# Tabla de Contenidos

1. [Introducción](#first-bullet)
2. [Configuración del Entorno](#second-bullet)
3. [Creación de Secretos Estáticos](#creación-de-secretos-estáticos)
   1. [Binarios (Base64 JKS + Password)](#binarios)
   2. [Secretos como Texto](#secretos-como-texto)
   3. [Claves de Criptografía](#crypto)
4. [Operaciones de Criptografía usando la Transit Secret Engine](#transit)

# Introducción <a class="anchor" id="first-bullet"></a>
El objetivo de este notebook es el de ilustrar algunas opciones de configuración de Vault, Vault Secret Operator y Vault Agent Injector, que permitan satisfacer los siguientes casos de uso:
1. Certificados de cliente, que ahora se almacenan en un Java KeyStore. En el yml de configuración del repositorio Git guardamos el base64 del JKS y la password del mismo cifrada.
2. Truststores, que ahora se almacenan en un Java KeyStore. En el yml de configuración del repositorio Git guardamos el base64 del JKS y la password del mismo cifrada.
3. Username/password utilizados en Basic HTTP Authentication para WS SOAP y servicios REST.
4. API Keys utilizadas también por clientes REST.
5. Username/password de las bases de datos de Oracle de cada entorno.
6. tpnName/user de las conexiones a Host de cada entorno.
7. Secretos de firma asociados a los clientes Oauth.
8. Claves privadas utilizadas para cifrado de recursos.


## Configuración del Entorno <a class="anchor" id="second-bullet"></a>

In [1]:
%env WORKDIR=/tmp/vault
%env VAULT_K8S_NAMESPACE=vault
%env VAULT_HELM_RELEASE_NAME=vault
%env VAULT_SERVICE_NAME=vault-internal 
%env K8S_CLUSTER_NAME=cluster.local 

env: WORKDIR=/tmp/vault
env: VAULT_K8S_NAMESPACE=vault
env: VAULT_HELM_RELEASE_NAME=vault
env: VAULT_SERVICE_NAME=vault-internal
env: K8S_CLUSTER_NAME=cluster.local


In [2]:
import os
from dotenv import load_dotenv

load_dotenv("/tmp/vault/config.env")

VAULT_TOKEN = os.getenv('VAULT_TOKEN')
VAULT_ADDR = os.getenv('VAULT_ADDR')
VAULT_CACERT = os.getenv('VAULT_CACERT')


## Creación de Secretos Estáticos <a class="anchor" id="creación-de-secretos-estáticos"></a> 

In [3]:
! vault secrets enable -path=static kv-v2

[0mSuccess! Enabled the kv-v2 secrets engine at: static/[0m


Creamos una engine para secretos estáticos de tipo KVv2

### Binarios (Base64 JKS + Password)<a class="anchor" id="binarios"></a> 

Usamos `keytool` para crear un certificado

In [4]:
%env PASSWORD=changeit

env: PASSWORD=changeit


In [5]:
%%bash
keytool -genkeypair \
  -alias myapp \
  -keyalg RSA \
  -keysize 2048 \
  -validity 365 \
  -keystore $WORKDIR/myapp-keystore-2.jks \
  -storepass $PASSWORD \
  -keypass $PASSWORD \
  -dname "CN=localhost, OU=Dev, O=MyCompany, L=City, S=State, C=US"

Generando par de claves RSA de 2.048 bits para certificado autofirmado (SHA384withRSA) con una validez de 365 días
	para: CN=localhost, OU=Dev, O=MyCompany, L=City, ST=State, C=US


Subimos el secreto a la engine. Para ello:
1. Creamos un path siguiendo la estructura `<engine_path>/subdirectory/secret`
2. Los secretos estáticos en Vault toman la forma key=value. En este caso tenemos dos keys `cert` y `password`
3. El certificado en sí es un objeto binario que para guardarlo en Vault se aconseja que se condifique en base64. Como [referencia](https://support.hashicorp.com/hc/en-us/articles/5332149468691-Storing-pfx-certs-and-binary-files-in-Vault-KV-secrets)
4. El password es información en texto plano

In [6]:
%%bash
DATA=$(cat $WORKDIR/myapp-keystore-2.jks | base64 | tr -d '\n')
vault kv put static/jks/myapp-keystore-2 cert=$DATA password=$PASSWORD \

static/data/jks/myapp-keystore-2

Key                Value
---                -----
created_time       2025-05-06T16:30:42.585547871Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1


Podemos leer la información de vuelta

In [7]:
! vault kv get -format=json static/jks/myapp-keystore-2 | jq -r .

[1;39m{
  [0m[1;34m"request_id"[0m[1;39m: [0m[0;32m"c2d1fd5b-df98-c5fd-e5b0-9654ccd19720"[0m[1;39m,
  [0m[1;34m"lease_id"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[1;34m"lease_duration"[0m[1;39m: [0m[0;39m0[0m[1;39m,
  [0m[1;34m"renewable"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
  [0m[1;34m"data"[0m[1;39m: [0m[1;39m{
    [0m[1;34m"data"[0m[1;39m: [0m[1;39m{
      [0m[1;34m"cert"[0m[1;39m: [0m[0;32m"MIIKkgIBAzCCCjwGCSqGSIb3DQEHAaCCCi0EggopMIIKJTCCBawGCSqGSIb3DQEHAaCCBZ0EggWZMIIFlTCCBZEGCyqGSIb3DQEMCgECoIIFQDCCBTwwZgYJKoZIhvcNAQUNMFkwOAYJKoZIhvcNAQUMMCsEFKR+C/hnH8YbuGHujsQYH4TVIALxAgInEAIBIDAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQKe6zwlzUwzt5/AbNbAPx1ASCBNBRKsnl9+BDxQwU2CkQMawBthFl9qJaGrTaqFBaMccr9Exr0bhnsyjNJUi0NTmVg6AqE5ydmG3gATDWTuEI/yuDVC5JsSD6gr8+OndBbPx9TA9/KU3rjUOy1mAW/jVIR9WqErKWo8WHJs+H+VWUZ+yZYmrY5NIemQ8gCOW0Gz5LAnZZckaFq+YCw15ugaZzqgoG7pDg1v73z8O7mcAMmDfxpIbTr9frYZndCzlkH6gIkar5lxM0Wn09jHwtKTYmKQEDEhBTB3dnKivebU+UBCKV2hHsk1aIYrirgyi7DDUA

Tenga en cuenta que el valor del certificado está codificado en base64, de forma que para su consumo se precisa de un paso de decoding previo. En la siguiente celda descargamos el certificado a un fichero y lo leemos utilizando la aplicación `keytool`

In [8]:
%%bash
vault kv get -format=json static/jks/myapp-keystore-2 | jq -r .data.data.cert | base64 --decode > $WORKDIR/myapp-keystore-2_read.jks

keytool -list -v -keystore $WORKDIR/myapp-keystore-2_read.jks -storepass $PASSWORD

Tipo de Almacén de Claves: PKCS12
Proveedor de Almacén de Claves: SUN

Su almacén de claves contiene 1 entrada

Nombre de Alias: myapp
Fecha de Creación: 6 may 2025
Tipo de Entrada: PrivateKeyEntry
Longitud de la Cadena de Certificado: 1
Certificado[1]:
Propietario: CN=localhost, OU=Dev, O=MyCompany, L=City, ST=State, C=US
Emisor: CN=localhost, OU=Dev, O=MyCompany, L=City, ST=State, C=US
Número de serie: f3baa7e4b1aa3280
Válido desde: Tue May 06 18:30:26 CEST 2025 hasta: Wed May 06 18:30:26 CEST 2026
Huellas digitales del certificado:
	 SHA1: D5:7F:E4:56:A0:FB:45:21:69:22:A3:27:F9:D1:A0:D9:B9:88:26:CE
	 SHA256: DB:60:1D:4F:D7:FF:A6:36:06:FD:10:52:74:87:4D:0C:16:54:9A:D2:F6:2C:A5:D9:55:C1:87:EB:D1:D9:71:5F
Nombre del algoritmo de firma: SHA384withRSA
Algoritmo de clave pública de asunto: Clave RSA de 2048 bits
Versión: 3

Extensiones: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D7 3F 02 7A 54 E9 5B 4C   09 75 4F DA 95 1F 3A 55  .?.zT.[L.uO...

