# HashiCorp Vault Demo for Vault Secrets Operator - Using Vault to sync secrets to K8s as the last mile provider to Applications

This demo shows how HashiCorp Vault Secrets Operator works. This will be using the dynamic secrets engine for PostgreSQL as an example.  The PostgreSQL generated shortlived credentials will be synced to K8s secrets using the Vault Secrets Operator.

In this demo, the following Custom Resource Definitions (CRDs) are used:
- VaultConnection (for connecting to Vault)
- VaultAuth (for authenticating to Vault)
- VaultDynamicSecret (for synchronizing with dynamic secrets)

As part of VaultAuth, we will also be showing how the Vault transit engine can be used to encrypt the client storage cache within Kubernetes objects.

Ref: https://developer.hashicorp.com/vault/docs/platform/k8s/vso/api-reference#storageencryption

There are also other CRDs that provide other functionality such as:
- VaultStaticSecret (for synchronizing with k2-v1 and k2-v2 static secrets)
- VaultPKISecret (for synchronizing with PKI secrets)

Ref: https://developer.hashicorp.com/vault/docs/platform/k8s/vso



## Setup of the Demo

This setup is tested on MacOS and is meant to simulate a distributed setup.  The components used in this demo are:
- Vault Enterprise installed on docker (to simulate an external Vault)
- PostgreSQL installed on docker (to simulate an external PostgreSQL database for the Dynamic secrets)
- Minikube (to simulate a K8s cluster.  Vault will be syncing the dynamic secret to K8s secrets for the application pods to use.)

Note that we will be using the docker and minikube routing to the host machine for communication between the docker Vault pod and the Kubernetes cluster.  The host machine will function as a network bridge for communication.

## Requirements to Run This Demo
You will need Visual Studio Code to be installed with the Jupyter plugin.  To run this notebook in VS Code, chose the Jupyter kernel and then Bash.
- To run the current cell, use Ctrl + Enter.
- To run the current cell and advance to the next, use Shift+Enter.

# Setup Pre-requisites (One-time)

Assumes you have docker installed and brew installed

- https://docs.docker.com/desktop/install/mac-install/
- https://brew.sh/

In [None]:
# Install minikube
brew install minikube

In [None]:
# Install Kubectl CLI
brew install kubernetes-cli

In [None]:
# Install Helm CLI.  This is used to install the VSO helm chart.
brew install helm

In [None]:
# Install K9s.  This is a nice console GUI for K8s.  https://k9scli.io/
brew install K9s

# Setting Up the Vault, PostgreSQL servers and K8s cluster

In [360]:
# For this demo, we will be simulating a Vault server that is hosted external from the K8s cluster.  i.e. in Docker.
export VAULT_PORT=8200
export VAULT_ADDR="http://127.0.0.1:${VAULT_PORT}"
export VAULT_TOKEN="root"

# Change the path to your license file
export VAULT_LICENSE=$(cat $HOME/vault-enterprise/vault_local/data/vault.hclic)

# Refresh Vault docker image with latest version
#docker pull hashicorp/vault-enterprise

# Run Vault in docker in Dev mode with Enterprise license.
# We have set VAULT_LOG_LEVEL to trace for troubleshooting purposes.  This will allow you to view detailed information as you test.
docker run -d --rm --name vault-enterprise --cap-add=IPC_LOCK \
-v $LOGS_PATH:/vault_logs \
-e "VAULT_DEV_ROOT_TOKEN_ID=${VAULT_TOKEN}" \
-e "VAULT_DEV_LISTEN_ADDRESS=:${VAULT_PORT}" \
-e "VAULT_LICENSE=${VAULT_LICENSE}" \
-e "VAULT_LOG_LEVEL=trace" \
-p ${VAULT_PORT}:${VAULT_PORT} \
-p 5696:5696 hashicorp/vault-enterprise:latest

a1be49008f89aba3d0b7e3414403a59ecb80dd70717987621a0eb4d7f63dd1bf


In [361]:
# Optional: You can enable file audit device for more information
docker exec -it vault-enterprise /bin/sh -c "mkdir /var/log/vault.d"
docker exec -it vault-enterprise /bin/sh -c "touch /var/log/vault.d/vault_audit.log"
docker exec -it vault-enterprise /bin/sh -c "chown -R vault:vault /var/log/vault.d"
vault audit enable file file_path=/var/log/vault.d/vault_audit.log

# You can run the following command in the container terminal to follow the logs
# tail -f /var/log/vault.d/vault_audit.log
# Or you can run it from outside on your host machine
# docker exec -it vault-enterprise /bin/sh -c "tail -f /var/log/vault.d/vault_audit.log"
# Use Ctrl + C to break

[0mSuccess! Enabled the file audit device at: file/[0m


In [362]:
# Start minikube
minikube start

* minikube v1.31.1 on Darwin 13.4.1 (arm64)
* Automatically selected the docker driver. Other choices: vmware, ssh
* Using Docker Desktop driver with root privileges
* Starting control plane node minikube in cluster minikube
* Pulling base image ...
* Creating docker container (CPUs=2, Memory=7803MB) ...[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K
* Preparing Kubernetes v1.27.3 on Docker 24.0.4 ...[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K

In [363]:
# Run a PostgreSQL database for the Dynamic Secret engine
export PG_ADMIN_NAME=root
export PG_ADMIN_PASSWORD=mypassword
export PG_PORT=5432

docker run --name postgres \
     -p $PG_PORT:$PG_PORT \
     --rm \
     -e POSTGRES_USER=$PG_ADMIN_NAME \
     -e POSTGRES_PASSWORD=$PG_ADMIN_PASSWORD \
     -d postgres

