 8ba77ddbe2
			
		
	
	8ba77ddbe2
	
	
	
		
			
			Removed escape characters from href and anchor text. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5f4b54eeedad59d5a32c9d4d7ed2c16e1250b426
		
			
				
	
	
	
		
			7.4 KiB
		
	
	
	
	
	
	
	
			
		
		
	
	Configure Vault Using the Vault REST API
After Vault has been installed, you can configure Vault for use by hosted Kubernetes applications on . This section describes the minimum configuration requirements for secret management for hosted Kubernetes applications.
You can configure Vault using Vault's REST API. Configuration can
also be done by logging into a Vault server pod and using the Vault CLI
directly. For more information, see Configure Vault Using the CLI
<configure-vault-using-the-cli>.
The following steps use Vault's REST API and is run from controller-0.
- Set environment variables. - $ ROOT_TOKEN=$(kubectl exec -n vault sva-vault-manager-0 -- cat /mnt/data/cluster_keys.json | grep -oP --color=never '(?<="root_token":")[^"]*') $ SA_CA_CERT=$(kubectl exec -n vault sva-vault-0 -- awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /var/run/secrets/kubernetes.io/serviceaccount/ca.crt) $ TOKEN_JWT=$(kubectl exec -n vault sva-vault-0 -- cat /var/run/secrets/kubernetes.io/serviceaccount/token) $ KUBERNETES_PORT_443_TCP_ADDR=$(kubectl exec -n vault sva-vault-0 -- sh -c 'echo $KUBERNETES_PORT_443_TCP_ADDR') $ echo $(kubectl get secrets -n vault vault-ca -o jsonpath='{.data.tls\.crt}') | base64 --decode > /home/sysadmin/vault_ca.pem
- Enable the Kubernetes Auth method. - This allows Vault to use Kubernetes service accounts for authentication of Vault commands. - For more information, see: - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{"type":"kubernetes","description":"kubernetes auth"}' https://sva-vault.vault.svc.cluster.local:8200/v1/sys/auth/kubernetes- Configure the Kubernetes Auth method. - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{"kubernetes_host": "'"https://$KUBERNETES_PORT_443_TCP_ADDR:443"'", "kubernetes_ca_cert":"'"$SA_CA_CERT"'", "token_reviewer_jwt":"'"$TOKEN_JWT"'"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/config
- Verify the Kubernetes Auth method. - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/config
 
- Enable a secrets engine. - Vault supports a variety of secret engines, as an example, create a kv-v2 secrets engine. The kv-v2 secrets engine allows for storing arbitrary key-value pairs. Secrets engines are enabled at a "path" in Vault. When a request comes to Vault, the router automatically routes anything with the route prefix to the secrets engine. In this way, each secrets engine defines its own paths and properties. To the user, secrets engines behave similar to a virtual filesystem, supporting operations like read, write, and delete. - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{"type": "kv","version":"2"}' https://sva-vault.vault.svc.cluster.local:8200/v1/sys/mounts/secret- For more information, see: 
- Create a sample policy and role for allowing access to the configured kv-v2 secrets engine. - Create a policy. - A Vault policy specifies read and/or write capabilities for a particular secret engine path, and the Vault role binds a specific Kubernetes service account to a policy. - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" --request PUT -d '{"policy":"path \"secret/basic-secret/*\" {capabilities = [\"read\"]}"}' https://sva-vault.vault.svc.cluster.local:8200/v1/sys/policy/basic-secret-policy- For more information, see, https://www.vaultproject.io/docs/concepts/policies. 
- Create the role mapped to the policy. - Note - The service account and namespace used for the values below must exist on the kubernetes cluster. - bound_service_account_names
- bound_service_account_namespaces
 - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" --request POST --data '{ "bound_service_account_names": "basic-secret", "bound_service_account_namespaces": "pvtest", "policies": "basic-secret-policy", "max_ttl": "1800000"}' https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
- Verify the role configuration. - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" https://sva-vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/role/basic-secret-role
 
- Create an initial example secret in the configured kv-v2 secrets engine. - Create a secret. - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" -H "Content-Type: application/json" -X POST -d '{"username":"pvtest","password":"<password>"}' https://sva-vault.vault.svc.cluster.local:8200/v1/secret/basic-secret/helloworld
- Verify the secret. - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" https://sva-vault.vault.svc.cluster.local:8200/v1/secret/basic-secret/helloworld
 
- (Optional) To enable and configure logging, use the steps below: - Enable Vault logging to file for persistent log storage. - $ curl --cacert /home/sysadmin/vault_ca.pem --request POST --header "X-Vault-Token:$ROOT_TOKEN" --data '{"type": "file", "description": "ctest", "options": {"file_path": "/vault/audit/vault_audit.log"}}' https://sva-vault.vault.svc.cluster.local:8200/v1/sys/audit/vaultfile
- Enable Vault logging to stdout for easy log reading from the Vault container. - $ curl --cacert /home/sysadmin/vault_ca.pem --request POST --header "X-Vault-Token:$ROOT_TOKEN" --data '{"type": "file", "description": "stdout", "options": {"file_path": "stdout"}}' https://sva-vault.vault.svc.cluster.local:8200/v1/sys/audit/stdout
- Verify the configuration. - $ curl --cacert /home/sysadmin/vault_ca.pem --header "X-Vault-Token:$ROOT_TOKEN" https://sva-vault.vault.svc.cluster.local:8200/v1/sys/audit
 
For more information, see :
Vault Overview <kubernetes-user-tutorials-vault-overview>.
Configure Vault Using the CLI <configure-vault-using-the-cli>