Otra posibilidad es replicando el patrón actual donde tanto el certificado como su correspondiente secreto se encuentran dentro de un fichero de configuración en formato yaml. Construyamos un ejemplo de consumo

In [12]:
%%bash
cat > ${WORKDIR}/config.yaml <<EOF
---
java:
  application:
    truststore:
      certificate_base64: |
        $(cat $WORKDIR/myapp-keystore-2.jks | base64 | tr -d '\n')
      password: $(echo -n $PASSWORD)

EOF


In [13]:
%%bash
# Subimos el fichero de configuración a Vault
vault kv put static/jks/config yaml=@$WORKDIR/config.yaml 



===== Secret Path =====
static/data/jks/config

Key                Value
---                -----
created_time       2025-05-06T16:31:57.842146728Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2


In [14]:
%%bash
# Leemos el secreto de vuelta
vault kv get -format=json static/jks/config | jq -r .data.data.yaml

---
java:
  application:
    truststore:
      certificate_base64: |
        MIIKkgIBAzCCCjwGCSqGSIb3DQEHAaCCCi0EggopMIIKJTCCBawGCSqGSIb3DQEHAaCCBZ0EggWZMIIFlTCCBZEGCyqGSIb3DQEMCgECoIIFQDCCBTwwZgYJKoZIhvcNAQUNMFkwOAYJKoZIhvcNAQUMMCsEFKR+C/hnH8YbuGHujsQYH4TVIALxAgInEAIBIDAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQKe6zwlzUwzt5/AbNbAPx1ASCBNBRKsnl9+BDxQwU2CkQMawBthFl9qJaGrTaqFBaMccr9Exr0bhnsyjNJUi0NTmVg6AqE5ydmG3gATDWTuEI/yuDVC5JsSD6gr8+OndBbPx9TA9/KU3rjUOy1mAW/jVIR9WqErKWo8WHJs+H+VWUZ+yZYmrY5NIemQ8gCOW0Gz5LAnZZckaFq+YCw15ugaZzqgoG7pDg1v73z8O7mcAMmDfxpIbTr9frYZndCzlkH6gIkar5lxM0Wn09jHwtKTYmKQEDEhBTB3dnKivebU+UBCKV2hHsk1aIYrirgyi7DDUADev5jpUfhuT8MmKaFzZqw94iLsPTbOXirfyG3crAV0zntjo+ABmJMbEOYss3i6CZCQzfN3TPcxMH2zf3KRB8QbJA1kg7+ELIPw1fSwkqtYsyh5cNN+b7rbKOTIzMJYbUpz0sWx8D6GCOZD7gklC3jXnvu8r7J6ZoWKUurkbkxfuMxZ5UCTNsJerIsudC0Hg+sYMH2Tq76rN3FabxmkN1eGXAQBolijgrryYQSPkY06EtW9qw/xlZwvcGnEuu9HI46JcRwdWSVidHCunCfAUtoPpbPN3IeUK5qHiFrUqnNw5zTWBxyZtVPau3qnsvuESOgnIovLtRyJ01lx+4YMdvfcccAWH9TNMBeO7GOCaOyf8fgGY

### ¿Cómo consumimos este secreto desde una aplicación que corre en Kubernetes?

El primer paso es extender la política de acceso para incluir el path al secreto estático que contiene el keystore

In [15]:
%%bash
vault policy write devk8s - <<EOF
path "kvv2/*" {
  capabilities = ["read"]
}
path "database/creds/readonly" {
  capabilities = [ "read"]
}
# Para secretos de tipo kv-v2 podemos usar el path del secreto. En este caso damos acceso tanto a los datos como a los metadatos
path "static/+/jks/*" {
    capabilities = ["read"]
}
EOF

Success! Uploaded policy: devk8s


El siguiente paso es asegurarse de que la service account que usará el POD/Deployment esté asociada a la política del paso previo

In [16]:
%%bash

vault write auth/kubernetes/role/role \
    bound_service_account_names=default,usecase \
    bound_service_account_namespaces=test,usecase \
    policies=devk8s \
    ttl=10m

Success! Data written to: auth/kubernetes/role/role


Creamos un namespace en kubernetes denominado `usecase` donde se crearon los recursos que integraran con Vault

In [17]:
%%bash
kubectl create ns usecase
kubectl create serviceaccount usecase -n usecase

namespace/usecase created
serviceaccount/usecase created


Desplegamos un POD que haga uso de la sa que acabamos de crear

In [18]:
%%bash
cat > ${WORKDIR}/pod1_usecase.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pod1
  namespace: usecase
spec:
  serviceAccountName: usecase
  containers:
  - name: pod1
    image: nginx
EOF

kubectl apply -f ${WORKDIR}/pod1_usecase.yaml
sleep 10
kubectl get pods -n usecase

pod/pod1 created
NAME   READY   STATUS    RESTARTS   AGE
pod1   1/1     Running   0          10s


In [None]:
# En una terminal ejecuta los siguientes comandos
kubectl exec -i -t pod1 -n usecase -- /bin/bash 

# ----------------------

# Instalar jq y curl
apt-get update
apt-get install -y jq curl default-jre


# Configuración de variables de entorno
export VAULT_ADDR=https://vault.vault.svc.cluster.local:8200
export TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
export VAULT_SKIP_VERIFY=true
export VAULT_K8S_MOUNT_POINT=auth/kubernetes
export SECRET_PATH=static/data/jks/myapp-keystore-2

# Autenticación contra Vault usando el token de la service account
export VAULT_TOKEN=$(curl -s -k --request POST --data '{"jwt": "'"$TOKEN"'", "role": "role" }' $VAULT_ADDR/v1/$VAULT_K8S_MOUNT_POINT/login | jq -r .auth.client_token)

# Uso del token de Vault para obtener el secreto
curl -s -k --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/$SECRET_PATH | jq -r .data.data > cert

# Obtenemos la parte del certificado y lo decodificamos
# y lo guardamos en un archivo keystore.jks
cat cert | jq -r .cert | base64 -d > keystore.jks

# Comprobación de la descarga
keytool -list -v -keystore keystore.jks -storepass $(cat cert | jq -r .password)


Este proceso puede realizarse:
* Directamente a nivel de aplicación haciendo uso de SDKs, con la consiguiente refactorización de la aplicación, por ejemplo con [Spring Cloud Vault](https://cloud.spring.io/spring-cloud-vault/reference/html/#_quick_start)
* Haciendo uso de VSO y sus capacidades de templating
* Haciendo uso de Vault Agent y sus capacidades de templating