41ef2e71e2ecb41a45c874d3f6714ff38016ac1bee32058c5a92c711653af541


In [364]:
# Verify Vault, minikube, and PostgreSQL containers are running
docker ps

CONTAINER ID   IMAGE                                 COMMAND                  CREATED              STATUS              PORTS                                                                                                                                  NAMES
41ef2e71e2ec   postgres                              "docker-entrypoint.s…"   2 seconds ago        Up 1 second         0.0.0.0:5432->5432/tcp                                                                                                                 postgres
bb6d89a82649   gcr.io/k8s-minikube/kicbase:v0.0.40   "/usr/local/bin/entr…"   About a minute ago   Up About a minute   127.0.0.1:56295->22/tcp, 127.0.0.1:56296->2376/tcp, 127.0.0.1:56298->5000/tcp, 127.0.0.1:56299->8443/tcp, 127.0.0.1:56297->32443/tcp   minikube
a1be49008f89   hashicorp/vault-enterprise:latest     "docker-entrypoint.s…"   About a minute ago   Up About a minute   0.0.0.0:5696->5696/tcp, 0.0.0.0:8200->8200/tcp                                                 

# Configure PostgreSQL Database for Dynamic Secrets

In [365]:
# Setup psql alias to the container to make it easier to do CLI commands to the postgresql pod
alias psql="docker exec -it postgres psql"

In [366]:
# Configure the name of the database role used for the Vault database engine
export PGROLE=readonly

# Drop database role if it exists
#psql -U $PG_ADMIN_NAME -c "DROP ROLE \"$PGROLE\";"

# Create a database role for Vault database engine to use
psql -U $PG_ADMIN_NAME -c "CREATE ROLE \"$PGROLE\" NOINHERIT;"

# Grant the ability to read all tables to the role
psql -U $PG_ADMIN_NAME -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"$PGROLE\";"

# list users and roles and verify that the role is created
psql -U $PG_ADMIN_NAME -c '\x auto;' -c "\dg"

CREATE ROLE
GRANT
Expanded display is used automatically.
List of roles
-[ RECORD 1 ]----------------------------------------------------------
Role name  | readonly
Attributes | No inheritance, Cannot login
Member of  | {}
-[ RECORD 2 ]----------------------------------------------------------
Role name  | root
Attributes | Superuser, Create role, Create DB, Replication, Bypass RLS
Member of  | {}



# Enable the Database Secrets Engine

In [367]:
# Set the name of the PostgreSQL Database Secret path
export DBPATH=database

# Disable the database engine if it is there
vault secrets disable $DBPATH

# Enable the database secrets engine at the "database/" path
vault secrets enable -path $DBPATH database

[0mSuccess! Disabled the secrets engine (if it existed) at: database/[0m
[0mSuccess! Enabled the database secrets engine at: database/[0m


In [368]:
# As both Vault and PostgreSQL is running on docker, Vault will be connecting to PostgreSQL via the docker bridge network
# Obtain IP address of the postgres database for configuration
export POSTGRES_DB_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' postgres)
echo "Postgres IP Address is: $POSTGRES_DB_IP"
echo "Database Engine Path is: $DBPATH"
echo "Postgres Role is: $PGROLE"
echo "Postgres Admin Username is: $PG_ADMIN_NAME"
echo "Postgres Admin Password is: $PG_ADMIN_PASSWORD"

# Configure the database secrets engine with the connection credentials for the PostgreSQL database.
vault write $DBPATH/config/postgresql \
     plugin_name=postgresql-database-plugin \
     connection_url="postgresql://{{username}}:{{password}}@$POSTGRES_DB_IP/postgres?sslmode=disable" \
     allowed_roles=$PGROLE \
     username="$PG_ADMIN_NAME" \
     password="$PG_ADMIN_PASSWORD"

Postgres IP Address is: 172.17.0.3
Database Engine Path is: database
Postgres Role is: readonly
Postgres Admin Username is: root
Postgres Admin Password is: mypassword
[0mSuccess! Data written to: database/config/postgresql[0m


In [369]:
# Define the SQL used to create the database role.
tee readonly.sql <<EOF
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' INHERIT;
GRANT readonly TO "{{name}}";
EOF

# Create the dyanamic database role that creates credentials with the readonly.sql.
# Using the same role name as the PostgreSQL role.  You can use a different name if needed.
# Set TTL of credential to 30 secs and the max TTL to 120 secs for this demo
echo "Database Engine Path is: $DBPATH"
echo "Postgres Role is: $PGROLE"
vault write $DBPATH/roles/$PGROLE \
      db_name=postgresql \
      creation_statements=@readonly.sql \
      default_ttl=30s \
      max_ttl=120s

# Remove the readonly.sql file
rm readonly.sql

CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' INHERIT;
GRANT readonly TO "{{name}}";
Database Engine Path is: database
Postgres Role is: readonly
[0mSuccess! Data written to: database/roles/readonly[0m


In [370]:
# Read credentials from the readonly database role
echo "Database Engine Path is: $DBPATH"
echo "Postgres Role is: $PGROLE"
results=$(vault read -format=json $DBPATH/creds/$PGROLE)
echo $results | jq

