...

  1. Start an interactive shell session on the vault-0 pod.

    Code Block
    languagebash
    $ kubectl exec -it vault-0 -- /bin/sh
    
    / $


    Your shell prompt is replaced by the container's prompt, / $. Every command entered at this prompt runs inside the vault-0 container, not on your workstation.

  2. Enable the Kubernetes authentication method.

    Code Block
    languagebash
    $ vault auth enable kubernetes
    
    
    Code Block
    languagetext
    Success! Enabled kubernetes auth method at: kubernetes/

    With this method enabled, any client in the Kubernetes cluster can present its service account token (a JWT) to Hashicorp Vault. During authentication, Vault verifies that the service account token is valid by submitting it to the Kubernetes TokenReview API. Which service accounts are then allowed to log in, and which policies they receive, is decided by the roles you create in step 6.

  3. Configure the Kubernetes authentication method to use the location of the Kubernetes API.

    Note: For the best compatibility with recent Kubernetes versions, ensure you are using Hashicorp Vault v1.13.3 or greater.

    Code Block
    languagebash
    $ vault write auth/kubernetes/config \
          kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"

    Successful output from the command resembles this example:

    Code Block
    languagetext
    Success! Data written to: auth/kubernetes/config

    The environment variable KUBERNETES_PORT_443_TCP_ADDR is defined inside every pod and holds the cluster-internal address of the Kubernetes API server. Because Vault itself runs as a pod in this cluster, recent Vault versions use the pod's own service account token and the cluster CA bundle to call the TokenReview API, which is why no token_reviewer_jwt or kubernetes_ca_cert needs to be supplied here; a Vault running outside the cluster would need both.

  4. A client that needs to read the secret stored at hivemq/myenv/license must be granted the read capability on the path hivemq/data/myenv/license. The hivemq mount is a KV version 2 secrets engine, which exposes secret data under <mount>/data/<path>, so the path named in the policy differs from the logical path used with vault kv get. Such a grant is expressed as a policy; a policy defines a set of capabilities on one or more paths.

  5. Write out the policy named hivemq that enables the read capability for secrets at path hivemq/data/myenv/license.

    Code Block
    languagebash
    $ vault policy write hivemq - <<EOF
    path "hivemq/data/myenv/license" {
       capabilities = ["read"]
    }
    EOF
  6. Create a Kubernetes authentication role named hivemq.

    Code Block
    languagebash
    $ vault write auth/kubernetes/role/hivemq \
          bound_service_account_names=hivemq-hivemq-operator-hivemq \
          bound_service_account_namespaces=hivemq \
          policies=hivemq \
          ttl=24h

    Successful output from the command resembles this example:

    Code Block
    languagetext
    Success! Data written to: auth/kubernetes/role/hivemq

    The role connects the Kubernetes service account, hivemq-hivemq-operator-hivemq, in the namespace hivemq with the Hashicorp Vault policy hivemq. Only pods running as that service account in that namespace can log in with this role; a pod running as any other service account is rejected at login. The tokens returned after authentication are valid for 24 hours.

  7. Lastly, exit the vault-0 pod.

    Code Block
    languagebash
    $ exit
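    The Vault side of the procedure above (steps 2 to 6), as an added example that is not part of the original page or of HiveMQ's or HashiCorp's documentation. It derives the KV v2 policy path from the mount and the logical secret path instead of hand-typing it, makes the auth-method enable step safe to re-run, and reads the policy and role back so the grant can be reviewed before any pod uses it. It assumes a Vault CLI with VAULT_ADDR and VAULT_TOKEN set, the names used on this page (mount hivemq, policy and role hivemq, service account hivemq-hivemq-operator-hivemq in namespace hivemq); the function names and the RUN_AGAINST_VAULT switch are this example's own.

```bash
#!/usr/bin/env bash
# Added example: configure Vault's Kubernetes auth method, policy and role
# for HiveMQ (steps 2 to 6 above) in a re-runnable form. Not the page's code.
# Assumes VAULT_ADDR and VAULT_TOKEN are set and that "hivemq" is a KV v2 mount.
set -eu

# KV version 2 serves secret data under <mount>/data/<path>, so the policy for
# the logical path hivemq/myenv/license must name hivemq/data/myenv/license.
# Leading and trailing slashes are tolerated so the output is always canonical.
kv2_policy_path() {
  local mount="${1%/}" logical="${2#/}"
  printf '%s/data/%s\n' "$mount" "${logical%/}"
}

# Render a policy that grants read, and nothing else, on one KV v2 secret.
# The HCL is what "vault policy write hivemq -" receives on stdin below.
render_read_policy() {
  local data_path
  data_path="$(kv2_policy_path "$1" "$2")"
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$data_path"
}

# "vault auth enable" fails if the path is already mounted; check first so the
# whole configuration can be re-run.
enable_k8s_auth() {
  if vault auth list -format=json | grep -q '"kubernetes/"'; then
    echo "kubernetes auth method already enabled"
  else
    vault auth enable kubernetes
  fi
}

configure_vault_for_hivemq() {
  local mount=hivemq secret=myenv/license policy=hivemq role=hivemq
  local sa=hivemq-hivemq-operator-hivemq ns=hivemq ttl=24h

  enable_k8s_auth

  # Inside the vault-0 pod the API address comes from the service environment
  # variables; fail early if this is run anywhere else.
  vault write auth/kubernetes/config \
    kubernetes_host="https://${KUBERNETES_PORT_443_TCP_ADDR:?run inside the vault-0 pod}:443"

  render_read_policy "$mount" "$secret" | vault policy write "$policy" -

  # Bind the role to exactly one service account in one namespace. Never use
  # "*" here: it would let every pod in the cluster read the license.
  vault write "auth/kubernetes/role/${role}" \
    bound_service_account_names="$sa" \
    bound_service_account_namespaces="$ns" \
    policies="$policy" \
    ttl="$ttl"

  # Read back what was written so the grant can be reviewed before any pod
  # uses it: one path, read only, one bound service account.
  vault policy read "$policy"
  vault read "auth/kubernetes/role/${role}"
}

# Only talk to Vault when explicitly asked; the helper functions above can be
# exercised without a Vault server.
if [ -n "${RUN_AGAINST_VAULT:-}" ]; then
  configure_vault_for_hivemq
fi
```

    Run it from the vault-0 shell of step 1 with RUN_AGAINST_VAULT=1. The policy is piped in on stdin exactly as in step 5, and the two reads at the end show the policy and role as Vault stored them, which is what a reviewer should look at before the chart is deployed.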

Inject secrets into the pods

  1. If you do not have a values file for the chart yet, you can get the latest version from the Helm chart repository and store it as a file, for example, values-hivemq.yaml:

    Code Block
    languagebash
    helm show values hivemq/hivemq-operator > values-hivemq.yaml
  2. Edit values-hivemq.yaml and add the following annotations to the HiveMQ pods. They tell the Vault Agent injector to add a sidecar that logs in with the hivemq role from step 6 and renders the license secret into the pod.

    Code Block
    languageyaml
    hivemq:
      # Annotations to add to the HiveMQ Pods
      podAnnotations:
        # Request the Vault Agent sidecar and log in with the role created in step 6
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "hivemq"
        vault.hashicorp.com/agent-inject-status: 'update'
        # Render the KV v2 secret as the file hivemq.lic under /opt/hivemq/license/
        vault.hashicorp.com/agent-inject-secret-hivemq.lic: "hivemq/data/myenv/license"
        vault.hashicorp.com/secret-volume-path-hivemq.lic: "/opt/hivemq/license/"
        # Template: decode the base64 field so the file holds the raw license.
        # The path is quoted with plain double quotes; backslash-escaped quotes
        # are not valid inside a YAML block scalar and break the template.
        vault.hashicorp.com/agent-inject-template-hivemq.lic: |
          {{- with secret "hivemq/data/myenv/license" -}}
          {{- $hivemq_broker_license := base64Decode .Data.data.hivemq_license_b64 -}}
          {{- $hivemq_broker_license -}}
          {{- end -}}
  3. Install HiveMQ, or upgrade the existing release, with the edited values file.

    Code Block
    languagebash
    helm upgrade hivemq --install hivemq/hivemq-operator -n hivemq -f values-hivemq.yaml
  4. Get all the pods in the hivemq namespace.

    Code Block
    languagebash
    $ kubectl get pods --namespace hivemq
    
    Code Block
    languagetext
    NAME                                    READY   STATUS     RESTARTS   AGE
    hivemq-599cb74d9c-s8hhm                 0/2     Init:0/1   0          23s
    hivemq-69697d9598-l878s                 1/1     Running    0          20m
    vault-0                                 1/1     Running    0          78m
    vault-agent-injector-5945fb98b5-tpglz   1/1     Running    0          78m

    Wait until the re-deployed hivemq pod reports that it is Running and ready (2/2). While the pod shows Init:0/1, the injected vault-agent-init container is logging in to Vault and rendering the secret before the application container starts; a pod that stays in this state usually means the login was rejected, most often because the pod's service account or namespace does not match the role from step 6.

    This new pod launches two containers: the application container, named hivemq, and the Hashicorp Vault Agent container, named vault-agent.

  5. Display the logs of the vault-agent container in the new hivemq pod.

    Code Block
    languagebash
    $ kubectl logs \
          $(kubectl get pod -l app=hivemq -o jsonpath="{.items[0].metadata.name}") \
          --container vault-agent

    Hashicorp Vault Agent manages the token lifecycle and the secret retrieval, renewing the token and re-rendering the file when the secret changes. The secret is rendered into a volume shared with the hivemq container, at /opt/hivemq/license/hivemq.lic.

  6. Display the secret written to the hivemq container.

    Code Block
    languagebash
    $ kubectl exec \
          $(kubectl get pod -l app=hivemq -o jsonpath="{.items[0].metadata.name}") \
          --container hivemq -- cat /opt/hivemq/license/hivemq.lic

    The base64-decoded license is present in the container. Note that anyone who can run kubectl exec against this pod can read the file just as you did, so access to pods/exec in the hivemq namespace should be restricted by RBAC.
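    A post-deployment check for steps 4 to 6, as an added example that is not code from the page, from HiveMQ or from HashiCorp. It waits for the injected pod to become ready, cross-checks the service account the pod actually runs as against the role's bound_service_account_names (the mismatch behind most pods stuck at Init:0/1), and confirms that the rendered file exists and is non-empty. It assumes kubectl and vault on PATH with VAULT_ADDR and VAULT_TOKEN set, the app=hivemq label and the paths used above; the function names and the RUN_AGAINST_CLUSTER switch are this example's own.

```bash
#!/usr/bin/env bash
# Added example: verify that the Vault Agent injected the HiveMQ license into
# the running pod and explain the usual failure. Not the page's own code.
# Assumes kubectl and vault on PATH, VAULT_ADDR/VAULT_TOKEN set, label app=hivemq.
set -eu

# Vault stores bound_service_account_names as a list; "*" means any service
# account. BOUND is that list as a comma-separated string. Exit 0 if SA is allowed.
role_allows_sa() {
  local bound="$1" sa="$2"
  case ",${bound}," in
    *",*,"*|*",${sa},"*) return 0 ;;
  esac
  return 1
}

# Both containers (hivemq and vault-agent) must report ready. Until the
# vault-agent-init container has logged in and rendered the secret, the pod
# stays at Init:0/1, as in the kubectl get pods output above.
wait_for_injected_pod() {
  local ns="$1" pod="$2" i ready
  for i in $(seq 1 36); do
    ready="$(kubectl -n "$ns" get pod "$pod" \
      -o jsonpath='{.status.containerStatuses[*].ready}')"
    case "$ready" in
      "true true") return 0 ;;
      *) sleep 5 ;;
    esac
  done
  echo "pod $pod not ready; inspect: kubectl -n $ns logs $pod -c vault-agent-init" >&2
  return 1
}

verify_injection() {
  local ns=hivemq role=hivemq pod sa bound
  pod="$(kubectl -n "$ns" get pod -l app=hivemq \
    -o jsonpath='{.items[0].metadata.name}')"
  wait_for_injected_pod "$ns" "$pod"

  # The role only admits its bound service account; compare it with the
  # account the pod really runs as, which the chart, not the role, decides.
  sa="$(kubectl -n "$ns" get pod "$pod" -o jsonpath='{.spec.serviceAccountName}')"
  # JSON output looks like ["a","b"]; strip brackets, quotes and spaces.
  bound="$(vault read -format=json -field=bound_service_account_names \
    "auth/kubernetes/role/${role}" | tr -d '[]" ')"
  if ! role_allows_sa "$bound" "$sa"; then
    echo "role ${role} binds '${bound}' but pod ${pod} runs as '${sa}'" >&2
    return 1
  fi

  # The template writes the decoded license here; it must exist and be non-empty.
  kubectl -n "$ns" exec "$pod" -c hivemq -- test -s /opt/hivemq/license/hivemq.lic
  echo "license rendered in ${pod} (service account ${sa})"
}

# Only touch the cluster when explicitly asked, so the pure helper above can
# be exercised on its own.
if [ -n "${RUN_AGAINST_CLUSTER:-}" ]; then
  verify_injection
fi
```

    Run it with RUN_AGAINST_CLUSTER=1 after the helm upgrade. If the service-account check fails, fix the role's bound_service_account_names (or the chart's service account) rather than widening the binding to "*", which would let every pod in the cluster read the license.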

...