woose/90DaysOfDevOps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixing and adding day39 brief steps

Browse Source
This commit is contained in:
MichaelCade 2023-07-21 10:09:09 +01:00
parent f669aaceae
commit 0ebcb9c1cb
5 changed files with 47 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
.DS_Store vendored
View File

Binary file not shown.

109
2023/day39.md
View File

@ -131,122 +131,67 @@ We must now exec into our vault-0 pod to enable the secret engine.
`kubectl exec --stdin=true --tty=true vault-0 -n vault -- /bin/sh` `kubectl exec --stdin=true --tty=true vault-0 -n vault -- /bin/sh`
We will now have to authenticate and login using `vault login` and provide the token we discovered with root_token in a previous step.
![](images/day39-7.png) ![](images/day39-7.png)
We will now run the following commands the first will enable the secret engine and the second will create secret at the path.
``` `vault secrets enable -path=secret kv-v2`
vault secrets enable -path=secret kv-v2
vault kv put secret/webapp/config username="static-user" password="static-password"
```
You can then verify with the following command `vault kv put secret/devwebapp/config username='giraffe' password='salsa'`
`vault kv get secret/webapp/config` `vault kv get secret/devwebapp/config`
So far we have used our root token this root user can peform any operation at any path and as you can expect best practices states that we dont or should not use this account other than initial setup and configuration.
You should still be in your vault-0 pod. We are going to enable the Kubernetes authentication method with the following command:
`vault auth enable kubernetes` `vault auth enable kubernetes`
***Vault accepts this service token from any client within the Kubernetes cluster. During authentication, Vault verifies that the service account token is valid by querying a configured Kubernetes endpoint.***
Next we need to configure the Kubernetes authentication method to use the location of the Kubernetes API.
``` ```
vault write auth/kubernetes/config \ vault write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
``` ```
## Creating a Vault Policy
For a client or application to access the secret data defined, at secret/webapp/config, requires that the read capability be granted for the path secret/data/webapp/config.
``` ```
vault policy write webapp - <<EOF vault policy write devwebapp - <<EOF
path "secret/data/webapp/config" { path "secret/data/devwebapp/config" {
capabilities = ["read"] capabilities = ["read"]
} }
EOF EOF
``` ```
Our Application shortly will be defined as webapp
With the following command we will create a kubernetes authentication role
``` ```
vault write auth/kubernetes/role/webapp \ vault write auth/kubernetes/role/devweb-app \
bound_service_account_names=vault \ bound_service_account_names=internal-app \
bound_service_account_namespaces=webapp \ bound_service_account_namespaces=default \
policies=webapp \ policies=devwebapp \
ttl=24h ttl=24h
``` ```
now `exit` from the vault-0 pod and back to the local machine. `exit`
## Deploying our Application `kubectl create ns webdevapp`
I am again going to be using the web app that is used in the HashiCorp tutorial mentioned earlier. `kubectl create sa internal-app -n devwebapp`
We will create a deployment yaml that looks like the following.
``` ```
cat > devwebapp.yaml <<EOF
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: Pod
metadata: metadata:
name: vault name: devwebapp
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: webapp
labels: labels:
app: webapp app: devwebapp
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "devweb-app"
vault.hashicorp.com/agent-inject-secret-credentials.txt: "secret/data/devwebapp/config"
spec: spec:
replicas: 1 serviceAccountName: internal-app
selector:
matchLabels:
app: webapp
template:
metadata:
labels:
app: webapp
spec:
serviceAccountName: vault
containers: containers:
- name: app - name: devwebapp
image: hashieducation/simple-vault-client:latest image: jweissig/app:0.0.1
imagePullPolicy: Always EOF
env:
- name: VAULT_ADDR
value: 'http://vault.vault.svc.cluster.local:8200/'
- name: JWT_PATH
value: '/var/run/secrets/kubernetes.io/serviceaccount/token'
- name: SERVICE_PORT
value: '8080'
``` ```
`kubectl create -f devwebapp.yaml -n devwebapp`
Create the webapp namespace `kubectl get pods -n devwebapp`
`kubectl create ns webapp` `kubectl exec --stdin=true --tty=true devwebapp -n devwebapp -c devwebapp -- cat /vault/secrets/credentials.txt`
Our YAML consists of our simple web app and the service account.
`kubectl create -f deployment-01-webapp.yml -n webapp`
I also want to note that the helm chart for vault will deploy
You can check that the authentication has worked by checking pods in the webapp namespace, if they are not in a running state or not there at all then something is not right as this is communicating with vault to make sure that this service is running.
Once the pod is running, we need to port forward our webapp
Find the pod name and then port forward that.
```
kubectl get pods -n webapp
kubectl port-forward <PODNAME> -n webapp 8080:8080
```

6
2023/day39/cluster-keys.json
View File

@ -1,9 +1,9 @@
{ {
"unseal_keys_b64": [ "unseal_keys_b64": [
"qZiqjl0/r8zgnoCU8j9tdr5eN8W56rXb6xFpGmGumUs=" "s/zg7van3BR5U55FXJchQCZrA5IRA2mLAwVklF/lExM="
], ],
"unseal_keys_hex": [ "unseal_keys_hex": [
"a998aa8e5d3fafcce09e8094f23f6d76be5e37c5b9eab5dbeb11691a61ae994b" "b3fce0eef6a7dc1479539e455c972140266b03921103698b030564945fe51313"
], ],
"unseal_shares": 1, "unseal_shares": 1,
"unseal_threshold": 1, "unseal_threshold": 1,
@ -11,5 +11,5 @@
"recovery_keys_hex": [], "recovery_keys_hex": [],
"recovery_keys_shares": 0, "recovery_keys_shares": 0,
"recovery_keys_threshold": 0, "recovery_keys_threshold": 0,
"root_token": "hvs.SyXEwWlOzmBnQxe4xr6r337P" "root_token": "hvs.p1rm1RK7193dXelo4q3wSjDu"
} }

2
2023/day39/deployment-01-webapp.yml
View File

@ -3,13 +3,11 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: vault name: vault
namespace: webapp
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: webapp name: webapp
namespace: webapp
labels: labels:
app: webapp app: webapp
spec: spec:

16
2023/day39/devwebapp.yaml Normal file
View File

@ -0,0 +1,16 @@
---
apiVersion: v1
kind: Pod
metadata:
name: devwebapp
labels:
app: devwebapp
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "devweb-app"
vault.hashicorp.com/agent-inject-secret-credentials.txt: "secret/data/devwebapp/config"
spec:
serviceAccountName: internal-app
containers:
- name: devwebapp
image: jweissig/app:0.0.1