Database Engine Path is: database
Postgres Role is: readonly
[1;39m{
  [0m[34;1m"request_id"[0m[1;39m: [0m[0;32m"c842ba8e-83da-1b37-dee3-abfc02f19898"[0m[1;39m,
  [0m[34;1m"lease_id"[0m[1;39m: [0m[0;32m"database/creds/readonly/bxm052FI7t5GyKd99WSntJUV"[0m[1;39m,
  [0m[34;1m"lease_duration"[0m[1;39m: [0m[0;39m30[0m[1;39m,
  [0m[34;1m"renewable"[0m[1;39m: [0m[0;39mtrue[0m[1;39m,
  [0m[34;1m"data"[0m[1;39m: [0m[1;39m{
    [0m[34;1m"password"[0m[1;39m: [0m[0;32m"iCYylhvsJwRKVqwN1P-O"[0m[1;39m,
    [0m[34;1m"username"[0m[1;39m: [0m[0;32m"v-token-readonly-4F3svBVFzltkAgbI0hKE-1693388712"[0m[1;39m
  [1;39m}[0m[1;39m,
[1;39m}[0m


In [371]:
# Obtain dynamic postgres username and password
export PGPASSWORD=$(echo $results | jq .data.password -r)
export PGUSER=$(echo $results | jq .data.username -r)
echo "Dynamic PostgreSQL username: $PGUSER"
echo "Dynamic PostgreSQL password: $PGPASSWORD"

# Connect to the postgres database using the dynamic credentials and show the connection information
# Re-run after 30s to show that the credentials has expired
psql "postgresql://$PGUSER:$PGPASSWORD@127.0.0.1/postgres" -c "\conninfo"

# You can also open the Docker dashboard and show the logs in the vault-enterprise container.  You should see the expiration of the credentials.

Dynamic PostgreSQL username: v-token-readonly-4F3svBVFzltkAgbI0hKE-1693388712
Dynamic PostgreSQL password: iCYylhvsJwRKVqwN1P-O
You are connected to database "postgres" as user "v-token-readonly-4F3svBVFzltkAgbI0hKE-1693388712" on host "127.0.0.1" at port "5432".


# Setup Vault Secrets Operator

## Configure Kubernetes namespace, service account, and token first

In [372]:
# Setup environment variables for K8s configuration

# Specify the namespace of the secrets and demo apps
export KUBENAMESPACE=demo-ns

# Name of K8s service account used to authenticate to Vault for the dynamic database secret.
export KUBESVCACCOUNT=vault-svc-account

# Name of the K8s service account token used for verification when Vault connects to minikube for K8s JWT auth
# This is required as Vault is external from the K8s
export KUBESVCACCOUNTTOKEN=vault-token-demo

# Since Vault is running on the host in docker.  From minikube, we will use the host DNS entry to connect back to the host to access Vault.
# Note that this is currently fine as we do not have TLS configured on Vault. 
# If TLS is on, you need a proper DNS name and certificate configured.
export MINIKUBEVAULTADDRESS=http://host.minikube.internal:8200

In [373]:
# Delete namespace if it exists
#kubectl delete ns $KUBENAMESPACE

# Create a new K8s namespace for this demo
echo "Creating K8s namespace: $KUBENAMESPACE"
kubectl create ns $KUBENAMESPACE

Creating K8s namespace: demo-ns
namespace/demo-ns created


In [374]:
# Create a K8s service account for Vault to use
echo "K8s namespace: $KUBENAMESPACE"
echo "K8s Service Account: $KUBESVCACCOUNT"
kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $KUBESVCACCOUNT
  namespace: $KUBENAMESPACE
EOF

K8s namespace: demo-ns
K8s Service Account: vault-svc-account
serviceaccount/vault-svc-account created


In [375]:
# Create a service token for Vault to use in the K8s auth method and store it as a K8s secret
echo "K8s namespace: $KUBENAMESPACE"
echo "K8s Service Account Token: $KUBESVCACCOUNTTOKEN"
kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $KUBESVCACCOUNTTOKEN
  namespace: $KUBENAMESPACE
  annotations:
    kubernetes.io/service-account.name: $KUBESVCACCOUNT
type: kubernetes.io/service-account-token
EOF

K8s namespace: demo-ns
K8s Service Account Token: vault-token-demo
secret/vault-token-demo created


In [376]:
# As the Vault Server is running externally, create a clusterRoleBinding for
# the namespace and service account used with the "system:auth-delegator" ClusterRole
# This step is important otherwise the K8s authentication configured later will fail.
kubectl create -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: $KUBENAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: $KUBESVCACCOUNT
    namespace: $KUBENAMESPACE
EOF

clusterrolebinding.rbac.authorization.k8s.io/role-tokenreview-binding created


## Configure Vault Kubernetes Authentication

In [377]:
# Set the K8s auth path for the minikube cluster
export K8SAUTHPATH=kubernetes-minikube
# Role name to be used by minikube to read dynamic secrets
export K8SROLE=auth-role-minikube

# Disable K8s auth method if it exists
vault auth disable $K8SAUTHPATH
# Enable K8s auth method
vault auth enable -path $K8SAUTHPATH kubernetes

[0mSuccess! Disabled the auth method (if it existed) at: kubernetes-minikube/[0m
[0mSuccess! Enabled kubernetes auth method at: kubernetes-minikube/[0m


In [378]:
# For demo purposes, we will be setting the TTL on the K8s auth method to 30s and the max TTL to 60s.
# We will be using the auth role TTL for testing.
# This will be required to show how the VSO persistence caching works later on
vault write sys/auth/$K8SAUTHPATH/tune default_lease_ttl=30s max_lease_ttl=60s

vault read sys/auth/$K8SAUTHPATH/tune

[0mSuccess! Data written to: sys/auth/kubernetes-minikube/tune[0m
[0mKey                  Value
---                  -----
default_lease_ttl    30s
description          n/a
force_no_cache       false
max_lease_ttl        1m
token_type           default-service[0m


In [379]:
# As Vault will be connecting to the K8s cluster (minikube), we will need to make sure that it is connecting on a valid URL
# as the minikube CA has configured the following DNS entries on the certificate:
# control-plane.minikube.internal, kubernetes.default.svc.cluster.local, kubernetes.default.svc, kubernetes.default, kubernetes, localhost
# For this demo, we will use "kubernetes.default"

