<img align=right src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150>
<img src=images/Acme.jpeg width=100 align="left">

# Kubernetes Auth with External Vault
---
Vault agent enables your applications to remain unaware of Vault.
The Vault Helm chart enables you to run Vault and Vault Agent injector service.   This injector service leverages the Kubernetes mutating admission webhook to intercept pods that define specific annotations and inject a Vault Agent container to managet secrets.   

<img src=images/auth-k8s.png width=500 align="left">   


Benefits:
- application remain Vault unaware
- existing deployments require no change; as annotations can be patched
- access to secrets can be enforced via Kubernetes service accounts and namespaces



# Prerequisites
One time install:
* `brew install kubernetes-cli` 
* `brew install helm`

Run time
`minikube start`

### Setup

In [62]:
cd ~/mydemo/vault/vault-guides/operations/provision-vault/kubernetes/minikube/external-vault
pwd

/Users/tio/mydemo/vault/vault-guides/operations/provision-vault/kubernetes/minikube/external-vault


In [63]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true

In [64]:
vault login root

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       dRq6usE3NFp7vjYtgtH8uqQv
token_duration       ‚àû
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m


üòÑ  minikube v1.17.1 on Darwin 10.15.7
üéâ  minikube 1.18.1 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.18.1
üí°  To disable this notice, run: 'minikube config set WantUpdateNotification false'

‚ú®  Automatically selected the docker driver. Other choices: hyperkit, virtualbox, ssh
üëç  Starting control plane node minikube in cluster minikube
üíæ  Downloading Kubernetes v1.20.2 preload ...
    > preloaded-images-k8s-v8-v1....: 491.22 MiB / 491.22 MiB  100.00% 31.68 Mi
üî•  Creating docker container (CPUs=2, Memory=2947MB) ...[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K[K

In [4]:
minikube status

minikube
type: Control Plane
host: Running
kubelet: Running
apiserver: Running
kubeconfig: Configured
timeToStop: Nonexistent



In [None]:
minikube dashboard

üîå  Enabling dashboard ...
ü§î  Verifying dashboard health ...
üöÄ  Launching proxy ...
ü§î  Verifying proxy health ...
üéâ  Opening http://127.0.0.1:62737/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/ in your default browser...


## Install Vault Helm chart

In [None]:
#helm repo add hashicorp https://helm.releases.hashicorp.com

In [3]:
helm install vault hashicorp/vault --set "server.dev.enabled=true"  --set 'server.extraArgs="-dev-listen-address=0.0.0.0:8200"'

NAME: vault
LAST DEPLOYED: Wed Mar 17 21:49:37 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing HashiCorp Vault!

Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:

https://www.vaultproject.io/docs/


Your release is named vault. To learn more about the release, try:

  $ helm status vault
  $ helm get manifest vault


In [6]:
kubectl get pods

NAME                                  READY   STATUS    RESTARTS   AGE
vault-0                               1/1     Running   0          29s
vault-agent-injector-c54c5747-6h9lj   1/1     Running   0          30s


**`vault-0` runs a Vault server in dev mode.  `vault-agent-injector` performs the injection based on the annotation present or patched on deployment.**

### Set secrets in Vault

In [65]:
vault secrets enable -path=secret kv-v2

[91mError enabling: Error making API request.

URL: POST http://127.0.0.1:8200/v1/sys/mounts/secret
Code: 400. Errors:

* path is already in use at secret/[0m


In [66]:
vault kv put secret/devwebapp/config username='giraffe' password='salsa'

[0mKey              Value
---              -----
created_time     2021-03-18T02:28:53.061733Z
deletion_time    n/a
destroyed        false
version          1[0m


In [68]:
vault kv get secret/devwebapp/config

[0mKey              Value
---              -----
created_time     2021-03-18T02:28:53.061733Z
deletion_time    n/a
destroyed        false
version          1[0m
[0m[0m
[0mKey         Value
---         -----
password    salsa
username    giraffe[0m


### Enable the Vault Kubernetes Authentication

In [69]:
EXTERNAL_VAULT_ADDR=$(minikube ssh "dig +short host.docker.internal");
echo $EXTERNAL_VAULT_ADDR

