Vault Unaware

The Vault Unaware method uses the Vault Agent Injector to attach a sidecar container to a given pod. The sidecar handles all authentication with Vault, retrieves the specified secrets, and mounts them on a shared filesystem to make them available to all containers in the pod. The applications running in the pod can access these secrets as files.

Prerequisites

  • Configure and enable the Kubernetes Auth Method before configuring the Vault Unaware method.

  • Ensure a policy and role exists for the Application’s service account to access the ‘secret’ path secret engine, and a secret actually exists in this secret engine.

  1. Set environment variables on controller-0.

    $ ROOT_TOKEN="$( kubectl get secrets -n vault cluster-key-root -o jsonpath='{.data.strdata}' | base64 -d )"

$ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.crt}') | base64 --decode > /home/sysadmin/vault_ca.pem

  2. Create the policy.

    $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" --request PUT -d '{"policy":"path \"secret/basic-secret/*\" {capabilities = [\"read\"]}"}' https://sva-vault.vault.svc.cluster.local:8200/v1/sys/policy/basic-secret-policy

  3. Create the role with policy and namespace.

    $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "test", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role

  4. Create the secret.

    $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"data":{"password": "<password>", "username": "test"}}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld

  5. Verify the secret.

    $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" https://sva-vault.vault.svc.cluster.local:8200/v1/secret/basic-secret/helloworld

Procedure

  1. Use the following helloworld.yaml file to create a test namespace, an example Vault-Unaware deployment, ‘basic-secret’, with vault annotations for creating the Vault Agent Injector sidecar container:

    cat <<EOF >> helloworld.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: basic-secret
  namespace: test
  labels:
    app: basic-secret
spec:
  selector:
    matchLabels:
      app: basic-secret
  replicas: 1
  template:
    metadata:
      annotations:
          vault.hashicorp.com/agent-inject: "true"
          vault.hashicorp.com/tls-skip-verify: "true"
          vault.hashicorp.com/agent-inject-secret-helloworld: "secret/data/basic-secret/helloworld"
          vault.hashicorp.com/agent-inject-template-helloworld: |
            {{- with secret "secret/data/basic-secret/helloworld" -}}
            {
              "username" : "{{ .Data.data.username }}",
              "password" : "{{ .Data.data.password }}"
            }
            {{- end }}
          vault.hashicorp.com/role: "basic-secret-role"
      labels:
        app: basic-secret
    spec:
      serviceAccountName: basic-secret
      containers:
      - name: app
        image: jweissig/app:0.0.1
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: basic-secret
  labels:
    app: basic-secret
  namespace: test
EOF

  2. Apply the application and verify the pod is running.

    $ kubectl create -f helloworld.yaml

  3. Verify secrets are injected into the pod.

    $ POD="$( kubectl get pods -n test | cut -d' ' -f1 | grep basic-secret )"
$ kubectl exec -n test $POD -- cat /vault/secrets/helloworld