Bank-Vaults

Bank-Vaults provides tools that make using and operating HashiCorp Vault easier. It is a wrapper for the official Vault client with automatic token renewal and built-in Kubernetes support, and a dynamic database credential provider for Golang database/sql based clients. It has a CLI tool to automatically initialize, unseal, and configure Vault. It also provides a Kubernetes operator for provisioning, and a mutating webhook for injecting secrets.

back

Install

```bash
# Install the Bank-Vaults operator:
helm upgrade -i vault-operator oci://ghcr.io/bank-vaults/helm-charts/vault-operator \
  -n bank-vaults --create-namespace

# Create a Vault instance using the Vault custom resources. This creates a Kubernetes
# CustomResource called vault and a PersistentVolumeClaim for it:
# TODO: kustomization for a custom namespace is not ready yet, check the docs
# kubectl apply -k k8s/kustomize
#
# or install the RBAC objects into the default namespace
kubectl apply -k https://github.com/bank-vaults/vault-operator/deploy/rbac?ref=v1.22.3

# Create a Vault cluster from one of the sample Vault resources below:
# https://github.com/bank-vaults/vault-operator/tree/main/deploy/examples
kubectl apply -n bank-vaults -f https://raw.githubusercontent.com/bank-vaults/vault-operator/v1.22.3/deploy/examples/cr-raft.yaml
kubectl get vaults.vault.banzaicloud.com
```

Test

```bash
kubectl port-forward vault-0 8200

export VAULT_ADDR=https://127.0.0.1:8200

# Trust the CA generated by the operator ...
kubectl get secret vault-tls -o jsonpath="{.data.ca\.crt}" | base64 --decode > $PWD/vault-ca.crt
export VAULT_CACERT=$PWD/vault-ca.crt
# ... or skip TLS verification (local testing only)
export VAULT_SKIP_VERIFY=true

# The root token is stored by the operator in the vault-unseal-keys secret
export VAULT_TOKEN=$(kubectl get secrets vault-unseal-keys -o jsonpath={.data.vault-root} | base64 --decode)

vault status
vault operator raft list-peers
```

The secret injection webhook of Bank-Vaults is a mutating webhook that bypasses the Kubernetes secrets mechanism and injects the secrets retrieved from Vault directly into the Pods. Specifically, the mutating admission webhook injects (in a very non-intrusive way) an executable into containers of Deployments and StatefulSets. This executable can request secrets from Vault through special environment variable definitions.

This adds an alpine container to the deployment that is started through the vault-env command; the secret is decoded only for that container's process, not stored anywhere else in the cluster.

```bash
kubectl create namespace vault-infra
kubectl label namespace vault-infra name=vault-infra

helm upgrade -i --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --namespace vault-infra
kubectl get pods --namespace vault-infra
```

Test

```bash
vault kv put secret/demosecret/aws AWS_SECRET_ACCESS_KEY=s3cr3t
kubectl apply -f example/app.yaml

# check logs
$ kubectl logs pods/bank-vault-test-fb678c8cc-sx4th
  alpine time=2024-11-24T19:17:28.872Z level=INFO msg="spawning process" app=vault-env entryp
  alpine s3cr3t
  alpine going to sleep...

# Try to decode the secret yourself: it will not show, because it is decoded only for the
# container process, via the vault-secrets-webhook mutating webhook
$ echo $AWS_SECRET_ACCESS_KEY
vault:secret/data/demosecret/aws#AWS_SECRET_ACCESS_KEY
```
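A Deployment manifest of the shape example/app.yaml is expected to have, written here as an added illustration and not taken from the repository: the only value that reaches the Kubernetes API server is the `vault:` reference, and the annotations tell the webhook where Vault is and which Kubernetes-auth role to log in with. The Vault service address, the role name `default` and the `vault-tls` secret living in the application's namespace are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bank-vault-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bank-vault-test
  template:
    metadata:
      labels:
        app: bank-vault-test
      annotations:
        # Vault address reachable from inside the cluster (assumed service name/namespace)
        vault.security.banzaicloud.io/vault-addr: "https://vault.bank-vaults:8200"
        # CA bundle created by the operator; must exist in this pod's namespace (assumed)
        vault.security.banzaicloud.io/vault-tls-secret: "vault-tls"
        # Kubernetes-auth role the pod's ServiceAccount may use (assumed role name)
        vault.security.banzaicloud.io/vault-role: "default"
    spec:
      serviceAccountName: default
      containers:
        - name: alpine
          image: alpine:3.20
          # vault-env wraps this command, resolves the reference below into the
          # process environment and exec()s the real entrypoint; the plaintext
          # never appears in the pod spec, in etcd or in `kubectl describe`.
          command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY; echo going to sleep...; sleep 3600"]
          env:
            # vault:<kv-v2 data path>#<key> -- this string is all the API server stores
            - name: AWS_SECRET_ACCESS_KEY
              value: "vault:secret/data/demosecret/aws#AWS_SECRET_ACCESS_KEY"
```

Running `kubectl get deploy bank-vault-test -o yaml` afterwards shows only the `vault:` reference, which is the check that the secret was injected into the process and not persisted as a Kubernetes object.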

REFERENCE