# First Get the IP address of host.docker.internal using nslookup
# last sed command is to strip the extra ^M character at the end of the string.
export DOCKERHOSTIP=$(docker exec -it vault-enterprise nslookup host.docker.internal | tail -n +3 | sed -n 's/Address:\s*//p' | sed 's/.$//')
echo "Docker Host IP address is: $DOCKERHOSTIP"
# Add the IP of host.docker.internal to the /etc/hosts file and map it to kubernetes.default
echo "Updating Vault's /etc/hosts file to add IP of host.docker.internal and mapping it to kubernetes.default" 
docker exec -it -e DOCKERHOSTIP="$DOCKERHOSTIP" vault-enterprise /bin/sh -c "echo $DOCKERHOSTIP kubernetes.default >> /etc/hosts"


Docker Host IP address is:  192.168.65.254
Updating Vault's /etc/hosts file to add IP of host.docker.internal and mapping it to kubernetes.default


In [380]:
# Prepare information needed for Kubernetes Auth Configuration

# 1. Get JWT token for Vault K8s Auth configuration
export JWT_TOKEN_DEFAULT_DEMONS=$(kubectl get secret -n $KUBENAMESPACE $KUBESVCACCOUNTTOKEN --output='go-template={{ .data.token }}' | base64 --decode)
echo "Token for \"$KUBESVCACCOUNT\" service account in \"$KUBENAMESPACE\" namespace is:"
echo $JWT_TOKEN_DEFAULT_DEMONS
echo
# You can view the JWT token information using http://calebb.net/

# 2. Obtain kubernetes API URL
# First get the internal API URL
export KUBE_INT_API=$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}')
# replace KUBE API external address 127.0.0.1 with configured "kubernetes.default" DNS entry.
# This will allow docker pods to connect back to the K8s
export KUBE_EXT_API=$(echo $KUBE_INT_API | sed "s/127.0.0.1/kubernetes.default/g")
# Get the K8s CA Cert
export KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
echo "Kubernetes API server - Internal: $KUBE_INT_API"
echo "Kubernetes API server - External (used by Vault): $KUBE_EXT_API"
echo "Kubernetes CA Cert: $KUBE_CA_CERT"

Token for "vault-svc-account" service account in "demo-ns" namespace is:
eyJhbGciOiJSUzI1NiIsImtpZCI6Imw1VExpdWtzQnJnckM5cXRBZ1VjR2k4U2ZBOWF1WlNsN2U3ZGlpaF85eGsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vLW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InZhdWx0LXRva2VuLWRlbW8iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidmF1bHQtc3ZjLWFjY291bnQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI5ODlkYzBhZC02N2Q2LTRhOTEtOGU0Zi03OTJiMWQxYzU5ZjEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVtby1uczp2YXVsdC1zdmMtYWNjb3VudCJ9.CYUlp6ombVwRz8hoiLbcuDek7Rge5H-myKA2V-9ChoaKyTTGovfy55Q4B6cGWxWfCCFCPht8Hu16B2tg58ucpnzihBkWh--zcdh_nke6m-pxjO43S1YbNQC47MzJ7pq4Cu8xNsfNyhNI459z8fIaDrE41TkqHbS95vELPDltzPQ7R4wlxll6GL2AHwFSS4-wJtY_gxpRqUXfjEu5GpVFil7hNQbs6sNbVPaStC_khiWxPyrbv0rgsXKOFIrUHLXJkF-slW2ygHVvY74wMloKDZP0h8IAlu_N4G6hPktJkexWINQm8ji8oViwAK_zMGY2IwzAmHvBwm6MvKuamsY65A

Kub

In [381]:
# Configure Kubernetes Auth for the minikube cluster
echo "Kubernetes Auth Path: $K8SAUTHPATH"
vault write auth/$K8SAUTHPATH/config \
    token_reviewer_jwt="$JWT_TOKEN_DEFAULT_DEMONS" \
    kubernetes_host="$KUBE_EXT_API" \
    kubernetes_ca_cert="$KUBE_CA_CERT"
#     kubernetes_ca_cert=@~/.minikube/ca.crt  # Another option of specifying the CA cert if using minikube


Kubernetes Auth Path: kubernetes-minikube
[0mSuccess! Data written to: auth/kubernetes-minikube/config[0m


In [382]:
# Create vault policy to be used by the K8s role to read database dynamic secret
vault policy write policy-readonly-db - <<EOF
path "$DBPATH/creds/$PGROLE" {
   capabilities = ["read"]
}
EOF

# Create a new role for the dynamic secret with the required policy
# You can configure the TTL and max TTL at the role level.  
# For this demo, we will be using the auth mount settings and leaving the values as '0'
echo "K8s Service Account: $KUBESVCACCOUNT"
echo "K8s namespace: $KUBENAMESPACE"
echo "K8s role: $K8SROLE"
vault write auth/$K8SAUTHPATH/role/$K8SROLE \
   bound_service_account_names=$KUBESVCACCOUNT \
   bound_service_account_namespaces=$KUBENAMESPACE \
   token_ttl=0 \
   token_max_ttl=0 \
   token_policies=policy-readonly-db


[0mSuccess! Uploaded policy: policy-readonly-db[0m
K8s Service Account: vault-svc-account
K8s namespace: demo-ns
K8s role: auth-role-minikube
[0mSuccess! Data written to: auth/kubernetes-minikube/role/auth-role-minikube[0m