En este caso, nos focalizamos en las dos últimas alternativas

### VSO con templating

Creamos un nuevo VaultAuth para permitir el acceso desde el namespace `usecase`

In [19]:
%%bash
cat > ${WORKDIR}/vaultauth_crd_usecase1.yaml <<EOF
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  namespace: vault-secrets-operator
  name: vaultauth
spec:
  vaultConnectionRef: example
  allowedNamespaces: ["usecase"]
  method: kubernetes
  mount: kubernetes

  kubernetes:
    # role to use when authenticating to Vault
    role: role
    serviceAccount: usecase

EOF
kubectl apply -f ${WORKDIR}/vaultauth_crd_usecase1.yaml

vaultauth.secrets.hashicorp.com/vaultauth created


Creamos un nuevo `VaultStaticSecret` incluyendo el `transformation` attribute

In [29]:
%%bash

cat > ${WORKDIR}/vso_usecase1.yaml <<EOF
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: myapp-keystore-2
  namespace: usecase
spec:
  vaultAuthRef: vault-secrets-operator/vaultauth
  mount: static
  type: kv-v2
  path: jks/myapp-keystore-2
  refreshAfter: 60s
  destination:
    create: true
    name: myapp-keystore-2
    transformation:
      excludes:
        - ".*"
      templates:
        cert:
          text: |
            {{-  printf "%s" (get .Secrets "cert") | b64dec -}}
        password:
          text: |
            {{- printf "%s" (get .Secrets "password") -}}
EOF

kubectl apply -f ${WORKDIR}/vso_usecase1.yaml

vaultstaticsecret.secrets.hashicorp.com/myapp-keystore-2 unchanged


Para el caso del fichero yaml, no hace falta que hagamos ninguna transformación

In [21]:
%%bash
## Support KVv1 and KVv2
cat > ${WORKDIR}/vso_usecase2.yaml <<EOF
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: myapp-keystore-2
  namespace: usecase
spec:
  vaultAuthRef: vault-secrets-operator/vaultauth
  mount: static
  type: kv-v2
  path: jks/config
  refreshAfter: 60s
  destination:
    create: true
    name: config-yaml

EOF

kubectl apply -f ${WORKDIR}/vso_usecase2.yaml

vaultstaticsecret.secrets.hashicorp.com/myapp-keystore-2 created


Leemos el secreto de vuelta

In [22]:
%%bash
echo -n "$(kubectl get secret config-yaml -n usecase -o json | jq -r .data.yaml | base64 -d)"

---
java:
  application:
    truststore:
      certificate_base64: |
        MIIKkgIBAzCCCjwGCSqGSIb3DQEHAaCCCi0EggopMIIKJTCCBawGCSqGSIb3DQEHAaCCBZ0EggWZMIIFlTCCBZEGCyqGSIb3DQEMCgECoIIFQDCCBTwwZgYJKoZIhvcNAQUNMFkwOAYJKoZIhvcNAQUMMCsEFKR+C/hnH8YbuGHujsQYH4TVIALxAgInEAIBIDAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQKe6zwlzUwzt5/AbNbAPx1ASCBNBRKsnl9+BDxQwU2CkQMawBthFl9qJaGrTaqFBaMccr9Exr0bhnsyjNJUi0NTmVg6AqE5ydmG3gATDWTuEI/yuDVC5JsSD6gr8+OndBbPx9TA9/KU3rjUOy1mAW/jVIR9WqErKWo8WHJs+H+VWUZ+yZYmrY5NIemQ8gCOW0Gz5LAnZZckaFq+YCw15ugaZzqgoG7pDg1v73z8O7mcAMmDfxpIbTr9frYZndCzlkH6gIkar5lxM0Wn09jHwtKTYmKQEDEhBTB3dnKivebU+UBCKV2hHsk1aIYrirgyi7DDUADev5jpUfhuT8MmKaFzZqw94iLsPTbOXirfyG3crAV0zntjo+ABmJMbEOYss3i6CZCQzfN3TPcxMH2zf3KRB8QbJA1kg7+ELIPw1fSwkqtYsyh5cNN+b7rbKOTIzMJYbUpz0sWx8D6GCOZD7gklC3jXnvu8r7J6ZoWKUurkbkxfuMxZ5UCTNsJerIsudC0Hg+sYMH2Tq76rN3FabxmkN1eGXAQBolijgrryYQSPkY06EtW9qw/xlZwvcGnEuu9HI46JcRwdWSVidHCunCfAUtoPpbPN3IeUK5qHiFrUqnNw5zTWBxyZtVPau3qnsvuESOgnIovLtRyJ01lx+4YMdvfcccAWH9TNMBeO7GOCaOyf8fgGY

Ahora desplegamos un POD donde montamos el secreto

In [26]:
%%bash
cat > ${WORKDIR}/vso__pod_usecase2.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: vso-myapp-keystore-2
  namespace: usecase
spec:
  containers:
  - name: vso-myapp-keystore-2
    image: redis
    volumeMounts:
    - name: keystore
      mountPath: "/etc/keystore"
      readOnly: true
  volumes:
  - name: keystore
    secret:
      secretName: myapp-keystore-2
      optional: true
EOF

kubectl apply -f ${WORKDIR}/vso__pod_usecase2.yaml
sleep 10



pod/vso-myapp-keystore-2 configured


In [30]:
%%bash
# Chequea secretos
# Podemos ver tres ficheros
# _raw: el json file con la información del secreto tal como la devuelve el backend de Vault
# cert: el certificado en formato jks
# password: la contraseña del keystore
kubectl exec vso-myapp-keystore-2 -n usecase  -- ls -l /etc/keystore
echo ""
echo "------"
kubectl exec vso-myapp-keystore-2 -n usecase -- cat /etc/keystore/cert
echo ""
kubectl exec vso-myapp-keystore-2 -n usecase -- cat /etc/keystore/password

total 0
lrwxrwxrwx. 1 root root 11 May  6 16:41 _raw -> ..data/_raw
lrwxrwxrwx. 1 root root 11 May  6 16:41 cert -> ..data/cert
lrwxrwxrwx. 1 root root 15 May  6 16:41 password -> ..data/password

------
0�
�0�
��H��
-�
)0�
�����0��0��*�H��
	 0	`�He*)��\��;y��l����Q*����C��)1��e��Z�ڨPZ1�+�LkѸg�(�%H�59���*���m�0�N�+�T.I� ���>:wAl�}L)M�C��`�5HGժ���Ň&χ�U�g�bj�����>KvYrF����^n��s�
7�����L��%�ԧ=,[�`�d>��P��y���'�hX�.�F����ŞT	3l%�Ȳ�B�x>���:��w��Cuxe�@%�8+�&H�ӡ-[ڰ�Y���K��r8��ՒV'G
e~�k�͂O�PN[�Q�w�,�͑�O�	�L�<�_ Y=�+ң�0:WgH3a�"yX='lܶ@��س����[�*��}#��I�f���Q�����j�'h�PB��z�E:��TGd���:�\�Lī���F���;(����?�Ḛ�!��s �xGM��L�fwS����Ї�{u�<�`�<��|0ض�I����Iz�r��-N=�0��^X�r@;i�Ffb	��@S�����6���*�,�[`Q�o�Ma򾄫��J�/�C�X<�3���&��<�6{�`��\l�!�#׼��|�����G��|l�y�Ŷ�Tx��_��� � ��ťN��%=�@�;m���+�,#q�@��pJ�/_I#�'��ћ��3� �+$�A����ے�;]u����*�$�I(0h�0�"��b�m$]}��1e_w�X�jd�ψy;����΀�q�4�S(���Uvvq�6R���T����z�T0���
	

