Copy the downloaded file "vault_x.x.x_windows_amd64.zip" to your Bastion in C:\temp.
Open a cmd shell and run the command below:
mkdir %LOCALAPPDATA%\Vault
"C:\Program Files\7-Zip\7z.exe" e c:\temp\vault_x.x.x_windows_amd64.zip "*.*" -o"%LOCALAPPDATA%\Vault"
Kubernetes integration
Request Vault prerequisite on Kubernetes
This article describes how to request the Vault prerequisites on the cegedim.cloud Kubernetes service.
An existing Kubernetes cluster is required to set up integration with Vault.
Request Kubernetes Authorized Endpoint for Vault + Vault chart
Why
The cegedim Vault cluster needs direct access to the Kubernetes API (access through Rancher is not supported), and the "Official HashiCorp Vault Chart" must be added to Rancher Apps & Marketplace.
How
Use ITCare to submit a request via the support request form "All other requests relating to IT Solutions/Tools".
Subject of the request: Create K8S Authorized Endpoint for Vault and add Vault chart <CCS ccs2-my-cluster>
Comments:
Could you please configure this on the K8S cluster <CCS ccs2-my-cluster>:
- Kubernetes API Authorized Endpoint for the Vault connection
- Add "Official HashiCorp Vault Chart" in Rancher Apps & Marketplace
After ticket resolution, go to Rancher Cluster Manager → Cluster → Edit to check that the Authorized Endpoint is enabled.
From Rancher Cluster Explorer → Apps & Marketplace, check that the Vault chart is available.
Configure Vault Injector on Kubernetes
This article describes how to configure the Vault injector on the cegedim.cloud Kubernetes service.
Create Vault project and namespace
Create project: vault
Create namespace: vault
Deploy Vault Agent Injector
From Rancher, go to "Apps & Marketplace" → "Charts"
Search for "vault" and select "vault - Official HashiCorp Vault Chart"
Select the "vault" namespace and provide deployment name "vault-injector"
Go to "Values YAML" and search for the "externalVaultAddr" parameter to set value with URL of your vault cluster https://<my-vault-cluster>.vault.cegedim.cloud/
Click on Install
Control steps
The deployment creates the following objects in the vault namespace.
ClusterRole:
vault-injector-agent-injector-clusterrole
ServiceAccounts:
vault-injector: this service account is used by Vault to connect to the Kubernetes API (token review)
vault-injector-agent-injector: this service account is used by the vault-injector-agent-injector deployment
ClusterRoleBindings:
vault-injector-agent-injector-binding: attaches the ClusterRole vault-injector-agent-injector-clusterrole to the vault-injector-agent-injector service account
vault-injector-server-binding: grants system:auth-delegator to the vault-injector service account
Deployment:
vault-injector-agent-injector
Setup Kubernetes Auth Method on Cegedim Vault
This article describes how to enable the Kubernetes auth method to authenticate on a cegedim.cloud Vault instance using a Kubernetes Service Account Token.
Prerequisites:
Vault CLI
Kubernetes Authorized Endpoint for Vault
Kubernetes certificate
Enable Kubernetes Auth Method on your cegedim.cloud Container Services
From the Vault CLI, configured and connected to your cegedim.cloud Vault instance cluster.
This article describes how to deploy a Postgres DB with the Postgres username and password stored on a cegedim.cloud Vault instance.
Prerequisites:
cegedim.cloud Kubernetes cluster
cegedim.cloud Vault instance
Vault CLI
CCS connected to Cegedim Vault Cluster
Kubectl
Connect to your cegedim.cloud Vault instance from the cmd shell
REM Skip TLS verification of the Vault server certificate
set VAULT_SKIP_VERIFY=True
REM Set vault address (no quotes: cmd would store them as part of the value and break the URL)
set VAULT_ADDR=https://<my-vault-cluster>.vault.cegedim.cloud/
REM Get vault status
vault status
REM Login on vault using the ldap method
vault login -method=ldap username="adm-<your-login>"
Create Engine demopostgres
It's important to prefix every engine path with the path secret/, otherwise you will not be able to administer it with your BU admin role.
#Create Engine on vault
vault secrets enable -path=secret/demopostgres kv-v2
Create your DB Secret username and password
#Create your secret on vault
vault kv put secret/demopostgres/db username="myusername" password="mysecret"
#Check secret
vault kv get secret/demopostgres/db
#Create Kubernetes Service Account
kubectl create serviceaccount sa-demopostgres --namespace vault-demopostgres
# Verify that the service account has been created
kubectl get serviceaccounts --namespace vault-demopostgres
This article describes how to deploy the SonarQube application with a Postgres DB, with the Postgres username and password stored on a cegedim.cloud Vault instance.
Prerequisites:
cegedim.cloud Kubernetes cluster
cegedim.cloud Vault instance
Vault CLI
Kubernetes cluster connected to cegedim.cloud Vault instance
Kubectl
Connect to your cegedim.cloud Vault instance from the cmd shell
REM Skip TLS verification of the Vault server certificate
set VAULT_SKIP_VERIFY=True
REM Set vault address (no quotes: cmd would store them as part of the value and break the URL)
set VAULT_ADDR=https://<my-vault-cluster>.vault.cegedim.cloud/
REM Get vault status
vault status
REM Login on vault using the ldap method
vault login -method=ldap username="adm-<your-login>"
Create Engine demopostgres (or reuse engine created previously)
It's important to prefix every engine path with the path secret/, otherwise you will not be able to administer it with your BU admin role.
#Create Engine on vault
vault secrets enable -path=secret/demopostgres kv-v2
Create your DB Secret username and password (or reuse DB Secret created previously)
#Create your secret on vault
vault kv put secret/demopostgres/db username="myusername" password="mysecret"
#Check secret
vault kv get secret/demopostgres/db
Create Kubernetes Service Account (or reuse Service Account created previously)
#Create Kubernetes Service Account
kubectl create serviceaccount sa-demopostgres --namespace vault-demopostgres
# Verify that the service account has been created
kubectl get serviceaccounts --namespace vault-demopostgres
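The Vault-side configuration that the "Setup Kubernetes Auth Method" article leads up to, tied to the secret/demopostgres engine and the sa-demopostgres service account created above, as an added example that is not cegedim.cloud's own tooling: it builds the same payloads the Vault CLI would send and writes them through the Vault HTTP API. Assumed, not from the page: the auth method is mounted at kubernetes, the role and policy are named demopostgres and demopostgres-read, and the reviewer JWT is the vault-injector service account token.

```python
import json
import urllib.request

KV_MOUNT = "secret/demopostgres"      # KV v2 engine created on this page
SA_NAME, SA_NAMESPACE = "sa-demopostgres", "vault-demopostgres"   # SA created on this page
ROLE, POLICY = "demopostgres", "demopostgres-read"   # assumed names, not from the page


def kv2_read_policy(mount: str, secret: str) -> str:
    """HCL policy granting read on one KV v2 secret. KV v2 inserts 'data/' between
    mount and secret name: 'secret/demopostgres/db' on the CLI is
    'secret/demopostgres/data/db' in a policy."""
    if not mount.startswith("secret/"):
        raise ValueError("engine path must be prefixed with secret/ (BU admin role scope)")
    return 'path "%s/data/%s" {\n  capabilities = ["read"]\n}\n' % (mount.strip("/"), secret)


def auth_config(k8s_host: str, ca_cert_pem: str, reviewer_jwt: str) -> dict:
    """Payload for auth/kubernetes/config: the Authorized Endpoint URL, its CA
    certificate and the vault-injector service account token (its
    system:auth-delegator binding lets Vault call the TokenReview API)."""
    return {"kubernetes_host": k8s_host, "kubernetes_ca_cert": ca_cert_pem,
            "token_reviewer_jwt": reviewer_jwt}


def auth_role(sa_name: str, sa_namespace: str, policies: list, ttl: str = "1h") -> dict:
    """Payload for auth/kubernetes/role/<name>: only this service account in this
    namespace may log in, and it receives only the listed policies."""
    return {"bound_service_account_names": [sa_name],
            "bound_service_account_namespaces": [sa_namespace],
            "token_policies": policies, "token_ttl": ttl}


def apply(vault_addr: str, token: str, k8s_host: str, ca_pem: str, jwt: str) -> list:
    """Perform the four writes against the Vault HTTP API; returns the paths written."""
    def post(path, body):
        req = urllib.request.Request(
            vault_addr.rstrip("/") + "/v1/" + path, method="POST",
            data=json.dumps(body).encode(),
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        urllib.request.urlopen(req).read()   # TLS stays verified (no VAULT_SKIP_VERIFY here)
        return path
    return [post("sys/auth/kubernetes", {"type": "kubernetes"}),
            post("auth/kubernetes/config", auth_config(k8s_host, ca_pem, jwt)),
            post("sys/policies/acl/" + POLICY, {"policy": kv2_read_policy(KV_MOUNT, "db")}),
            post("auth/kubernetes/role/" + ROLE, auth_role(SA_NAME, SA_NAMESPACE, [POLICY]))]
```

On the workload side, the injector deployed earlier reads the role from the pod annotation vault.hashicorp.com/role and the secret path from vault.hashicorp.com/agent-inject-secret-<name>.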