In [383]:
# Test that we can login
echo "JWT Token used for login:"
echo $JWT_TOKEN_DEFAULT_DEMONS
vault write auth/$K8SAUTHPATH/login role="$K8SROLE" jwt=$JWT_TOKEN_DEFAULT_DEMONS

# If this fails, please review the docker logs for the vault-enterprise container

JWT Token used for login:
eyJhbGciOiJSUzI1NiIsImtpZCI6Imw1VExpdWtzQnJnckM5cXRBZ1VjR2k4U2ZBOWF1WlNsN2U3ZGlpaF85eGsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vLW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InZhdWx0LXRva2VuLWRlbW8iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidmF1bHQtc3ZjLWFjY291bnQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI5ODlkYzBhZC02N2Q2LTRhOTEtOGU0Zi03OTJiMWQxYzU5ZjEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVtby1uczp2YXVsdC1zdmMtYWNjb3VudCJ9.CYUlp6ombVwRz8hoiLbcuDek7Rge5H-myKA2V-9ChoaKyTTGovfy55Q4B6cGWxWfCCFCPht8Hu16B2tg58ucpnzihBkWh--zcdh_nke6m-pxjO43S1YbNQC47MzJ7pq4Cu8xNsfNyhNI459z8fIaDrE41TkqHbS95vELPDltzPQ7R4wlxll6GL2AHwFSS4-wJtY_gxpRqUXfjEu5GpVFil7hNQbs6sNbVPaStC_khiWxPyrbv0rgsXKOFIrUHLXJkF-slW2ygHVvY74wMloKDZP0h8IAlu_N4G6hPktJkexWINQm8ji8oViwAK_zMGY2IwzAmHvBwm6MvKuamsY65A
[0mKey                                       Value

In [384]:
# Update the role to include the audience claim value to "vault".  This will be used as part of the VSO setup
echo "K8s Service Account: $KUBESVCACCOUNT"
echo "K8s namespace: $KUBENAMESPACE"
echo "K8s role: $K8SROLE"
vault write auth/$K8SAUTHPATH/role/$K8SROLE \
   audience=vault

K8s Service Account: vault-svc-account
K8s namespace: demo-ns
K8s role: auth-role-minikube
[0mSuccess! Data written to: auth/kubernetes-minikube/role/auth-role-minikube[0m


## Install the Vault Secrets Operator helm chart to your K8s cluster

In [None]:
# Run K9s to monitor K8s cluster. https://k9scli.io/
# Some quick commands
# :po - View pods
# :sa - View service accounts
# :ns - View namespace
# :sec - View secrets
# :crd - View CRDs
# :deploy - View deployments
# :q - quit
# 0 - View all namespaces.  Type other numbers for specific namespaces.
open /opt/homebrew/bin/k9s

# Start by viewing secrets and you can see the service-account-token that was created earlier. 
# Type :sec and type '0' to view all secrets in all namespaces.
# Press Enter to view the details and escape to return back.

In [None]:
# Add the HashiCorp repo (Only required for the first time)
helm repo add hashicorp https://helm.releases.hashicorp.com

In [None]:
# Optional.  Update the repo (Only required when new versions are released)
# Vault Secrets Operator supports for the latest three versions of Vault.
helm repo update

In [385]:
# Install the VSO helm chart and specify the Vault server address
echo "Vault Server Address: $MINIKUBEVAULTADDRESS"

helm install vault-secrets-operator hashicorp/vault-secrets-operator \
--version 0.1.0 -n vault-secrets-operator-system --create-namespace --values - <<EOF
defaultVaultConnection:
  # toggles the deployment of the VaultAuthMethod CR
  enabled: true
  # Address of the Vault Server.
  address: $MINIKUBEVAULTADDRESS
  skipTLSVerify: true
EOF

Vault Server Address: http://host.minikube.internal:8200
NAME: vault-secrets-operator
LAST DEPLOYED: Wed Aug 30 17:46:09 2023
NAMESPACE: vault-secrets-operator-system
STATUS: deployed
REVISION: 1


In [388]:
# View installed charts
helm list -A
# Check that the two VSO pods are ready before proceeding
kubectl get pods -n vault-secrets-operator-system

NAME                  	NAMESPACE                    	REVISION	UPDATED                             	STATUS  	CHART                       	APP VERSION
vault-secrets-operator	vault-secrets-operator-system	1       	2023-08-30 17:46:09.888207 +0800 +08	deployed	vault-secrets-operator-0.1.0	0.1.0      
NAME                                                         READY   STATUS    RESTARTS   AGE
vault-secrets-operator-controller-manager-6744664ddf-79fp9   2/2     Running   0          32s


In [389]:
# Setting up for VaultConnection CRD.  This will be used by the VaultAuth CRD below
echo "K8s namespace: $KUBENAMESPACE"
echo "Vault Server Address: $MINIKUBEVAULTADDRESS"

kubectl create -f - <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-connection-demo
  namespace: $KUBENAMESPACE
spec:
  address: $MINIKUBEVAULTADDRESS
  skipTLSVerify: true
EOF

K8s namespace: demo-ns
Vault Server Address: http://host.minikube.internal:8200
vaultconnection.secrets.hashicorp.com/vault-connection-demo created


In [390]:
# Setting up VaultAuth.  Make sure the "mount" and "role name" matches the mount/role created in Vault.
# vaultConnectionRef references the VaultConnection above
# Also note the audiences specification here is set to "vault" and matches with the audiences setting in the configured role for Vault K8s Auth
echo "K8s namespace: $KUBENAMESPACE"
echo "K8s Auth Path: $K8SAUTHPATH"
echo "K8s role: $K8SROLE"
echo "K8s Service Account: $KUBESVCACCOUNT"

kubectl create -f - <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-auth-demo
  namespace: $KUBENAMESPACE
spec:
  vaultConnectionRef: vault-connection-demo
  method: kubernetes
  mount: $K8SAUTHPATH
  kubernetes:
    role: $K8SROLE
    serviceAccount: $KUBESVCACCOUNT
    audiences:
      - vault
EOF

