Inject license via Hashicorp Vault Agent Annotations | HiveMQ Platform Operator (new)

The Vault Agent Sidecar Injector service uses the sidecar container pattern and a Kubernetes mutating admission webhook to intercept pods that define specific annotations and inject a Vault Agent container to manage their secrets.

This is beneficial because:

  • Applications remain unaware of Vault, because the secrets are stored on the file system in their container.

  • Existing deployments require no change, because annotations can be patched.

  • Access to secrets can be enforced via Kubernetes service accounts and namespaces.

In this tutorial, you set up Vault and this injector service with the Vault Helm chart. You then deploy several applications to demonstrate how the injector service retrieves and writes these secrets for the applications to use.

Prerequisites

These instructions require the following tools on the local machine:

  • Kubernetes command-line interface (CLI)

  • Helm CLI

The kubectl context should be set to the Kubernetes cluster where the HiveMQ broker will be installed.

 Instructions

Install the Hashicorp Vault Helm Chart

  1. Add the HashiCorp Helm repository.

    helm repo add hashicorp https://helm.releases.hashicorp.com
  2. Update all the repositories to ensure Helm is aware of the latest versions.

    helm repo update hashicorp
  3. Install the latest version of the Hashicorp Vault server running in development mode.
    Development mode: A HashiCorp Vault server running in development mode is automatically initialized and unsealed. This is ideal in a learning environment but NOT recommended for a production environment.

    helm install vault hashicorp/vault --set "server.dev.enabled=true"

    The Vault pod and the Vault Agent Injector pod are deployed in the default namespace.

  4. Display all the pods in the default namespace.

    The vault-0 pod runs a Vault server in development mode. The vault-agent-injector pod performs the injection based on the annotations present or patched on a deployment.

  5. Wait until the vault-0 pod and vault-agent-injector pod are running and ready (1/1).

Set a secret in Hashicorp Vault

  1. Copy the hivemq-license file to the vault-0 pod.

  2. Verify that the file is copied.

  3. Start an interactive shell session on the vault-0 pod.

     


    Your system prompt is replaced with a new prompt / $. Commands issued at this prompt are executed on the vault-0 container.

  4. Enable kv-v2 secrets at the path hivemq.

  5. Create a secret at the path hivemq/test/license with the key hivemq_license_b64 and the base64-encoded content of the /tmp/hivemq4.lic file as its value.

  6. Verify that the secret is defined at the path hivemq/test/license.

    The secret is ready for the application.

  7. Lastly, exit the vault-0 pod.

Configure Kubernetes authentication

Hashicorp Vault provides a Kubernetes authentication method that enables clients to authenticate with a Kubernetes Service Account Token. This token is provided to each pod when it is created.

  1. Start an interactive shell session on the vault-0 pod.

     


    Your system prompt is replaced with a new prompt / $. Commands issued at this prompt are executed on the vault-0 container.

  2. Enable the Kubernetes authentication method.

    Hashicorp Vault accepts a service token from any client in the Kubernetes cluster. During authentication, Hashicorp Vault verifies that the service account token is valid by querying a token review Kubernetes endpoint.

  3. Configure the Kubernetes authentication method to use the location of the Kubernetes API.

    Note: For the best compatibility with recent Kubernetes versions, ensure you are using Hashicorp Vault v1.13.3 or greater.

    Successful output from the command resembles this example:

    The environment variable KUBERNETES_PORT_443_TCP_ADDR is defined and references the internal network address of the Kubernetes host.

  4. For a client to read the secret data defined at hivemq/test/license, the read capability must be granted for the path hivemq/data/test/license. A policy defines a set of capabilities.

  5. Write out the policy named hivemq that enables the read capability for secrets at path hivemq/data/test/license.

  6. Create a Kubernetes authentication role named hivemq.

    Successful output from the command resembles this example:

    The role connects the Kubernetes service account, hivemq-platform-pod-broker, and namespace, hivemq, with the Hashicorp Vault policy, hivemq. The tokens returned after authentication are valid for 24 hours.

  7. Lastly, exit the vault-0 pod.
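The Vault-side configuration described in the steps above, as an added example that is not part of the original page. The mount, secret path, policy, role, service account and namespace names are the tutorial's; the helper function names and the `apply` argument are this example's own convention.

```shell
#!/bin/sh
# Added example: Kubernetes auth, policy and role for the HiveMQ license secret.
MOUNT=hivemq
SECRET=test/license
POLICY=hivemq
ROLE=hivemq
SA=hivemq-platform-pod-broker
NS=hivemq

# kv-v2 serves secret data under <mount>/data/<path>, so the policy path
# differs from the path used when the secret was written.
kv2_policy_path() {
  printf '%s/data/%s' "$1" "$2"
}

# Emit a policy that grants only "read" on the single license secret.
render_policy() {
  cat <<EOF
path "$(kv2_policy_path "$1" "$2")" {
  capabilities = ["read"]
}
EOF
}

# Intended for the interactive shell session on the vault-0 pod.
configure_vault() {
  vault auth enable kubernetes
  vault write auth/kubernetes/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
  render_policy "$MOUNT" "$SECRET" | vault policy write "$POLICY" -
  # Bind the role to one service account in one namespace; tokens last 24 hours.
  vault write "auth/kubernetes/role/$ROLE" \
    bound_service_account_names="$SA" \
    bound_service_account_namespaces="$NS" \
    policies="$POLICY" \
    ttl=24h
}

# Apply only when asked, so the policy can be inspected without touching Vault.
if [ "${1:-}" = "apply" ]; then
  configure_vault
fi
```

Binding the role to a single service account name and namespace keeps any other workload in the cluster from obtaining a token that can read the license.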

Inject secrets into the pods

  1. If you do not have a values.yaml file yet, you can get the latest version from the Helm chart repository and store it as a file:

  2. Edit the values-hivemq-platform-with-annotations.yaml file. Add annotations to the HiveMQ Pods.

  3. (Re)install HiveMQ.

  4. Get all the pods in the hivemq namespace.

    Wait until the re-deployed hivemq pod reports that it is Running and ready (2/2).

    This new pod now launches two containers: the application container, named hivemq, and the HashiCorp Vault Agent container, named vault-agent.

  5. Display the logs of the vault-agent container in the new hivemq pod.

    Hashicorp Vault Agent manages the token lifecycle and the secret retrieval. The secret is rendered in the hivemq container at the path /opt/hivemq/license/.

  6. Display the secret written to the hivemq container.

    The base64-decoded secret data is present on the container.
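Pod annotations that would produce the result described in the steps above, as an added example that is not taken from the original page or the HiveMQ chart. It uses the role hivemq, the secret path hivemq/data/test/license and the key hivemq_license_b64 from this tutorial; the `nodes.annotations` location in the values file and the file name license.lic are assumptions.

```yaml
# Added example. Assumption: the chart exposes pod annotations under nodes.annotations.
nodes:
  annotations:
    # Opt this pod in to the Vault Agent mutating webhook.
    vault.hashicorp.com/agent-inject: "true"
    # Vault Kubernetes auth role created earlier; it is bound to the
    # hivemq-platform-pod-broker service account in the hivemq namespace.
    vault.hashicorp.com/role: "hivemq"
    # Directory for rendered secrets (the injector default is /vault/secrets).
    vault.hashicorp.com/secret-volume-path: "/opt/hivemq/license"
    # The suffix after "agent-inject-secret-" becomes the file name (assumed: license.lic).
    # The value is the kv-v2 API path, including the data/ segment.
    vault.hashicorp.com/agent-inject-secret-license.lic: "hivemq/data/test/license"
    # Render only the decoded license instead of the whole secret map.
    vault.hashicorp.com/agent-inject-template-license.lic: |
      {{- with secret "hivemq/data/test/license" -}}
      {{ .Data.data.hivemq_license_b64 | base64Decode }}
      {{- end }}
```

The template reads only the one key the policy allows, so a pod running under a different service account or in a different namespace fails authentication against the hivemq role and receives no rendered file.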

 Related articles

Manage secrets by injecting a Vault Agent container | Vault | HashiCorp Developer