cluster and its node groups.
- Service account with the
-
Create security groups for the Managed Service for Kubernetes cluster and its node groups.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
-
Create a Kubernetes cluster and a node group in any suitable configuration. When creating it, specify the security groups prepared earlier.
-
If you do not have Terraform yet, install it.
-
Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
-
Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it
. -
Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
-
Download the k8s-cluster.tf
cluster configuration file to the same working directory. The file describes:-
Kubernetes cluster.
-
Service account required to use the Managed Service for Kubernetes cluster and node group.
-
Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
-
In
k8s-cluster.tf
, specify:- Folder ID.
- Kubernetes version for the Kubernetes cluster and node groups.
- Kubernetes cluster CIDR.
- Name of the Managed Service for Kubernetes cluster service account.
-
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console
. -
-
-
Install kubectl
and configure it to work with the created cluster.
Install HashiCorp Vault
Install HashiCorp Vault using Helm and initialize the vault according to the guide. In the installation command, specify the hcv
namespace and add parameters to activate the Vault CSI provider
--namespace hcv \
--set "injector.enabled=false" \
--set "csi.enabled=true"
Log in to HashiCorp Vault
-
Run a session of the HashiCorp Vault interactive shell for the
hashicorp-vault-0
pod.kubectl exec -it hashicorp-vault-0 \ --namespace hcv \ -- /bin/sh
-
Print (unseal)
the storage.vault operator unseal
Enter one of the recovery keys (
Recovery Key
) obtained during storage initialization. -
Log in to HashiCorp Vault using the root token:
vault login
Enter the root token (
Initial Root Token
) obtained during storage initialization.
Create a secret
-
Enable the
kv
secret mechanism at thesecret
path:vault secrets enable -path=secret kv
-
Create a secret at the
secret/db-pass
path. Specify a password as a secret:vault kv put secret/db-pass password="12345678"
-
Make sure that the secret is available for reading at the
secret/db-pass
path:vault kv get secret/db-pass
Result:
====== Data ====== Key Value --- ----- password 12345678
Configure the Kubernetes authentication method
This method will allow you to log in using a token of a Kubernetes service account.
-
Enable the Kubernetes authentication method:
vault auth enable kubernetes
-
Configure authentication with Kubernetes API address:
vault write auth/kubernetes/config \ kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
The
KUBERNETES_PORT_443_TCP_ADDR
environment variable refers to the internal network address of the Kubernetes node. -
Create the
internal-app
policy that will allow the Kubernetes service account to read the previously created secret:vault policy write internal-app - <<EOF path "secret/db-pass" { capabilities = ["read"] } EOF
-
Create the
database
role that will link theinternal-app
policy to thewebapp-sa
Kubernetes service account (you will create it later):vault write auth/kubernetes/role/database \ bound_service_account_names=webapp-sa \ bound_service_account_namespaces=hcv \ policies=internal-app \ ttl=20m
Tokens returned after authentication will be valid for 20 minutes.
-
Exit HashiCorp Vault:
exit
Install the SCI driver for a secret storage
-
Add a Helm repository named
secrets-store-csi-driver
:helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
-
Install the SCI driver:
helm install csi secrets-store-csi-driver/secrets-store-csi-driver \ --namespace=hcv \ --set syncSecret.enabled=true
-
Make sure that the driver is running and ready:
kubectl get pods -n hcv -l "app=secrets-store-csi-driver"
Result:
NAME READY STATUS RESTARTS AGE csi-secrets-store-csi-driver-nbxcd 3/3 Running 0 4m28s
Create the SecretProviderClass resource
-
Create a file named
spc-vault-database.yaml
with settings to be transmitted to the CSI provider:spc-vault-database.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: vault-database spec: provider: vault parameters: vaultAddress: "http://hashicorp-vault.hcv:8200" roleName: "database" objects: | - objectName: "db-password" secretPath: "secret/db-pass" secretKey: "password"
-
Create the
SecretProviderClass
resource:kubectl apply -f spc-vault-database.yaml -n hcv
Create a pod with a mounted secret
-
Create a service account named
webapp-sa
in the Kubernetes cluster:kubectl create serviceaccount webapp-sa \ --namespace hcv
-
Create a file named
webapp-pod.yaml
containing thewebapp
pod configuration:spc-vault-database.yaml
kind: Pod apiVersion: v1 metadata: name: webapp spec: serviceAccountName: webapp-sa containers: - image: jweissig/app:0.0.1 name: webapp volumeMounts: - name: secrets-store-inline mountPath: "/mnt/secrets-store" readOnly: true volumes: - name: secrets-store-inline csi: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: secretProviderClass: "vault-database"
-
Create the
webapp
pod:kubectl apply -f webapp-pod.yaml -n hcv
-
Make sure that the
webapp
pod is running and ready:kubectl get pod webapp -n hcv
Result:
NAME READY STATUS RESTARTS AGE webapp 1/1 Running 0 5m25s
-
Display the secret password recorded in the file system at the
/mnt/secrets-store/db-password
path:kubectl exec webapp -n hcv -- cat /mnt/secrets-store/db-password
Result:
12345678
Delete the resources you created
Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them.
-
In the command line, go to the directory with the current Terraform configuration file with an infrastructure plan.
-
Delete the
k8s-cluster.tf
configuration file. -
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the resources described in the
k8s-cluster.tf
configuration file will be deleted. -