Activity 09 - Vault
To install Vault, create a values.yaml file with the following content:
server:
  dev:
    enabled: true
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt
    hosts:
      - host: vault.<IP_DO_INGRESS>.nuvem.unicamp.br
    tls:
      - secretName: vault-tls
        hosts:
          - vault.<IP_DO_INGRESS>.nuvem.unicamp.br
Install Vault:
helm install vault vault \
  --repo https://helm.releases.hashicorp.com \
  --namespace vault --create-namespace \
  --values values.yaml
To see the initial token that was created, run
kubectl -n vault logs vault-0
Check that the token created was "root"
Open http://vault.<IP_DO_INGRESS>.nuvem.unicamp.br and log in with the token
Create a secrets engine named curso of type kv-v2
Create a secret named senha inside that secrets engine, with the fields username=root and password=batata
Under Access -> Authentication Methods, click Enable new method, choose Kubernetes, keep the Path as kubernetes, and click Enable method
In Kubernetes host enter https://kubernetes.default.svc.cluster.local and click Save
Click View method and then Create role
Fill in the fields
Name = kubernetes-role
Bound service account name = default
Bound service account namespace = *
Expand Tokens and in Generated Token's Policies enter kubernetes
Go back to the main menu, click Policies and then Create ACL policy
Name it kubernetes and use the following policy:
path "curso/*" {
  capabilities = ["read"]
}
Install the operator
Create the file vso-values.yaml with the following content:
defaultVaultConnection:
  enabled: true
  address: http://vault.vault.svc.cluster.local:8200
defaultAuthMethod:
  enabled: true
  namespace: ""
  allowedNamespaces: ['*']
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: "kubernetes-role"
    serviceAccount: default
    tokenAudiences: []
helm install vault-secrets-operator vault-secrets-operator \
  --repo https://helm.releases.hashicorp.com \
  -n vault-secrets-operator-system --create-namespace \
  --values vso-values.yaml
Create a file secret-vso.yaml with the following content:
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vault-password
spec:
  type: kv-v2
  # Mount path of the secrets backend
  mount: curso
  # Path to the secret
  path: senha
  # Where to store the secrets, end user will create the secret
  destination:
    create: true
    name: password
  # Restart these pods when secrets rotated
  # rolloutRestartTargets:
  #   - kind: Deployment
  #     name: php
  #   - kind: Deployment
  #     name: webserver
Apply the YAML to create the resource
kubectl apply -f secret-vso.yaml
Check that the password was fetched from Vault successfully
kubectl describe vaultstaticsecrets vault-password
Check that the Secret was created successfully
kubectl get secrets password -o json | jq '.data | map_values(@base64d)'
TLS certificate
Create an entry in Vault at the path certificados/meu-dominio containing the certificate (cert) and the key (key).
For teaching purposes, use the following certificate:
cert:
-----BEGIN CERTIFICATE-----
MIIFFTCCA/2gAwIBAgISBXne7zeg9cEfFGkN5zSorpB6MA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTIwHhcNMjUwODI1MDcwNjE4WhcNMjUxMTIzMDcwNjE3WjAnMSUwIwYDVQQD
Exx2YXVsdC4xNzcuMjIwLjEyMC4yNDgubmlwLmlvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAztjLzsfayfOSJf4eTaWRox59FxrX9LuS0kWx/1itgqAK
N4sn4utSdWRsW05pCc2Fa8mz1fzVCjvOHCaDwa1q5yMiYX+2VAb6t0SkiCIYciJw
cLzQpdeHyTE1ocf2AVgEGkW4QAsblm1inAj2KG4YKApOwdBYQVPRDWX2rVfY9CBm
6aPhLXZFXbjMrNwesXcDzjKiT2OMcO7eBk0lw1n1sJ+iHKrxDvOcPAqV/hC76Ark
TD6wR6Z9JtK/+GQRNzuOA0g4oinU+KzPereot5PGY+TC+L55P3ys3Lz2tQ8oP0bS
9VjJmrip5VC+vfq6/dvQY1CWruqnJEWetTbZGt5HMwIDAQABo4ICLTCCAikwDgYD
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV
HRMBAf8EAjAAMB0GA1UdDgQWBBSeerzQHrEOeerObMdPppZvN+yd1TAfBgNVHSME
GDAWgBQAtSnyLY5vMeibTK14Pvrc6QzR0jAzBggrBgEFBQcBAQQnMCUwIwYIKwYB
BQUHMAKGF2h0dHA6Ly9yMTIuaS5sZW5jci5vcmcvMCcGA1UdEQQgMB6CHHZhdWx0
LjE3Ny4yMjAuMTIwLjI0OC5uaXAuaW8wEwYDVR0gBAwwCjAIBgZngQwBAgEwLwYD
VR0fBCgwJjAkoCKgIIYeaHR0cDovL3IxMi5jLmxlbmNyLm9yZy8xMjMuY3JsMIIB
BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcApELFBklgYVSPD9TqnPt6LSZFTYepfy/f
RVn2J086hFQAAAGY4EIlugAABAMASDBGAiEA00585VIT5Tv1zZohhbD9EdLq9HKo
zYpMauAZ1b1hfQwCIQDqZJf/wXgxdHzxhewYgK5BwoZUHUl0AOuAN4bbct2RZQB1
AA3h8jAr0w3BQGISCepVLvxHdHyx1+kw7w5CHrR+Tqo0AAABmOBCJboAAAQDAEYw
RAIgRmsMiQUc+mnR8u/j5+PBtbVp9ZSLXUb9VOE33qdxXPECIDzFVhYHPkLJkD5D
OTzITKbTVnOJflyKrvDx77s6z91+MA0GCSqGSIb3DQEBCwUAA4IBAQBKq1+VKpoV
I8ZwJkz3QsyhlyV1Gc/GLQTu7BjMeY56F6efdA+dTxBcS/mtAOJsihr1HdgCIQH/
lUkrsm9Bvg0NEglOjoRCwe3m0K9+oOfsaqvNltKplbETamLc5fZFf2BjlNfmkbaO
mRJqtsG/W4WCnbYoUU8H+jCCP+3wT2VqSU/jSCcc7AKrg6WUie2psaNCSEbyFFaC
pdVWOiSzlCw4A9pZTnudx4p75cfW2DJ8oUHZGokfxvlfD2rMG3yWJ8mrCH4AZr19
TyjktjVv5xypJkcnCvv9xqu/x8DsxLWaJPLMIatVKJoSa6OU5sFHh8tLZvmkQure
pPYkp4eC5+zV
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFBjCCAu6gAwIBAgIRAMISMktwqbSRcdxA9+KFJjwwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAzMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDEMMAoGA1UEAxMDUjEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2pgodK2+lP474B7i5Ut1qywSf+2nAzJ+Npfs6DGPpRONC5kuHs0BUT1M
5ShuCVUxqqUiXXL0LQfCTUA83wEjuXg39RplMjTmhnGdBO+ECFu9AhqZ66YBAJpz
kG2Pogeg0JfT2kVhgTU9FPnEwF9q3AuWGrCf4yrqvSrWmMebcas7dA8827JgvlpL
Thjp2ypzXIlhZZ7+7Tymy05v5J75AEaz/xlNKmOzjmbGGIVwx1Blbzt05UiDDwhY
XS0jnV6j/ujbAKHS9OMZTfLuevYnnuXNnC2i8n+cF63vEzc50bTILEHWhsDp7CH4
WRt/uTp8n1wBnWIEwii9Cq08yhDsGwIDAQABo4H4MIH1MA4GA1UdDwEB/wQEAwIB
hjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB
/wIBADAdBgNVHQ4EFgQUALUp8i2ObzHom0yteD763OkM0dIwHwYDVR0jBBgwFoAU
ebRZ5nu25eQBc4AIiMgaWPbpm24wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAC
hhZodHRwOi8veDEuaS5sZW5jci5vcmcvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMCcG
A1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly94MS5jLmxlbmNyLm9yZy8wDQYJKoZIhvcN
AQELBQADggIBAI910AnPanZIZTKS3rVEyIV29BWEjAK/duuz8eL5boSoVpHhkkv3
4eoAeEiPdZLj5EZ7G2ArIK+gzhTlRQ1q4FKGpPPaFBSpqV/xbUb5UlAXQOnkHn3m
FVj+qYv87/WeY+Bm4sN3Ox8BhyaU7UAQ3LeZ7N1X01xxQe4wIAAE3JVLUCiHmZL+
qoCUtgYIFPgcg350QMUIWgxPXNGEncT921ne7nluI02V8pLUmClqXOsCwULw+PVO
ZCB7qOMxxMBoCUeL2Ll4oMpOSr5pJCpLN3tRA2s6P1KLs9TSrVhOk+7LX28NMUlI
usQ/nxLJID0RhAeFtPjyOCOscQBA53+NRjSCak7P4A5jX7ppmkcJECL+S0i3kXVU
y5Me5BbrU8973jZNv/ax6+ZK6TM8jWmimL6of6OrX7ZU6E2WqazzsFrLG3o2kySb
zlhSgJ81Cl4tv3SbYiYXnJExKQvzf83DYotox3f0fwv7xln1A2ZLplCb0O+l/AK0
YE0DS2FPxSAHi0iwMfW2nNHJrXcY3LLHD77gRgje4Eveubi2xxa+Nmk/hmhLdIET
iVDFanoCrMVIpQ59XWHkzdFmoHXHBV7oibVjGSO7ULSQ7MJ1Nz51phuDJSgAIU7A
0zrLnOrAj/dfrlEWRhCvAgbuwLZX1A2sjNjXoPOHbsPiy+lO1KF8/XY7
-----END CERTIFICATE-----
key:
-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----
Create a file secret-vso-tls.yaml with the following content:
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vault-tls
spec:
  type: kv-v2
  # Mount path of the secrets backend
  mount: curso
  # Path to the secret
  path: certificados/meu-dominio
  # Where to store the secrets, end user will create the secret
  destination:
    create: true
    name: certificado-tls
    type: kubernetes.io/tls
    transformation:
      excludeRaw: true
      excludes:
        - cert
        - key
      templates:
        tls.key:
          text: '{{- printf "%s" (get .Secrets "key") -}}'
        tls.crt:
          text: '{{- printf "%s" (get .Secrets "cert") -}}'
Apply the YAML to create the resource
kubectl apply -f secret-vso-tls.yaml
Check that the Secret was created successfully
kubectl get secrets certificado-tls -o json | jq '.data | map_values(@base64d)'
Command-line configuration
If you prefer, Vault can be configured directly from the command line by opening a shell in the pod:
kubectl -n vault exec -ti vault-0 -- /bin/sh
and running the following commands
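The Secret certificado-tls created above is not consumed anywhere on this page. The following Ingress is an added example (not part of the course material) showing how a project Service would be served over HTTPS with that Secret. The Ingress name, the Service name and port, and the hostname are assumptions; the hostname must match a name in the certificate's subject alternative names, otherwise browsers report a name mismatch, and the practice certificate above was not issued for the nuvem.unicamp.br placeholder.

```yaml
# Added example: an Ingress that terminates TLS with the Secret that VSO
# synced from Vault (curso/certificados/meu-dominio -> certificado-tls).
# Names marked "assumed" are not from the exercise.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-tls                        # assumed name
  annotations:
    # Redirect plain HTTP to HTTPS so credentials never travel in clear text
    # (annotation understood by ingress-nginx; other controllers differ)
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - app.<IP_DO_INGRESS>.nuvem.unicamp.br   # must match the cert's SAN
      secretName: certificado-tls      # Secret of type kubernetes.io/tls created by VSO
  rules:
    - host: app.<IP_DO_INGRESS>.nuvem.unicamp.br
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webserver        # assumed Service name
                port:
                  number: 80           # assumed port
```

Because the Secret is managed by the VaultStaticSecret, rotating the certificate is done in Vault (update cert and key under certificados/meu-dominio); once VSO syncs the new values the ingress controller picks up the changed Secret without any edit to this Ingress.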
vault auth enable -path kubernetes kubernetes
vault write auth/kubernetes/config kubernetes_host="https://kubernetes.default.svc.cluster.local"
vault policy write kubernetes - <<EOF
path "curso/*" {
  capabilities = ["read"]
}
EOF
vault write auth/kubernetes/role/kubernetes-role bound_service_account_names=default bound_service_account_namespaces='*' policies=kubernetes ttl=24h
vault secrets enable -path=curso kv-v2
vault kv put curso/meu-secret chave1=valor1 chave2=valor2
Project
Change the project so that it uses passwords coming from Vault.
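For the project step, and as a concrete continuation of the check done earlier with kubectl get secrets password, here is an added example (not course code) of a Deployment that consumes the Kubernetes Secret named password that VSO synced from curso/senha. The Deployment name, labels, image, mount path and environment variable names are assumptions; the Secret name and its keys (username, password) come from the exercise. The pod never talks to Vault itself: VSO authenticated with the Kubernetes auth role and wrote the Secret, so the application only needs the usual Secret references.

```yaml
# Added example: application Deployment reading credentials from the Secret
# "password" that the VaultStaticSecret "vault-password" keeps in sync.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webserver                      # assumed; matches the commented rolloutRestartTargets entry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webserver
  template:
    metadata:
      labels:
        app: webserver
    spec:
      containers:
        - name: app
          image: nginx:1.27            # placeholder image; use the project's own
          env:
            # Keys are the fields stored in Vault under curso/senha
            - name: DB_USERNAME        # assumed variable name
              valueFrom:
                secretKeyRef:
                  name: password
                  key: username
            - name: DB_PASSWORD        # assumed variable name
              valueFrom:
                secretKeyRef:
                  name: password
                  key: password
          volumeMounts:
            # Alternative to env vars: expose each key as a file, so the
            # value does not show up in "kubectl describe pod" or process env
            - name: db-credentials
              mountPath: /run/secrets/db   # assumed path
              readOnly: true
      volumes:
        - name: db-credentials
          secret:
            secretName: password
```

If the rolloutRestartTargets block in secret-vso.yaml is uncommented with this Deployment's name, VSO restarts it whenever it syncs a change to the secret, so a password rotated in Vault reaches the running pods without a manual redeploy.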