Overview
This guide will help you configure the Vault Secrets Operator (VSO) to use AppRole authentication instead of the Kubernetes auth method. This setup involves creating the necessary Vault configurations and Kubernetes resources to sync secrets.
Prerequisites
- A running Vault instance.
- Kubernetes cluster with kubectl and helm installed.
- Vault Secret Operator installed in your Kubernetes cluster.
Step-by-Step Guide
Install Vault Secrets Operator
1. Add HashiCorp Helm Repository and Update:
minikube-user@linux-kube-server:~$ helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
2. Create Vault Operator Values File: Create a file named vault-operator-values.yaml with the following content:
defaultVaultConnection:
  enabled: true
  address: <YOUR_VAULT_ADDR>
  skipTLSVerify: false
3. Install Vault Secrets Operator:
minikube-user@linux-kube-server:~$ helm install vault-secrets-operator hashicorp/vault-secrets-operator \
--version 0.1.0 -n vault-secrets-operator-system \
--create-namespace --values vault-operator-values.yaml
Configure AppRole Authentication in Vault
1. Enable AppRole Auth Method:
mahimasharma@mahimasharma-Q4P73QMXQ4 ~ % vault auth enable -path=approle-k8s approle
Success! Enabled approle auth method at: approle-k8s/
2. Create an AppRole with the Necessary Policy:
mahimasharma@mahimasharma-Q4P73QMXQ4 ~ % vault write auth/approle-k8s/role/vault-secrets-operator token_policies=hcp-root
Success! Data written to: auth/approle-k8s/role/vault-secrets-operator
3. Retrieve the AppRole Role ID:
mahimasharma@mahimasharma-Q4P73QMXQ4 ~ % vault read auth/approle-k8s/role/vault-secrets-operator/role-id
Key Value
--- -----
role_id fe36b-2f4f-d1f9-38a9-5c215e3b7
4. Create a Secret ID for the AppRole:
mahimasharma@mahimasharma-Q4P73QMXQ4 ~ % vault write -f auth/approle-k8s/role/vault-secrets-operator/secret-id
Key Value
--- -----
secret_id b06fff-e94b-8a67-b989-3c6a1f6aee
secret_id_accessor a3fb07-ad06-415f-2683-f34ad89849
secret_id_num_uses 0
secret_id_ttl 0s
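The role above is created with token_policies=hcp-root, which hands the operator full administrative rights in Vault. The script below is an added example (not from the original article and not HashiCorp's code): it writes a read-only policy scoped to the single kv-v2 path that VSO will sync later in this guide (vso-kvv2/data/webapp/config) and recreates the role with that policy instead of hcp-root. The policy name vso-webapp-read and the token TTL values are assumptions chosen for this example; run it with the argument apply while logged in to Vault, otherwise it only defines the functions.

```shell
#!/usr/bin/env sh
# Added example, not from the original article or HashiCorp's code: replace
# token_policies=hcp-root with a read-only policy scoped to the one kv-v2
# secret VSO syncs. Policy name and TTL values are assumptions.
set -eu

APPROLE_MOUNT="approle-k8s"          # auth mount enabled in the article
ROLE_NAME="vault-secrets-operator"   # role name from the article
KV_MOUNT="vso-kvv2"                  # kv-v2 mount enabled later in the article
SECRET_PATH="webapp/config"          # secret path synced later in the article
POLICY_NAME="vso-webapp-read"        # assumed policy name

# Emit the policy HCL. A VaultStaticSecret of type kv-v2 reads the secret
# through the mount's data/ API path, so read on that path is all VSO needs.
vso_policy_hcl() {
    cat <<EOF
# Read-only access for the Vault Secrets Operator to ${KV_MOUNT}/${SECRET_PATH}
path "${KV_MOUNT}/data/${SECRET_PATH}" {
  capabilities = ["read"]
}
EOF
}

# Write the policy and recreate the AppRole with it. secret_id_num_uses stays
# 0 (unlimited) because the operator logs in repeatedly with the same SecretID;
# the token TTLs bound how long a leaked token stays valid.
apply_vso_approle() {
    vso_policy_hcl | vault policy write "${POLICY_NAME}" -
    vault write "auth/${APPROLE_MOUNT}/role/${ROLE_NAME}" \
        token_policies="${POLICY_NAME}" \
        token_ttl=1h \
        token_max_ttl=4h \
        secret_id_num_uses=0
}

# Read the role back to confirm hcp-root is no longer attached.
show_vso_approle() {
    vault read "auth/${APPROLE_MOUNT}/role/${ROLE_NAME}"
}

# Only talk to Vault when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
    apply_vso_approle
    show_vso_approle
fi
```

Because the role is updated in place, the Role ID retrieved in step 3 stays valid; only the policies attached to tokens issued from it change, which you can confirm in the output of vault read.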
Configure Kubernetes Secrets
1. Base64 Encode the Secret ID:
minikube-user@linux-kube-server:~$ echo -n '<your-secret-id>' | base64
eW9zZWZaWQ=
2. Create a Kubernetes Secret file vault-secret-id.yaml with the Encoded Secret ID:
apiVersion: v1
kind: Secret
metadata:
  name: vault-approle-secret
type: Opaque
data:
  id: <base64_encoded_secret_id>
3. Apply the Secret to Kubernetes:
minikube-user@linux-kube-server:~$ kubectl apply -f vault-secret-id.yaml
secret/vault-approle-secret created
4. Fetch the AppRole secret-id from the Kubernetes Secret to ensure it was saved properly:
minikube-user@linux-kube-server:~$ kubectl get secret vault-approle-secret -o json | jq -r .data.id | base64 --decode
06e3e3a4-1065-91cc-84a3
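The manual echo -n ... | base64 step is where a trailing newline most often slips into the Secret (echo without -n encodes the newline too), after which the AppRole login fails with an invalid SecretID that is hard to spot. The script below is an added example, not from the original article: it renders vault-secret-id.yaml with printf, which never appends a newline, and refuses to render when a base64 value decodes to something ending in whitespace. SAMPLE_SECRET_ID is a constructed placeholder, not a real credential.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: render vault-secret-id.yaml
# from an AppRole SecretID and check the base64 value before applying it.
set -eu

SECRET_NAME="vault-approle-secret"   # Secret name used in the article

# Base64-encode a SecretID without a trailing newline. printf never appends
# one (unlike echo without -n), and tr removes the line wrapping GNU base64
# inserts for long inputs.
encode_secret_id() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a base64 value exactly as the operator will see it.
decode_secret_id() {
    printf '%s' "$1" | base64 -d
}

# Return 0 only if the decoded SecretID is non-empty and does not end in
# whitespace; a trailing newline (0x0a) is the usual cause of login failures.
check_secret_id_encoding() {
    decode_secret_id "$1" >/dev/null 2>&1 || return 1
    last=$(decode_secret_id "$1" | tail -c 1 | od -An -tx1 | tr -d ' \n')
    case "$last" in
        ""|0a|0d|20|09) return 1 ;;
    esac
    return 0
}

# Print the Kubernetes Secret manifest for a SecretID, using the data.id key
# that the VaultAuth secretRef expects.
render_approle_secret_manifest() {
    b64=$(encode_secret_id "$1")
    check_secret_id_encoding "$b64" || {
        echo "refusing to render: bad SecretID encoding" >&2
        return 1
    }
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
type: Opaque
data:
  id: ${b64}
EOF
}

# Constructed placeholder SecretID for demonstration only, not a real credential.
SAMPLE_SECRET_ID="11111111-2222-3333-4444-555555555555"

# Demonstrate the pitfall: echo appends a newline that base64 faithfully encodes.
if check_secret_id_encoding "$(echo "$SAMPLE_SECRET_ID" | base64)"; then
    echo "echo-encoded value passed (unexpected)" >&2
else
    echo "echo-encoded value rejected: trailing newline inside the Secret" >&2
fi

render_approle_secret_manifest "$SAMPLE_SECRET_ID"
```

Pipe the rendered manifest straight into kubectl apply -f - rather than pasting the base64 value by hand; the same check_secret_id_encoding function can be run on the value returned by kubectl get secret ... -o json | jq -r .data.id to audit a Secret that was created some other way.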
Configure Vault Authentication in Kubernetes
1. Create VaultAuth Configuration vault-auth-static.yaml:
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: static-auth
  # namespace: app
spec:
  # type of vault auth
  method: appRole
  # mount path for the approle auth engine
  mount: approle-k8s
  # namespace for HCP Vault
  namespace: admin
  # approle vault auth config
  appRole:
    roleId: 3f9fe36b-2f4f-d1f9-38a9-
    secretRef: vault-approle-secret
2. Apply the VaultAuth Configuration:
minikube-user@linux-kube-server:~$ kubectl apply -f vault-auth-static.yaml
vaultauth.secrets.hashicorp.com/static-auth created
Configure Secrets in Vault and Sync Them to Kubernetes
1. Enable KV Secrets Engine in Vault:
mahimasharma@mahimasharma-Q4P73QMXQ4 ~ % vault secrets enable -path=vso-kvv2 kv-v2
Success! Enabled the kv-v2 secrets engine at: vso-kvv2/
2. Create a Secret in Vault:
mahimasharma@mahimasharma-Q4P73QMXQ4 ~ % vault kv put vso-kvv2/webapp/config username="static-user-kvv2" password="static-password-kvv2"
======= Secret Path =======
vso-kvv2/data/webapp/config
======= Metadata =======
Key Value
--- -----
created_time 2024-08-02T08:11:45.658838259Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
3. Create VaultStaticSecret Configuration vault-kvv2-secret.yaml:
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vault-kvv2-app
  # namespace: app
spec:
  type: kv-v2
  namespace: admin
  # mount path
  mount: vso-kvv2
  # path of the secret
  path: webapp/config
  # dest k8s secret
  destination:
    name: secretkvv2-vso
    create: true
  # static secret refresh interval
  refreshAfter: 30s
  # Name of the CRD to authenticate to Vault
  vaultAuthRef: static-auth
4. Apply the VaultStaticSecret Configuration:
minikube-user@linux-kube-server:~$ kubectl apply -f vault-kvv2-secret.yaml
vaultstaticsecret.secrets.hashicorp.com/vault-kvv2-app created
Verify the Setup
1. Check if the Kubernetes Secret is Created:
minikube-user@linux-kube-server:~$ kubectl get secrets
NAME TYPE DATA AGE
secretkvv2-vso Opaque 3 3m22s
vault-approle-secret Opaque 1 3h12m
2. Verify that the secret data is readable:
minikube-user@linux-kube-server:~$ kubectl get secret secretkvv2-vso -o json | jq -r .data._raw | base64 --decode
{"data":{"password":"static-password-kvv2","username":"static-user-kvv2"},"metadata":{"created_time":"2024-08-02T11:04:02.708894036Z","custom_metadata":null,"deletion_time":"0001-01-01T00:00:00Z","destroyed":false,"version":3}}
Conclusion
By following these steps, you have successfully configured the Vault Secrets Operator to use AppRole authentication instead of the Kubernetes auth method. This setup ensures that your secrets are securely synchronized from Vault to your Kubernetes cluster. If you encounter any issues, refer to the operator logs and ensure that all configurations are correctly applied.
For additional questions or support, please open a Support ticket.