Vault Unaware

The Vault Unaware method uses the Vault Agent Injector to attach a sidecar container to a given pod. The sidecar handles all authentication with Vault, retrieves the specified secrets, and mounts them on a shared filesystem to make them available to all containers in the pod. The applications running in the pod can access these secrets as files.

Prerequisites

  • Configure and enable the Kubernetes Auth Method before configuring the Vault Unaware method.

  • Ensure a policy and role exists for the Application’s service account to access the ‘secret’ path secret engine, and a secret actually exists in this secret engine.

  1. Set environment variables on controller-0.

    $ ROOT_TOKEN="$( kubectl get secrets -n vault cluster-key-root -o jsonpath='{.data.strdata}' | base64 -d )"
    
    $ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.crt}') | base64 --decode > /home/sysadmin/vault_ca.pem
    
  2. Create the policy.

    $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" --request PUT -d '{"policy":"path \"secret/basic-secret/*\" {capabilities = [\"read\"]}"}' https://sva-vault.vault.svc.cluster.local:8200/v1/sys/policy/basic-secret-policy
    
  3. Create the role with policy and namespace.

    $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "test", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
    
  4. Create the secret.

    $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"data":{"password": "<password>", "username": "test"}}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/data/basic-secret/helloworld
    
  5. Verify the secret.

    $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" https://sva-vault.vault.svc.cluster.local:8200/v1/secret/basic-secret/helloworld
    

Procedure

  1. Use the following helloworld.yaml file to create a test namespace, an example Vault-Unaware deployment, ‘basic-secret’, with vault annotations for creating the Vault Agent Injector sidecar container:

    cat <<EOF >> helloworld.yaml
    apiVersion: v1
    kind: Namespace
    metadata:
      name: test
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: basic-secret
      namespace: test
      labels:
        app: basic-secret
    spec:
      selector:
        matchLabels:
          app: basic-secret
      replicas: 1
      template:
        metadata:
          annotations:
              vault.hashicorp.com/agent-inject: "true"
              vault.hashicorp.com/tls-skip-verify: "true"
              vault.hashicorp.com/agent-inject-secret-helloworld: "secret/data/basic-secret/helloworld"
              vault.hashicorp.com/agent-inject-template-helloworld: |
                {{- with secret "secret/data/basic-secret/helloworld" -}}
                {
                  "username" : "{{ .Data.data.username }}",
                  "password" : "{{ .Data.data.password }}"
                }
                {{- end }}
              vault.hashicorp.com/role: "basic-secret-role"
          labels:
            app: basic-secret
        spec:
          serviceAccountName: basic-secret
          containers:
          - name: app
            image: jweissig/app:0.0.1
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: basic-secret
      labels:
        app: basic-secret
      namespace: test
    EOF
    
  2. Apply the application and verify the pod is running.

    $ kubectl create -f helloworld.yaml
    
  3. Verify secrets are injected into the pod.

    $ POD="$( kubectl get pods -n test | cut -d' ' -f1 | grep basic-secret )"
    $ kubectl exec -n test $POD -- cat /vault/secrets/helloworld