192.168.65.2


In [71]:
cat <<EOF | kubectl apply --filename=-
apiVersion: v1
kind: ServiceAccount
metadata:
  name: internal-app
EOF

serviceaccount/internal-app created


In [10]:
kubectl exec vault-0 -- vault auth enable kubernetes

Success! Enabled kubernetes auth method at: kubernetes/


In [72]:
cat <<EOF | kubectl apply --filename=-
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: devwebapp
  labels:
    app: devwebapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: devwebapp
  template:
    metadata:
      labels:
        app: devwebapp
    spec:
      serviceAccountName: internal-app
      containers:
      - name: app
        image: burtlo/devwebapp-ruby:k8s
        imagePullPolicy: Always
        env:
        - name: VAULT_ADDR
          value: "http://$EXTERNAL_VAULT_ADDR:8200"
EOF

deployment.apps/devwebapp created


In [75]:
kubectl get pods

NAME                         READY   STATUS    RESTARTS   AGE
devwebapp-58fcdfffb9-qtmwv   1/1     Running   0          4m56s


In [76]:
kubectl exec \
    $(kubectl get pod --selector='app=devwebapp' --output='jsonpath={.items[0].metadata.name}') \
    -- curl -s localhost:8080 ; echo

<h1>Internal Server Error</h1>


### Deploy service and endpoints to address an external Vault

In [77]:
cat <<EOF | kubectl apply --filename=-
---
apiVersion: v1
kind: Service
metadata:
  name: external-vault
  namespace: default
spec:
  ports:
  - protocol: TCP
    port: 8200
---
apiVersion: v1
kind: Endpoints
metadata:
  name: external-vault
subsets:
  - addresses:
      - ip: $EXTERNAL_VAULT_ADDR
    ports:
      - port: 8200
EOF

service/external-vault created
endpoints/external-vault created


In [80]:
kubectl exec \
    $(kubectl get pod --selector='app=devwebapp' --output='jsonpath={.items[0].metadata.name}') \
    -- curl -s http://external-vault:8200/v1/sys/seal-status | jq


[1;39m{
  [0m[34;1m"type"[0m[1;39m: [0m[0;32m"shamir"[0m[1;39m,
  [0m[34;1m"initialized"[0m[1;39m: [0m[0;39mtrue[0m[1;39m,
  [0m[34;1m"sealed"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
  [0m[34;1m"t"[0m[1;39m: [0m[0;39m1[0m[1;39m,
  [0m[34;1m"n"[0m[1;39m: [0m[0;39m1[0m[1;39m,
  [0m[34;1m"progress"[0m[1;39m: [0m[0;39m0[0m[1;39m,
  [0m[34;1m"nonce"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[34;1m"version"[0m[1;39m: [0m[0;32m"1.6.1+ent"[0m[1;39m,
  [0m[34;1m"migration"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
  [0m[34;1m"cluster_name"[0m[1;39m: [0m[0;32m"vault-cluster-b21c5852"[0m[1;39m,
  [0m[34;1m"cluster_id"[0m[1;39m: [0m[0;32m"f49c7f18-415c-4dac-feaf-bf2adce232b5"[0m[1;39m,
  [0m[34;1m"recovery_seal"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
  [0m[34;1m"storage_type"[0m[1;39m: [0m[0;32m"inmem_transactional_ha"[0m[1;39m
[1;39m}[0m


In [81]:
kubectl apply --filename=deployment-01-external-vault-service.yml


deployment.apps/devwebapp-through-service created


In [82]:
kubectl get pods

NAME                                         READY   STATUS    RESTARTS   AGE
devwebapp-58fcdfffb9-qtmwv                   1/1     Running   0          12m
devwebapp-through-service-6dd4b6d699-6gkgm   1/1     Running   0          14s


In [83]:
kubectl exec \
    $(kubectl get pod --selector='app=devwebapp-through-service' --output='jsonpath={.items[0].metadata.name}') \
    -- curl -s localhost:8080 ; echo

{"password"=>"salsa", "username"=>"giraffe"}


### Install Vault Helm chart to configured to address an external Vault

In [84]:
helm install vault hashicorp/vault \
    --set "injector.externalVaultAddr=http://external-vault:8200"

NAME: vault
LAST DEPLOYED: Thu Mar 18 10:47:28 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing HashiCorp Vault!

Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:

https://www.vaultproject.io/docs/


Your release is named vault. To learn more about the release, try:

  $ helm status vault
  $ helm get manifest vault


In [17]:
kubectl exec vault-0 -- vault write auth/kubernetes/role/internal-app \
    bound_service_account_names=internal-app \
    bound_service_account_namespaces=default \
    policies=internal-app \
    ttl=24h

Success! Data written to: auth/kubernetes/role/internal-app


In [85]:
kubectl get pods

NAME                                         READY   STATUS    RESTARTS   AGE
devwebapp-58fcdfffb9-qtmwv                   1/1     Running   0          15m
devwebapp-through-service-6dd4b6d699-6gkgm   1/1     Running   0          3m29s
vault-agent-injector-957c98b8d-pfb7d         1/1     Running   0          17s


### DEMO
#### Describe service account `vault`

In [86]:
kubectl describe serviceaccount vault

Name:                vault
Namespace:           default
Labels:              app.kubernetes.io/instance=vault
                     app.kubernetes.io/managed-by=Helm
                     app.kubernetes.io/name=vault
                     helm.sh/chart=vault-0.9.0
Annotations:         meta.helm.sh/release-name: vault
                     meta.helm.sh/release-namespace: default
Image pull secrets:  <none>
Mountable secrets:   vault-token-r4sjj
Tokens:              vault-token-r4sjj
Events:              <none>


In [87]:
VAULT_HELM_SECRET_NAME=$(kubectl get secrets --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')

In [90]:
kubectl describe secret $VAULT_HELM_SECRET_NAME

Name:         vault-token-r4sjj
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: vault
              kubernetes.io/service-account.uid: cb02fdbf-677a-4e1e-849e-20573ee2308c

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1111 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InJsNno3R1VyUHlEOWVtTk5EVmdDLVBleW80eldaZnIwU1VFNW4wNTJROXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InZhdWx0LXRva2VuLXI0c2pqIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiY2IwMmZkYmYtNjc3YS00ZTFlLTg0OWUtMjA1NzNlZTIzMDhjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dmF1bHQifQ.EHyTEb_2TauK416LpD7iSNC5MQxW1sdqHR9_46eWFcaBoJvyT4qQkgwJCdq-YFHANNQLUAe4tJjaPJWGyMC0y-4qE0i6-stYJcw3pCL1dRYsNHbtlJ8i2Osk4FY

### Configure Kubernetes authentication

In [91]:
vault auth enable kubernetes

[0mSuccess! Enabled kubernetes auth method at: kubernetes/[0m


In [93]:
TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME --output='go-template={{ .data.token }}' \
| base64 --decode)
echo $TOKEN_REVIEW_JWT

eyJhbGciOiJSUzI1NiIsImtpZCI6InJsNno3R1VyUHlEOWVtTk5EVmdDLVBleW80eldaZnIwU1VFNW4wNTJROXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InZhdWx0LXRva2VuLXI0c2pqIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiY2IwMmZkYmYtNjc3YS00ZTFlLTg0OWUtMjA1NzNlZTIzMDhjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dmF1bHQifQ.EHyTEb_2TauK416LpD7iSNC5MQxW1sdqHR9_46eWFcaBoJvyT4qQkgwJCdq-YFHANNQLUAe4tJjaPJWGyMC0y-4qE0i6-stYJcw3pCL1dRYsNHbtlJ8i2Osk4FYWjwhF1Py9xZrNx_eyI1JJe1t-B8FnNXdKoY_yMtInG6Nw9kXIJdxlpPu9ZgzB6c7A0DkzdJ0ho6eESxfbmVGTSy7d5mIT5nM0boW8g_EZbxwr8mMa7hotjRNGPUgVWuYNgTR6E1M32gUK6cvw3UuOEBnOfZZFMwAicxVRYr6IlVbI0z0TFH0hrPhcl7dg5gKIKWWvOHbBTgVrfhsDRK8H1H9RDA


In [94]:
KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' \
 | base64 --decode)
echo $KUBE_CA_CERT

-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMDMxNTA4MjM1NloXDTMxMDMxNDA4MjM1NlowFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALHR
7/SVN7tZUIRM4bPEpjGz2HbhtPeUIXgoDZzzUbRCWMzNKkjoCQ8VZGHLayNlhhaM
RiMrwbQWywfqDfkyrCLskIM4L4y19ie855xRiF3WIFeRtLSnoBOoV1UxVja4i+5P
Dt8YS9Yn237j//vKIlhTOVP47S9gTS7ToZ9cz9e09sjvQ1UdzenQp9ki/9ZCQe9R
MtBB7jBE0KtN6kipBBhW0fe74tabXYAGgzesOfzoH+wi1hZMI44ncmgeZqj2yVNc
gdGbn9Llcm+Ej1tpKVL2vWd5hYcwqrZoityrcrA5wWHl6Nj3T85S1LoPxLII8E2L
jCGVk5Wp5zrj3nOGNwMCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBTiSjojzSFJum1GGPWUDBDi4ogzHTANBgkqhkiG9w0BAQsFAAOCAQEAirBBk2em
o4DSQy3DddIpyynNh8NrRzRhlU1o99HE0oD4gqq6wTzTCWaYDWy0m0lm0SnWChq9
EbFBOHC9kGvUZ28kh077tZ6aOr+bs6QUAYdJj+DRKNoADfpPOzzZQ0z5QnW4RFnt
Cakr3JdnxL2F5ObPAHhZUOmOvB/7dOjEF43e4d0Ug/N13Kh2vdS4yq0q++An26xo
klfpvaHcvi4iOjr6kUO9gGY+rOhDaGXDDKNY+n7hGyFQ1clTXTR15EnU9q3iDR

In [95]:
KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')
echo $KUBE_HOST

https://127.0.0.1:55019


**Auth Kubernetes configuration**

In [96]:
vault write auth/kubernetes/config \
        token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
        kubernetes_host="$KUBE_HOST" \
        kubernetes_ca_cert="$KUBE_CA_CERT"

[0mSuccess! Data written to: auth/kubernetes/config[0m


### Inject secrets into the pod using annotations

In [97]:
vault policy write devwebapp - <<EOF
path "secret/data/devwebapp/config" {
  capabilities = ["read"]
}
EOF

[0mSuccess! Uploaded policy: devwebapp[0m


In [98]:
vault write auth/kubernetes/role/devweb-app \
        bound_service_account_names=internal-app \
        bound_service_account_namespaces=default \
        policies=devwebapp \
        ttl=24h

[0mSuccess! Data written to: auth/kubernetes/role/devweb-app[0m


### Inject secrets into the pod

In [99]:
cat patch-02-inject-secrets.yml

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "devweb-app"


In [100]:
kubectl patch deployment devwebapp --patch "$(cat patch-02-inject-secrets.yml)"

deployment.apps/devwebapp patched


**A new `devwebapp` pod starts alongside the existing pod**

In [101]:
kubectl get pods

NAME                                         READY   STATUS    RESTARTS   AGE
devwebapp-8cb674845-8rhwz                    2/2     Running   0          59s
devwebapp-through-service-6dd4b6d699-6gkgm   1/1     Running   0          10m
vault-agent-injector-957c98b8d-pfb7d         1/1     Running   0          7m26s


In [102]:
kubectl exec -it \
    $(kubectl get pod --selector='app=devwebapp' --output='jsonpath={.items[0].metadata.name}') \
    -c app -- cat /vault/secrets/credentials.txt

data: map[password:salsa username:giraffe]
metadata: map[created_time:2021-03-18T02:28:53.061733Z deletion_time: destroyed:false version:1]


**END**

## Cleanup

In [4]:
minikube stop
minikube delete

‚úã  Stopping node "minikube"  ...
üõë  Powering off "minikube" via SSH ...
üõë  1 nodes stopped.
üî•  Deleting "minikube" in docker ...
üî•  Deleting container "minikube" ...
üî•  Removing /Users/tio/.minikube/machines/minikube ...
üíÄ  Removed all traces of the "minikube" cluster.


In [None]:
#rm -rf ~/.minikube

**Wait until the redeploybed orgchart pod retports it is Running.  This new pod now launches two containers: the `orgchart` and `vault-agent`**