mirrors/90DaysOfDevOps
1
0
Fork 0
mirror of https://github.com/MichaelCade/90DaysOfDevOps.git synced 2024-12-22 22:23:14 +07:00
Code Issues Packages Projects Releases Wiki Activity

completed day 39 - secrets management

Browse Source
This commit is contained in:
MichaelCade 2023-07-21 10:37:01 +01:00
parent 0ebcb9c1cb
commit 9eaf9c82fa
5 changed files with 46 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
2023.md
View File

@ -90,7 +90,7 @@ Or contact us via Twitter, my handle is [@MichaelCade1](https://twitter.com/Mich
- [✔️] 🕵 36 > [Securing Secrets with HashiCorp Vault](2023/day36.md) - [✔️] 🕵 36 > [Securing Secrets with HashiCorp Vault](2023/day36.md)
- [✔️] 🕵 37 > [Working with HashiCorp Vault's Secrets Engines](2023/day37.md) - [✔️] 🕵 37 > [Working with HashiCorp Vault's Secrets Engines](2023/day37.md)
- [✔️] 🕵 38 > [Increase the Security Posture of Your Organization with Dynamic Credentials](2023/day38.md) - [✔️] 🕵 38 > [Increase the Security Posture of Your Organization with Dynamic Credentials](2023/day38.md)
- [] 🕵 39 > [](2023/day39.md) - [✔️] 🕵 39 > [Getting Hands-On with HashiCorp Vault](2023/day39.md)
- [] 🕵 40 > [](2023/day40.md) - [] 🕵 40 > [](2023/day40.md)
- [] 🕵 41 > [](2023/day41.md) - [] 🕵 41 > [](2023/day41.md)

48
2023/day39.md
View File

@ -136,17 +136,35 @@ We must now exec into our vault-0 pod to enable the secret engine.
`vault secrets enable -path=secret kv-v2` `vault secrets enable -path=secret kv-v2`
## Creating a new secret for our app
`vault kv put secret/devwebapp/config username='giraffe' password='salsa'` As a simple test we want to create an application in its own namespace within our Kubernetes cluster to then communicate with vault in its own namespace.
This is one thing that is not defined in the tutorial linked, and I wanted to provide a bit more real life use case because yes the default namespace can be used but that doesn't mean it should be.
`vault kv put secret/devwebapp/config username='90DaysOfDevOps' password='90DaysOfDevOps'`
We can confirm what we have just created with the following command:
`vault kv get secret/devwebapp/config` `vault kv get secret/devwebapp/config`
You can see the above commands ran in my terminal below.
![](images/day39-8.png)
Next we need to enable the Kubernetes authentication method.
`vault auth enable kubernetes` `vault auth enable kubernetes`
Configure the Kubernetes authentication method to use the location of the Kubernetes API.
``` ```
vault write auth/kubernetes/config \ vault write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
``` ```
We can now create our policy named devwebapp that enables the read capability for secrets at path secret/data/devwebapp/config
``` ```
vault policy write devwebapp - <<EOF vault policy write devwebapp - <<EOF
path "secret/data/devwebapp/config" { path "secret/data/devwebapp/config" {
@ -155,20 +173,33 @@ path "secret/data/devwebapp/config" {
EOF EOF
``` ```
Create a Kubernetes authentication role named devweb-app, this has been taken from the tutorial from Hashicorp but notice that we define a namespace other than default.
``` ```
vault write auth/kubernetes/role/devweb-app \ vault write auth/kubernetes/role/devweb-app \
bound_service_account_names=internal-app \ bound_service_account_names=internal-app \
bound_service_account_namespaces=default \ bound_service_account_namespaces=webdevapp \
policies=devwebapp \ policies=devwebapp \
ttl=24h ttl=24h
``` ```
Now we can exit our vault-0 pod.
`exit` `exit`
`kubectl create ns webdevapp` ## Deploying our Application
As mentioned now back into our Kubernetes cluster, it is time to create and deploy our application to complete this demo.
Firstly, create the application namespace with
`kubectl create ns devwebapp`
We will now create our serviceaccount.
`kubectl create sa internal-app -n devwebapp` `kubectl create sa internal-app -n devwebapp`
Now for our application, we will create the following yaml file and you will find this in the day39 folder.
``` ```
cat > devwebapp.yaml <<EOF cat > devwebapp.yaml <<EOF
--- ---
@ -189,9 +220,20 @@ spec:
image: jweissig/app:0.0.1 image: jweissig/app:0.0.1
EOF EOF
``` ```
We will be deploying this to our newly created namespace with the following command.
`kubectl create -f devwebapp.yaml -n devwebapp` `kubectl create -f devwebapp.yaml -n devwebapp`
Check the status of the pods.
`kubectl get pods -n devwebapp` `kubectl get pods -n devwebapp`
Finally we can confirm that we have the correct credentials stored in our app.
`kubectl exec --stdin=true --tty=true devwebapp -n devwebapp -c devwebapp -- cat /vault/secrets/credentials.txt` `kubectl exec --stdin=true --tty=true devwebapp -n devwebapp -c devwebapp -- cat /vault/secrets/credentials.txt`
Confirmation of this can be seen below, but hopefully you are seeing the same output as I have got below.
![](images/day39-9.png)
See you on [Day 40](day40.md)

34
2023/day39/deployment-01-webapp.yml
View File

@ -1,34 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: webapp
labels:
app: webapp
spec:
replicas: 1
selector:
matchLabels:
app: webapp
template:
metadata:
labels:
app: webapp
spec:
serviceAccountName: vault
containers:
- name: app
image: hashieducation/simple-vault-client:latest
imagePullPolicy: Always
env:
- name: VAULT_ADDR
value: 'http://vault.vault.svc.cluster.local:8200/'
- name: JWT_PATH
value: '/var/run/secrets/kubernetes.io/serviceaccount/token'
- name: SERVICE_PORT
value: '8080'

BIN
2023/images/day39-8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 189 KiB

BIN
2023/images/day39-9.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 433 KiB