### Vault Agent con templating

In [31]:
%%bash
cat > $WORKDIR/agent-myapp-keystore-1.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: agent-myapp-keystore-1
  namespace: usecase
  labels:
    app: agent-myapp-keystore-1
spec:
  selector:
    matchLabels:
      app: agent-myapp-keystore-1
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: 'role'
        vault.hashicorp.com/tls-skip-verify: 'true' # Untrusted cert used here
        vault.hashicorp.com/agent-inject-template-keystore.jks: |
          {{- with secret "static/data/jks/myapp-keystore-2" -}}
            {{ base64Decode .Data.data.cert }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-template-password: |
          {{- with secret "static/data/jks/myapp-keystore-2" -}}
            {{ .Data.data.password }}
          {{- end -}}
      labels:
        app: agent-myapp-keystore-1
    spec:
      serviceAccountName: usecase
      containers:
      - name: agent-myapp-keystore-1
        image: nginx
EOF

Desplegamos el POD

In [33]:
! kubectl apply --filename $WORKDIR/agent-myapp-keystore-1.yaml

deployment.apps/agent-myapp-keystore-1 created


Vault Agent Inject despliega un init container así como un sidecar container. El init container se encarga de descargar el secreto y el sidecar lo inyecta en el contenedor principal.
> The `init` container will prepopulate the shared memory volume with the requested secrets prior to the other containers starting. The `sidecar` container will continue to authenticate and render secrets to the same location as the pod runs. Using annotations, the initialization and sidecar containers may be disabled.

Chequeamos los logs del init container

In [34]:
%%bash 
sleep 10
kubectl logs -n usecase\
    $(kubectl get pod -n usecase -l app=agent-myapp-keystore-1 -o jsonpath="{.items[0].metadata.name}") \
    --container vault-agent

==> Note: Vault Agent version does not match Vault server version. Vault Agent version: 1.19.0, Vault server version: 1.18.3+ent
==> Vault Agent started! Log data will stream in below:

2025-05-06T16:45:02.354Z [INFO]  agent.sink.file: creating file sink
2025-05-06T16:45:02.354Z [INFO]  agent.sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r----- owner=100 group=1000
==> Vault Agent configuration:

           Api Address 1: http://bufconn
                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.19.0, built 2025-03-04T12:36:40Z
             Version Sha: 7eeafb6160d60ede73c1d95566b0c8ea54f3cb5a

2025-05-06T16:45:02.354Z [INFO]  agent.exec.server: starting exec server
2025-05-06T16:45:02.354Z [INFO]  agent.exec.server: no env templates or exec config, exiting
2025-05-06T16:45:02.354Z [INFO]  agent.template.server: starting template server
2025-05-06T16:45:02.354Z [INFO]  agent: (runner) creating new runner (dry: false, on

Verificamos que las dos keys presentes en el secreto se han renderizado en sus respectivos ficheros dentro del path `/vault/secrets`

In [35]:
%%bash
kubectl exec -n usecase\
    $(kubectl get pod -n usecase -l app=agent-myapp-keystore-1 -o jsonpath="{.items[0].metadata.name}") \
    --container agent-myapp-keystore-1 -- ls /vault/secrets

keystore.jks
password


keysotre.jks contiene el certificado en formato jks (binario)

In [36]:
%%bash
kubectl exec -n usecase\
    $(kubectl get pod -n usecase -l app=agent-myapp-keystore-1 -o jsonpath="{.items[0].metadata.name}") \
    --container agent-myapp-keystore-1 -- cat /vault/secrets/keystore.jks

0�
�0�
��H��
-�
)0�
�����0��0��*�H��
	 0	`�He*)��\��;y��l����Q*����C��)1��e��Z�ڨPZ1�+�LkѸg�(�%H�59���*���m�0�N�+�T.I� ���>:wAl�}L)M�C��`�5HGժ���Ň&χ�U�g�bj�����>KvYrF����^n��s�
7�����L��%�ԧ=,[�`�d>��P��y���'�hX�.�F����ŞT	3l%�Ȳ�B�x>���:��w��Cuxe�@%�8+�&H�ӡ-[ڰ�Y���K��r8��ՒV'G
e~�k�͂O�PN[�Q�w�,�͑�O�	�L�<�_ Y=�+ң�0:WgH3a�"yX='lܶ@��س����[�*��}#��I�f���Q�����j�'h�PB��z�E:��TGd���:�\�Lī���F���;(����?�Ḛ�!��s �xGM��L�fwS����Ї�{u�<�`�<��|0ض�I����Iz�r��-N=�0��^X�r@;i�Ffb	��@S�����6���*�,�[`Q�o�Ma򾄫��J�/�C�X<�3���&��<�6{�`��\l�!�#׼��|�����G��|l�y�Ŷ�Tx��_��� � ��ťN��%=�@�;m���+�,#q�@��pJ�/_I#�'��ћ��3� �+$�A����ے�;]u����*�$�I(0h�0�"��b�m$]}��1e_w�X�jd�ψy;����΀�q�4�S(���Uvvq�6R���T����z�T0���
	1r���KVM�S���`�^�=�fw�� Dt�c��۠WY,���M�qJ�*#�YjH�]�v�ߘ%6m�Ʀ�y�߸T�fK;=1>0	*�H��
0+����?�6��W	*�H��0�q	*�H��
	3 0	`�He*)�Ks�G�G�������适�+5���!�t�\c��]��l�Ѫ�
���+����N=���BG"

password contiene el password del certificado, en este caso en texto plano

In [37]:
%%bash
kubectl exec -n usecase\
    $(kubectl get pod -n usecase -l app=agent-myapp-keystore-1 -o jsonpath="{.items[0].metadata.name}") \
    --container agent-myapp-keystore-1 -- cat /vault/secrets/password

changeit

### Secretos como Texto <a class="anchor" id="secretos-como-texto"></a>

In [38]:
%%bash
# API keys (usamos https://codepen.io/corenominal/pen/rxOmMJ para la generación de una API key de ejemplo )
API_KEY="0796af05-5a14-4aa3-9494-24652f3f3e92"

# Guardamos la API key dentro del secreto static/api/key-1
# En este caso no es necesario el uso de base64 ya que el valor es un string
# y no un binario
vault kv put static/api/key-1 key=$API_KEY

==== Secret Path ====
static/data/api/key-1

Key                Value
---                -----
created_time       2025-05-06T16:45:48.492847429Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1


In [39]:
# Leemos el secreto de vuelta
# Los metadatos incorporan la versión del secreto y fecha de creación
! vault kv get -format=json static/api/key-1 | jq -r .