K8s namespace: demo-ns
K8s Auth Path: kubernetes-minikube
K8s role: auth-role-minikube
K8s Service Account: vault-svc-account
vaultauth.secrets.hashicorp.com/vault-auth-demo created


In [391]:
# Create the VaultDynamicSecret CRD.  
# This will create the K8s secret and bind it to sync with the dynamic database secret.
echo "K8s namespace: $KUBENAMESPACE"
echo "Vault K8s auth mount path: $DBPATH"
echo "Vault role: $PGROLE"

kubectl create -f - <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: vso-db-demo
  namespace: $KUBENAMESPACE
spec:

  # Mount path of the secrets backend
  mount: $DBPATH

  # Path to the secret
  path: creds/$PGROLE

  # Where to store the secrets, 
  # If create is false, end user will create the secret.  
  # If create is true, VSO will create the secret
  destination:
    create: true
    name: vso-db-demo

  # Restart these pods when secrets rotated
  rolloutRestartTargets:
  - kind: Deployment
    name: vso-db-demo

  # Name of the CRD to authenticate to Vault
  vaultAuthRef: vault-auth-demo
EOF

# If create: false, you will need to create the secret manually.  Example below.
# kubectl create -f - <<EOF
# apiVersion: v1
# kind: Secret
# metadata:
#   name: vso-db-demo
#   namespace: $KUBENAMESPACE
# EOF

K8s namespace: demo-ns
Vault K8s auth mount path: database
Vault role: readonly
vaultdynamicsecret.secrets.hashicorp.com/vso-db-demo created


In [392]:
# Let's have a look at the dynamic credentials in K8s secrets
# You can also use k9s to view the secret.
# - Use ':sec' to view secrets.  Type '0' to view all namespaces.
# - Use the up and down arrows to select the vso demo secret name and then press 'x' to view the decoded secret.
echo "K8s dynamic secret name: $(kubectl get secrets -n $KUBENAMESPACE --output=json | jq -r '.items[] | select(.data.username).metadata.name')"
export DYNAMICUSERNAME=$(kubectl get secrets -n $KUBENAMESPACE --output=json | jq -r '.items[] | .data | select(.username) | .username')
export DYNAMICPASSWORD=$(kubectl get secrets -n $KUBENAMESPACE --output=json | jq -r '.items[] | .data | select(.username) | .password')
echo
echo "Dynamic credentials (base64 encoded):"
echo "username: $DYNAMICUSERNAME"
echo "password: $DYNAMICPASSWORD"
echo
echo "Dynamic credentials (decoded):"
echo "username: $(echo $DYNAMICUSERNAME | base64 --decode)"
echo "password: $(echo $DYNAMICPASSWORD | base64 --decode)"

K8s dynamic secret name: vso-db-demo

Dynamic credentials (base64 encoded):
username: di1rdWJlcm5ldC1yZWFkb25seS10Smo4cjZhbGhpN0N1dFBVM2pSOC0xNjkzMzg4ODE5
password: OUptby1CbUNJbndqdXlrVkgydTE=

Dynamic credentials (decoded):
username: v-kubernet-readonly-tJj8r6alhi7CutPU3jR8-1693388819
password: 9Jmo-BmCInwjuykVH2u1


## Create the Application

In [393]:
# Create new application nginx deployment that references the K8s dynamic secret
# Also note that this shows two ways of binding the secrets
# - via env: (Environment Variables)
# - via volumeMounts: (Volume Mount)
# View the vault-enterprise pod logs and also the k9s pods dashboard - type :po

kubectl create -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vso-db-demo
  namespace: $KUBENAMESPACE
  labels:
    test: vso-db-demo
spec:
  # Change this to indicate how many pods to provision.  We will be testing with 3 pods.
  replicas: 3
  strategy:
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      test: vso-db-demo
  template:
    metadata:
      labels:
        test: vso-db-demo
    spec:
      volumes:
        - name: secrets
          secret:
            secretName: "vso-db-demo"
      containers:
        - name: example
          image: nginx:latest
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "vso-db-demo"
                  key: password
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: "vso-db-demo"
                  key: username
          volumeMounts:
            - name: secrets
              mountPath: /etc/secrets
              readOnly: true
          resources:
            limits:
              cpu: "0.5"
              memory: "512Mi"
            requests:
              cpu: "250m"
              memory: "50Mi"
          livenessProbe:
            httpGet:
              path: /
              port: 80
              httpHeaders:
                - name: X-Custom-Header
                  value: Awesome
            initialDelaySeconds: 3
            periodSeconds: 3
EOF

deployment.apps/vso-db-demo created


In [394]:
# Access one of the application pods and access the secret
# Show that the secret is mounted by volume in /etc/secrets
# and also as environment variables
export APPPODNAME=$(kubectl get pods -n demo-ns | grep -m 1 demo | cut -d " " -f1)
echo "Pod: $APPPODNAME"
echo -e "\n/etc/secrets/username:"
kubectl exec -it -n $KUBENAMESPACE $APPPODNAME -- /bin/sh -c 'cat /etc/secrets/username'
echo -e "\n/etc/secrets/password:"
kubectl exec -it -n $KUBENAMESPACE $APPPODNAME -- /bin/sh -c 'cat /etc/secrets/password'
echo -e "\n\nEnvironment Variables:"
kubectl exec -it -n $KUBENAMESPACE $APPPODNAME -- /bin/sh -c 'env | grep DB_USERNAME'
kubectl exec -it -n $KUBENAMESPACE $APPPODNAME -- /bin/sh -c 'env | grep DB_PASSWORD'

# You should also notice that the application pods gets recreated when the secret lease is revoked and a new secret is generated. 
# We previously set:
# the database engine role to TTL of 30s and max TTL of 120s
# the K8s auth mount to TTL of 30s and max TTL of 60s.
# As the K8s max TTL is lower, you should see the pods restart around 60s.

