<img align=right src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150>
<img src=images/Acme.jpeg width=100 align="left">

# Kubernetes Auth
---
Vault agent enables your applications to remain unaware of Vault.
The Vault Helm chart enables you to run Vault and Vault Agent injector service.   This injector service leverages the Kubernetes mutating admission webhook to intercept pods that define specific annotations and inject a Vault Agent container to managet secrets.   

<img src=images/auth-k8s.png width=500 align="left">   


Benefits:
- application remain Vault unaware
- existing deployments require no change; as annotations can be patched
- access to secrets can be enforced via Kubernetes service accounts and namespaces



### Setup

In [1]:
cd ~/mydemo/vault/vault-guides/operations/provision-vault/kubernetes/minikube/vault-agent-sidecar
pwd

/Users/tio/mydemo/vault/vault-guides/operations/provision-vault/kubernetes/minikube/vault-agent-sidecar


In [2]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true

In [None]:
# One time - most likely not needed
brew install kubernetes-cli
brew install helm

In [3]:
minikube start

😄  minikube v1.17.1 on Darwin 10.15.7
🎉  minikube 1.18.1 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.18.1
💡  To disable this notice, run: 'minikube config set WantUpdateNotification false'

✨  Automatically selected the docker driver. Other choices: hyperkit, virtualbox, ssh
👍  Starting control plane node minikube in cluster minikube
💾  Downloading Kubernetes v1.20.2 preload ...
    > preloaded-images-k8s-v8-v1....: 491.22 MiB / 491.22 MiB  100.00% 31.68 Mi
🔥  Creating docker container (CPUs=2, Memory=2947MB) ...[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K

In [4]:
minikube status

minikube
type: Control Plane
host: Running
kubelet: Running
apiserver: Running
kubeconfig: Configured
timeToStop: Nonexistent



In [None]:
minikube dashboard

🔌  Enabling dashboard ...
🤔  Verifying dashboard health ...
🚀  Launching proxy ...
🤔  Verifying proxy health ...
🎉  Opening http://127.0.0.1:62737/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/ in your default browser...


## Install Vault Helm chart

In [None]:
#helm repo add hashicorp https://helm.releases.hashicorp.com

In [3]:
helm install vault hashicorp/vault --set "server.dev.enabled=true"  --set 'server.extraArgs="-dev-listen-address=0.0.0.0:8200"'

NAME: vault
LAST DEPLOYED: Wed Mar 17 21:49:37 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing HashiCorp Vault!

Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:

https://www.vaultproject.io/docs/


Your release is named vault. To learn more about the release, try:

  $ helm status vault
  $ helm get manifest vault


In [6]:
kubectl get pods

NAME                                  READY   STATUS    RESTARTS   AGE
vault-0                               1/1     Running   0          29s
vault-agent-injector-c54c5747-6h9lj   1/1     Running   0          30s


**`vault-0` runs a Vault server in dev mode.  `vault-agent-injector` performs the injection based on the annotation present or patched on deployment.**

### Set secrets in Vault

In [7]:
kubectl exec vault-0 -- vault secrets enable -path=internal kv-v2

Success! Enabled the kv-v2 secrets engine at: internal/


In [43]:
kubectl exec vault-0 -- vault kv put internal/database/config username="dbuser-lsl" password="db-passw0rd1"

Key              Value
---              -----
created_time     2021-03-17T14:08:34.0119076Z
deletion_time    n/a
destroyed        false
version          3


In [9]:
kubectl exec vault-0 -- vault kv get internal/database/config

Key              Value
---              -----
created_time     2021-03-17T13:50:17.507897Z
deletion_time    n/a
destroyed        false
version          1

Key         Value
---         -----
password    db-secret-password
username    db-readonly-username


### Enable the Vault Kubernetes Authentication

In [10]:
kubectl exec vault-0 -- vault auth enable kubernetes

Success! Enabled kubernetes auth method at: kubernetes/


In [12]:
JWT=$(kubectl exec vault-0 -- cat /var/run/secrets/kubernetes.io/serviceaccount/token);
CERT=$(kubectl exec vault-0 -- cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt); 
KUBERNETES_PORT_443_TCP_ADDR=$(kubectl exec vault-0 -- env |grep KUBERNETES_PORT_443_TCP_ADDR | cut -d = -f 2)

In [13]:
kubectl exec vault-0 -- vault write auth/kubernetes/config \
    token_reviewer_jwt="$JWT" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=$CERT