[1;39m{
  [0m[1;34m"request_id"[0m[1;39m: [0m[0;32m"30c3ea77-60f1-747c-88ab-6c59fd581c15"[0m[1;39m,
  [0m[1;34m"lease_id"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[1;34m"lease_duration"[0m[1;39m: [0m[0;39m0[0m[1;39m,
  [0m[1;34m"renewable"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
  [0m[1;34m"data"[0m[1;39m: [0m[1;39m{
    [0m[1;34m"data"[0m[1;39m: [0m[1;39m{
      [0m[1;34m"key"[0m[1;39m: [0m[0;32m"0796af05-5a14-4aa3-9494-24652f3f3e92"[0m[1;39m
    [1;39m}[0m[1;39m,
    [0m[1;34m"metadata"[0m[1;39m: [0m[1;39m{
      [0m[1;34m"created_time"[0m[1;39m: [0m[0;32m"2025-05-06T16:45:48.492847429Z"[0m[1;39m,
      [0m[1;34m"custom_metadata"[0m[1;39m: [0m[0;90mnull[0m[1;39m,
      [0m[1;34m"deletion_time"[0m[1;39m: [0m[0;32m""[0m[1;39m,
      [0m[1;34m"destroyed"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
      [0m[1;34m"version"[0m[1;39m: [0m[0;39m1[0m[1;39m
    [1;39m}[0m[1;39m
  [1;39m}[0m[1;39m,
[1;39

In [40]:
# Podemos obtener más metadatos de vuelta usando  la opción `metadata`
# Que permite ver no sólo cuando se creo el secreto sino también la fecha de última modificación, creación por versiones, número de versiones, estado de softdelete, etc
! vault kv metadata get -format=json static/api/key-1 | jq -r .

[1;39m{
  [0m[1;34m"request_id"[0m[1;39m: [0m[0;32m"f99f831b-e7f7-bba1-fd8a-8b1941e654a1"[0m[1;39m,
  [0m[1;34m"lease_id"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[1;34m"lease_duration"[0m[1;39m: [0m[0;39m0[0m[1;39m,
  [0m[1;34m"renewable"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
  [0m[1;34m"data"[0m[1;39m: [0m[1;39m{
    [0m[1;34m"cas_required"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
    [0m[1;34m"created_time"[0m[1;39m: [0m[0;32m"2025-05-06T16:45:48.492847429Z"[0m[1;39m,
    [0m[1;34m"current_version"[0m[1;39m: [0m[0;39m1[0m[1;39m,
    [0m[1;34m"custom_metadata"[0m[1;39m: [0m[0;90mnull[0m[1;39m,
    [0m[1;34m"delete_version_after"[0m[1;39m: [0m[0;32m"0s"[0m[1;39m,
    [0m[1;34m"max_versions"[0m[1;39m: [0m[0;39m0[0m[1;39m,
    [0m[1;34m"oldest_version"[0m[1;39m: [0m[0;39m0[0m[1;39m,
    [0m[1;34m"updated_time"[0m[1;39m: [0m[0;32m"2025-05-06T16:45:48.492847429Z"[0m[1;39m,
    [0m[1;34m"versions"[

In [41]:
# Añadimos custom metadata al secreto
! vault kv metadata put -custom-metadata=env="dev" -custom-metadata=owner="devops" \
    -custom-metadata=team="devops" \
    -custom-metadata=app="myapp" \
    -custom-metadata=version="1.0" \
    -custom-metadata=description="API key for myapp" \
    static/api/key-1

[0mSuccess! Data written to: static/metadata/api/key-1[0m


In [42]:
! vault kv metadata get -format=json static/api/key-1 | jq -r .

[1;39m{
  [0m[1;34m"request_id"[0m[1;39m: [0m[0;32m"8aa2b447-327f-95eb-98b9-6c25def7bf07"[0m[1;39m,
  [0m[1;34m"lease_id"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[1;34m"lease_duration"[0m[1;39m: [0m[0;39m0[0m[1;39m,
  [0m[1;34m"renewable"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
  [0m[1;34m"data"[0m[1;39m: [0m[1;39m{
    [0m[1;34m"cas_required"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
    [0m[1;34m"created_time"[0m[1;39m: [0m[0;32m"2025-05-06T16:45:48.492847429Z"[0m[1;39m,
    [0m[1;34m"current_version"[0m[1;39m: [0m[0;39m1[0m[1;39m,
    [0m[1;34m"custom_metadata"[0m[1;39m: [0m[1;39m{
      [0m[1;34m"app"[0m[1;39m: [0m[0;32m"myapp"[0m[1;39m,
      [0m[1;34m"description"[0m[1;39m: [0m[0;32m"API key for myapp"[0m[1;39m,
      [0m[1;34m"env"[0m[1;39m: [0m[0;32m"dev"[0m[1;39m,
      [0m[1;34m"owner"[0m[1;39m: [0m[0;32m"devops"[0m[1;39m,
      [0m[1;34m"team"[0m[1;39m: [0m[0;32m"devops"[0m[1;39m,
 

Para montar el secreto en el POD usaremos tanto VSO como Vault Agent Injector. Los pasos a seguir serán similares al caso previo:
* Crear una política que de permisos de lectura al path del secreto (tanto datos como metadatos)
* Asociar policy a un K8S Auth Role. Este role asociará la SA de Kubernetes al role.
* VSO:
  * Creación de CRD para sincronizar el secreto a secreto de kubernetes.
  * Creación de POD y montamos el secreto como variable de entorno
* Vault Agent Injector
  * Creación de POD con anotaciones para montar el secreto como fichero.

In [43]:
%%bash
vault policy write api-key-policy - <<EOF
# Para secretos de tipo kv-v2 podemos usar el path del secreto. En este caso damos acceso tanto a los datos como a los metadatos
path "static/+/api/*" {
    capabilities = ["read"]
}
EOF

Success! Uploaded policy: api-key-policy


In [44]:
%%bash
# Creamos un role para el acceso a la API
vault write auth/kubernetes/role/apirole \
    bound_service_account_names=apisa \
    bound_service_account_namespaces=usecase \
    policies=api-key-policy \
    ttl=10m

Success! Data written to: auth/kubernetes/role/apirole


In [45]:
%%bash
# Creamos el service account
kubectl create serviceaccount apisa -n usecase

serviceaccount/apisa created


In [46]:
%%bash
# Creamos el VaultAuth CRD para dar acceso a la API key usando la apisa service account
cat > ${WORKDIR}/vaultauth_api_crd.yaml <<EOF
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  namespace: vault-secrets-operator
  name: apirole
spec:
  vaultConnectionRef: example
  allowedNamespaces: ["usecase"]
  method: kubernetes
  mount: kubernetes

  kubernetes:
    # role to use when authenticating to Vault
    role: apirole
    serviceAccount: apisa

EOF
kubectl apply -f ${WORKDIR}/vaultauth_api_crd.yaml

vaultauth.secrets.hashicorp.com/apirole created


In [47]:
%%bash
## Support KVv1 and KVv2
cat > ${WORKDIR}/static_secret_api.yaml <<EOF
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: usecase
  name: api-key-1
spec:
  vaultAuthRef: vault-secrets-operator/apirole # Usamos el VaultAuth objeto creado antes
  mount: static
  type: kv-v2
  path: api/key-1
  refreshAfter: 60s
  destination:
    create: true
    name: api-key-1
EOF

kubectl apply -f ${WORKDIR}/static_secret_api.yaml

vaultstaticsecret.secrets.hashicorp.com/api-key-1 created


In [48]:
%%bash
cat > ${WORKDIR}/apipod.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: apipod
  namespace: usecase
spec:
  # Usamos la apisa service account
  serviceAccountName: apisa
  containers:
  - name: apipod
    image: nginx
    env:
    - name: API_KEY
      valueFrom:
        secretKeyRef:
          name: api-key-1
          key: key
EOF

kubectl apply -f ${WORKDIR}/apipod.yaml
sleep 10



pod/apipod created


In [49]:
%%bash
# Verificamos que el secreto se ha inyectado correctamente como variable de entorno 
kubectl exec -n usecase apipod -- env | grep API_KEY

