Create Kubernetes native secrets from HCP Vault Dedicated with VSO
The Vault Secrets Operator allows you to create native Kubernetes Secrets from static and dynamic secrets managed by Vault.
Challenge
Kubernetes secrets are static configuration objects containing confidential information. They are typically created during the deployment of an application and remain unchanged throughout the lifecycle of the application's container. Kubernetes does not support secret rotation, leaving that responsibility to the development or operations team.
Solution
The Vault Secrets Operator takes a static or dynamic secret from Vault and creates a Kubernetes secret. With VSO, using Vault is transparent, which lets you avoid updating your applications or processes.
In this tutorial, you will:
- Set up your local environment to support Vault Dedicated.
- Start a Kubernetes cluster using minikube.
- Configure networking between Vault Dedicated and Kubernetes.
- Deploy the Vault Secrets Operator.
- Create and read Kubernetes secrets managed by Vault Dedicated.
Vault Secrets Operator for self-hosted Vault in Kubernetes
Using the Vault Secrets Operator with self-hosted Vault running in a Kubernetes cluster is explored in the Vault Secrets Operator tutorial.
Prerequisites
- HCP Vault Dedicated dev tier or higher cluster available
- Vault
- kubectl
- Helm
- minikube installed and configured
- ngrok installed and configured with an auth token
This tutorial was tested against the following specific versions:
- HCP Vault Dedicated 1.15.4
- Vault CLI 1.15
- Kubectl 1.27.2
- Helm 3.11.2
- minikube 1.31
- Kubernetes 1.27.3
Lab setup
Vault setup
Note
If you do not have access to an HCP Vault Dedicated cluster, visit the Create a Vault Cluster on HCP tutorial.
Launch the HCP Portal and login.
Click Vault in the left navigation pane.
In the Vault clusters pane, click vault-cluster.
Under Cluster URLs, click Public Cluster URL.
Security consideration
When an HCP Vault Dedicated cluster has public access enabled, you can connect to Vault from any internet connected device. If your use case requires public access to be enabled, we recommend configuring the IP allow list to limit which IPv4 public IP addresses or CIDR ranges can connect to Vault to limit the attack surface.
When the Vault Dedicated cluster has private access enabled, you will need to access the cluster from a connected cloud provider, such as AWS with a VPC peering connection or an AWS transit gateway connection, or Azure with an Azure Virtual Network peering connection. For the purposes of this tutorial, your cluster should have public access enabled.
Open a new terminal and set the VAULT_ADDR environment variable to the copied address.
Return to the Overview page and click Generate token.
Within a few moments, a new token will be generated.
Copy the Admin Token.
Return to the terminal and set the VAULT_TOKEN environment variable.
Set the VAULT_NAMESPACE environment variable to admin. The admin namespace is the top-level namespace automatically created by HCP Vault. All CLI operations default to the namespace defined in this environment variable.
Note
For these tasks, you can use the HCP Vault Dedicated admin token. However, it is recommended that admin tokens are only used for initial setup or in emergencies. As a best practice, use an authentication method or token that meets the policy requirements.
Enable the KV secret engine.
Create a secret at path secret/exampleapp/config with a username and password.
The Vault Dedicated server is ready.
Kubernetes setup
You will use minikube, a CLI tool that provisions and manages the lifecycle of a single-node Kubernetes cluster, to set up a Kubernetes cluster on your system.
Start a Kubernetes cluster.
The initialization process takes several minutes as it retrieves any necessary dependencies and executes various container images.
Verify the status of the Kubernetes cluster.
The Kubernetes cluster is ready.
Configure Kubernetes
Create Vault service account
Create a Kubernetes service account named vault-auth with a service account token. This token is used by Vault to authenticate with the Kubernetes API.
Example output:
Create a role for the vault-auth service account to permit access to the Kubernetes API.
Example output:
Retrieve the vault-auth secret and store it as an environment variable. The secret includes the Kubernetes CA certificate ca.crt and the token as base64 encoded strings.
Decode the ca.crt certificate and store it as an environment variable.
Decode the token and store it as an environment variable.
You have collected the necessary information for the vault-auth service account to configure the Kubernetes auth method.
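As an added example (not the tutorial's own manifests), the three Kubernetes objects the steps above create, written as a single manifest: the vault-auth service account, a long-lived token Secret bound to it (Kubernetes 1.24 and later no longer create one automatically), and a ClusterRoleBinding to the built-in system:auth-delegator role, which grants only the TokenReview access Vault needs. The Secret name vault-auth-token and the binding name are assumptions.

```yaml
# Added example, not from the tutorial. Apply with: kubectl apply -f <file>
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  namespace: default
---
# Kubernetes 1.24+ does not auto-create a token Secret for a service
# account, so request a long-lived one explicitly. The Secret name
# (vault-auth-token) is an assumption of this example; its data will
# contain ca.crt and token, both base64 encoded.
apiVersion: v1
kind: Secret
metadata:
  name: vault-auth-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token
---
# system:auth-delegator grants only tokenreviews and subjectaccessreviews:
# enough for Vault to validate pod tokens and nothing more, so the
# reviewer identity stays least-privilege.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-auth-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-auth
    namespace: default
```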
Configure networking
In this tutorial, you will configure ngrok to expose the Kubernetes API to Vault Dedicated. For production workloads, this would typically be set up using a peering connection, transit gateway, or VPN. Refer to the HashiCorp Virtual Network documentation to learn more.
In another terminal, start a proxy to expose the Kubernetes API.
Leave this tab open with the proxy running.
In another terminal, start ngrok and create a tunnel to the proxy listening on port 8001.
Warning
ngrok is used to expose the Kubernetes API over the internet to HCP Vault Dedicated. Using --scheme=http exposes the API without encryption to avoid TLS certificate errors. For production workloads, use a private peering or transit gateway connection with trusted certificates.
Example output:
Copy the ngrok forwarding address.
Return to the terminal where you set the VAULT_ADDR environment variable and set an environment variable for the ngrok forwarding address.
The Kubernetes API is now accessible to Vault Dedicated.
Configure Vault
Enable the Kubernetes auth method.
Configure the Kubernetes auth method to connect to the Kubernetes API using the vault-auth service account token.
Example output:
Create a Vault policy that permits read access to secret/exampleapp/config.
Example output:
Create a role for the Kubernetes auth method and include the exampleapp-read Vault policy.
Example output:
Install the Vault Secrets Operator
Add the HashiCorp Helm repository and update it.
Install the Vault Secrets Operator.
Example output:
The Vault Secrets Operator has been installed.
Configure the Vault Secrets Operator
Create a connection to Vault Dedicated.
Verify the configuration.
Configure authentication for the Vault Secrets Operator controller.
Example output:
Configure the Vault Secrets Operator to read from the secret KV v2 mount at the exampleapp/config path.
Example output:
Verify the Kubernetes secret was created.
The secret vso-handled was created by the Vault Secrets Operator and named based on the name parameter provided in the VaultStaticSecret config.
Read the Kubernetes secret value and decode the base64 encoded strings.
Applications and users can now read the secret natively in Kubernetes, for example by mounting it as a volume or exposing it as an environment variable.
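An added example of the three Vault Secrets Operator resources that the "Configure the Vault Secrets Operator" steps above create (example manifests, not the tutorial's own). The placeholder for the cluster address, the Vault role name exampleapp, the resource names and the 30s refresh interval are assumptions; the audiences value must match the audience configured on the Vault Kubernetes auth role, and namespace: admin is what points the operator at the HCP Vault Dedicated admin namespace.

```yaml
# Added example, not from the tutorial. Names and the role are assumptions;
# replace <HCP_VAULT_PUBLIC_URL> with the value of VAULT_ADDR.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-connection
  namespace: default
spec:
  address: <HCP_VAULT_PUBLIC_URL>   # HCP presents a trusted certificate, so TLS verification stays on
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: static-auth
  namespace: default
spec:
  vaultConnectionRef: vault-connection
  method: kubernetes
  mount: kubernetes          # auth mount enabled in the "Configure Vault" section
  namespace: admin           # HCP Vault Dedicated: the auth method lives in the admin namespace
  kubernetes:
    role: exampleapp         # assumed name of the Vault Kubernetes auth role
    serviceAccount: default  # must be listed in the role's bound_service_account_names
    audiences:
      - vault                # must equal the audience set on the Vault role
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vault-static-secret
  namespace: default
spec:
  vaultAuthRef: static-auth
  mount: secret              # the KV v2 mount
  type: kv-v2
  path: exampleapp/config
  refreshAfter: 30s          # re-sync interval: a value rotated in Vault reaches Kubernetes within this window
  destination:
    create: true
    name: vso-handled        # the Kubernetes Secret name checked in the verify step
```

The operator authenticates to Vault with the default service account of the namespace holding the VaultAuth, not with vault-auth, which is only the identity Vault uses to call the TokenReview API.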
Clean up
Delete any Vault Dedicated clusters created that will not be used after completing the tutorial.
Stop minikube.
(Optional) Delete the minikube instance.
Return to the terminal running ngrok and type ctrl-c to stop ngrok.
Return to the terminal running the Kubernetes proxy and type ctrl-c to stop the proxy.
Additional Resources
- Vault Secrets Operator with HCP Vault tutorial
- Vault Secrets Operator documentation