Pod: vso-db-demo-75f6cbc9f6-6lw9p

/etc/secrets/username:
v-kubernet-readonly-tJj8r6alhi7CutPU3jR8-1693388819
/etc/secrets/password:
9Jmo-BmCInwjuykVH2u1

Environment Variables:
DB_USERNAME=v-kubernet-readonly-tJj8r6alhi7CutPU3jR8-1693388819
DB_PASSWORD=9Jmo-BmCInwjuykVH2u1


## Setup VSO Persistent Caching with Vault Transit Encryption (Optional but Highly Recommended)

In the case of dynamic secrets, we highly recommend that VSO run with persistence caching enabled for performance reasons. This allow for a new VSO leader to pick up where the old VSO leader left off.  This ensures that any Vault tokens used to sync dynamic secrets are renewed.

If there is no persistence caching all dynamic secret leases would be revoked when the Vault token TTL expires.
See https://developer.hashicorp.com/vault/docs/concepts/lease

The transit encryption engine is used to encrypt the persistent Vault client cache. 

In [395]:
# To see how VSO persistent caching works. 
# We will be tweaking the TTLs as follows:
# DB engine role TTL is 30s -> 60s. Max TTL 120s -> 180s
# K8s auth mount TTL is 30s.  Max TTL 60s -> 90s
echo "Database Engine Path is: $DBPATH"
echo "Postgres Role is: $PGROLE"
echo "K8s Auth Path is: $K8SAUTHPATH"

vault write $DBPATH/roles/$PGROLE \
      default_ttl=60s \
      max_ttl=180s

vault write sys/auth/$K8SAUTHPATH/tune default_lease_ttl=30s max_lease_ttl=90s

# You should now notice that the pods restart at around 90s due to the K8s auth max TTL.


Database Engine Path is: database
Postgres Role is: readonly
K8s Auth Path is: kubernetes-minikube
[0mSuccess! Data written to: database/roles/readonly[0m
[0mSuccess! Data written to: sys/auth/kubernetes-minikube/tune[0m


In [396]:
# Now we will see the behavior when the VSO controller is restarted. 
# As the token is not cached, when the current token expires, the leases to the secrets expire as well.

# Wait until the app pods are recreated before restarting the VSO controller.

# Stop VSO controller
kubectl scale deployment -n vault-secrets-operator-system vault-secrets-operator-controller-manager --replicas=0
# Start VSO controller
kubectl scale deployment -n vault-secrets-operator-system vault-secrets-operator-controller-manager --replicas=1

# You will notice the the app pods will restart before the max TTL is reached as the VSO controller needs to retrieve a new vault token.
# The corresponding database secret leases will also expire and needs to be refreshed.

deployment.apps/vault-secrets-operator-controller-manager scaled
deployment.apps/vault-secrets-operator-controller-manager scaled


In [397]:
# Configure the path of the transit engine
export TRANSITPATH=transit
export ENCKEYNAME=vso-client-cache
# Role name to be used by VSO to encrypt client cache storage
export K8SVSOROLE=auth-role-vso-operator

# Enable an instance of the Transit Secrets Engine.
vault secrets enable -path=$TRANSITPATH transit

[0mSuccess! Enabled the transit secrets engine at: transit/[0m


In [398]:
# Create a secret cache configuration.  No. of entries.  Min is 10.  0 is unlimited.
vault write $TRANSITPATH/cache-config size=500

[0mKey     Value
---     -----
size    500[0m


In [399]:
# Create an encryption key
vault write -force $TRANSITPATH/keys/$ENCKEYNAME

[0mKey                       Value
---                       -----
allow_plaintext_backup    false
auto_rotate_period        0s
deletion_allowed          false
derived                   false
exportable                false
imported_key              false
keys                      map[1:1693388872]
latest_version            1
min_available_version     0
min_decryption_version    1
min_encryption_version    0
name                      vso-client-cache
supports_decryption       true
supports_derivation       true
supports_encryption       true
supports_signing          false
type                      aes256-gcm96[0m


In [400]:
# Create a policy for the operator role to access the encryption key
vault policy write demo-auth-policy-operator - <<EOF
path "$TRANSITPATH/encrypt/$ENCKEYNAME" {
   capabilities = ["create", "update"]
}
path "$TRANSITPATH/decrypt/$ENCKEYNAME" {
   capabilities = ["create", "update"]
}
EOF

[0mSuccess! Uploaded policy: demo-auth-policy-operator[0m


In [401]:
# Name of K8s VSO operator service account
export KUBEVSOSVCACCOUNT=vso-operator

# Create a new K8s Service Account for the operator.  We will be using the same namespace used by VSO.
kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  # SA bound to the VSO namespace for transit engine auth
  namespace: vault-secrets-operator-system
  name: $KUBEVSOSVCACCOUNT
EOF

serviceaccount/vso-operator created


In [402]:
# Create Kubernetes auth role for the K8s VSO operator service account
# Note that the claim for audiences is set to "vault" and will be set similarly for the VaultAuth CRD below.
# You can configure the TTL and max TTL at the role level.  
# For this demo, we will be using the auth mount settings and leaving the values as '0'
echo "Vault K8s Auth Path: $K8SAUTHPATH"
echo "Vault K8s VSO Role: $K8SVSOROLE"
echo "K8s VSO Service Account: $KUBEVSOSVCACCOUNT"
vault write auth/$K8SAUTHPATH/role/$K8SVSOROLE \
   bound_service_account_names=$KUBEVSOSVCACCOUNT \
   bound_service_account_namespaces=vault-secrets-operator-system \
   token_policies=demo-auth-policy-operator \
   token_ttl=0 \
   token_max_ttl=0 \
   audience=vault