API_KEY=0796af05-5a14-4aa3-9494-24652f3f3e92


El ejercicio equivalente con Vault Agent inyector podría realizarse de la siguiente forma

In [50]:
%%bash
cat > $WORKDIR/agent-api-key-1.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: agent-api-key-1
  namespace: usecase
  labels:
    app: agent-api-key-1
spec:
  selector:
    matchLabels:
      app: agent-api-key-1
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: 'apirole'
        vault.hashicorp.com/tls-skip-verify: 'true' # Untrusted cert used here
        # Seleccionamos el secreto de la API key
        vault.hashicorp.com/agent-inject-secret-api-key: "static/data/api/key-1"
        # Renderizamos exclusivamente el valor de la API key
        vault.hashicorp.com/agent-inject-template-api-key: |
          {{- with secret "static/data/api/key-1" -}}
            {{ .Data.data.key }}
          {{- end -}}
      labels:
        app: agent-api-key-1
    spec:
      serviceAccountName: apisa
      containers:
      - name: agent-api-key-1
        image: nginx
EOF

In [51]:
! kubectl apply --filename $WORKDIR/agent-api-key-1.yaml

deployment.apps/agent-api-key-1 created


In [52]:
%%bash
# Esperamos a que el pod esté en estado Running
sleep 10
# Verificamos que la inyección del secreto ha funcionado
kubectl exec -n usecase\
    $(kubectl get pod -n usecase -l app=agent-api-key-1 -o jsonpath="{.items[0].metadata.name}") \
    --container agent-api-key-1 -- cat /vault/secrets/api-key

0796af05-5a14-4aa3-9494-24652f3f3e92

# Almacenando claves de criptografía <a class="anchor" id="crypto"></a>

In [53]:
%%bash
# Generamos un par de claves RSA
# Clave privada
openssl genrsa -out $WORKDIR/private.pem 2048
# Clave pública
openssl rsa -in $WORKDIR/private.pem -pubout -out $WORKDIR/public.pem

writing RSA key


In [54]:
%%bash
# Guardamos las claves privada y pública en Vault
vault kv put static/oauth/client-1 \
    private_key="$(cat $WORKDIR/private.pem)" \
    public_key="$(cat $WORKDIR/public.pem)"

static/data/oauth/client-1

Key                Value
---                -----
created_time       2025-05-06T16:50:00.556179768Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1


In [55]:
# Leemos el secreto de vuelta
! vault kv get -format=json static/oauth/client-1 | jq -r .


[1;39m{
  [0m[1;34m"request_id"[0m[1;39m: [0m[0;32m"749e2a40-67fb-1882-3f94-7033861b2fbc"[0m[1;39m,
  [0m[1;34m"lease_id"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[1;34m"lease_duration"[0m[1;39m: [0m[0;39m0[0m[1;39m,
  [0m[1;34m"renewable"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
  [0m[1;34m"data"[0m[1;39m: [0m[1;39m{
    [0m[1;34m"data"[0m[1;39m: [0m[1;39m{
      [0m[1;34m"private_key"[0m[1;39m: [0m[0;32m"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDN9Bq523OAj9Mj\nUFXhUHXo+Qq4mi8jTAsWOQUWxy2qnxKlhtLfN6vvjKcON9vRYxz8CB9EpAzmRVY9\n+WWAKWIvAtIqqI+oxwZ2ZNb96uA21lULFiigvfoQTzwAt81DbSIx4xS372tMgAMb\n2Fgyl5kthGfE932PIScOxMFy0u++zS+TlsMJPLPupqPMe7hoRzi5yXtLXSOSGA78\nlMOd/0lizAytxqkVqWzZLS5U9ykmMknk63qeawhI4vzrfTIQkhlGH4mFHBK9FuiA\nb25q58HKFRF2R4PzpGrvhXRophsUuYgdmKrtAOsPiLC08u0oW0b1JvwS1WNZ/jx5\nokFklYVVAgMBAAECggEAPYZgvYj7Vjqg/nmvTiH1N2W+eCtHTaoX3cmm5YkW8VOY\nBG7ka957tJI2DZ9OQZz0Oa5LePvxBpFMFDN+yOyT8itLkYbNc8QRAClbuH

In [56]:
%%bash
# Creamos una policy para el acceso a los secretos de OAuth
vault policy write oauth-policy - <<EOF 
# Para secretos de tipo kv-v2 podemos usar el path del secreto. En este caso damos acceso tanto a los datos como a los metadatos
path "static/+/oauth/*" {
    capabilities = ["read"]
}
EOF

Success! Uploaded policy: oauth-policy


In [57]:
%%bash
# Creamos el role para el acceso a los secretos
vault write auth/kubernetes/role/oauth-role \
    bound_service_account_names=oauthsa \
    bound_service_account_namespaces=usecase \
    policies=oauth-policy \
    ttl=10m

Success! Data written to: auth/kubernetes/role/oauth-role


In [58]:
# Creamos el service account
! kubectl create serviceaccount oauthsa -n usecase

serviceaccount/oauthsa created


### VSO

VaultAuth para el role oauth-role y service account oauthsa

In [59]:
%%bash
# Creamos el VaultAuth CRD para dar acceso a la API key usando la apisa service account
cat > ${WORKDIR}/vaultauth_oauth_crd.yaml <<EOF
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  namespace: vault-secrets-operator
  name: oauth-role
spec:
  vaultConnectionRef: example
  allowedNamespaces: ["usecase"]
  method: kubernetes
  mount: kubernetes

  kubernetes:
    # role to use when authenticating to Vault
    role: oauth-role
    serviceAccount: oauthsa

EOF
kubectl apply -f ${WORKDIR}/vaultauth_oauth_crd.yaml

vaultauth.secrets.hashicorp.com/oauth-role created


Sincronizamos el secreto usando el VaultAuth previo

In [60]:
%%bash

cat > ${WORKDIR}/oauth_secret.yaml <<EOF
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: usecase
  name: oauth
spec:
  vaultAuthRef: vault-secrets-operator/oauth-role
  mount: static
  type: kv-v2
  # Usamos el path del secreto
  path: oauth/client-1
  destination:
    create: true
    name: oauth
EOF

kubectl apply -f ${WORKDIR}/oauth_secret.yaml


vaultstaticsecret.secrets.hashicorp.com/oauth created


Montamos los secretos en un POD

In [61]:
%%bash
cat > ${WORKDIR}/pod_oauth.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pod-oauth
  namespace: usecase
spec:
  containers:
  - name: pod-oauth
    image: redis
    volumeMounts:
    - name: pod-oauth
      mountPath: "/etc/oauth"
      readOnly: true
  volumes:
  - name: pod-oauth
    secret:
      secretName: oauth
      optional: true
EOF

# Despliega el POD
kubectl apply -f ${WORKDIR}/pod_oauth.yaml

pod/pod-oauth created


Chequeamos el secreto

In [62]:
%%bash
# Espera a que despliegue
sleep 10 
# Chequea secretos
kubectl exec pod-oauth -n usecase  -- ls /etc/oauth/
echo ""
echo "------"
kubectl exec pod-oauth -n usecase -- cat /etc/oauth/private_key
echo "------"
kubectl exec pod-oauth -n usecase -- cat /etc/oauth/public_key

