Versions Compared

Version Old Version 11 New Version 12
Changes made by

Daria Samkova

Daria Samkova

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Copy the hivemq-license file to the vault-0 pod.

    Code Block
    languagebash
    $ kubectl cp hivemq.lic pod/vault-0:/tmp/

  2. Verify that the file is copied.

    Code Block
    languagebash
    $ kubectl exec -it vault-0 -- ls /tmp

  3. Start an interactive shell session on the vault-0 pod.

    Code Block
    languagebash
    $ kubectl exec -it vault-0 -- /bin/sh
/ $

    Your system prompt is replaced with a new prompt / $. Commands issued at this prompt are executed on the vault-0 container.

  4. Enable kv-v2 secrets at the path hivemq.

    Code Block
    languagebash
    $ vault secrets enable -path=hivemq kv-v2
Success! Enabled the kv-v2 secrets engine at: hivemq/

  5. Create a secret at path hivemq/myenv/license with a hivemq_license_b64 key and base64-encoded /tmp/hivemq.lic file.

    Code Block
    languagebash
    $ cd /tmp
$ vault kv put hivemq/myenv/license hivemq_license_b64="$(base64 -w 0 hivemq.lic)"
====== Secret Path ======
hivemq/data/myenv/license

======= Metadata =======
Key                Value
---                -----
created_time       2024-02-21T17:34:39.261249639Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

  6. Verify that the secret is defined at the path internalhivemq/databasemyenv/configlicense.

    Code Block
    languagebash
    $ vault kv get hivemq/myenv/license
====== Secret Path ======
hivemq/data/myenv/license

======= Metadata =======
Key                Value
---                -----
created_time       2024-02-21T14:57:01.446984026Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

========= Data =========
Key                 Value
---                 -----
hivemq_license_b64  SCFNUSRbM10.......

    The secret is ready for the application.

  7. Lastly, exit the vault-0 pod.

    Code Block
    languagebash
    $ exit

...

  1. Start an interactive shell session on the vault-0 pod.

    Code Block
    languagebash
    $ kubectl exec -it vault-0 -- /bin/sh
/ $

    Your system prompt is replaced with a new prompt / $. Commands issued at this prompt are executed on the vault-0 container.

  2. Enable the Kubernetes authentication method.

    Code Block
    languagebash
    $ vault auth enable kubernetes
Success! Enabled kubernetes auth method at: kubernetes/

    Vault accepts a service token from any client in the Kubernetes cluster. During authentication, Vault verifies that the service account token is valid by querying a token review Kubernetes endpoint.

  3. Configure the Kubernetes authentication method to use the location of the Kubernetes API.

    Note: For the best compatibility with recent Kubernetes versions, ensure you are using Vault v1.13.3 or greater.

    Code Block
    languagebash
    $ vault write auth/kubernetes/config \
      kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"

    Successful output from the command resembles this example:

    Code Block
    languagetext
    Success! Data written to: auth/kubernetes/config

    The environment variable KUBERNETES_PORT_443_TCP_ADDR is defined and references the internal network address of the Kubernetes host.

    For a client to read the secret data defined at hivemq/myenv/license, requires that the read capability be granted for the path hivemq/data/myenv/license. This is an example of a policy. A policy defines a set of capabilities.

  4. Write out the policy named hivemq that enables the read capability for secrets at path internalhivemq/data/databasemyenv/configlicense.

    Code Block
    languagebash
    $ vault policy write hivemq - <<EOF
path "internalhivemq/data/databasemyenv/configlicense" {
   capabilities = ["read"]
}
EOF

  5. Create a Kubernetes authentication role named hivemq.

    Code Block
    languagebash
    $ vault write auth/kubernetes/role/hivemq \
      bound_service_account_names=hivemq-hivemq-operator-hivemq \
      bound_service_account_namespaces=hivemq \
      policies=hivemq \
      ttl=24h

    Successful output from the command resembles this example:

    Code Block
    languagetext
    Success! Data written to: auth/kubernetes/role/hivemq

    The role connects the Kubernetes service account, hivemq-hivemq-operator-hivemq, and namespace, hivemq, with the Vault policy, hivemq. The tokens returned after authentication are valid for 24 hours.

  6. Lastly, exit the vault-0 pod.

    Code Block
    languagebash
    $ exit

...

  1. If you do not have values.yaml file yet, you can get the latest version from the Helm chart repository and store it as a file, for example, values-hivemq.yaml:

    Code Block
    languagebash
    helm show values hivemq/hivemq-operator > values-hivemq.yaml

  2. Edit the values-hivemq.yaml file. Add annotations to the hivemq pods.

    Code Block
    languageyaml
    hivemq:
  # Annotations to add to the HiveMQ Pods
  podAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "hivemq"
    vault.hashicorp.com/agent-inject-status: 'update'
    vault.hashicorp.com/agent-inject-secret-hivemq.lic: "hivemq/data/myenv/license"
    vault.hashicorp.com/secret-volume-path-hivemq.lic: "/opt/hivemq/license/"
    vault.hashicorp.com/agent-inject-template-hivemq.lic: |
      {{- with secret \"hivemq/data/myenv/license\" -}}
      {{- $hivemq_broker_license := base64Decode .Data.data.hivemq_license_b64 -}}
      {{- $hivemq_broker_license -}}
      {{- end -}}

  3. (Re)install hivemq

    Code Block
    languagebash
    helm upgrade hivemq --install hivemq/hivemq-operator -n hivemq -f values-hivemq.yaml

  4. Get all the pods in the hivemq namespace.

    Code Block
    $ kubectl get pods -n hivemq
NAME                                    READY   STATUS     RESTARTS   AGE
hivemq-599cb74d9c-s8hhm                 0/2     Init:0/1   0          23s
hivemq-69697d9598-l878s                 1/1     Running    0          20m
vault-0                                 1/1     Running    0          78m
vault-agent-injector-5945fb98b5-tpglz   1/1     Running    0          78m

    Wait until the re-deployed hivemq pod reports that it is Running and ready (2/2).

    This new pod now launches two containers. The application container, named hivemq, and the Vault Agent container, named vault-agent.

  5. Display the logs of the vault-agent container in the new orgchart hivemq pod.

    Code Block
    languagebash
    $ kubectl logs \
      $(kubectl get pod -l app=hivemq -o jsonpath="{.items[0].metadata.name}") \
      --container vault-agent

    Vault Agent manages the token lifecycle and the secret retrieval. The secret is rendered in the hivemq container at the path /opt/hivemq/license/.

  6. Display the secret written to the hivemq container.

    Code Block
    languagebash
    $ kubectl exec \
      $(kubectl get pod -l app=hivemq -o jsonpath="{.items[0].metadata.name}") \
      --container hivemq -- cat /opt/hivemq/license/hivemq.lic

    The base64-decoded secret data is present on the container (smile)

...