Helm/Vault Secrets Operator: Difference between revisions

Line 122: Line 122:


==Helm » Config==
==Helm » Config==
{|class='wikitable mw-collapsible'
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
!scope='col' style='text-align:left' colspan='2'|
Helm » Config
Helm » Config
Line 139: Line 139:
kubectl -n=vault-secrets-operator-system \
kubectl -n=vault-secrets-operator-system \
scale deploy/vso-vault-secrets-operator-controller-manager --replicas=1
scale deploy/vso-vault-secrets-operator-controller-manager --replicas=1
</syntaxhighlight>
|}
==Helm » Debug==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left'|
Helm » Debug
|-
|valign='top'|
<syntaxhighlight lang='bash'>
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service
</syntaxhighlight>
|}
==Helm » Uninstall==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Helm » Uninstall
|-
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
helm -n=vault-secrets-operator-system status    vso
helm -n=vault-secrets-operator-system get all  vso
helm -n=vault-secrets-operator-system uninstall vso
</syntaxhighlight>
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
kubectl -n=vault-secrets-operator-system delete pvc --all
kubectl                                  delete ns  vault-secrets-operator-system
kubectl                                  delete pv  vso-data-vso-0
</syntaxhighlight>
</syntaxhighlight>
|}
|}
Line 156: Line 189:
kubectl config get-contexts
kubectl config get-contexts
kubectl cluster-info
kubectl cluster-info
</syntaxhighlight>


<syntaxhighlight lang='bash'>
cat <<'INI' | vault policy write policy-shahed-ab -
path "shahed/data/academia/dev/audit" {
  capabilities = ["read"]
}
INI


vault policy read  policy-shahed-ab
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl config view -o=yaml|yq '.contexts[0].name'
 
 
kubectl get ns shahed-academia
kubectl    -n=shahed-academia get VaultAuth        auth-shahed-ab
kubectl    -n=shahed-academia get VaultConnection vault-shahed-ab
</syntaxhighlight>
</syntaxhighlight>


Line 185: Line 217:
</syntaxhighlight>
</syntaxhighlight>
|-
|-
!scope='col'| VaultConnection
|valign='top'|
!scope='col'| VaultAuth
{|class='wikitable'
|valign='top'|
* [[Vault#Auth|Skipped » Find More 👉 Vault » Auth]]
----
* [[Vault#Engine » KV|Skipped » Find More 👉 Vault » Engine » KV]]
|}
|valign='top'|
|-
!scope='col'| Vault » Policy
!scope='col'| Vault » Role
|-
|-
|valign='top'|
|valign='top'|
<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
vault write auth/kubernetes/role/role-shahed-ab bound_service_account_names=default \
cat <<'INI' | vault policy write policy-shahed-ab-vso -
   bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab \
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI
 
vault policy read  policy-shahed-ab-vso
</syntaxhighlight>
 
|valign='top'|
<syntaxhighlight lang='bash'>
vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n vault-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer
 
vault write auth/kubernetes/role/role-shahed-ab-vso bound_service_account_names=default \
   bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-vso \
   audience='https://kubernetes.default.svc.cluster.local' ttl=24h
   audience='https://kubernetes.default.svc.cluster.local' ttl=24h


vault read  auth/kubernetes/role/role-shahed-ab
vault read  auth/kubernetes/role/role-shahed-ab-vso
</syntaxhighlight>
</syntaxhighlight>
 
|-
|valign='top' colspan='2'|
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Config » Init
|-
!scope='col'| VaultConnection
!scope='col'| VaultAuth
|-
|valign='top'|
<syntaxhighlight lang='yaml'>
<syntaxhighlight lang='yaml'>
cat <<'YML' | \
cat <<'YML' | \
Line 211: Line 278:
   address: http://vault.vault.svc.cluster.local:8200
   address: http://vault.vault.svc.cluster.local:8200
YML
YML
</syntaxhighlight>
<syntaxhighlight lang='bash'>
kubectl get    clusterrolebinding vault-server-binding
kubectl get    clusterrolebinding vault-server-binding -o=yaml
kubectl create clusterrolebinding vault-server-binding \
  --clusterrole=system:auth-delegator --serviceaccount=vault:vault


kubectl -n=shahed-academia get VaultConnection
kubectl -n=shahed-academia get VaultConnection
Line 230: Line 305:
spec:
spec:
   method: kubernetes
   method: kubernetes
   mount: auth/kubernetes/config
   mount: kubernetes
   vaultConnectionRef: vault-shahed-ab
   vaultConnectionRef: vault-shahed-ab
   kubernetes:
   kubernetes:
    role: role-shahed-ab-vso
    serviceAccount: default
     audiences:  
     audiences:  
       - https://kubernetes.default.svc.cluster.local
       - https://kubernetes.default.svc.cluster.local
    serviceAccount: default
    role: role-shahed-ab
YML
YML


Line 243: Line 318:
</syntaxhighlight>
</syntaxhighlight>
|-
|-
!scope='col'| Secret
!scope='col'| VaultStaticSecret
!scope='col'| ConfigMap
!scope='col'| VaultStaticSecret » Verify
|-
|-
|valign='top'|
|valign='top'|
Line 254: Line 329:
kind: VaultStaticSecret
kind: VaultStaticSecret
metadata:
metadata:
   name: academia-audit-sec-sync
   name: academia-audit-vso
spec:
spec:
  path: shahed/academia/dev/audit
   vaultAuthRef: auth-shahed-ab
   vaultAuthRef: auth-shahed-ab
  mount: shahed/academia/dev
   refreshAfter: 30s
   refreshAfter: 30s
   mount: shahed
   path: audit
   type: kv-v2
   type: kv-v2


   destination:
   destination:
     name: academia-audit
     name: academia-audit-vso
     type: Secret
     type: Opaque
     create: true
     create: true
     labels:
     labels:
       app.kubernetes.io/version: 1.0.0
       app.kubernetes.io/component: secret-sync
       app.kubernetes.io/managed-by: vso
       app.kubernetes.io/name: vault-secrets-operator
YML
YML
</syntaxhighlight>
<syntaxhighlight lang='bash'>
kubectl -n=shahed-academia get VaultStaticSecret academia-audit-sec-sync -o=yaml
kubectl -n=shahed-academia get Secret            academia-audit -o=yaml
</syntaxhighlight>
</syntaxhighlight>


|valign='top'|
|valign='top'|
<syntaxhighlight lang='yaml'>
{|class='wikitable'
cat <<'YML' | \
!scope='col'| Type
kubectl -n shahed-academia apply -f -
!scope='col'| Purpose
---
!scope='col'| Required Keys in Vault
apiVersion: secrets.hashicorp.com/v1beta1
|-
kind: VaultStaticSecret
| <code>Opaque</code> (Default)              || General secrets (passwords, keys)    || Any keys
metadata:
|-
  name: academia-audit-cfm-sync
| <code>kubernetes.io/dockerconfigjson</code> || Private registry credentials        || Must contain a <code>.dockerconfigjson</code> key
spec:
|-
  path: shahed/academia/dev/audit
| <code>kubernetes.io/tls</code>              || HTTPS/SSL certificates              || Must contain <code>tls.crt</code> and <code>tls.key</code>
  vaultAuthRef: auth-shahed-ab
|-
  refreshAfter: 30s
| <code>kubernetes.io/ssh-auth</code>        || SSH private keys                    || Must contain <code>ssh-privatekey</code>
  mount: shahed
|}
  type: kv-v2
 
  destination:
    name: academia-audit
    type: ConfigMap
    create: true
    labels:
      app.kubernetes.io/version: 1.0.0
      app.kubernetes.io/managed-by: vso
YML
</syntaxhighlight>


<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
kubectl -n=shahed-academia get VaultStaticSecret academia-audit-cfm-sync -o=yaml
kubectl -n=shahed-academia delete Secret            academia-audit-vso
kubectl -n=shahed-academia get ConfigMap        academia-audit -o=yaml
kubectl -n=shahed-academia delete VaultStaticSecret academia-audit-vso
</syntaxhighlight>
</syntaxhighlight>
|}


==Helm » Debug==
{|class='wikitable mw-collapsible'
!scope='col' style='text-align:left'|
Helm » Debug
|-
|valign='top'|
<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy
kubectl -n=shahed-academia get    Secret            academia-audit-vso -o=yaml
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=shahed-academia get    VaultStaticSecret academia-audit-vso -o=yaml
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service
</syntaxhighlight>
</syntaxhighlight>
|}


==Helm » Uninstall==
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='2'|
Helm » Uninstall
|-
|valign='top' style='width:50%'|
<syntaxhighlight lang='bash'>
<syntaxhighlight lang='bash'>
helm -n=vault-secrets-operator-system status    vso
kubectl -n=shahed-academia describe VaultStaticSecret academia-audit-vso
helm -n=vault-secrets-operator-system get all  vso
kubectl -n=shahed-academia label    VaultStaticSecret academia-audit-vso \
helm -n=vault-secrets-operator-system uninstall vso
last-sync=$(date +%s) --overwrite
</syntaxhighlight>


|valign='top' style='width:50%'|
kubectl -n shahed-academia get      VaultStaticSecret academia-audit-vso -w
<syntaxhighlight lang='bash'>
kubectl -n=vault-secrets-operator-system delete pvc --all
kubectl                                  delete ns  vault-secrets-operator-system
kubectl                                  delete pv  vso-data-vso-0
</syntaxhighlight>
</syntaxhighlight>
|}
|}
|}


Line 362: Line 402:
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service
kubectl -n=vault-secrets-operator-system get      pods --show-labels
</syntaxhighlight>
</syntaxhighlight>
|-
|-
Line 394: Line 435:


==References==
==References==
{|class='wikitable mw-collapsible'
{|class='wikitable mw-collapsible mw-collapsed'
!scope='col' style='text-align:left' colspan='3'|
!scope='col' style='text-align:left' colspan='3'|
References
References
|-
|-
|valign='top' style='width:33%'|
|valign='top' style='width:33%'|
* [[Helm/External Secrets Operator|Helm » External Secrets Operator]]
* [https://artifacthub.io/packages/helm/hashicorp/vault-secrets-operator Helm » Vault Secrets Operator]
* [https://artifacthub.io/packages/helm/hashicorp/vault-secrets-operator Helm » Vault Secrets Operator]
* [[Helm/Prometheus Stack|Helm » Prometheus Stack]]
* [[Helm/Prometheus Stack|Helm » Prometheus Stack]]
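Review bot: The new Vault role (`bound_service_account_names=default`, in the "Line 185" hunk) and the new VaultAuth (`serviceAccount: default`, in the "Line 230" hunk) both bind Vault access to the namespace's default ServiceAccount, which every pod in shahed-academia that does not set serviceAccountName runs as, so any such workload can present a token this role accepts and read the audit secret the new policy grants. A dedicated ServiceAccount for the operator keeps the policy scoped to VSO: create it in shahed-academia and change the two lines to `bound_service_account_names=vso-auth` and `serviceAccount: vso-auth` (the name is a placeholder). The VaultAuth manifest's header lines lie outside that hunk. The VaultConnection it references still uses `address: http://vault.vault.svc.cluster.local:8200`, so the login JWT and the returned secret data cross the cluster network in the clear; if Vault exposes a TLS listener, an https address with `caCertSecretRef` is the cheap hardening.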

Latest revision as of 02:25, 24 January 2026

# Register the HashiCorp chart repository that provides vault-secrets-operator
helm repo add hashicorp https://helm.releases.hashicorp.com
# Refresh the local chart index and list the configured repositories
helm repo update && helm repo list
# List the kubeconfig contexts so the target cluster can be confirmed before installing
kubectl config get-contexts

Helm » Context

Helm » Context

# Point kubectl/helm at a cluster by selecting its kubeconfig. Only the last export takes
# effect, so keep the single line for the intended cluster. These files carry cluster
# credentials — keep them readable by their owner only.
export KUBECONFIG="${HOME}/.kube/aws-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/lke-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"

Helm » Install

Helm » Install

# Inspect the chart's default values before installing, pinned to a specific chart version
helm show   values hashicorp/vault-secrets-operator --version=1.1.0|less
helm show   values hashicorp/vault-secrets-operator --version=1.2.0|less
# Target cluster for this install
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
# Create the operator namespace; '|| true' keeps the line re-runnable when it already exists
kubectl create ns   vault-secrets-operator-system || true
kubectl get ns|grep vault-secrets-operator-system
# Tear the namespace down again (removes every object in it); '|| true' tolerates a missing namespace
kubectl delete ns   vault-secrets-operator-system || true
Install Notes
# Install, or upgrade in place ('-i'), release 'vso' from a values document piped on stdin ('-f -').
# The heredoc delimiter is quoted, so nothing inside it is expanded by the shell.
# Chart version and every image tag are pinned explicitly, which makes an upgrade a deliberate,
# reviewable change; the CSI driver stays disabled and the controller runs a single replica.
cat <<'YML' | \
helm -n=vault-secrets-operator-system upgrade \
-i vso hashicorp/vault-secrets-operator --version=1.2.0 -f -
---
controller:
  replicas: 1
  kubeRbacProxy:
    image:
      repository: quay.io/brancz/kube-rbac-proxy
      tag: v0.18.1
    resources:
      limits:
        cpu: 500m
        memory: 128Mi
      requests:
        cpu: 5m
        memory: 64Mi
  manager:
    image:
      repository: hashicorp/vault-secrets-operator
      tag: 1.2.0
    resources:
      limits:
        cpu: 500m
        memory: 128Mi
      requests:
        cpu: 10m
        memory: 64Mi

hooks:
  resources:
    limits:
      cpu: 500m
      memory: 128Mi
    requests:
      cpu: 10m
      memory: 64Mi

csi:
  enabled: false
  driver:
    image:
      repository: hashicorp/vault-secrets-operator-csi
      tag: 1.0.1
  livenessProbe:
    image:
      repository: registry.k8s.io/sig-storage/livenessprobe
      tag: v2.16.0
  nodeDriverRegistrar:
    image:
      repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
      tag: v2.14.0
YML
Verify
# Confirm the release deployed, then inspect the rendered manifests it applied
helm -n=vault-secrets-operator-system status vso
helm -n=vault-secrets-operator-system get    manifest vso

Helm » Config

Helm » Config

Scale » Down Scale » Up
# Scale the controller to zero to pause the operator (no replica means nothing reconciles
# while it is down), then back to one replica to resume.
kubectl -n=vault-secrets-operator-system \
scale deploy/vso-vault-secrets-operator-controller-manager --replicas=0
kubectl -n=vault-secrets-operator-system \
scale deploy/vso-vault-secrets-operator-controller-manager --replicas=1

Helm » Debug

Helm » Debug

# Stream logs from the operator pod behind the metrics Service; '-c' picks the container.
# The third form relies on the pod declaring a default container.
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service

Helm » Uninstall

Helm » Uninstall

# Review the release, then remove it
helm -n=vault-secrets-operator-system status    vso
helm -n=vault-secrets-operator-system get all   vso
helm -n=vault-secrets-operator-system uninstall vso
# Clean up what the uninstall leaves behind. Deleting the namespace removes every remaining
# object in it.
kubectl -n=vault-secrets-operator-system delete pvc --all
kubectl                                  delete ns  vault-secrets-operator-system
# NOTE(review): PersistentVolumes are cluster-scoped and deleting one can discard its data —
# confirm this PV belongs to this release before running.
kubectl                                  delete pv  vso-data-vso-0

Vault » Config

Vault » Config

Context Namespace
# Select the target cluster and confirm its API endpoint and active context
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get service kubernetes -n default
kubectl config get-contexts
kubectl cluster-info


# Show the cluster's OIDC discovery document and the first context name. The issuer shown here
# is what Vault's Kubernetes auth method must be able to verify tokens for — confirm it matches
# the auth method's configuration.
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl config view -o=yaml|yq '.contexts[0].name'


# Verify the application namespace and the VSO auth objects (created further down) exist
kubectl get ns shahed-academia
kubectl     -n=shahed-academia get VaultAuth        auth-shahed-ab
kubectl     -n=shahed-academia get VaultConnection vault-shahed-ab
# Create the application namespace that the VaultAuth/VaultStaticSecret objects below live in;
# the quoted heredoc is passed to kubectl verbatim
cat <<'YML' | \
kubectl apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: shahed-academia
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
YML

# Confirm the namespace and its labels
kubectl get namespace shahed-academia -o=yaml

Vault » Policy Vault » Role
# Read-only policy on exactly one KV v2 secret (least privilege). KV v2 serves secrets under
# <mount>/data/<path>, so the policy path carries '/data/' while 'vault kv get' addresses the
# same secret as '-mount=shahed/academia/dev audit'.
cat <<'INI' | vault policy write policy-shahed-ab-vso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI

# Echo the stored policy back to confirm what was written
vault policy read  policy-shahed-ab-vso
# Confirm the secret exists under the KV v2 mount, and note the cluster's token issuer
vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n vault-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer

# Kubernetes auth role: a token is accepted only if it belongs to the 'default' ServiceAccount
# in shahed-academia and carries the stated audience (the VaultAuth requests the same audience);
# the resulting Vault token is limited to policy-shahed-ab-vso and lives 24h.
# NOTE(review): 'default' is the ServiceAccount every pod in the namespace runs as unless it
# sets serviceAccountName, so any such pod can log in with this role. A dedicated
# ServiceAccount for the operator, referenced from the VaultAuth, narrows this.
vault write auth/kubernetes/role/role-shahed-ab-vso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-vso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h

# Echo the role back to confirm the bindings
vault read  auth/kubernetes/role/role-shahed-ab-vso

Config » Init

VaultConnection VaultAuth
# VaultConnection: where the operator reaches Vault. The address is plain http://, so the login
# JWT and the secret data returned to the operator cross the cluster network unencrypted; an
# https address plus 'caCertSecretRef' is preferable wherever Vault exposes a TLS listener.
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-shahed-ab
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
spec:
  address: http://vault.vault.svc.cluster.local:8200
YML
# Vault's own ServiceAccount needs system:auth-delegator so it can call TokenReview when it
# validates the operator's JWT; the first two lines only show whether the binding already exists
kubectl get    clusterrolebinding vault-server-binding
kubectl get    clusterrolebinding vault-server-binding -o=yaml

kubectl create clusterrolebinding vault-server-binding \
  --clusterrole=system:auth-delegator --serviceaccount=vault:vault

# Confirm the connection object was created
kubectl -n=shahed-academia get VaultConnection
kubectl -n=shahed-academia get VaultConnection vault-shahed-ab -o=yaml
# VaultAuth: how the operator logs in. 'mount: kubernetes' is the auth method's mount, matching
# the 'auth/kubernetes/role/...' path the role was written to; role and audience must agree with
# that 'vault write'. The operator requests a token for the named ServiceAccount in this
# namespace and presents it to Vault.
# NOTE(review): 'serviceAccount: default' is shared by every pod in the namespace that does not
# set its own; a dedicated ServiceAccount (also bound in the Vault role) limits who can use
# this login.
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: auth-shahed-ab
  labels:
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: kubectl
spec:
  method: kubernetes
  mount: kubernetes
  vaultConnectionRef: vault-shahed-ab
  kubernetes:
    role: role-shahed-ab-vso
    serviceAccount: default
    audiences: 
      - https://kubernetes.default.svc.cluster.local
YML

# Confirm creation and inspect the object's status
kubectl -n=shahed-academia get VaultAuth
kubectl -n=shahed-academia get VaultAuth auth-shahed-ab -o=yaml
VaultStaticSecret VaultStaticSecret » Verify
# VaultStaticSecret: sync KV v2 secret 'audit' under mount 'shahed/academia/dev' (the one secret
# the policy allows) into a Kubernetes Secret of type Opaque that the operator creates and owns,
# re-polling Vault every 30s. Once the data lands here, anyone with 'get' on Secrets in
# shahed-academia can read it, so RBAC in that namespace is the effective boundary.
cat <<'YML' | \
kubectl -n shahed-academia apply -f -
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: academia-audit-vso
spec:
  vaultAuthRef: auth-shahed-ab
  mount: shahed/academia/dev
  refreshAfter: 30s
  path: audit
  type: kv-v2

  destination:
    name: academia-audit-vso
    type: Opaque
    create: true
    labels:
      app.kubernetes.io/component: secret-sync
      app.kubernetes.io/name: vault-secrets-operator
YML
Type Purpose Required Keys in Vault
Opaque (Default) General secrets (passwords, keys) Any keys
kubernetes.io/dockerconfigjson Private registry credentials Must contain a .dockerconfigjson key
kubernetes.io/tls HTTPS/SSL certificates Must contain tls.crt and tls.key
kubernetes.io/ssh-auth SSH private keys Must contain ssh-privatekey
# Remove the synced Secret and the VaultStaticSecret that produced it
kubectl -n=shahed-academia delete Secret            academia-audit-vso
kubectl -n=shahed-academia delete VaultStaticSecret academia-audit-vso
# Inspect the synced Secret and the custom resource. '-o=yaml' on the Secret prints the
# base64-encoded values, so avoid pasting that output into tickets or chat.
kubectl -n=shahed-academia get    Secret            academia-audit-vso -o=yaml
kubectl -n=shahed-academia get    VaultStaticSecret academia-audit-vso -o=yaml
kubectl -n=shahed-academia describe VaultStaticSecret academia-audit-vso
# Touch the resource with a label so the controller observes an update event
# (whether this forces a resync depends on the operator version — confirm)
kubectl -n=shahed-academia label    VaultStaticSecret academia-audit-vso \
 last-sync=$(date +%s) --overwrite

# Watch the resource for status changes
kubectl -n shahed-academia get      VaultStaticSecret academia-audit-vso -w

Playground

Playground

# Scratch commands used while experimenting; several are destructive and are not part of the
# install/uninstall flows above.
# Fresh install vs. in-place upgrade of the release, and the chart's default values
helm -n=vault-secrets-operator-system install    vso hashicorp/vault-secrets-operator --version=1.1.0
helm -n=vault-secrets-operator-system upgrade -i vso hashicorp/vault-secrets-operator --version=1.2.0
helm show   values                                   hashicorp/vault-secrets-operator --version=1.2.0|less
# Open an interactive shell in a container of the operator pod
kubectl -n=vault-secrets-operator-system exec -it svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy -- bash
kubectl -n=vault-secrets-operator-system exec -it svc/vso-vault-secrets-operator-metrics-service -c manager         -- bash

# Stream container logs and list pods with their labels
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service
kubectl -n=vault-secrets-operator-system get      pods --show-labels
# Wipe the namespace's workloads and storage; 'delete all --all' removes every Deployment,
# Service, Pod and similar object in the namespace.
kubectl -n=vault-secrets-operator-system delete all --all
kubectl -n=vault-secrets-operator-system delete ing --all
kubectl -n=vault-secrets-operator-system delete sts --all
# NOTE(review): 'vault-data-vault-0' reads like the Vault server's data volume rather than
# anything owned by VSO — confirm before deleting a PV; the data on it may be unrecoverable.
kubectl          delete pv  vault-data-vault-0
kubectl -n=vault-secrets-operator-system delete svc --all
kubectl -n=vault-secrets-operator-system delete pvc --all
# Roll the controller Deployment and wait for the rollout to complete
kubectl -n=vault-secrets-operator-system rollout history deploy/vso-vault-secrets-operator-controller-manager
kubectl -n=vault-secrets-operator-system rollout restart deploy/vso-vault-secrets-operator-controller-manager
kubectl -n=vault-secrets-operator-system rollout status  deploy/vso-vault-secrets-operator-controller-manager
# Shell into the manager container with ash, then follow its logs
kubectl -n=vault-secrets-operator-system exec -it svc/vso-vault-secrets-operator-metrics-service -c manager -- ash
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service

References

References