Vault K8s Auth Path: kubernetes-minikube
Vault K8s VSO Role: auth-role-vso-operator
K8s VSO Service Account: vso-operator
[0mSuccess! Data written to: auth/kubernetes-minikube/role/auth-role-vso-operator[0m


In [403]:
# Create the VaultAuth CRD for the transit engine
# You can view the CRD in k9s.  Type :crd and select 'vaultauths.secrets.hashicorp.com'.
# You will this CRD in the vault-secrets-operator-system namespace
echo "Vault K8s Auth Path: $K8SAUTHPATH"
echo "Vault K8s VSO Role: $K8SVSOROLE"
echo "Vault Transit Engine Path: $TRANSITPATH"
echo "Vault Transit Engine Encryption Key: $ENCKEYNAME"
echo "K8s VSO Service Account: $KUBEVSOSVCACCOUNT"

kubectl create -f - <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-auth-demo-transit
  # This Vault Auth is used for transit engine hence stays in the VSO namespace
  namespace: vault-secrets-operator-system
  labels:
    cacheStorageEncryption: "true"
spec:
  method: kubernetes
  mount: $K8SAUTHPATH
  vaultConnectionRef: default
  kubernetes:
    role: $K8SVSOROLE
    serviceAccount: $KUBEVSOSVCACCOUNT
    audiences:
      - vault
  storageEncryption:
    mount: $TRANSITPATH
    keyName: $ENCKEYNAME
EOF

Vault K8s Auth Path: kubernetes-minikube
Vault K8s VSO Role: auth-role-vso-operator
Vault Transit Engine Path: transit
Vault Transit Engine Encryption Key: vso-client-cache
K8s VSO Service Account: vso-operator
vaultauth.secrets.hashicorp.com/vault-auth-demo-transit created


In [404]:
# Update the VSO helm chart to use caching
# Note that this can also be done initially when installing the helm chart earlier
tee patch.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: manager
        args:
        - "--client-cache-persistence-model=direct-encrypted"
EOF


kubectl patch deployment vault-secrets-operator-controller-manager -n vault-secrets-operator-system --patch-file patch.yaml

rm patch.yaml

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: manager
        args:
        - "--client-cache-persistence-model=direct-encrypted"
deployment.apps/vault-secrets-operator-controller-manager patched


In [405]:
# Stop and Start the VSO controller to turn on the caching
kubectl scale deployment -n vault-secrets-operator-system vault-secrets-operator-controller-manager --replicas=0
kubectl scale deployment -n vault-secrets-operator-system vault-secrets-operator-controller-manager --replicas=1

# Use k9s to view the vault-secret-operator-controller-manager pod in the vault-secrets-operator-system namespace
# Select the manager container and view the logs.  I
# You should see log entries like this at the start of the logs:
# "logger":"clientCacheFactory","msg":"Successfully restored the Client","persist":true,"enforceEncryption":true,"cacheKey":"kubernetes-066e311ea9b634fa8dca26"}
# INFO    setup    Starting manager    {"clientCachePersistenceModel": "direct-encrypted", "clientCacheSize": 10000}

# This shows that the VSO cache configuration is configured properly.

deployment.apps/vault-secrets-operator-controller-manager scaled
deployment.apps/vault-secrets-operator-controller-manager scaled


# End of Demo

# Cleanup

In [406]:
# Cleanup
# Disable the database secrets engine
vault secrets disable database

# stop vault
docker stop vault-enterprise

# stop postgres
docker stop postgres

# Uninstall VSO helm chart
helm uninstall vault-secrets-operator -n vault-secrets-operator-system 
# stop minikube
minikube delete


[0mSuccess! Disabled the secrets engine (if it existed) at: database/[0m
vault-enterprise
postgres
release "vault-secrets-operator" uninstalled
* Deleting "minikube" in docker ...
* Deleting container "minikube" ...
* Removing /Users/johnnyfang/.minikube/machines/minikube ...
* Removed all traces of the "minikube" cluster.


# Appendix - Other Useful Commands

In [None]:
# For debugging, for testing the K8s API
echo "JWT Token: $JWT_TOKEN_DEFAULT_DEMONS"
echo "K8s API Internal URL: $KUBE_INT_API"
curl $KUBE_INT_API/apis/apps/v1/ \
  --cacert ~/.minikube/ca.crt  \
  --header "Authorization: Bearer $JWT_TOKEN_DEFAULT_DEMONS"

In [None]:
# For testing connectivity.  Bash shell to a temporary pod and do curl commands
kubectl run my-shell --rm -i --tty --image ubuntu -- bash
apt update
apt install curl
curl http://host.minikube.internal:8200 

In [None]:
# View all K8s pod details - wide format
kubectl get pod -o wide -A

# Getting K8s secrets sample
kubectl get secrets -n $KUBENAMESPACE  --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name'

In [None]:
# Delete previous deployment example
kubectl delete deployment -n $KUBENAMESPACE vso-db-demo

In [None]:
# Docker network commands
# Internal host name - host.docker.internal
docker network ls
docker network connect <network> <container>
docker network create --driver bridge vso-connect

# Get IP address of Vault pod
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' vault-enterprise


In [None]:
# Follow minikube logs
new minikube logs -f