_raw
private_key
public_key

------
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDN9Bq523OAj9Mj
UFXhUHXo+Qq4mi8jTAsWOQUWxy2qnxKlhtLfN6vvjKcON9vRYxz8CB9EpAzmRVY9
+WWAKWIvAtIqqI+oxwZ2ZNb96uA21lULFiigvfoQTzwAt81DbSIx4xS372tMgAMb
2Fgyl5kthGfE932PIScOxMFy0u++zS+TlsMJPLPupqPMe7hoRzi5yXtLXSOSGA78
lMOd/0lizAytxqkVqWzZLS5U9ykmMknk63qeawhI4vzrfTIQkhlGH4mFHBK9FuiA
b25q58HKFRF2R4PzpGrvhXRophsUuYgdmKrtAOsPiLC08u0oW0b1JvwS1WNZ/jx5
okFklYVVAgMBAAECggEAPYZgvYj7Vjqg/nmvTiH1N2W+eCtHTaoX3cmm5YkW8VOY
BG7ka957tJI2DZ9OQZz0Oa5LePvxBpFMFDN+yOyT8itLkYbNc8QRAClbuHsEBB2/
RhKWjH50R48EA8rkvPHLN0/5DoGtcisDwru8jVCQZ/KX9VVh4vIqctUAXUb6a+ri
xRYkOyXN5svDur3OL7RjqXpYgY/8sPz6fDXR4LrsE+kSDc3f258V38EfU9qqD5pN
2oF+pwFs5wGn4HECY+WcHBYRvtLKByCBaSp/Z+BARngi6hXf0dVeJDlTl/kPq+TY
gwfdFD4tigU6d9KiPjBhAqlRrs0zhUy2MKvbEo79uQKBgQDqhK0T4T0N/7GYleIj
IfRyrm3E/NjhxGDjy7RD29l8mBJc2s4D3ptw9TQpll03CmFjCoZ6Qz9nWK6RZm/G
yAWVrl0zZ8s9ySw6L6jCqNIlXStx9o+Wd91pLntWawMbFvCXhbbodkIA6e1iJiFG
2V7mtiDIu3EOttutxjoZgcuF5w

### Vault Agent

In [63]:
%%bash
cat > $WORKDIR/agent-oauth-1.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth-client
  namespace: usecase
  labels:
    app: oauth-client
spec:
  selector:
    matchLabels:
      app: oauth-client
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: "oauth-role"
        vault.hashicorp.com/tls-skip-verify: 'true' # Untrusted cert used here
        vault.hashicorp.com/agent-inject-template-private-key: |
          {{- with secret "static/data/oauth/client-1" -}}
          {{ .Data.data.private_key }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-template-public-key: |
          {{- with secret "static/data/oauth/client-1" -}}
          {{ .Data.data.public_key }}
          {{- end -}}
      labels:
        app: oauth-client
    spec:
      serviceAccountName: oauthsa
      containers:
      - name: oauth-client
        image: nginx
EOF

In [64]:
%%bash
kubectl apply --filename $WORKDIR/agent-oauth-1.yaml
sleep 10

deployment.apps/oauth-client created


In [65]:
%%bash
kubectl exec -n usecase \
    $(kubectl get pod -n usecase -l app=oauth-client -o jsonpath="{.items[0].metadata.name}") \
    -- cat /vault/secrets/private-key

kubectl exec -n usecase \
    $(kubectl get pod -n usecase -l app=oauth-client -o jsonpath="{.items[0].metadata.name}") \
    -- cat /vault/secrets/public-key

Defaulted container "oauth-client" out of: oauth-client, vault-agent, vault-agent-init (init)


-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDN9Bq523OAj9Mj
UFXhUHXo+Qq4mi8jTAsWOQUWxy2qnxKlhtLfN6vvjKcON9vRYxz8CB9EpAzmRVY9
+WWAKWIvAtIqqI+oxwZ2ZNb96uA21lULFiigvfoQTzwAt81DbSIx4xS372tMgAMb
2Fgyl5kthGfE932PIScOxMFy0u++zS+TlsMJPLPupqPMe7hoRzi5yXtLXSOSGA78
lMOd/0lizAytxqkVqWzZLS5U9ykmMknk63qeawhI4vzrfTIQkhlGH4mFHBK9FuiA
b25q58HKFRF2R4PzpGrvhXRophsUuYgdmKrtAOsPiLC08u0oW0b1JvwS1WNZ/jx5
okFklYVVAgMBAAECggEAPYZgvYj7Vjqg/nmvTiH1N2W+eCtHTaoX3cmm5YkW8VOY
BG7ka957tJI2DZ9OQZz0Oa5LePvxBpFMFDN+yOyT8itLkYbNc8QRAClbuHsEBB2/
RhKWjH50R48EA8rkvPHLN0/5DoGtcisDwru8jVCQZ/KX9VVh4vIqctUAXUb6a+ri
xRYkOyXN5svDur3OL7RjqXpYgY/8sPz6fDXR4LrsE+kSDc3f258V38EfU9qqD5pN
2oF+pwFs5wGn4HECY+WcHBYRvtLKByCBaSp/Z+BARngi6hXf0dVeJDlTl/kPq+TY
gwfdFD4tigU6d9KiPjBhAqlRrs0zhUy2MKvbEo79uQKBgQDqhK0T4T0N/7GYleIj
IfRyrm3E/NjhxGDjy7RD29l8mBJc2s4D3ptw9TQpll03CmFjCoZ6Qz9nWK6RZm/G
yAWVrl0zZ8s9ySw6L6jCqNIlXStx9o+Wd91pLntWawMbFvCXhbbodkIA6e1iJiFG
2V7mtiDIu3EOttutxjoZgcuF5wKBgQDg0ZnguSQC+UPv2hS4RbArg92bvNg6J4

Defaulted container "oauth-client" out of: oauth-client, vault-agent, vault-agent-init (init)


-----END PRIVATE KEY----------BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfQaudtzgI/TI1BV4VB1
6PkKuJovI0wLFjkFFsctqp8SpYbS3zer74ynDjfb0WMc/AgfRKQM5kVWPfllgCli
LwLSKqiPqMcGdmTW/ergNtZVCxYooL36EE88ALfNQ20iMeMUt+9rTIADG9hYMpeZ
LYRnxPd9jyEnDsTBctLvvs0vk5bDCTyz7qajzHu4aEc4ucl7S10jkhgO/JTDnf9J
YswMrcapFals2S0uVPcpJjJJ5Ot6nmsISOL8630yEJIZRh+JhRwSvRbogG9uaufB
yhURdkeD86Rq74V0aKYbFLmIHZiq7QDrD4iwtPLtKFtG9Sb8EtVjWf48eaJBZJWF
VQIDAQAB
-----END PUBLIC KEY-----

# Operaciones de Criptografía usando la Transit Secret Engine <a class="anchor" id="transit"></a>

In [66]:
! vault secrets enable transit

[0mSuccess! Enabled the transit secrets engine at: transit/[0m


In [67]:
! vault write -f transit/keys/orders exportable=true

[0mKey                       Value
---                       -----
allow_plaintext_backup    false
auto_rotate_period        0s
deletion_allowed          false
derived                   false
exportable                true
imported_key              false
keys                      map[1:1746550354]
latest_version            1
min_available_version     0
min_decryption_version    1
min_encryption_version    0
name                      orders
supports_decryption       true
supports_derivation       true
supports_encryption       true
supports_signing          false
type                      aes256-gcm96[0m


