10.03.19

Using Hashicorp Vault on Kubernetes

By Gabriel Garrido

Introduction

In a previous article, we configured Vault with Consul on our cluster. Now, it’s time to go ahead and use it to provision secrets to our pods/applications. If you don’t remember the post or haven’t configured Vault yet, head to Getting Started with HashiCorp Vault on Kubernetes first.

In this article, we will create an example using mutual TLS and provision some secrets to our app. You can find the files used here in this repo.

Creating a Certificate for Our New Client

For this to work we first need to enable the kv secrets engine, version 1, at secret/. Then we create a secret and store it as a Kubernetes secret for our app. Note that the CA was created in the previous article, and we rely on those certificates so we can keep building on that setup.

A Service Account for Kubernetes

In Kubernetes, a service account provides an identity for processes that run in a pod so that processes can contact the API server.

Vault Policy

Next, we need to set a read-only policy for our secrets as we don’t want any apps to be able to write or rewrite them.

Kubernetes Configuration

Set the environment variables to point at the running Minikube environment, enable the Kubernetes authentication method, and then validate it from a temporary pod.
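The steps above (client certificate, kv version 1 at secret/, read-only policy, service account and the Kubernetes auth method) as one shell script. This is an added example, not the files from the original post or its repo: the app name "myapp", namespace "default", service account "vault-auth", policy "myapp-ro", Kubernetes secret "myapp-tls" and path secret/myapp/config are assumed names, the CA from the previous article is assumed to sit in the working directory as ca.crt and ca.key, and VAULT_ADDR, VAULT_CACERT, VAULT_CLIENT_CERT and VAULT_CLIENT_KEY are assumed to be exported so the vault CLI itself speaks mutual TLS to the server. The reviewer-JWT lookup relies on the per-service-account token secret that clusters before Kubernetes 1.24 created automatically, which matches the Minikube of the post.

```shell
#!/bin/sh
# Added example, not the post's own files. Assumed names: app "myapp", namespace
# "default", service account "vault-auth", policy "myapp-ro", Kubernetes secret
# "myapp-tls", secret path "secret/myapp/config". Expects ca.crt/ca.key in CWD and
# VAULT_ADDR/VAULT_CACERT/VAULT_CLIENT_CERT/VAULT_CLIENT_KEY in the environment.
set -eu

APP="${APP:-myapp}"
NAMESPACE="${NAMESPACE:-default}"
SA="${SA:-vault-auth}"

# 1. Client certificate signed by the existing CA, stored as one Kubernetes
#    secret (tls.crt, tls.key and ca.crt) that the app pod will mount.
make_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$APP" \
    -keyout client.key -out client.csr
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out client.crt
  kubectl -n "$NAMESPACE" create secret generic "$APP-tls" \
    --from-file=tls.crt=client.crt --from-file=tls.key=client.key \
    --from-file=ca.crt=ca.crt
}

# 2. Read-only policy: the app may read under its own prefix and nothing else.
render_policy() {
  cat <<EOF
path "secret/$1/*" {
  capabilities = ["read"]
}
EOF
}

# 3. Vault validates pod JWTs through the TokenReview API using this service
#    account, so the account needs the system:auth-delegator cluster role.
render_auth_delegator_binding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: $1
  namespace: $2
EOF
}

# Pre-1.24 clusters create a token Secret per service account; that token is
# the reviewer JWT Vault is configured with.
reviewer_jwt() {
  name=$(kubectl -n "$NAMESPACE" get sa "$SA" -o jsonpath='{.secrets[0].name}')
  kubectl -n "$NAMESPACE" get secret "$name" -o jsonpath='{.data.token}' | base64 -d
}

apply() {
  make_client_cert
  # kv v1 at secret/: consul-template then reads fields as .Data.<key>
  vault secrets enable -path=secret -version=1 kv
  vault kv put "secret/$APP/config" username=demo password=placeholder-change-me
  render_policy "$APP" | vault policy write "$APP-ro" -

  kubectl -n "$NAMESPACE" create serviceaccount "$SA"
  render_auth_delegator_binding "$SA" "$NAMESPACE" | kubectl apply -f -

  vault auth enable kubernetes
  vault write auth/kubernetes/config \
    token_reviewer_jwt="$(reviewer_jwt)" \
    kubernetes_host="https://$(minikube ip):8443" \
    kubernetes_ca_cert=@"$HOME/.minikube/ca.crt"
  # Bind the role to exactly one service account in one namespace, with a short TTL.
  vault write "auth/kubernetes/role/$APP" \
    bound_service_account_names="$SA" \
    bound_service_account_namespaces="$NAMESPACE" \
    policies="$APP-ro" ttl=1h
}

# 4. Validation from the workstation: the service account's JWT must log in and
#    receive a token whose policies are only myapp-ro (the exchange a pod performs).
validate() {
  vault write -format=json auth/kubernetes/login role="$APP" jwt="$(reviewer_jwt)"
}

case "${1:-}" in
  apply) apply ;;
  validate) validate ;;
esac
```

Run it as `sh setup.sh apply` against the cluster, then `sh setup.sh validate`; the login output should list `myapp-ro` as the only policy, which is the check that the role is not handing out broader access than intended.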

Deployment and the Consul-Template Configuration

The deployment mounts the volumes and secrets: the certificates we created at the start are loaded and used to fetch the secret data from Vault.

This is where the magic happens. The pod logs in with its role, the resulting token is stored there, and with it we are able to fetch the secrets.

And last but not least, we create a file, defined in the template provided, which our nginx container will later render on screen using Consul Template.
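The pod side of the section above as an added example, not the post's own manifest or template: an init-container step that trades the pod's service account JWT for a Vault token over mutual TLS, the Consul Template configuration that verifies the server against our CA and presents the client certificate, and the template nginx serves. Assumed names: role "myapp", path secret/myapp/config, the client certificate secret mounted at /etc/tls, the token handed over at /var/run/vault/.vault-token through a shared volume, and the rendered page at /usr/share/nginx/html/index.html. The template uses the kv version 1 layout (fields directly under .Data); kv version 2 would need .Data.data instead, which is why the previous section enabled version 1.

```shell
#!/bin/sh
# Added example, not the post's files. Assumed: role "myapp", client cert secret
# mounted at /etc/tls, token file on a volume shared between the init container
# and the consul-template container, nginx serving /usr/share/nginx/html.
set -eu

APP="${APP:-myapp}"
VAULT_ADDR="${VAULT_ADDR:-https://vault:8200}"
TOKEN_FILE="${TOKEN_FILE:-/var/run/vault/.vault-token}"
CT_DIR="${CT_DIR:-/etc/consul-template}"

# Init container: present the service account JWT over mutual TLS and keep only
# the client_token, readable by this pod alone.
fetch_token() {
  jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
  curl -sf --cacert /etc/tls/ca.crt --cert /etc/tls/tls.crt --key /etc/tls/tls.key \
    -X POST "$VAULT_ADDR/v1/auth/kubernetes/login" \
    -d "{\"role\":\"$APP\",\"jwt\":\"$jwt\"}" \
    | sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p' > "$TOKEN_FILE"
  chmod 0600 "$TOKEN_FILE"
}

# consul-template config: verify = true pins the server to our CA, and the cert/
# key pair means a token copied off the pod is useless without the client cert.
render_ct_config() {
  cat <<EOF
vault {
  address     = "$1"
  renew_token = true
  ssl {
    enabled = true
    verify  = true
    ca_cert = "/etc/tls/ca.crt"
    cert    = "/etc/tls/tls.crt"
    key     = "/etc/tls/tls.key"
  }
}

template {
  source      = "$CT_DIR/index.html.ctmpl"
  destination = "/usr/share/nginx/html/index.html"
  perms       = 0644
}
EOF
}

# Template for kv v1: fields sit directly under .Data.
render_template() {
  cat <<EOF
<html><body>
{{ with secret "secret/$1/config" }}
<p>username: {{ .Data.username }}</p>
<p>password: {{ .Data.password }}</p>
{{ end }}
</body></html>
EOF
}

# Main container entrypoint: consul-template takes the token from VAULT_TOKEN.
run_consul_template() {
  mkdir -p "$CT_DIR"
  render_ct_config "$VAULT_ADDR" > "$CT_DIR/config.hcl"
  render_template "$APP" > "$CT_DIR/index.html.ctmpl"
  VAULT_TOKEN=$(cat "$TOKEN_FILE")
  export VAULT_TOKEN
  exec consul-template -config="$CT_DIR/config.hcl"
}

case "${1:-}" in
  init) fetch_token ;;
  run)  run_consul_template ;;
esac
```

In the deployment the init container runs this script with `init` and the consul-template sidecar with `run`, both with the myapp-tls secret and the shared token volume mounted; the secret values are rendered into the page only inside the pod, and nothing but the rendered file reaches the nginx container.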

Let’s Test It

The last step is to test all of the above. After the files are deployed to Kubernetes, we should see something like this:

Closing Notes

This post was heavily inspired by this doc page and was originally posted here. The main difference though is that we have mutual Transport Layer Security (TLS) on, so the only thing left would be to auto unseal our Vault. But we will leave that for a future article or as an exercise for you, the reader.

Errata

If you spot any errors or have any suggestions, please send us a message so it gets fixed quickly.

Also, you can check the source code, and the changes to the generated code and sources, here.


Caylent provides a critical DevOps-as-a-Service function to high growth companies looking for expert support with Kubernetes, cloud security, cloud infrastructure, and CI/CD pipelines. Our managed and consulting services are a more cost-effective option than hiring in-house, and we scale as your team and company grow. Check out some of the use cases, learn how we work with clients, and read more about our DevOps-as-a-Service offering.