Vault¶
This are some quick notes I took on how to setup a simple Vault for usage with heqet. For a more detailed documentation on how to configure Vault, check out the Official Vault Docs.
Note: Most of this commands can be executed either using the vault command on your local device or the inside the vault pod itself.
Init Vault using GPG¶
Copy GPG Public Key¶
cat > nold.pub << EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBGBXTjkBCAC7qZU1cz7RWYbAb838ypRLJZKLWfVBvry4XYwWPN0Rcj55dPN+
...
5of4H66FzNwJxYrunmM5KTeUxZiLPC1JoKMF5uvKoo59TD0IuAPq735QDjWbS4vb
dMtSqTCinZSd
=wuZw
-----END PGP PUBLIC KEY BLOCK-----
EOF
Init Vault¶
vault operator init -key-shares=1 -key-threshold=1 -pgp-keys="nold.pub"
Save Unseal Key somewhere sage e.g. Keepass¶
Decode Unseal Key¶
$ echo $unseal-key | base64 -d | gpg -dq
Unseal Vault¶
vault operator unseal
Enable Kubernetes Auth¶
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
disable_iss_validation=true
Create Secret Store¶
vault secrets enable -path=heqet kv-v2
Add Secrets-Operator Role & Policy¶
Create Policy¶
vault policy write heqet-app << EOF
path "heqet/+/*" {
capabilities = ["read"]
}
EOF
Add Auth Role¶
vault write auth/kubernetes/role/heqet-app \
bound_service_account_names=vault-secrets-operator \
bound_service_account_namespaces=vault-secrets-operator \
policies=heqet-app \
ttl=6h
Add Secrets¶
Remember, Secret path: heqet/<APP-NAME>/<SECRET-NAME>
vault kv put heqet/argocd/argocd-secret admin.password='$2y$12$FP8OlsVj5pOOqRAhI4XPoev1STaW01uUEZGcNPQtVZmpacebNhj9i' server.secretkey="pDYAWK2mHa68GwwVPAsQOsG/SUT8iIo3S3FXYUWf2qM="
vault kv put heqet/loki-stack/loki-stack-grafana admin-user=admin admin-password='grafana'
vault kv put heqet/pihole/pihole-admin password=pihole
vault kv put heqet/minio/minio-secret secret-key=secret access-key=access
Vault-Issuer Cert-Manager via Kubernetes Service Account¶
We expect you already have setup a PKI & Intermediate PKI. You will need a policy to allow your approle to create new certs:
And a role: [dc = my local domain]
vault write pki_int/roles/dc \
allowed_domains=.dc \
allow_subdomains=true \
max_ttl=72h
Policy:
vault policy write pki_int - <<EOF
path "pki_int*" { capabilities = ["read", "list"] }
path "pki_int/roles/dc" { capabilities = ["create", "update"] }
path "pki_int/sign/dc" { capabilities = ["create", "update"] }
path "pki_int/issue/dc" { capabilities = ["create"] }
EOF
Authorize Service Account
vault write auth/kubernetes/role/vault-issuer \
bound_service_account_names=vault-issuer \
bound_service_account_namespaces=cert-manager \
policies=pki_int \
ttl=6h