Helm/Vault Secrets Operator

helm repo add hashicorp https://helm.releases.hashicorp.com helm repo update && helm repo list kubectl config get-contexts

Helm » Context

export KUBECONFIG="${HOME}/.kube/aws-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/lke-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"

Helm » Install

Helm » Install
helm show values hashicorp/vault-secrets-operator --version=1.1.0\|less helm show values hashicorp/vault-secrets-operator --version=1.2.0\|less
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml" kubectl create ns vault-secrets-operator-system \|\| true	kubectl get ns\|grep vault-secrets-operator-system kubectl delete ns vault-secrets-operator-system \|\| true
Install	Notes
cat <<'YML' \| \ helm -n=vault-secrets-operator-system upgrade \ -i vso hashicorp/vault-secrets-operator --version=1.2.0 -f - --- controller: replicas: 1 kubeRbacProxy: image: repository: quay.io/brancz/kube-rbac-proxy tag: v0.18.1 resources: limits: cpu: 500m memory: 128Mi requests: cpu: 5m memory: 64Mi manager: image: repository: hashicorp/vault-secrets-operator tag: 1.2.0 resources: limits: cpu: 500m memory: 128Mi requests: cpu: 10m memory: 64Mi hooks: resources: limits: cpu: 500m memory: 128Mi requests: cpu: 10m memory: 64Mi csi: enabled: false driver: image: repository: hashicorp/vault-secrets-operator-csi tag: 1.0.1 livenessProbe: image: repository: registry.k8s.io/sig-storage/livenessprobe tag: v2.16.0 nodeDriverRegistrar: image: repository: registry.k8s.io/sig-storage/csi-node-driver-registrar tag: v2.14.0 YML
Verify
helm -n=vault-secrets-operator-system status vso helm -n=vault-secrets-operator-system get manifest vso

Helm » Config

Scale » Down

Scale » Up

kubectl -n=vault-secrets-operator-system \
scale deploy/vso-vault-secrets-operator-controller-manager --replicas=0

kubectl -n=vault-secrets-operator-system \
scale deploy/vso-vault-secrets-operator-controller-manager --replicas=1

Helm » Debug

kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service -c manager
kubectl -n=vault-secrets-operator-system logs -f  svc/vso-vault-secrets-operator-metrics-service

Helm » Uninstall

helm -n=vault-secrets-operator-system status    vso
helm -n=vault-secrets-operator-system get all   vso
helm -n=vault-secrets-operator-system uninstall vso

kubectl -n=vault-secrets-operator-system delete pvc --all
kubectl                                  delete ns  vault-secrets-operator-system
kubectl                                  delete pv  vso-data-vso-0

Vault » Config

Vault » Config
Context	Namespace
export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml" kubectl get service kubernetes -n default kubectl config get-contexts kubectl cluster-info kubectl get --raw /.well-known/openid-configuration\|yq -P kubectl config view -o=yaml\|yq '.contexts[0].name' kubectl get ns shahed-academia kubectl -n=shahed-academia get VaultAuth auth-shahed-ab kubectl -n=shahed-academia get VaultConnection vault-shahed-ab	cat <<'YML' \| \ kubectl apply -f - --- apiVersion: v1 kind: Namespace metadata: name: shahed-academia labels: app.kubernetes.io/version: 1.0.0 app.kubernetes.io/managed-by: kubectl YML kubectl get namespace shahed-academia -o=yaml
Vault » Policy	Vault » Role
cat <<'INI' \| vault policy write policy-shahed-ab - path "shahed/data/academia/dev/audit" { capabilities = ["read"] } INI vault policy read policy-shahed-ab	kubectl get --raw /.well-known/openid-configuration\|yq -P .issuer vault write auth/kubernetes/role/role-shahed-ab bound_service_account_names=default \ bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab \ audience='https://kubernetes.default.svc.cluster.local' ttl=24h vault read auth/kubernetes/role/role-shahed-ab
VaultConnection	VaultAuth
cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: secrets.hashicorp.com/v1beta1 kind: VaultConnection metadata: name: vault-shahed-ab labels: app.kubernetes.io/version: 1.0.0 app.kubernetes.io/managed-by: kubectl spec: address: http://vault.vault.svc.cluster.local:8200 YML kubectl get clusterrolebinding vault-server-binding kubectl get clusterrolebinding vault-server-binding -o=yaml kubectl create clusterrolebinding vault-server-binding \ --clusterrole=system:auth-delegator --serviceaccount=vault:vault kubectl -n=shahed-academia get VaultConnection kubectl -n=shahed-academia get VaultConnection vault-shahed-ab -o=yaml	cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: secrets.hashicorp.com/v1beta1 kind: VaultAuth metadata: name: auth-shahed-ab labels: app.kubernetes.io/version: 1.0.0 app.kubernetes.io/managed-by: kubectl spec: method: kubernetes mount: auth/kubernetes/config vaultConnectionRef: vault-shahed-ab kubernetes: role: role-shahed-ab serviceAccount: default audiences: - https://kubernetes.default.svc.cluster.local YML kubectl -n=shahed-academia get VaultAuth kubectl -n=shahed-academia get VaultAuth auth-shahed-ab -o=yaml
Secret	ConfigMap
cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: secrets.hashicorp.com/v1beta1 kind: VaultStaticSecret metadata: name: academia-audit-sec-sync spec: path: shahed/academia/dev/audit vaultAuthRef: auth-shahed-ab refreshAfter: 30s mount: shahed type: kv-v2 destination: name: academia-audit type: Secret create: true labels: app.kubernetes.io/version: 1.0.0 app.kubernetes.io/managed-by: vso YML kubectl -n=shahed-academia get VaultStaticSecret academia-audit-sec-sync -o=yaml kubectl -n=shahed-academia get Secret academia-audit -o=yaml	cat <<'YML' \| \ kubectl -n shahed-academia apply -f - --- apiVersion: secrets.hashicorp.com/v1beta1 kind: VaultStaticSecret metadata: name: academia-audit-cfm-sync spec: path: shahed/academia/dev/audit vaultAuthRef: auth-shahed-ab refreshAfter: 30s mount: shahed type: kv-v2 destination: name: academia-audit type: ConfigMap create: true labels: app.kubernetes.io/version: 1.0.0 app.kubernetes.io/managed-by: vso YML kubectl -n=shahed-academia get VaultStaticSecret academia-audit-cfm-sync -o=yaml kubectl -n=shahed-academia get ConfigMap academia-audit -o=yaml

