HashiCorp Vault

Introduction

HashiCorp Vault (Vault) is a tool for securely accessing secrets. A secret is anything that requires tightly controlled access, such as API keys, passwords, and certificates. HashiCorp Vault provides a unified interface to any secret, tight access control, and detailed audit logs.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing which secrets is complex and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. HashiCorp Vault solves this need.

There are two key components of a Vault setup:

  1. The Vault Operator simplifies installation, management, and maintenance of HashiCorp Vault instances and of the Vault integration.

  2. The Kubernetes-Vault project allows pods to automatically receive a Vault token using Vault's AppRole auth backend.


Prerequisites

The following elements are required to integrate Nirmata with Vault.

  1. Nirmata Cluster with Kubernetes 1.8+ and a minimum of 3 nodes. (This example uses Kubernetes version 1.9.4 with 3 nodes.)

  2. Flannel Network Overlay

  3. RBAC usage on cluster

Resources: This example uses resources from the following GitHub repositories: Vault Operator/etcd operator and Vault and etcd clusters.

Goals and Key Steps for Integration

The goal of integrating HashiCorp Vault is to enable a tool that manages dynamic secrets. Users can also leverage a HashiCorp Vault integration with Nirmata to prepare for additional integrations, such as Portworx.

Deploying Vault in a Nirmata Kubernetes Cluster

Integrating Nirmata with Vault begins with deploying Vault Operator in the cluster.

To deploy Vault Operator in a cluster, create and configure a Kubernetes cluster through Nirmata.

Next, pull the Vault-specific binaries, configuration, and YAML files. Then configure the necessary RBAC policy (https://github.com/coreos/vault-operator/blob/master/example/rbac-template.yaml).

After configuring the RBAC policy, deploy Flannel.

Vault Operator uses etcd, managed by the etcd operator, as backend storage. Create and deploy the custom resource definitions (CRDs) for the etcd operator, and then create and deploy a Vault cluster using those custom resource definitions.

Create a Kubernetes Cluster using Nirmata

To create and configure a Kubernetes Cluster through Nirmata, set up the cloud provider, the Host Group, and the Kubernetes Cluster.

When complete, the Kubernetes Cluster is displayed in Nirmata.


Cluster Level Deployments

To deploy Vault at the cluster level, begin by deploying CRDs.

Add Custom Resource Definitions (CRD)

Deploy the following CRD files:

  1. etcd_crds.yaml

  2. vault_crd.yaml

To deploy a YAML on a cluster, open the cluster and then select Apply YAML from the Cluster Settings menu.

Drop the YAML file into the upload box or select the file from the directory.

Create the Vault Environment

Vault creates resources in its own namespace: vault.

Create a “vault” namespace as a Nirmata environment.

To create a new Environment, select Environment from the sidebar menu. Then click +Add Environment and complete the information in the pop-up window using the name "vault". Click Add.


The new environment appears in the Environments list.


Create the Vault Application Space and Upload YAML Files

Now, create a new application in the Vault environment using the supplied YAMLs.

Vault Application YAMLs:

  1. etcd-operator-deploy.yaml

  2. deployment.yaml

  3. example-vault.yaml

To create a new application, add each YAML to the Application Catalog. Select Catalog in the sidebar menu and then select Application Catalog. From the main Application Catalog screen, click Add Application.

Drop the YAML file into the upload box or select the file from the directory.


DO NOT DEPLOY THE APPLICATION

Open the RBAC template file and edit the service account and namespace lines so that they refer to the service account and namespace you are deploying into.

After editing the RBAC template, deploy the file to the new namespace with kubectl: open the cluster, open the Cluster Settings menu, and select Launch Terminal to run a kubectl command.

Using a text editor in that terminal, paste the edited RBAC into a file named rbac.yaml on the cluster.

To deploy the rbac.yaml, run the Deploy RBAC Command in the same terminal window. Replace ‘default’ with the active namespace before running.

Deploy RBAC Command:

/ # kubectl -n default create -f rbac.yaml
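The RBAC editing and deployment steps above, as an added example that is not code from the Nirmata documentation or from the vault-operator project: a small POSIX sh script that fills in the namespace and service account of the RBAC template, refuses to write rbac.yaml while any placeholder is still unfilled (a half-edited binding would grant the operator's ClusterRole to the wrong subject), and then runs the page's Deploy RBAC Command with the namespace substituted. The placeholder markers <namespace> and <service-account>, the embedded ClusterRoleBinding used as a stand-in for rbac-template.yaml, and the function names are assumptions; adjust the sed expressions to match the markers in your copy of the template.

```sh
#!/bin/sh
# Added example (not from the Nirmata docs or vault-operator): render the
# RBAC template for a chosen namespace and service account, refuse to apply
# it while any placeholder is left unfilled, then apply it with kubectl.
#
# ASSUMPTION: the template marks the two editable fields with the literal
# placeholders <namespace> and <service-account>.

# Constructed stand-in for rbac-template.yaml: a ClusterRoleBinding that
# grants the vault-operator ClusterRole to one service account in one namespace.
RBAC_TEMPLATE='apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vault-operator
subjects:
- kind: ServiceAccount
  name: <service-account>
  namespace: <namespace>'

# render_rbac NAMESPACE SERVICE_ACCOUNT
# Prints the template with both placeholders substituted.
render_rbac() {
  printf '%s\n' "$RBAC_TEMPLATE" \
    | sed -e "s/<namespace>/$1/g" -e "s/<service-account>/$2/g"
}

# has_placeholders TEXT -> exit 0 (true) when an unfilled <...> marker remains
has_placeholders() {
  printf '%s' "$1" | grep -q '<[a-z-]*>'
}

# deploy_rbac NAMESPACE SERVICE_ACCOUNT
# Writes rbac.yaml and applies it; refuses to apply a half-edited template.
deploy_rbac() {
  rendered=$(render_rbac "$1" "$2")
  if has_placeholders "$rendered"; then
    echo "rbac.yaml still contains an unfilled placeholder; not applying" >&2
    return 1
  fi
  printf '%s\n' "$rendered" > rbac.yaml
  if command -v kubectl >/dev/null 2>&1; then
    # The page's Deploy RBAC Command, with 'default' replaced by the namespace.
    kubectl -n "$1" create -f rbac.yaml
  else
    echo "kubectl not found; rbac.yaml rendered but not applied" >&2
  fi
}

# Usage: deploy_rbac vault vault-operator
```

Run it from the Nirmata cluster terminal where kubectl is available; without kubectl it only renders rbac.yaml so you can review the binding before applying it.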

Deploy Flannel Overlay

To deploy the Flannel Overlay, apply the Flannel Overlay YAML with a kubectl command.

Apply Flannel Overlay Command:

kubectl apply -f

Flannel Overlay YAML

How to Deploy the Vault Operator

To deploy the Vault Operator, deploy both the etcd operator and the deployment YAML.

To deploy the etcd operator, click Catalog in the sidebar menu and then select Application Catalog. From the main Application Catalog screen, click Add Application.

Wait at least ten minutes before deploying the deployment YAML using the Kubectl Deploy Command, replacing ‘default’ with the active namespace.

Kubectl Deploy Command:

$ kubectl -n default get deploy

After deploying both the etcd operator and the deployment YAML, verify that an etcd and vault operator are running on the cluster.

How to Deploy the Vault Cluster

To deploy the Vault cluster, create a new application. Click on Catalog in the sidebar menu and then select Application Catalog. From the main Application Catalog screen, click Add Application.

Add the sample Vault Cluster YAML file.

Sample Vault Cluster YAML:

apiVersion: "vault.security.coreos.com/v1alpha1"
kind: "VaultService"
metadata:
  name: "example"
spec:
  nodes: 2
  version: "0.9.1-0"


To run the Sample Vault Cluster application in the Vault environment, open the environment and click +Run Application.


After deploying the Sample Vault Cluster, its pods can be listed with:

kubectl -n default get pods -l app=vault,vault_cluster=example

Note: The vault_cluster label value and the namespace are environment-dependent.

As the Vault cluster comes online, various pods will begin starting up and running.
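Checking that the Vault cluster has actually come up, as an added example that is not part of the Nirmata documentation: the script parses the output of the page's kubectl get pods command and treats the cluster as ready only when the expected number of pods are listed and every one of them is Running with all of its containers ready, which is the state worth confirming before moving on to initialize and unseal Vault. The two embedded kubectl tables are constructed samples (pod names and READY counts are illustrative), and the function names, the polling interval and the default timeout are assumptions.

```sh
#!/bin/sh
# Added example (not from the Nirmata docs or vault-operator): decide whether
# the Vault cluster's pods are all up by parsing the output of
#   kubectl -n <namespace> get pods -l app=vault,vault_cluster=<cluster>
# A pod counts as ready only when STATUS is Running and READY is n/n.

# Constructed sample output while the cluster is still coming online:
# one pod has both containers ready, one still has a container starting.
SAMPLE_STARTING='NAME                       READY     STATUS              RESTARTS   AGE
example-1234567890-abcde   2/2       Running             0          1m
example-1234567890-fghij   1/2       ContainerCreating   0          1m'

# Constructed sample output once the cluster is up.
SAMPLE_READY='NAME                       READY     STATUS    RESTARTS   AGE
example-1234567890-abcde   2/2       Running   0          3m
example-1234567890-fghij   2/2       Running   0          3m'

# pods_ready_from_table TABLE -> exit 0 if every listed pod is Running and READY n/n
pods_ready_from_table() {
  printf '%s\n' "$1" | awk '
    NR == 1 { next }                       # skip the header row
    NF == 0 { next }                       # skip blank lines
    {
      split($2, r, "/")                    # READY column, e.g. 1/2
      if ($3 != "Running" || r[1] != r[2]) bad++
      total++
    }
    END { if (total == 0 || bad > 0) exit 1; exit 0 }'
}

# count_pods_from_table TABLE -> number of pod rows in the table
count_pods_from_table() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# vault_pods_ready NAMESPACE CLUSTER EXPECTED
# exit 0 when exactly EXPECTED pods exist and all of them are ready.
vault_pods_ready() {
  table=$(kubectl -n "$1" get pods -l "app=vault,vault_cluster=$2" 2>/dev/null)
  [ "$(count_pods_from_table "$table")" -eq "$3" ] && pods_ready_from_table "$table"
}

# wait_for_vault NAMESPACE CLUSTER EXPECTED [TIMEOUT_SECONDS]
# Polls every 10 seconds until the cluster is ready or the timeout passes.
wait_for_vault() {
  deadline=$(( $(date +%s) + ${4:-600} ))
  until vault_pods_ready "$1" "$2" "$3"; do
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out waiting for Vault cluster $2 in namespace $1" >&2
      return 1
    fi
    sleep 10
  done
  echo "Vault cluster $2 in namespace $1: all $3 pods Running"
}

# Usage (matches the sample VaultService with spec.nodes: 2 in the vault namespace):
#   wait_for_vault vault example 2
```

The EXPECTED argument should match spec.nodes of the VaultService, so that a cluster with one pod still missing is not mistaken for a ready one.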

Leveraging the Vault Cluster

See the Vault Usage Guide for information on how to initialize, unseal, and use the deployed Vault cluster.

For an overview of the default TLS configuration and to learn how to specify custom TLS assets for a Vault cluster see the TLS Setup Guide.