Static secrets with the Vault Secrets Operator on Kubernetes
Challenge
Vault offers a complete solution for secrets management, but it requires developers and operators to learn a completely new tool. They want a cloud native way to access the secrets through the Kubernetes secrets cache.
Solution
A Kubernetes Operator is a software extension that uses custom resources to manage applications hosted on Kubernetes.
The Vault secret operator is a Kubernetes Operator that syncs secrets between Vault and Kubernetes natively without having to learn details of Vault use.
Currently, the Vault Secrets Operator is available as a Beta feature, and it supports kv-v1 and kv-v2, TLS certificates from the PKI secrets engine, and a full range of static and dynamic secrets.
The Secrets Operator syncs the secrets between Vault and the Kubernetes secrets in a specified namespace. Within that namespace, applications have access to the secrets. The secrets are still managed by Vault, but accessed through the standard way on Kubernetes.
Prerequisites
- Vault version 1.12.0 or later
- Docker
- Kubernetes command-line interface (CLI)
- Kubernetes in Docker (Kind)
- k9s
- The helm CLI
This lab was written with the following versions.
Kubernetes in Docker (Kind):
Kubernetes-cli:
K9s:
The GitHub repo
Clone the repo at learn-vault-secrets-operator.
Move into that folder.
Kind of Kubernetes
Create a Kind cluster.
Output should resemble the following:
You have created a Kubernetes cluster running on Docker.
Vault Cluster
If you have not already, add the HashiCorp Repo.
To get the latest version of the HashiCorp helm charts, update the repo.
Details of the output might differ; the important thing to look for is the Update Complete.
Determine the latest version of Vault.
Ideally for this lab you will need Vault v1.10 or greater.
Using the YAML file in /vault, install Vault on your Kind cluster.
The Output should resemble the following:
Configure Vault
Connect to the Vault instance.
Enable the Kubernetes auth method.
Configure the auth method.
Output as follows:
Enable the kv v2 Secrets Engine.
Create a read only policy.
Output is as follows:
Create a role in Vault to enable access to secret.
Output as follows:
Notice that bound_service_account_namespaces is set to app, which limits the namespace that the secret is synced to.
Create some secrets.
Exit the Vault instance.
The Vault Secrets Operator
Now use helm to deploy the Vault Secrets Operator.
Examine the file vault/vault-operator-values.yaml.
The same namespace, app, that was mentioned during the secret creation is referenced here.
Deploy and sync a secret
Create a namespace called app on your Kind cluster.
Create the secret in the app namespace.
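As an added example (not the tutorial's own manifests), these are the three custom resources that the "create the secret in the app namespace" step amounts to: a connection to Vault, a Kubernetes auth binding, and a static kv-v2 secret synced into the app namespace. The apiVersion (secrets.hashicorp.com/v1beta1), the in-cluster Vault address, the role name demo, the mount kvv2, the path webapp/config and the service account default are assumptions; substitute the values from your own Vault configuration.

```yaml
# Added example; assumed names are marked below. Apply with kubectl in the
# app namespace after the Vault role and policy from the "Configure Vault"
# steps exist.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-connection
  namespace: app
spec:
  address: http://vault.vault.svc.cluster.local:8200   # assumed in-cluster address
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: static-auth
  namespace: app
spec:
  vaultConnectionRef: vault-connection
  method: kubernetes
  mount: kubernetes          # auth path enabled with "vault auth enable kubernetes"
  kubernetes:
    role: demo               # assumed role; its bound_service_account_namespaces is "app",
                             # so a VaultAuth in any other namespace is refused a token
    serviceAccount: default  # must appear in the role's bound_service_account_names
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: secretkv
  namespace: app
spec:
  vaultAuthRef: static-auth
  mount: kvv2                # assumed kv-v2 mount name
  type: kv-v2
  path: webapp/config        # assumed path; the operator reads kvv2/data/webapp/config
  refreshAfter: 30s          # poll interval; a rotated Vault value lands within this window
  destination:
    name: secretkv           # the Kubernetes Secret you will inspect in k9s
    create: true             # operator creates and owns the Secret object
```

Because the Vault role is bound to the app namespace and the default service account, the read-only policy is only ever exercised by the operator on behalf of that namespace; a copy of this VaultStaticSecret applied elsewhere fails at the VaultAuth step rather than leaking the secret.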
Secret rotation
First, display the secret in k9s.
Open a new terminal and start up k9s.
If not already displayed, list the namespaces by typing :ns.
Choose the app namespace and press enter.
This area is blank, so type in :secrets and hit enter.
Now the secret named secretkv is displayed; highlight it.
Display the secret by pressing the x key.
Back in your terminal, connect to the Vault instance.
Rotate the secret.
Return to k9s, escape back to the secrets page, and hit x again to display the updated secret.
Clean up
Exit the Vault instance.
Now delete the Kind cluster.
Additional discussion
A Kubernetes Operator is a software extension that uses custom resources to manage applications hosted on Kubernetes. The Vault Secrets Operator leverages HashiCorp Vault as a complete secrets management solution.
Secrets exist within Namespaces, which are virtual clusters within a Kubernetes cluster. The secrets operator allows you to administer the secrets through Vault, but access them as a Kubernetes native structure.
Kubernetes cluster administrators interested in using the Vault Secrets Operator to rotate dynamic secrets are encouraged to look at the demo included with the source for the Vault Secrets Operator.
Next steps
The Vault Secrets Operator is a first class Kubernetes Operator pattern for use with HashiCorp Vault responsible for syncing Vault secrets to Kubernetes Secrets natively.
In this tutorial you set up a Kubernetes in Docker Cluster with a Vault instance, Vault Secrets Operator controller and created a secret in a namespace called app. Then you displayed the secret in k9s, and used Vault to rotate the secret. Finally, you validated the change in the Vault secret value was reflected in the Kubernetes secret.