Playground

Playground
helm -n=vault-secrets-operator-system install vso hashicorp/vault-secrets-operator --version=1.1.0 helm -n=vault-secrets-operator-system upgrade -i vso hashicorp/vault-secrets-operator --version=1.2.0 helm show values hashicorp/vault-secrets-operator --version=1.2.0\|less
kubectl -n=vault-secrets-operator-system exec -it svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy -- bash kubectl -n=vault-secrets-operator-system exec -it svc/vso-vault-secrets-operator-metrics-service -c manager -- bash kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c kube-rbac-proxy kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c manager kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service
kubectl -n=vault-secrets-operator-system delete all --all kubectl -n=vault-secrets-operator-system delete ing --all kubectl -n=vault-secrets-operator-system delete sts --all	kubectl delete pv vault-data-vault-0 kubectl -n=vault-secrets-operator-system delete svc --all kubectl -n=vault-secrets-operator-system delete pvc --all
kubectl -n=vault-secrets-operator-system rollout history deploy/vso-vault-secrets-operator-controller-manager kubectl -n=vault-secrets-operator-system rollout restart deploy/vso-vault-secrets-operator-controller-manager kubectl -n=vault-secrets-operator-system rollout status deploy/vso-vault-secrets-operator-controller-manager
kubectl -n=vault-secrets-operator-system exec -it svc/vso-vault-secrets-operator-metrics-service -c manager -- ash kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service -c manager kubectl -n=vault-secrets-operator-system logs -f svc/vso-vault-secrets-operator-metrics-service

References

References
Helm » Vault Secrets Operator Helm » Prometheus Stack Helm » Cert Manager Helm » Harbor Helm » Pi-Hole Helm » Vault Helm	Vault » Docs » Secrets management Vault » Docs » Build your CA Vault » Docs » Monitoring Vault » Docs » How Vault » Docs » Why Vault » Install Vault
K8s » Configure Service Accounts for Pods K8s » Restart Pods With Kubectl K8s » Interactive Pod K8s » Restart Pods Docker » Makefile Kubernetes Minikube Kubectl CURL K8s	K8s » `kubectl rollout` K8s » CSI Hostpath Driver Security » Password K8s » Storage K8s » Ingress K8s » Service K8s » Run MinIO CIDR UFW	Bind9 » Authoritative DNS Server Bind9 » Secondary DNS Server Minikube » Ingress DNS Minikube » Systemd Minikube » MetalLB Minikube » Registry Minikube » Tunnel Localtunnel ZA Proxy

Helm/Vault Secrets Operator

Contents

Helm » Context

Helm » Install

Helm » Config

Helm » Debug

Helm » Uninstall

Vault » Config

Playground

References

Navigation menu

Helm/Vault Secrets Operator

Helm » Context

Helm » Install

Helm » Config

Helm » Debug

Helm » Uninstall

Vault » Config

Playground

References

Navigation menu

Search