Success! Data written to: auth/kubernetes/config


In [14]:
kubectl exec vault-0 -- vault read auth/kubernetes/config

Key                       Value
---                       -----
disable_iss_validation    false
disable_local_ca_jwt      false
issuer                    n/a
kubernetes_ca_cert        -----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMDMxNTA4MjM1NloXDTMxMDMxNDA4MjM1NlowFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALHR
7/SVN7tZUIRM4bPEpjGz2HbhtPeUIXgoDZzzUbRCWMzNKkjoCQ8VZGHLayNlhhaM
RiMrwbQWywfqDfkyrCLskIM4L4y19ie855xRiF3WIFeRtLSnoBOoV1UxVja4i+5P
Dt8YS9Yn237j//vKIlhTOVP47S9gTS7ToZ9cz9e09sjvQ1UdzenQp9ki/9ZCQe9R
MtBB7jBE0KtN6kipBBhW0fe74tabXYAGgzesOfzoH+wi1hZMI44ncmgeZqj2yVNc
gdGbn9Llcm+Ej1tpKVL2vWd5hYcwqrZoityrcrA5wWHl6Nj3T85S1LoPxLII8E2L
jCGVk5Wp5zrj3nOGNwMCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBTiSjojzSFJum1GGPWUDBDi4ogzHTANBgkqhkiG9w0BAQsFAAOCAQEAirBBk2em
o4DSQy3DddIpyynNh8NrRzRhlU1o99HE0oD4gqq6wTzTCWaYDWy0m0lm0SnWChq9
EbFBOHC9

In [15]:
cat <<EOF > /tmp/internal-app.hcl
path "internal/data/database/config" {
  capabilities = ["read"]
}
EOF
#cat /tmp/internal-app.hcl
kubectl cp /tmp/internal-app.hcl vault-0:/tmp/internal-app.hcl
kubectl exec vault-0 -- vault policy write internal-app /tmp/internal-app.hcl

Success! Uploaded policy: internal-app


In [16]:
kubectl exec vault-0 -- vault policy read internal-app

path "internal/data/database/config" {
  capabilities = ["read"]
}


**The role connects the Kubernetes service account `internal-app` and namespace `default` with the Vault policy `internal-app`**

In [17]:
kubectl exec vault-0 -- vault write auth/kubernetes/role/internal-app \
    bound_service_account_names=internal-app \
    bound_service_account_namespaces=default \
    policies=internal-app \
    ttl=24h

Success! Data written to: auth/kubernetes/role/internal-app


In [18]:
kubectl exec vault-0 -- vault read auth/kubernetes/role/internal-app 

Key                                 Value
---                                 -----
bound_service_account_names         [internal-app]
bound_service_account_namespaces    [default]
policies                            [internal-app]
token_bound_cidrs                   []
token_explicit_max_ttl              0s
token_max_ttl                       0s
token_no_default_policy             false
token_num_uses                      0
token_period                        0s
token_policies                      [internal-app]
token_ttl                           24h
token_type                          default
ttl                                 24h


### DEMO
#### Create service account `internal-app`

In [21]:
kubectl get serviceaccounts

NAME                   SECRETS   AGE
default                1         3m32s
internal-app           1         4s
vault                  1         109s
vault-agent-injector   1         109s


In [None]:
cat service-account-internal-app.yml

In [20]:
kubectl apply --filename service-account-internal-app.yml

serviceaccount/internal-app created


### Launch an application

In [22]:
kubectl apply --filename deployment-orgchart.yml

deployment.apps/orgchart created


In [30]:
cat deployment-orgchart.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: orgchart
  labels:
    app: orgchart
spec:
  selector:
    matchLabels:
      app: orgchart
  replicas: 1
  template:
    metadata:
      annotations:
      labels:
        app: orgchart
    spec:
      serviceAccountName: internal-app
      containers:
        - name: orgchart
          image: jweissig/app:0.0.1


In [23]:
kubectl get pods

NAME                                  READY   STATUS              RESTARTS   AGE
orgchart-7457f8489d-n4jcl             0/1     ContainerCreating   0          5s
vault-0                               1/1     Running             0          118s
vault-agent-injector-c54c5747-6h9lj   1/1     Running             0          119s


