Helm/Vault Secrets Operator: Difference between revisions
| (28 intermediate revisions by the same user not shown) | |||
| Line 122: | Line 122: | ||
==Helm » Config== | ==Helm » Config== | ||
{|class='wikitable mw-collapsible' | {|class='wikitable mw-collapsible mw-collapsed' | ||
!scope='col' style='text-align:left' colspan='2'| | !scope='col' style='text-align:left' colspan='2'| | ||
Helm » Config | Helm » Config | ||
| Line 139: | Line 139: | ||
kubectl -n=vault-secrets-operator-system \ | kubectl -n=vault-secrets-operator-system \ | ||
scale deploy/vso-vault-secrets-operator-controller-manager --replicas=1 | scale deploy/vso-vault-secrets-operator-controller-manager --replicas=1 | ||
</syntaxhighlight> | |||
|} | |||
==Helm » Debug== | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' style='text-align:left'| | |||
Helm » Debug | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy | |||
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c manager | |||
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service | |||
</syntaxhighlight> | |||
|} | |||
==Helm » Uninstall== | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' style='text-align:left' colspan='2'| | |||
Helm » Uninstall | |||
|- | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
helm -n=vault-secrets-operator-system status vso | |||
helm -n=vault-secrets-operator-system get all vso | |||
helm -n=vault-secrets-operator-system uninstall vso | |||
</syntaxhighlight> | |||
|valign='top' style='width:50%'| | |||
<syntaxhighlight lang='bash'> | |||
kubectl -n=vault-secrets-operator-system delete pvc --all | |||
kubectl delete ns vault-secrets-operator-system | |||
kubectl delete pv vso-data-vso-0 | |||
</syntaxhighlight> | </syntaxhighlight> | ||
|} | |} | ||
| Line 154: | Line 187: | ||
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml" | export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml" | ||
kubectl get service kubernetes -n default | kubectl get service kubernetes -n default | ||
kubectl config get-contexts | |||
kubectl cluster-info | kubectl cluster-info | ||
kubectl get --raw /.well-known/openid-configuration|yq -P | |||
kubectl config view -o=yaml|yq '.contexts[0].name' | |||
kubectl get ns shahed-academia | |||
kubectl -n=shahed-academia get VaultAuth auth-shahed-ab | |||
kubectl -n=shahed-academia get VaultConnection vault-shahed-ab | |||
kubectl get ns shahed-academia | |||
kubectl -n=shahed-academia get VaultAuth auth-shahed-ab | |||
kubectl -n=shahed-academia get VaultConnection vault-shahed-ab | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 178: | Line 210: | ||
name: shahed-academia | name: shahed-academia | ||
labels: | labels: | ||
app.kubernetes.io/version: 1.0.0 | |||
app.kubernetes.io/managed-by: kubectl | app.kubernetes.io/managed-by: kubectl | ||
YML | YML | ||
kubectl get namespace shahed-academia -o=yaml | kubectl get namespace shahed-academia -o=yaml | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |||
|valign='top'| | |||
{|class='wikitable' | |||
|valign='top'| | |||
* [[Vault#Auth|Skipped » Find More 👉 Vault » Auth]] | |||
---- | |||
* [[Vault#Engine » KV|Skipped » Find More 👉 Vault » Engine » KV]] | |||
|} | |||
|valign='top'| | |||
|- | |||
!scope='col'| Vault » Policy | |||
!scope='col'| Vault » Role | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
cat <<'INI' | vault policy write policy-shahed-ab-vso - | |||
# Mount : shahed/academia/dev | |||
# Secret: audit | |||
path "shahed/academia/dev/data/audit" { | |||
capabilities = ["read"] | |||
} | |||
INI | |||
vault policy read policy-shahed-ab-vso | |||
</syntaxhighlight> | |||
|valign='top'| | |||
<syntaxhighlight lang='bash'> | |||
vault kv get -mount=shahed/academia/dev audit | |||
kubectl get sa -n vault-secrets-operator-system | |||
kubectl get --raw /.well-known/openid-configuration|yq -P .issuer | |||
vault write auth/kubernetes/role/role-shahed-ab-vso bound_service_account_names=default \ | |||
bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-vso \ | |||
audience='https://kubernetes.default.svc.cluster.local' ttl=24h | |||
vault read auth/kubernetes/role/role-shahed-ab-vso | |||
</syntaxhighlight> | |||
|- | |||
|valign='top' colspan='2'| | |||
{|class='wikitable mw-collapsible mw-collapsed' | |||
!scope='col' style='text-align:left' colspan='2'| | |||
Config » Init | |||
|- | |- | ||
!scope='col'| VaultConnection | !scope='col'| VaultConnection | ||
| Line 198: | Line 272: | ||
metadata: | metadata: | ||
name: vault-shahed-ab | name: vault-shahed-ab | ||
labels: | |||
app.kubernetes.io/version: 1.0.0 | |||
app.kubernetes.io/managed-by: kubectl | |||
spec: | spec: | ||
address: http://vault.vault.svc.cluster.local:8200 | address: http://vault.vault.svc.cluster.local:8200 | ||
YML | |||
</syntaxhighlight> | |||
<syntaxhighlight lang='bash'> | |||
kubectl get clusterrolebinding vault-server-binding | |||
kubectl get clusterrolebinding vault-server-binding -o=yaml | |||
kubectl create clusterrolebinding vault-server-binding \ | |||
--clusterrole=system:auth-delegator --serviceaccount=vault:vault | |||
kubectl -n=shahed-academia get VaultConnection | kubectl -n=shahed-academia get VaultConnection | ||
| Line 219: | Line 300: | ||
metadata: | metadata: | ||
name: auth-shahed-ab | name: auth-shahed-ab | ||
labels: | |||
app.kubernetes.io/version: 1.0.0 | |||
app.kubernetes.io/managed-by: kubectl | |||
spec: | spec: | ||
method: kubernetes | method: kubernetes | ||
mount: kubernetes | mount: kubernetes | ||
vaultConnectionRef: vault-shahed-ab | |||
kubernetes: | kubernetes: | ||
role: role-shahed-ab-vso | |||
serviceAccount: default | serviceAccount: default | ||
audiences: | |||
- https://kubernetes.default.svc.cluster.local | |||
YML | YML | ||
| Line 230: | Line 317: | ||
kubectl -n=shahed-academia get VaultAuth auth-shahed-ab -o=yaml | kubectl -n=shahed-academia get VaultAuth auth-shahed-ab -o=yaml | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |||
!scope='col'| VaultStaticSecret | |||
!scope='col'| VaultStaticSecret » Verify | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang='yaml'> | |||
cat <<'YML' | \ | |||
kubectl -n shahed-academia apply -f - | |||
--- | |||
apiVersion: secrets.hashicorp.com/v1beta1 | |||
kind: VaultStaticSecret | |||
metadata: | |||
name: academia-audit-vso | |||
spec: | |||
vaultAuthRef: auth-shahed-ab | |||
mount: shahed/academia/dev | |||
refreshAfter: 30s | |||
path: audit | |||
type: kv-v2 | |||
destination: | |||
name: academia-audit-vso | |||
type: Opaque | |||
create: true | |||
labels: | |||
app.kubernetes.io/component: secret-sync | |||
app.kubernetes.io/name: vault-secrets-operator | |||
YML | |||
</syntaxhighlight> | |||
|valign='top'| | |||
{|class='wikitable' | |||
!scope='col'| Type | |||
!scope='col'| Purpose | |||
!scope='col'| Required Keys in Vault | |||
|- | |||
| <code>Opaque</code> (Default) || General secrets (passwords, keys) || Any keys | |||
|- | |||
| <code>kubernetes.io/dockerconfigjson</code> || Private registry credentials || Must contain a <code>.dockerconfigjson</code> key | |||
|- | |||
| <code>kubernetes.io/tls</code> || HTTPS/SSL certificates || Must contain <code>tls.crt</code> and <code>tls.key</code> | |||
|- | |||
| <code>kubernetes.io/ssh-auth</code> || SSH private keys || Must contain <code>ssh-privatekey</code> | |||
|} | |} | ||
<syntaxhighlight lang='bash'> | <syntaxhighlight lang='bash'> | ||
kubectl -n= | kubectl -n=shahed-academia delete Secret academia-audit-vso | ||
kubectl -n= | kubectl -n=shahed-academia delete VaultStaticSecret academia-audit-vso | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight lang='bash'> | <syntaxhighlight lang='bash'> | ||
kubectl -n=shahed-academia get Secret academia-audit-vso -o=yaml | |||
kubectl -n=shahed-academia get VaultStaticSecret academia-audit-vso -o=yaml | |||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight lang='bash'> | <syntaxhighlight lang='bash'> | ||
kubectl -n= | kubectl -n=shahed-academia describe VaultStaticSecret academia-audit-vso | ||
kubectl -n=shahed-academia label VaultStaticSecret academia-audit-vso \ | |||
kubectl | last-sync=$(date +%s) --overwrite | ||
kubectl -n shahed-academia get VaultStaticSecret academia-audit-vso -w | |||
</syntaxhighlight> | </syntaxhighlight> | ||
|} | |||
|} | |} | ||
| Line 285: | Line 402: | ||
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c manager | kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c manager | ||
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service | kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service | ||
kubectl -n=vault-secrets-operator-system get pods --show-labels | |||
</syntaxhighlight> | </syntaxhighlight> | ||
|- | |- | ||
| Line 317: | Line 435: | ||
==References== | ==References== | ||
{|class='wikitable mw-collapsible' | {|class='wikitable mw-collapsible mw-collapsed' | ||
!scope='col' style='text-align:left' colspan='3'| | !scope='col' style='text-align:left' colspan='3'| | ||
References | References | ||
|- | |- | ||
|valign='top' style='width:33%'| | |valign='top' style='width:33%'| | ||
* [[Helm/External Secrets Operator|Helm » External Secrets Operator]] | |||
* [https://artifacthub.io/packages/helm/hashicorp/vault-secrets-operator Helm » Vault Secrets Operator] | * [https://artifacthub.io/packages/helm/hashicorp/vault-secrets-operator Helm » Vault Secrets Operator] | ||
* [[Helm/Prometheus Stack|Helm » Prometheus Stack]] | * [[Helm/Prometheus Stack|Helm » Prometheus Stack]] | ||
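Review bot: The Kubernetes auth role created in the 'Line 178' hunk (`vault write auth/kubernetes/role/role-shahed-ab-vso bound_service_account_names=default ...`) is bound to the namespace's `default` service account, which is also what the VaultAuth in the 'Line 219' hunk uses (`serviceAccount: default`); every pod in shahed-academia that does not set serviceAccountName runs as that account, so any such workload holding a projected token with the matching audience can presumably log in and read the audit secret, not just the operator. Creating a dedicated service account for VSO and referencing it in both places narrows that to one identity, e.g. `bound_service_account_names=vso-auth` in the role and `serviceAccount: vso-auth` under `spec.kubernetes` of the VaultAuth (`vso-auth` is a constructed name). The `read`-only policy on a single kv-v2 path in the same hunk is appropriately scoped. Separately, the VaultConnection kept at `address: http://vault.vault.svc.cluster.local:8200` in the 'Line 198' hunk carries the service account JWT and the fetched secret data over plain HTTP inside the cluster; if the pod network is not encrypted by other means, a TLS listener on Vault together with `caCertSecretRef` on the VaultConnection is worth adding.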
Latest revision as of 02:25, 24 January 2026
# Register the HashiCorp chart repository, refresh the local chart index, and list the kube contexts kubectl knows about.
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update && helm repo list
kubectl config get-contexts
|
Helm » Context
|
Helm » Context | |
|---|---|
# Select the cluster to work against; each export overwrites KUBECONFIG, so run only the line for the target cluster.
export KUBECONFIG="${HOME}/.kube/aws-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/lke-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"
|
|
Helm » Install
|
Helm » Install | |
|---|---|
# Inspect the chart's default values for the two chart versions referenced on this page before overriding them.
helm show values hashicorp/vault-secrets-operator --version=1.1.0|less
helm show values hashicorp/vault-secrets-operator --version=1.2.0|less
| |
# Target the shahed-ab cluster and create the operator namespace; `|| true` swallows the error when it already exists.
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl create ns vault-secrets-operator-system || true
|
# Check whether the operator namespace exists, or remove it (deleting the namespace removes every object inside it).
kubectl get ns|grep vault-secrets-operator-system
kubectl delete ns vault-secrets-operator-system || true
|
| Install | Notes |
# Install or upgrade the VSO release from inline chart values; the quoted heredoc means nothing is expanded by the shell.
# NOTE(review): the nesting of the values below is flattened in this rendering — restore the chart's indentation
# (presumably kubeRbacProxy/manager under controller, driver/livenessProbe/nodeDriverRegistrar under csi) before applying.
# NOTE(review): all images are pinned by tag only; pinning by digest would make the rollout reproducible and immune to
# tag reuse. The CSI driver is disabled here (csi.enabled: false), so its image settings are inert.
cat <<'YML' | \
helm -n=vault-secrets-operator-system upgrade \
-i vso hashicorp/vault-secrets-operator --version=1.2.0 -f -
---
controller:
replicas: 1
kubeRbacProxy:
image:
repository: quay.io/brancz/kube-rbac-proxy
tag: v0.18.1
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
manager:
image:
repository: hashicorp/vault-secrets-operator
tag: 1.2.0
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
hooks:
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
csi:
enabled: false
driver:
image:
repository: hashicorp/vault-secrets-operator-csi
tag: 1.0.1
livenessProbe:
image:
repository: registry.k8s.io/sig-storage/livenessprobe
tag: v2.16.0
nodeDriverRegistrar:
image:
repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
tag: v2.14.0
YML
|
|
| Verify | |
# Confirm the release deployed and dump the rendered manifests that Helm applied.
helm -n=vault-secrets-operator-system status vso
helm -n=vault-secrets-operator-system get manifest vso
|
|
Helm » Config
|
Helm » Config | |
|---|---|
| Scale » Down | Scale » Up |
# Pause the operator without uninstalling it; reconciliation stops while no controller pod is running.
kubectl -n=vault-secrets-operator-system \
scale deploy/vso-vault-secrets-operator-controller-manager --replicas=0
|
# Resume the operator with a single controller replica (matches controller.replicas: 1 in the install values).
kubectl -n=vault-secrets-operator-system \
scale deploy/vso-vault-secrets-operator-controller-manager --replicas=1
|
Helm » Debug
|
Helm » Debug |
|---|
# Follow operator logs through its metrics Service: the first two lines pick a container explicitly,
# the last one leaves the container choice to kubectl's default.
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service
|
Helm » Uninstall
|
Helm » Uninstall | |
|---|---|
# Review what the release owns, then uninstall it; the leftovers (PVCs, namespace, PV) are handled in the neighbouring cell.
helm -n=vault-secrets-operator-system status vso
helm -n=vault-secrets-operator-system get all vso
helm -n=vault-secrets-operator-system uninstall vso
|
# Post-uninstall clean-up: claims in the namespace, the namespace itself, and the cluster-scoped PV,
# which is not removed with the namespace.
kubectl -n=vault-secrets-operator-system delete pvc --all
kubectl delete ns vault-secrets-operator-system
kubectl delete pv vso-data-vso-0
|
Vault » Config
|
Vault » Config | ||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Context | Namespace | |||||||||||||||||||||||||
# Sanity checks on the target cluster before touching Vault: API reachability, the active context,
# the cluster's OIDC discovery document (its issuer is inspected again in the Vault » Role cell),
# and the namespace-scoped VaultAuth/VaultConnection objects created further down the page.
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get service kubernetes -n default
kubectl config get-contexts
kubectl cluster-info
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl config view -o=yaml|yq '.contexts[0].name'
kubectl get ns shahed-academia
kubectl -n=shahed-academia get VaultAuth auth-shahed-ab
kubectl -n=shahed-academia get VaultConnection vault-shahed-ab
|
# Create the application namespace declaratively (quoted heredoc, no shell expansion) and print it back as YAML.
# NOTE(review): nesting is flattened in this rendering — name and labels belong under metadata in the applied file.
cat <<'YML' | \
kubectl apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
name: shahed-academia
labels:
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/managed-by: kubectl
YML
kubectl get namespace shahed-academia -o=yaml
| |||||||||||||||||||||||||
|
||||||||||||||||||||||||||
| Vault » Policy | Vault » Role | |||||||||||||||||||||||||
# Write a least-privilege policy — read-only on one kv-v2 secret (the "data/" segment is the kv-v2 API path
# for mount shahed/academia/dev, secret audit) — then read it back. The quoted heredoc keeps the shell away from the HCL.
cat <<'INI' | vault policy write policy-shahed-ab-vso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
capabilities = ["read"]
}
INI
vault policy read policy-shahed-ab-vso
|
# Verify the secret exists, then create the Kubernetes auth role that the VaultAuth references: bound to one
# service account in one namespace, attached only to policy-shahed-ab-vso, requiring the given token audience,
# issuing 24h tokens. The issuer line only inspects what the API server advertises.
# NOTE(review): bound_service_account_names=default is the namespace's default service account, which pods in
# shahed-academia run as unless they set serviceAccountName; a dedicated service account for VSO keeps other
# workloads in the namespace from being able to log in with this role.
vault kv get -mount=shahed/academia/dev audit
kubectl get sa -n vault-secrets-operator-system
kubectl get --raw /.well-known/openid-configuration|yq -P .issuer
vault write auth/kubernetes/role/role-shahed-ab-vso bound_service_account_names=default \
bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-vso \
audience='https://kubernetes.default.svc.cluster.local' ttl=24h
vault read auth/kubernetes/role/role-shahed-ab-vso
| |||||||||||||||||||||||||
| ||||||||||||||||||||||||||
Playground
|
Playground | |
|---|---|
# Playground: plain install of the 1.1.0 chart, or install-or-upgrade in place to 1.2.0 (`upgrade -i` is the idempotent form).
helm -n=vault-secrets-operator-system install vso hashicorp/vault-secrets-operator --version=1.1.0
helm -n=vault-secrets-operator-system upgrade -i vso hashicorp/vault-secrets-operator --version=1.2.0
helm show values hashicorp/vault-secrets-operator --version=1.2.0|less
| |
# Interactive shell into either operator container, follow their logs, and list pods with labels.
kubectl -n=vault-secrets-operator-system exec -it svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy -- bash
kubectl -n=vault-secrets-operator-system exec -it svc/vso-vault-secrets-operator-metrics-service -c manager -- bash
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service
kubectl -n=vault-secrets-operator-system get pods --show-labels
| |
# Tear down workload objects in the operator namespace: the kinds covered by the `all` alias, then Ingresses and StatefulSets.
kubectl -n=vault-secrets-operator-system delete all --all
kubectl -n=vault-secrets-operator-system delete ing --all
kubectl -n=vault-secrets-operator-system delete sts --all
|
# Remove the remaining storage and Service objects.
# NOTE(review): the PV name here (vault-data-vault-0) differs from vso-data-vso-0 used in Helm » Uninstall — confirm which one belongs to this deployment.
kubectl delete pv vault-data-vault-0
kubectl -n=vault-secrets-operator-system delete svc --all
kubectl -n=vault-secrets-operator-system delete pvc --all
|
# Roll the controller-manager: show its revision history, trigger a rolling restart, and wait for it to complete.
kubectl -n=vault-secrets-operator-system rollout history deploy/vso-vault-secrets-operator-controller-manager
kubectl -n=vault-secrets-operator-system rollout restart deploy/vso-vault-secrets-operator-controller-manager
kubectl -n=vault-secrets-operator-system rollout status deploy/vso-vault-secrets-operator-controller-manager
| |
# Variant of the playground cell above: the manager container is opened with ash here instead of bash
# (presumably the image ships a BusyBox shell — confirm), followed by the same log commands.
kubectl -n=vault-secrets-operator-system exec -it svc/vso-vault-secrets-operator-metrics-service -c manager -- ash
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service
| |
References
|
References | ||
|---|---|---|