### Encrypt/Decrypt

In [68]:
%%bash
# ENCRYPT
vault write transit/encrypt/orders plaintext=$(base64 <<< "4111 1111 1111 1111") -format=json | jq -r .data.ciphertext

export CIPHERTEXT=$(vault write transit/encrypt/orders plaintext=$(base64 <<< "4111 1111 1111 1111") -format=json | jq -r .data.ciphertext)

# DECRYPT
vault write transit/decrypt/orders ciphertext=$CIPHERTEXT -format=json | jq -r .data.plaintext | base64 -d

vault:v1:uOoj7zdGdOiBEGspifmhEUao1JFqSutc2xsslUqAfEafS5i7lYOR181EldD9uQVW
4111 1111 1111 1111


In [69]:
%%bash
# update encryption key
vault write -f transit/keys/orders/rotate 

Key                       Value
---                       -----
allow_plaintext_backup    false
auto_rotate_period        0s
deletion_allowed          false
derived                   false
exportable                true
imported_key              false
keys                      map[1:1746550354 2:1746550388]
latest_version            2
min_available_version     0
min_decryption_version    1
min_encryption_version    0
name                      orders
supports_decryption       true
supports_derivation       true
supports_encryption       true
supports_signing          false
type                      aes256-gcm96


In [70]:
%%bash
export CIPHERTEXT=$(vault write transit/encrypt/orders plaintext=$(base64 <<< "4111 1111 1111 1111") -format=json | jq -r .data.ciphertext)
echo $CIPHERTEXT
# DECRYPT
vault write transit/decrypt/orders ciphertext=$CIPHERTEXT -format=json | jq -r .data.plaintext | base64 -d

vault:v2:68649fVLphD70G/PNjR4qTagGWakhjSKpg9IdRhsKtOn5tpDBlVqKM9GfHB9//XD
4111 1111 1111 1111


In [71]:
%%bash
# update encryption key
vault write -f transit/keys/orders/rotate 

Key                       Value
---                       -----
allow_plaintext_backup    false
auto_rotate_period        0s
deletion_allowed          false
derived                   false
exportable                true
imported_key              false
keys                      map[1:1746550354 2:1746550388 3:1746550406]
latest_version            3
min_available_version     0
min_decryption_version    1
min_encryption_version    0
name                      orders
supports_decryption       true
supports_derivation       true
supports_encryption       true
supports_signing          false
type                      aes256-gcm96


In [72]:
%%bash
# Set minimum decryption version
vault write transit/keys/orders/config min_decryption_version=3 

Key                       Value
---                       -----
allow_plaintext_backup    false
auto_rotate_period        0s
deletion_allowed          false
derived                   false
exportable                true
imported_key              false
keys                      map[3:1746550406]
latest_version            3
min_available_version     0
min_decryption_version    3
min_encryption_version    0
name                      orders
supports_decryption       true
supports_derivation       true
supports_encryption       true
supports_signing          false
type                      aes256-gcm96


Intentamos descifran un cyphertext creado usando la versión 2, como hemos definido la versión 3 como  la última a utilizar para desencriptar, la función nos devuelve un error

In [73]:
%%bash
# DECRYPT
export CIPHERTEXT="vault:v2:9WWxS1FxVF+pOmmCc5asxFYqDGJ4B+Cly2mMI2Rpi5MkUC9BuJPtmNduoMOucGAU"
vault write transit/decrypt/orders ciphertext=$CIPHERTEXT -format=json | jq -r .data.plaintext | base64 -d

Error writing data to transit/decrypt/orders: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/transit/decrypt/orders
Code: 400. Errors:

* ciphertext or signature version is disallowed by policy (too old)


### Signing

In [74]:
! vault write -f  transit/keys/signature type=rsa-4096

[0mKey                       Value
---                       -----
allow_plaintext_backup    false
auto_rotate_period        0s
deletion_allowed          false
derived                   false
exportable                false
imported_key              false
keys                      map[1:map[certificate_chain: creation_time:2025-05-06T16:53:49.377697801Z name:rsa-4096 public_key:-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAybp2mMJX1qFcWwzcgY/1
dbIMoOsXZeWfY/qxCCrMU94cjaaVppj6ieWYUtICy0IUOekN2RTE1XdrOkx2A/Iq
pKxb0HwgP52YayyZILkdQG0XSkSGOYqibpENj4L7y+rSyDC4Li591fiQXM0R8B5q
cwRBEtcq+Zf2ioPausmgbvTdecdIQvx6wMqi3NXWPu1FKRGlJ3fWo2ZS70BJUb4l
218uXXEDIzNxmCgfTrVdfifBBNqwNeHdCnr+D2i2qbKGXCUYf/EysgxqWL6LoY1J
/fJTw3xc+6qfD6lTfAcbUMBj3wy1yRt5vaVrOglCXdSsQxmuCiOCCqAbYMlAYV26
qXpkO8bzRglbKbe6OKX43s3Wq88hILIG3BwCIY1dSatiSb0KgbeGra7h/9WAdZcf
NuNLUkdtTnmQKq9FQMdlpGTFmTitiPj9GYth5NPWW9BdYlCfZg+JLx1ZZ+iOF+oC
BvBHXzRlSY3YWKI/U1y+krQLpJBvE2741E2YUJsvk8u6cBze5lDpaQVMVsfDR3xA
RkOChQ

In [75]:
%%bash
INPUT=$(echo -n "un string no muy largo" | base64)
# Operación de firma
SIGNATURE=$(vault write -format=json transit/sign/signature input=$INPUT hash_algorithm=sha2-256 -format=json | jq -r .data.signature)
echo $SIGNATURE

# Verificación de firma
vault write transit/verify/signature input=$INPUT signature=$SIGNATURE  hash_algorithm=sha2-256

vault:v1:Yct4EQ34pnumtRP8+oXhul55LPZVvUWvIihEQs2iqGExMwre5J2SYop+mtLLyJPQc/37vIPkigOIGuw8us9XWS8ECyzVXVGCqGFcC7oR8kaT9Uvm0qdjPmxzN0tPtrTIbrNaIIiS5QP4bgdX25A8xXTe4ljckPnjnv8fDIGLWNhYCGoO7U6OKdf4H0JXDOMEAa/V/O6DqHZpFdeGaSUoaFG2zUyDKH6J5GlBBym5NNRRuB+LGFbg0rnXvMY8hr3ChY1RM7+Zi9UITiQr1eqxTA3ZVsrNkml5l8tHoGWPLMwT4nKYe/f/klCbk7R8BYYBDDv60vqS6eD4gfP3BKNfhdYCxHAXB0XA5SM8VmZ+Lf9YZiVqJp8uxhIGmizbKOL7o8gg+o7G9c8UKBUos2RDviIKFk45tF41fFBqjS0jNjt5IzKs2EJ9gx5xbaUR6czyF2vGFG8f9iJIOQHCvY+4tMpVZg9cfaUkmMAXcVH0+j1DNx6/dh+tsJ4WKt+4lJ3FKiRLJEsPeZRHp4FEG4kzTd4RvZ6w2yZZk6ClEwHh7FAZ2J6sjZDigupX+5H5PZzsea9I5lyLxSsf5bRnLqUGh3S3WK8YmQ9wvQVmUieGzsTFD1N1bFhbEcndvAwuVIdBJJ5fWHfn6KeatG4Hz4cDiVLWB5fl3DK58k4qWUJYLUU=
Key      Value
---      -----
valid    true