**Verify that no secrets are written to the orgcharg container in the orgchart pod**

In [24]:
kubectl exec \
    $(kubectl get pod -l app=orgchart -o jsonpath="{.items[0].metadata.name}") \
    --container orgchart -- ls /vault/secrets

ls: /vault/secrets: No such file or directory
command terminated with exit code 1


### Inject secrets into the pod using annotations

In [25]:
cat patch-inject-secrets.yml

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "internal-app"
        vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config"


In [26]:
kubectl patch deployment orgchart --patch "$(cat patch-inject-secrets.yml)"

deployment.apps/orgchart patched


**A new `orgchart pod starts alongside the existing pod. WHen it is ready the original terminates and removes itself fromt he list of active pods**

In [29]:
kubectl get pods

NAME                                  READY   STATUS    RESTARTS   AGE
orgchart-798cbc6c76-fhzgq             2/2     Running   0          17s
vault-0                               1/1     Running   0          2m30s
vault-agent-injector-c54c5747-6h9lj   1/1     Running   0          2m31s


**Wait until the redeploybed orgchart pod retports it is Running.  This new pod now launches two containers: the `orgchart` and `vault-agent`**

**Config JWT for a role with bound_claim**

In [52]:
kubectl logs \
    $(kubectl get pod -l app=orgchart -o jsonpath="{.items[0].metadata.name}") \
    --container vault-agent

==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.6.1
             Version Sha: 6d2db3f033e02e70202bef9ec896360062b88b03

2021-03-17T13:51:54.060Z [INFO]  sink.file: creating file sink
2021-03-17T13:51:54.060Z [INFO]  sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
2021-03-17T13:51:54.060Z [INFO]  template.server: starting template server
2021-03-17T13:51:54.060Z [INFO]  auth.handler: starting auth handler
2021/03/17 13:51:54.060963 [INFO] (runner) creating new runner (dry: false, once: false)
2021-03-17T13:51:54.060Z [INFO]  auth.handler: authenticating
2021-03-17T13:51:54.061Z [INFO]  sink.server: starting sink server
2021/03/17 13:51:54.061731 [INFO] (runner) creating watcher
2021-03-17T13:51:54.080Z [INFO]  auth.handler: authentication successful, sending token to sinks
2021-03-17T13:51:54.080Z [INFO]  auth.handle

In [51]:
kubectl exec vault-0 -- vault kv put internal/database/config username="dbuser-lsl" password="db-passw0rd3"

Key              Value
---              -----
created_time     2021-03-17T14:15:22.3722272Z
deletion_time    n/a
destroyed        false
version          6


In [53]:
kubectl exec \
    $(kubectl get pod -l app=orgchart -o jsonpath="{.items[0].metadata.name}") \
    --container orgchart -- cat /vault/secrets/database-config.txt

data: map[password:db-passw0rd2 username:dbuser-lsl]
metadata: map[created_time:2021-03-17T14:11:31.590307Z deletion_time: destroyed:false version:5]


---
### Apply a template to the injected secrets

In [54]:
cat patch-inject-secrets-as-template.yml

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/role: "internal-app"
        vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config"
        vault.hashicorp.com/agent-inject-template-database-config.txt: |
          {{- with secret "internal/data/database/config" -}}
          postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard


**Apply the updated annotations**

In [57]:
kubectl patch deployment orgchart --patch "$(cat patch-inject-secrets-as-template.yml)"

deployment.apps/orgchart patched


**Wait until `orgchart` pod reports that it is `Running` and ready**

In [60]:
kubectl get pods

NAME                                  READY   STATUS    RESTARTS   AGE
orgchart-55c76c489d-szr87             2/2     Running   0          11s
vault-0                               1/1     Running   0          35m
vault-agent-injector-c54c5747-6h9lj   1/1     Running   0          35m


In [61]:
kubectl exec \
    $(kubectl get pod -l app=orgchart -o jsonpath="{.items[0].metadata.name}") \
    -c orgchart -- cat /vault/secrets/database-config.txt


postgresql://dbuser-lsl:db-passw0rd3@postgres:5432/wizard

**END**

## Cleanup

In [4]:
minikube stop
minikube delete

✋  Stopping node "minikube"  ...
🛑  Powering off "minikube" via SSH ...
🛑  1 nodes stopped.
🔥  Deleting "minikube" in docker ...
🔥  Deleting container "minikube" ...
🔥  Removing /Users/tio/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.


In [None]:
#rm -rf ~/.minikube