Installation and Configuration of HashiCorp Vault on AKS
This article covers the deployment and configuration of HashiCorp Vault on AKS and how to consume the stored secret values as environment variables in a pod.
Prerequisites: Helm, Kubernetes, YAML.
1: Install the Vault Helm chart
1.1: Add the HashiCorp Helm repository using the following command.
helm repo add hashicorp https://helm.releases.hashicorp.com
1.2: Update all the Helm repositories.
helm repo update
1.3: Pull the Vault Helm chart to your local machine using the following command.
helm pull hashicorp/vault --untar
1.4: Now open the values.yaml file and make the changes you need.
I am going to enable the UI and set its service type to LoadBalancer so the Vault web UI is reachable, as shown below.
1.5: Create a namespace named vault and install the Vault Helm chart into that namespace using the following commands.
kubectl create ns vault
helm install vault . -f values.yaml -n vault
1.6: Get all the pods within the vault namespace.
kubectl get pods -n vault
The vault-0 pod runs a Vault server and reports that it is Running but not ready (0/1). This is because the status check defined in its readinessProbe returns a non-zero exit code while Vault is still sealed.
2: Initialize and unseal Vault
Vault starts uninitialized and in the sealed state. The process of initializing and unsealing Vault can be performed via the exposed Web UI.
2.1: Get the external IP of the vault-ui service, launch a web browser and enter the EXTERNAL-IP with port 8200 in the address bar. For example: http://20.62.223.255:8200
2.2: Enter 5 in the Key shares field and 3 in the Key threshold field.
2.3: Click Initialize.
2.4: When the root token and unseal keys are presented, scroll down to the bottom and select Download keys. Save the generated unseal keys file to your computer.
2.5: Click Continue to Unseal to proceed and open the downloaded file.
2.6: Copy one of the keys (not keys_base64) and enter it in the Master Key Portion field. Click Unseal to proceed.
The Unseal status shows 1/3 keys provided.
Enter another key and click Unseal.
The Unseal status shows 2/3 keys provided.
Enter another key and click Unseal.
After 3 out of 5 unseal keys are entered, Vault is unsealed and is ready to operate.
2.7: Copy the root_token and enter its value in the Token field. Click Sign In.
3: Set a secret in Vault
3.1: Select the Secrets tab in the Vault UI. Under Secrets Engines, select Enable new engine.
3.2: Under Enable a Secrets Engine, select KV and Next.
3.3: Enter secret in the Path text field and select Enable Engine.
3.4: Now create a secret as shown below, with the keys and values your application needs.
Enter microservices/service-name in the Path for this secret.
Select Add to create another key and value field in Version data.
Select Save to create the secret.
4: Configure Kubernetes authentication
Vault provides a Kubernetes authentication method that enables clients to authenticate with a Kubernetes Service Account Token.
4.1: Select the Access tab in the Vault UI. Under Authentication Methods, select Enable new method.
4.2: Under Enable an Authentication Method, select Kubernetes and Next.
Select Enable Method to create this authentication method with the default method options configuration.
The view displays the configuration settings that enable the auth method to communicate with the Kubernetes cluster. The Kubernetes host, CA Certificate, and Token Reviewer JWT require configuration. These values are defined on the vault-0 pod.
4.3: Enter the address returned from the following command in the Kubernetes host field.
echo "https://$( kubectl exec vault-0 -n vault -- env | grep KUBERNETES_PORT_443_TCP_ADDR | cut -f2 -d'='):443"
4.4: For the Kubernetes CA Certificate field, toggle Enter as text. Enter the certificate returned from the following command in the Kubernetes CA Certificate field.
kubectl exec vault-0 -n vault -- cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
4.5: Expand the Kubernetes Options section. Enter the token returned from the following command in the Token Reviewer JWT field.
echo $(kubectl exec vault-0 -n vault -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)
4.6: Select Save.
5: Configure Micro-service authentication
5.1: Select the Policies tab in the Vault UI. Under ACL Policies, select the Create ACL policy action.
5.2: Enter microservices in the Name field.
5.3: Enter this policy in the Policy field.
path "secret/data/microservices/*" {
  capabilities = ["read"]
}
5.4: Select Create policy.
The policy is assigned to the micro-service through a Kubernetes auth role. This role also defines the Kubernetes service account and Kubernetes namespace that are allowed to authenticate.
5.5: Under Authentication Methods, click the … for the kubernetes/ auth method. Select View configuration.
5.6: Under the kubernetes method, choose the Roles tab and select Create role.
5.7: Enter microservices in the Name field.
Enter vault in the Bound service account names field.
Enter default in the Bound service account namespaces field and select Add.
5.8: Expand the Tokens section.
Enter microservices in the Generated Token's Policies field and select Save.
6: Deploy application
6.1: Define a Kubernetes service account named vault as shown below.
cat > sa.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault
EOF
Create the vault service account using the following command.
kubectl apply -f sa.yaml
6.2: Add the annotations highlighted in the image below to your Kubernetes deployment file, adjusted to your requirements. Using the vault.hashicorp.com/agent-inject-template-config annotation, you can render the secret into a file that the container sources, exposing the values as environment variables in the pod.
Note: In place of sleep 1000000 in args, use your own command to start the application.
6.3: Apply the above deployment file and you are done.
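As an added example (not a manifest from the original article), here is a complete Deployment that ties steps 3 to 6 together: it uses the vault service account, the microservices auth role and the secret path microservices/service-name from this guide. The secret keys username and password, the image and the container name are assumptions; rename them to match the key/value pairs you created in step 3.4.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-name
  namespace: default            # namespace bound in the Kubernetes auth role (step 5.7)
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-name
  template:
    metadata:
      labels:
        app: service-name
      annotations:
        # Ask the Vault Agent Injector to add an init container and sidecar to this pod.
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes auth role created in step 5.7; it carries the read-only 'microservices' policy.
        vault.hashicorp.com/role: "microservices"
        # The template annotation below is only honoured when a matching
        # agent-inject-secret-<name> annotation exists; <name> becomes the file name under /vault/secrets/.
        vault.hashicorp.com/agent-inject-secret-config: "secret/data/microservices/service-name"
        # Render the KV v2 secret as shell 'export' lines. Keys 'username' and 'password' are assumed.
        vault.hashicorp.com/agent-inject-template-config: |
          {{- with secret "secret/data/microservices/service-name" -}}
          export DB_USERNAME="{{ .Data.data.username }}"
          export DB_PASSWORD="{{ .Data.data.password }}"
          {{- end }}
    spec:
      # Must match the "Bound service account names" value from step 5.7.
      serviceAccountName: vault
      containers:
        - name: app
          image: alpine:3.19    # assumed placeholder image
          command: ["/bin/sh", "-c"]
          # Source the rendered file so its exports become environment variables of the process,
          # then start the application (replace 'sleep 1000000' with your real start command).
          args:
            - . /vault/secrets/config && sleep 1000000
```

The rendered file lives in a memory-backed volume mounted at /vault/secrets that is shared only with containers in this pod, so the plaintext values never touch the node disk or the Deployment manifest itself.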