# Dynamic Database Credentials with Vault and Kubernetes

### Introduction to Vault
- Secrets
    - secret allow account to authenticate and login into a service like database
    - hashicorp vault allow to to have dynamic secret
    - Vault manages the lifecycle, automatically rotating the password and revoking the access when they are no longer required.
- Authentication
    - is the process to authenticate k8s pod so that it can get vault token which allow that pod to access required service
    - process:
        - deploy pod with service account token
        - pod request secret token from vault
        - vault validate service account tokent with k8s api
        - vault return secret token for secret requested
- Policy
    - Policy ties together secrets and authentication by defining which secrets and what administrative operations an authenticated user can perform
- reference link: https://www.hashicorp.com/blog/dynamic-database-credentials-with-vault-and-kubernetes


### Secrets - Configuring dynamic secrets for PostgreSQL
- config postgres deployment
    - config is define at ./config/postgres.yml
    - this config supply root password env POSTGRES_PASSWORD
    - so we can see root password in the file
- enable databse secret in vault
    - start interactive shell in pod vault-0
        - kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
    - enable databse secret
        - vault secrets enable database

### Creating database roles
- role object in databse secret engine
    - is an object which allow vault to create role in postgres database
    - role object in postgres data include:
        - account
        - password of account
        - valid untile or time to live (ttl)
        - 
- to define a role in vault you need to config
    - db_name: the database name inside postgres
    - creation_statements: statement which vault to create role in postgres
        - name: random account will be create on postgres by vault
        - password: randome paossword of the account name
        - expiration: experation time of the account
    - revocation_statement: statement which vault use to forbit account to login after expiration time
    - default_ttl: 
    - max_ttl: maxinum time to renew credential
    - example command to create database role
        vault write database/roles/db-app \
        db_name=wizard \
        creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
            GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
        revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
        default_ttl="1h" \
        max_ttl="24h"


### Creating database connections
- database connection allow vault to access postgress database with root users and password
- naming for database connection: database/config/$connection_name
- connection_name should be the same as database as it means connection to database name
- Example:
    - we have specify root user and root password when config deployment
    - we use root user and root password to config connection at vault
    - example command:
        - vault write database/config/wizard \
            plugin_name=postgresql-database-plugin \
            allowed_roles="*" \
            connection_url="postgresql://{{username}}:{{password}}@postgres:5432/wizard?sslmode=disable" \
            username="postgres" \
            password="password"

### Rotating the root credentials
- after config vault connection ==> vault will have access to postgres database 
- we rotate or to change root password so that only vault have random root access
- if you need access to databse you need to request through vault
- command to rotate password:
    - vault write --force /database/rotate-root/wizard
- check database access with original credential
    - kubectl exec -it $(kubectl get pods --selector "app=postgres" -o jsonpath="{.items[0].metadata.name}") -c postgres -- bash -c 'PGPASSWORD=password psql -U postgres'
- check credential of role
    - credentials of role is store at database/creds/$role_name
    - example command to read credential of role
        - vault read database/creds/db-app
    - we will have randome username and password
    

### Authentication - Configuring Kubernetes Authentication in Vault
- enable k8d engine in vault
    - to allow k8s pods to make request to vault 
    - command to enable k8s engine: vault auth enable kubernetes
- config k8s authentication for vault
    - vault use this config to authenticate again k8s to check request which is come from actual k8s pods
    - config content:
        - token_reviewer_jwt: service account token from k8s
        - kubernetes_host: endpoint of k8s api service
        - kubernetes_ca_cert: ca cert issue by k8s service
- example command to config k8s authentication for vault
    - kubectl exec $(kubectl get pods --selector "app.kubernetes.io/instance=vault,component=server" -o jsonpath="{.items[0].metadata.name}") -c vault -- \
        sh -c ' \
            vault write auth/kubernetes/config \
            token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
            kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
            kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'

### Policy - Creating policy to allow access to secrets
- database policy is an object which binding credential of role with permission
- config information
    - path: the path of credential of role
    - capabilities: list of permission 
- example of policy configuration:
    - define at ./config/web-policy.hcl
- apply policy
    - vault policy write web ./config/web-policy.hcl
- write content to a file with cat:
    - cat > $file_name << EOF
    content line 1
    content line 2
    EOF

In [None]:
cat > ./config/web-policy.hcl << EOF
path "database/creds/db-app" {
  capabilities = ["read"]
}
EOF

### Assigning Vault policy to Kubernetes Service Accounts
- using role to binding k8s service account to vault policy
- properties to config k8s role
    - bound_service_account_names: k8s service account
    - bound_service_account_namespaces: k9s namespace
    - policies: vault policy want to binding
    - ttl (time to live): is the time to live for the Vault token returned from successful authentication
- example k8s role config
    - vault write auth/kubernetes/role/web \
        bound_service_account_names=web \
        bound_service_account_namespaces=default \
        policies=web \
        ttl=1h

### Injecting secrets into Kubernetes Deployments
- define service account
    - service account with name is the same name as we used for k8s role before
- define Deployment which use the service account 
    - using vault annotation for inject secrets into k8s deployment or allow k8s pods of deployment can request secret from vault
- annotations:
    - vault.hashicorp.com/agent-inject
        - use agent inject or not
    - vault.hashicorp.com/agent-inject-secret-db-creds
        - what database credential to get (random user and password generate by vault)
    - vault.hashicorp.com/agent-inject-template-db-creds
        - template code which use vault credential to authenticate k8s pods again database
    - vault.hashicorp.com/role:
        - role of k8s would use
- example about k8s service account and deployment config with vault annotation: ./config/web.yaml

### Summary
- to make vault as a middle-man for grant credential to access database, we have some general step
    - deploy database with root password assign by environment variable
    - config so that vault have root permission and it can create new database role
    - postgress database role specify account name, password, expiration date and access to what tables
    - config so that k8s and vault can talk together
    - k8s annotations allow vault to inject secret into pod container through shared volume
- Example
    - we have an web application which store config at env CONFIG_FILE
    - using k8s annotation allow vault to create a share volume /vault/secrets/ so that content can have access to secret file
    - secret inject is done by vault-agent-inject pod
- Reference link for annotation docs: https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations