AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    arrow_forward
    Stash

    Backup and Recovery Solution for Kubernetes

    arrow_forward
    KubeVault

    Run Production-Grade Vault on Kubernetes

    arrow_forward
    Voyager

    Secure Ingress Controller for Kubernetes

    arrow_forward
    ConfigSyncer

    Kubernetes Configuration Syncer

    arrow_forward
    Guard

    Kubernetes Authentication WebHook Server

    arrow_forward
    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • task_altLower administrative burden
    • task_altNative Kubernetes Support
    • task_altPerformance
    • task_altAvailability and durability
    • task_altManageability
    • task_altCost-effectiveness
    • task_altSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • task_altDeclarative API
    • task_altBackup Kubernetes Volumes
    • task_altBackup Database
    • task_altMultiple Storage Support
    • task_altDeduplication
    • task_altData Encryption
    • task_altVolume Snapshot
    • task_altPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • task_altVault Kubernetes Deployment
    • task_altAuto Initialization & Unsealing
    • task_altVault Backup & Restore
    • task_altConsume KubeVault Secrets with CSI
    • task_altManage DB Users Privileges
    • task_altStorage Backend
    • task_altAuthentication Method
    • task_altDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • task_altHTTP & TCP
    • task_altSSL
    • task_altPlatform support
    • task_altHAProxy
    • task_altPrometheus
    • task_altLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • task_altConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • task_altIdentity Providers
    • task_altCLI
    • task_altRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
KubeVault KubeVault
github-icon twitter-icon
TRY NOW FREE

We use cookies and other similar technology to collect data to improve your experience on our site, as described in our Privacy Policy.

You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.

Mount Azure Secrets using CSI Driver

At first, you need to have a Kubernetes 1.14 or later cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using kind. To check the version of your cluster, run:

$ kubectl version --short
Client Version: v1.16.2
Server Version: v1.14.0

Before you begin:

  • Install KubeVault operator in your cluster from here.
  • Install Secrets Store CSI driver for Kubernetes secrets in your cluster from here.

To keep things isolated, we are going to use a separate namespace called demo throughout this tutorial.

$ kubectl create ns demo
namespace/demo created

Note: YAML files used in this tutorial stored in examples folder in GitHub repository KubeVault/docs

Vault Server

If you don’t have a Vault Server, you can deploy it by using the KubeVault operator.

The KubeVault operator can manage policies and secret engines of Vault servers which are not provisioned by the KubeVault operator. You need to configure both the Vault server and the cluster so that the KubeVault operator can communicate with your Vault server.

Now, we have the AppBinding that contains connection and authentication information about the Vault server. And we also have the service account that the Vault server can authenticate.

$ kubectl get serviceaccounts -n demo
NAME                       SECRETS   AGE
vault                      1         20h

$ kubectl get appbinding -n demo
NAME    AGE
vault   50m

$ kubectl get appbinding -n demo vault -o yaml
apiVersion: appcatalog.appscode.com/v1alpha1
kind: AppBinding
metadata:
  name: vault
  namespace: demo
spec:
  clientConfig:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN1RENDQWFDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFOTVFzd0NRWURWUVFERXdKallUQWUKRncweE9URXhNVEl3T1RFMU5EQmFGdzB5T1RFeE1Ea3dPVEUxTkRCYU1BMHhDekFKQmdOVkJBTVRBbU5oTUlJQgpJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdFZFZmtic2c2T085dnM2d1Z6bTlPQ1FYClBtYzBYTjlCWjNMbXZRTG0zdzZGaWF2aUlSS3VDVk1hN1NRSGo2L2YvOHZPeWhqNEpMcHhCM0hCYVFPZ3RrM2QKeEFDbHppU1lEd3dDbGEwSThxdklGVENLWndreXQzdHVQb0xybkppRFdTS2xJait6aFZDTHZ0enB4MDE3SEZadApmZEdhUUtlSXREUVdyNUV1QWlCMjhhSVF4WXREaVN6Y0h3OUdEMnkrblRMUEd4UXlxUlhua0d1UlIvR1B3R3lLClJ5cTQ5NmpFTmFjOE8wVERYRkIydWJQSFNza2xOU1VwSUN3S1IvR3BobnhGak1rWm4yRGJFZW9GWDE5UnhzUmcKSW94TFBhWDkrRVZxZU5jMlczN2MwQlhBSGwyMHVJUWQrVytIWDhnOVBVVXRVZW9uYnlHMDMvampvNERJRHdJRApBUUFCb3lNd0lUQU9CZ05WSFE4QkFmOEVCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFabHRFN0M3a3ZCeTNzeldHY0J0SkpBTHZXY3ZFeUdxYUdCYmFUbGlVbWJHTW9QWXoKbnVqMUVrY1I1Qlg2YnkxZk15M0ZtZkJXL2E0NU9HcDU3U0RMWTVuc2w0S1RlUDdGZkFYZFBNZGxrV0lQZGpnNAptOVlyOUxnTThkOGVrWUJmN0paUkNzcEorYkpDU1A2a2p1V3l6MUtlYzBOdCtIU0psaTF3dXIrMWVyMUprRUdWClBQMzFoeTQ2RTJKeFlvbnRQc0d5akxlQ1NhTlk0UWdWK3ZneWJmSlFEMVYxbDZ4UlVlMzk2YkJ3aS94VGkzN0oKNWxTVklmb1kxcUlBaGJPbjBUWHp2YzBRRXBKUExaRDM2VDBZcEtJSVhjZUVGYXNxZzVWb1pINGx1Uk50SStBUAp0blg4S1JZU0xGOWlCNEJXd0N0aGFhZzZFZVFqYWpQNWlxZnZoUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    service:
      name: vault
      port: 8200
      scheme: HTTPS
  parameters:
    apiVersion: config.kubevault.com/v1alpha1
    kind: VaultServerConfiguration
    path: kubernetes
    vaultRole: vault-policy-controller
    kubernetes:
      serviceAccountName: vault
      tokenReviewerServiceAccountName: vault-k8s-token-reviewer
      usePodServiceAccountForCSIDriver: true

Enable and Configure Azure Secret Engine

The following steps are required to enable and configure the Azure secrets engine in the Vault server.

There are two ways to configure the Vault server. You can either use the KubeVault operator or the Vault CLI to manually configure a Vault server.

Using KubeVault operator

You need to be familiar with the following CRDs:

Let’s enable and configure Azure secret engine by deploying the following SecretEngine yaml:

apiVersion: engine.kubevault.com/v1alpha1
kind: SecretEngine
metadata:
  name: azure-engine
  namespace: demo
spec:
  vaultRef:
    name: vault
  azure:
    credentialSecret: azure-cred

To configure the Azure secret engine, you need to provide azure credentials through a Kubernetes secret.

apiVersion: v1
kind: Secret
metadata:
  name: azure-cred
  namespace: demo
data:
  client-secret: eyJtc2ciOiJleGFtcGxlIn0=
  subscription-id: eyJtc2ciOiJleGFtcGxlIn0=
  client-id: eyJtc2ciOiJleGFtcGxlIn0=
  tenant-id: eyJtc2ciOiJleGFtcGxlIn0=

Let’s deploy SecretEngine:

$ kubectl apply -f docs/examples/guides/secret-engines/azure/azureCred.yaml
secret/azure-cred created

$ kubectl apply -f docs/examples/guides/secret-engines/azure/azureSecretEngine.yaml
secretengine.engine.kubevault.com/azure-engine created

Wait till the status become Success:

$ kubectl get secretengines -n demo
NAME           STATUS
azure-engine   Success

A sample AzureRole object is given below:

apiVersion: engine.kubevault.com/v1alpha1
kind: AzureRole
metadata:
  name: azure-role
  namespace: demo
spec:
  vaultRef:
    name: vault
  applicationObjectID: c1cb042d-96d7-423a-8dba-243c2e5010d3
  ttl: 1h

Let’s deploy AzureRole:

$ kubectl apply -f docs/examples/guides/secret-engines/azure/azureRole.yaml
azurerole.engine.kubevault.com/azure-role created

$ kubectl get azureroles -n demo
NAME         STATUS
azure-role   Success

You can also check from Vault that the role is created. To resolve the naming conflict, name of the role in Vault will follow this format: k8s.{clusterName}.{metadata.namespace}.{metadata.name}.

Don’t have Vault CLI? Download and configure it as described here

$ vault list azure/roles
Keys
----
k8s.-.demo.azure-role

$ vault read azure/roles/k8s.-.demo.azure-role
Key                      Value
---                      -----
application_object_id    c1cb042d-96d7-423a-8dba-243c2e5010d3
azure_roles              <nil>
max_ttl                  0s
ttl                      1h

For more detailed explanation visit Vault official website

Using Vault CLI

You can also use Vault CLI to enable and configure the Azure secret engine.

Don’t have Vault CLI? Download and configure it as described here

To generate secret from the Azure secret engine, you need to perform the following steps.

  • Enable Azure Secret Engine: To enable Azure secret engine run the following command.
$ vault secrets enable azure
Success! Enabled the azure secrets engine at: azure/
  • Configure the secrets engine: Configure the secrets engine with account credentials
$ vault write azure/config \
  subscription_id=$AZURE_SUBSCRIPTION_ID \
  tenant_id=$AZURE_TENANT_ID \
  client_id=$AZURE_CLIENT_ID \
  client_secret=$AZURE_CLIENT_SECRET

Success! Data written to: azure/config
  • Configure a role: Configure a role called “my-role” with an existing service principal:
$ vault write azure/roles/k8s.-.demo.azure-role \
                  application_object_id=c1cb042d-96d7-423a-8dba-243c2e5010d3 \
                  ttl=1h
Success! Data written to: azure/roles/k8s.-.demo.azure-role
  • Read the role:
$ vault list azure/roles
Keys
----
k8s.-.demo.azure-role

$ vault read azure/roles/k8s.-.demo.azure-role
Key                      Value
---                      -----
application_object_id    c1cb042d-96d7-423a-8dba-243c2e5010d3
azure_roles              <nil>
max_ttl                  0s
ttl                      1h

If you use Vault CLI to enable and configure the Azure secret engine then you need to update the vault policy for the service account ‘vault’ created during vault server configuration and add the permission to read at “azure/roles/*” with previous permissions. That is why it is recommended to use the KubeVault operator because the operator updates the policies automatically when needed.

Find how to update the policy for service account in here.

For more detailed explanation visit Vault official website

Mount secrets into a Kubernetes pod

Since Kubernetes 1.14, storage.k8s.io/v1beta1 CSINode and CSIDriver objects were introduced. Let’s check CSIDriver and CSINode are available or not.

$ kubectl get csidrivers
NAME                        CREATED AT
secrets.csi.kubevault.com   2019-12-09T04:32:50Z

$ kubectl get csinodes
NAME             CREATED AT
2gb-pool-57jj7   2019-12-09T04:32:52Z
2gb-pool-jrvtj   2019-12-09T04:32:58Z

So, we can create StorageClass now.

Create StorageClass

Create StorageClass object with the following content:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: vault-azure-storage
  annotations:
    storageclass.kubernetes.io/is-default-class: "false"
provisioner: secrets.csi.kubevault.com
parameters:
  ref: demo/vault # namespace/AppBinding, we created vault server configuration
  engine: Azure # vault engine name
  role: k8s.-.demo.azure-role # role name on vault which you want get access
  path: azure # specify the secret engine path, default is azure

$ kubectl apply -f docs/examples/guides/secret-engines/azure/storageClass.yaml
storageclass.storage.k8s.io/vault-azure-storage created

Test & Verify

Let’s create a separate namespace called trial for testing purpose.

$ kubectl create ns trial
namespace/trail created

Create PVC

Create a PersistentVolumeClaim with the following data. This makes sure a volume will be created and provisioned on your behalf.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: csi-pvc-azure
  namespace: trial
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Mi
  storageClassName: vault-azure-storage

$ kubectl apply -f docs/examples/guides/secret-engines/azure/pvc.yaml
persistentvolumeclaim/csi-pvc-azure created

Create VaultPolicy and VaultPolicyBinding for Pod’s Service Account

Let’s say pod’s service account name is pod-sa located in trial namespace. We need to create a VaultPolicy and a VaultPolicyBinding so that the pod has access to read secrets from the Vault server.

apiVersion: policy.kubevault.com/v1alpha1
kind: VaultPolicy
metadata:
  name: azure-se-policy
  namespace: demo
spec:
  vaultRef:
    name: vault
  # Here, azure secret engine is enabled at "azure".
  # If the path was "demo-se", policy should be like
  # path "demo-se/*" {}.
  policyDocument: |
    path "azure/*" {
      capabilities = ["create", "read"]
    }    
---
apiVersion: policy.kubevault.com/v1alpha1
kind: VaultPolicyBinding
metadata:
  name: azure-se-role
  namespace: demo
spec:
  vaultRef:
    name: vault
  policies:
  - ref: azure-se-policy
  subjectRef:
    kubernetes:
      serviceAccountNames:
      - "pod-sa"
      serviceAccountNamespaces:
      - "trial"

Let’s create VaultPolicy and VaultPolicyBinding:

$ kubectl apply -f docs/examples/guides/secret-engines/azure/vaultPolicy.yaml
vaultpolicy.policy.kubevault.com/azure-se-policy created

$ kubectl apply -f docs/examples/guides/secret-engines/azure/vaultPolicyBinding.yaml
vaultpolicybinding.policy.kubevault.com/azure-se-role created

Check if the VaultPolicy and the VaultPolicyBinding are successfully registered to the Vault server:

$ kubectl get vaultpolicy -n demo
NAME                           STATUS    AGE
azure-se-policy                Success   8s

$ kubectl get vaultpolicybinding -n demo
NAME                           STATUS    AGE
azure-se-role                  Success   10s

Create Service Account for Pod

Let’s create the service account pod-sa which was used in VaultPolicyBinding. When a VaultPolicyBinding object is created, the KubeVault operator create an auth role in the Vault server. The role name is generated by the following naming format: k8s.(clusterName or -).namespace.name. Here, it is k8s.-.demo.azure-se-role. We need to provide the auth role name as service account annotations while creating the service account. If the annotation secrets.csi.kubevault.com/vault-role is not provided, the CSI driver will not be able to perform authentication to the Vault.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-sa
  namespace: trial
  annotations:
    secrets.csi.kubevault.com/vault-role: k8s.-.demo.azure-se-role

$ kubectl apply -f docs/examples/guides/secret-engines/azure/podServiceAccount.yaml
serviceaccount/pod-sa created

Create Pod

Now we can create a Pod which refers to this volume. When the Pod is created, the volume will be attached, formatted and mounted to the specific container.

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: trial
spec:
  containers:
  - name: mypod
    image: busybox
    command:
    - sleep
    - "3600"
    volumeMounts:
    - name: my-vault-volume
      mountPath: "/etc/azure"
      readOnly: true
  serviceAccountName: pod-sa # service account that was created
  volumes:
  - name: my-vault-volume
    persistentVolumeClaim:
      claimName: csi-pvc-azure

$ kubectl apply -f docs/examples/guides/secret-engines/azure/pod.yaml
pod/mypod created

Check if the Pod is running successfully, by running:

$ kubectl get pods -n trial
NAME                    READY   STATUS    RESTARTS   AGE
mypod                   1/1     Running   0          27s

Verify Secret

If the Pod is running successfully, then check inside the app container by running

$ kubectl exec -it -n trial  mypod sh
/ # ls /etc/azure/
client_id      client_secret

/ # cat /etc/azure/client_id
2b871d4a-757e-4b2f-bc78*************/ #

/ # cat /etc/azure/client_secret
9d7ce30a-4fa5-a*********************/ #

/ # exit

So, we can see that the secret client_id and client_secret are mounted into the pod, where the secret key is mounted as file and the value is the content of that file.

Cleaning up

To clean up the Kubernetes resources created by this tutorial, run:

$ kubectl delete ns demo
namespace "demo" deleted

$ $ kubectl delete ns trial
namespace "trial" deleted

What's on this Page

Search
Improve This Page