Vault - Get started

Deploy Vault

Vault can be deployed via ITCare from the Security section of the left-hand side menu.

A Create Vault instance button takes you to the deployment form.

Find and select the Global Service in which you are going to create your new Vault instance. Click on Next.

In the next step, provide the following information:

  • Vault instance name

  • AD security group for administration

If you need to create a new AD security group, please create a request ticket via the AD Group Management form.

Click Next, then select the Region in which you wish to deploy.

Finally, the summary of your request is displayed. Check the information you've entered, then submit to launch the creation of your Vault instance.

Once the instance has been created, you will be notified by e-mail.

From your Bastion, access your Vault instance: https://<cluster>.vault.cegedim.cloud

Vault CLI on your bastion

This procedure explains how to install and use the Vault CLI on your bastion.

Download the latest version of Vault CLI from https://www.vaultproject.io/downloads onto your workstation.

Copy the downloaded file "vault_x.x.x_windows_amd64.zip" to your Bastion in C:\temp.

Open a cmd shell and run the command below:

mkdir %LOCALAPPDATA%\Vault
"C:\Program Files\7-Zip\7z.exe" e c:\temp\vault_x.x.x_windows_amd64.zip "*.*" -o"%LOCALAPPDATA%\Vault"

Kubernetes integration

Request Vault prerequisite on Kubernetes

This article describes how to request the Vault prerequisites on the cegedim.cloud Kubernetes service.

An existing Kubernetes cluster is required to set up integration with Vault.

Request Kubernetes Authorized Endpoint for Vault + Vault chart

Why

The cegedim Vault cluster needs direct access to the Kubernetes API (access through Rancher is not supported), and the "Official HashiCorp Vault Chart" must be added to Rancher Apps & Marketplace.

How

Use ITCare to formulate a request via the support request form "All other requests relating to IT Solutions/Tools".

  • Subject of the request: Create K8S Authorized Endpoint for Vault and add Vault chart <CCS ccs2-my-cluster>

  • Comments:

    • Could you please configure this on the K8S cluster <CCS ccs2-my-cluster>: - Kubernetes API Authorized Endpoint for Vault connection - Add "Official HashiCorp Vault Chart" in Rancher Apps & Marketplace

After the ticket is resolved, go to Rancher Cluster Manager → Cluster → Edit and check that Authorized Endpoint is Enabled.

From Rancher Cluster Explorer → Apps & Marketplace, check that the vault chart is available.

Configure Vault Injector on Kubernetes

This article describes how to configure the Vault Agent Injector on the cegedim.cloud Kubernetes service.

Create Vault project and namespace

  • Create project: vault

  • Create namespace: vault

Deploy Vault Agent Injector

  • From Rancher, go to "Apps & Marketplace" → "Charts"

  • Search for "vault" and select "vault - Official HashiCorp Vault Chart"

  • Select the "vault" namespace and provide deployment name "vault-injector"

  • Go to "Values YAML", search for the "externalVaultAddr" parameter and set its value to the URL of your Vault cluster: https://<my-vault-cluster>.vault.cegedim.cloud/

  • Click on Install

Control steps

The deployment creates the following objects in the vault namespace.

ClusterRole :

  • vault-injector-agent-injector-clusterrole

ServiceAccounts :

  • vault-injector: this service account is used by Vault to connect to the Kubernetes API

  • vault-injector-agent-injector: this service account is used by the vault-injector-agent-injector deployment

ClusterRoleBindings :

  • vault-injector-agent-injector-binding: attaches the ClusterRole vault-injector-agent-injector-clusterrole to the vault-injector-agent-injector service account

  • vault-injector-server-binding: grants system:auth-delegator to the vault-injector service account

Deployment :

  • vault-injector-agent-injector

Setup Kubernetes Auth Method on Cegedim Vault

This article describes how to enable the Kubernetes auth method to authenticate to a cegedim.cloud Vault instance using a Kubernetes service account token.

Prerequisites :

  • Vault CLI

  • Kubernetes Authorized Endpoint for Vault

  • kubernetes certificate

Enable the Kubernetes auth method for your cegedim.cloud Container Services cluster from a Vault CLI that is configured and logged in to your cegedim.cloud Vault instance:

vault auth enable -path=kubernetes-<ccs-my-cluster> kubernetes

You can check this auth method configuration in the Vault UI, Access tab.

Configure Kubernetes Auth Method

Prerequisites:

  • token_reviewer_jwt: token to take from the Rancher Kubernetes Secret vault-injector-token

  • kubernetes_host: Kubernetes Authorized Endpoint API, to obtain from the Rancher Kubernetes cluster configuration

  • kubernetes_ca_cert: use the root CA certificate of the Kubernetes Authorized Endpoint API below

This is not the Kubernetes CA, as the Kubernetes Authorized Endpoint API is exposed by the cegedim.cloud load balancer with a Let's Encrypt certificate.

Copy/paste the certificate file below to C:\Temp in your bastion profile so that the Vault CLI can use it.

  • From a cmd shell, run the command below with the prerequisite values above substituted in, to configure the auth method:

vault write auth/kubernetes-<ccs-my-cluster>/config token_reviewer_jwt="xxxxxxxxxxxxxxxxxx" kubernetes_host="https://<my-ccs-cluster>-api.ccs.cegedim.cloud" kubernetes_ca_cert=@isg_root_x1.cer disable_iss_validation=true
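As an added example (not part of this page and not HashiCorp's tooling), the Python script below inspects a service-account token before it is pasted into token_reviewer_jwt: it decodes the payload without verifying the signature (only the Kubernetes API server can verify one, through TokenReview) and checks that the token belongs to the vault-injector service account in the vault namespace, the one that was granted system:auth-delegator above. It also reports the iss claim, which is the value Vault's issuer validation compares against and which this page switches off with disable_iss_validation=true. The token it runs on is constructed inline with a dummy HMAC key; a real token is RS256-signed by the API server.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    Only the Kubernetes API server (TokenReview) can verify a service-account
    token; this is for looking at which identity a token carries.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_reviewer_token(token: str, expected_ns: str = "vault",
                         expected_sa: str = "vault-injector") -> dict:
    """Summarise a candidate token_reviewer_jwt and list anything that is off."""
    claims = jwt_claims(token)
    expected_sub = f"system:serviceaccount:{expected_ns}:{expected_sa}"
    problems = []
    if claims.get("sub") != expected_sub:
        problems.append(f"sub is {claims.get('sub')!r}, expected {expected_sub!r}")
    # Legacy Secret-based tokens (the kind read from vault-injector-token) carry
    # no exp claim; bound tokens created with `kubectl create token` do.
    return {
        "subject": claims.get("sub"),
        "issuer": claims.get("iss"),
        "expires": "exp" in claims,
        "problems": problems,
    }


def make_demo_token(namespace: str, sa_name: str,
                    key: bytes = b"constructed-demo-key") -> str:
    """CONSTRUCTED token shaped like a legacy Kubernetes service-account token.

    Signed with HS256 and a dummy key so that the example runs offline; a real
    token is RS256-signed by the API server.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "kubernetes.io/serviceaccount/secret.name": f"{sa_name}-token",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


if __name__ == "__main__":
    for ns, sa in (("vault", "vault-injector"), ("default", "default")):
        print(ns, sa, check_reviewer_token(make_demo_token(ns, sa)))
```

On a real token copied from the vault-injector-token Secret, call check_reviewer_token(token) and only proceed with the vault write when problems is empty; the subject it prints is the identity Vault will use for every TokenReview call.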

Vault agent with Kubernetes use cases

Inject Secrets inside Pod path /vault/secrets/

This article describes how to deploy a Postgres DB whose Postgres username and password are stored on a cegedim.cloud Vault instance.

Prerequisites :

  • cegedim.cloud Kubernetes cluster

  • cegedim.cloud Vault instance

  • Vault CLI

  • CCS connected to Cegedim Vault Cluster

  • Kubectl

Connect to your cegedim.cloud Vault instance from cmd shell

#Skip TLS certificate verification of the Vault endpoint for this CLI session
set VAULT_SKIP_VERIFY=True
 
#Set vault address (no quotes: cmd.exe keeps them as part of the value and the CLI then fails to parse the URL)
set VAULT_ADDR=https://<my-vault-cluster>.vault.cegedim.cloud/
 
#Get vault status
vault status
 
#Login on vault by selecting ldap method
vault login -method=ldap username="adm-<your-login>"

Create Engine demopostgres

It is important to prefix every engine path with secret/, otherwise you will not be able to administer it with your BU admin role.

#Create Engine on vault
vault secrets enable -path=secret/demopostgres kv-v2

Create your DB Secret username and password

#Create your secret on vault
vault kv put secret/demopostgres/db username="myusername" password="mysecret"
 
#Check secret
vault kv get secret/demopostgres/db

Create the read policy file C:\Temp\policy_demopostgres.json with the following content:

path "secret/demopostgres/data/db"
{
  capabilities = ["read"]
}

Create policy

#Create policy
vault policy write policy_demopostgres c:\Temp\policy_demopostgres.json
 
#Check policy creation
vault policy read policy_demopostgres

Apply policy on secret

This role binds the Kubernetes service account sa-demopostgres, from namespace vault-demopostgres, to the Vault policy policy_demopostgres.

Tokens returned after authentication are valid for 24 hours.

#Apply policy on secret
vault write auth/kubernetes-<ccs-my-cluster>/role/demopostgres bound_service_account_names=sa-demopostgres bound_service_account_namespaces=vault-demopostgres policies=policy_demopostgres ttl=24h

Create Namespace

#Create Namespace
kubectl create namespace vault-demopostgres

Create Kubernetes Service Account

#Create Kubernetes Service Account
kubectl create serviceaccount sa-demopostgres --namespace vault-demopostgres
 
# Verify that the service account has been created
kubectl get serviceaccounts --namespace vault-demopostgres

Create deployment file vault_demopostgres.yaml

vault_demopostgres.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: db-postgres
  name: db-postgres
spec:
  selector:
    matchLabels:
      app: db-postgres
  replicas: 1
  template:
    metadata:
      labels:
        app: db-postgres
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "demopostgres"
        vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/agent-cache-enable: "true"
        vault.hashicorp.com/auth-path: auth/kubernetes-ccs2-rd-shared
        vault.hashicorp.com/agent-inject-secret-db-username: secret/demopostgres/db
        vault.hashicorp.com/agent-inject-template-db-username: |
          {{ with secret "secret/demopostgres/db" -}}
          {{ .Data.data.username }}
          {{- end }}
        vault.hashicorp.com/agent-inject-secret-db-password: secret/demopostgres/db
        vault.hashicorp.com/agent-inject-template-db-password: |
          {{ with secret "secret/demopostgres/db" -}}
          {{ .Data.data.password }}
          {{- end }}
    spec:
      serviceAccountName: sa-demopostgres
      containers:
      - name: db-postgres
        image: postgres
        imagePullPolicy: "IfNotPresent"
        env:
        - name: POSTGRES_USER_FILE
          value: /vault/secrets/db-username
        - name: POSTGRES_PASSWORD_FILE
          value: /vault/secrets/db-password
        - name: POSTGRES_HOST_AUTH_METHOD
          value: "scram-sha-256"
        - name: POSTGRES_INITDB_ARGS
          value: --auth-host=scram-sha-256
        ports:
        - containerPort: 5432
        resources:
          requests:
            memory: "200Mi"
            cpu: "100m"
          limits:
            memory: "1Gi"
            cpu: "500m"
        volumeMounts:
        - mountPath: /var/lib/postgresql/data
          name: postgresql-data
      volumes:
      - name: postgresql-data
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: db-postgres
spec:
  selector:
    app: db-postgres
  ports:
  - protocol: TCP
    port: 5432

Deploy Vault Postgres Demo

kubectl apply -f vault_demopostgres.yaml --namespace vault-demopostgres

Control steps

  • Check your deployment in Rancher
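The steps above wire three things together that must agree: the policy path (kv-v2 reads go through <mount>/data/<key>, which is why the policy grants secret/demopostgres/data/db although the CLI writes secret/demopostgres/db), the auth role (bound service account name and namespace, policy name) and the pod template (serviceAccountName, namespace, and the vault.hashicorp.com/role and auth-path annotations). The Python check below is an added example, not part of this page and not the Vault project's code; it runs offline on constructed copies of the page's policy, role and annotations and reports any mismatch that would make the agent sidecar fail to authenticate or get a permission denied on the secret.

```python
import re

# Constructed inputs that mirror the demo on this page (not the page's own files).
POLICY_HCL = '''
path "secret/demopostgres/data/db"
{
  capabilities = ["read"]
}
'''

# What `vault write auth/kubernetes-<ccs-my-cluster>/role/demopostgres ...` sets.
ROLE = {
    "name": "demopostgres",
    "auth_path": "auth/kubernetes-ccs2-rd-shared",
    "bound_service_account_names": ["sa-demopostgres"],
    "bound_service_account_namespaces": ["vault-demopostgres"],
    "policies": ["policy_demopostgres"],
}

# The parts of the pod template that the injector and the auth method look at.
DEPLOYMENT = {
    "namespace": "vault-demopostgres",
    "serviceAccountName": "sa-demopostgres",
    "annotations": {
        "vault.hashicorp.com/agent-inject": "true",
        "vault.hashicorp.com/role": "demopostgres",
        "vault.hashicorp.com/auth-path": "auth/kubernetes-ccs2-rd-shared",
        "vault.hashicorp.com/agent-inject-secret-db-username": "secret/demopostgres/db",
        "vault.hashicorp.com/agent-inject-secret-db-password": "secret/demopostgres/db",
    },
}


def kv2_api_path(mount: str, cli_path: str) -> str:
    """Translate a kv-v2 CLI path (mount/key) into the API path a read hits
    (mount/data/key); a path that already contains data/ is left alone."""
    mount = mount.strip("/")
    rest = cli_path.strip("/")[len(mount) + 1:]
    if rest.startswith("data/"):
        return f"{mount}/{rest}"
    return f"{mount}/data/{rest}"


def parse_policy(hcl: str) -> dict:
    """Minimal parser for `path "..." { capabilities = [...] }` stanzas."""
    stanza = r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
    return {
        m.group(1): [c.strip().strip('"') for c in m.group(2).split(",") if c.strip()]
        for m in re.finditer(stanza, hcl, re.S)
    }


def grants(rules: dict, path: str, capability: str) -> bool:
    """Exact match or a trailing-`*` glob, the two path forms Vault policies use."""
    return any(
        capability in caps and (p == path or (p.endswith("*") and path.startswith(p[:-1])))
        for p, caps in rules.items()
    )


def lint(policy_hcl: str, role: dict, deployment: dict,
         kv_mount: str = "secret/demopostgres") -> list:
    """Return human-readable findings; an empty list means everything lines up."""
    ann = deployment["annotations"]
    findings = []
    if ann.get("vault.hashicorp.com/agent-inject") != "true":
        findings.append('agent-inject annotation is not "true": no sidecar will be injected')
    if ann.get("vault.hashicorp.com/role") != role["name"]:
        findings.append(f"pod asks for role {ann.get('vault.hashicorp.com/role')!r}, role is {role['name']!r}")
    if ann.get("vault.hashicorp.com/auth-path") != role["auth_path"]:
        findings.append(f"auth-path {ann.get('vault.hashicorp.com/auth-path')!r} != {role['auth_path']!r}")
    if deployment["serviceAccountName"] not in role["bound_service_account_names"]:
        findings.append(f"service account {deployment['serviceAccountName']!r} is not bound to the role")
    if deployment["namespace"] not in role["bound_service_account_namespaces"]:
        findings.append(f"namespace {deployment['namespace']!r} is not bound to the role")
    rules = parse_policy(policy_hcl)
    for key, cli_path in ann.items():
        if not key.startswith("vault.hashicorp.com/agent-inject-secret-"):
            continue
        # The annotation carries the CLI-style kv path; the policy must grant the API path.
        api_path = kv2_api_path(kv_mount, cli_path) if cli_path.startswith(kv_mount + "/") else cli_path
        if not grants(rules, api_path, "read"):
            name = key.split("agent-inject-secret-", 1)[1]
            findings.append(f"{name}: policy grants no read on {api_path}")
    return findings


if __name__ == "__main__":
    print(lint(POLICY_HCL, ROLE, DEPLOYMENT) or "ok: policy, role and pod template agree")
```

The most common slip this catches is a policy written on the CLI path secret/demopostgres/db, which vault policy write accepts without complaint but which never matches the data/ path the agent actually reads.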

Inject Secrets inside pod with Configmap

This article describes how to deploy the SonarQube application with a Postgres DB whose Postgres username and password are stored on a cegedim.cloud Vault instance.

Prerequisites :

  • cegedim.cloud Kubernetes cluster

  • cegedim.cloud Vault instance

  • Vault CLI

  • Kubernetes cluster connected to cegedim.cloud Vault instance

  • Kubectl

Connect to your cegedim.cloud Vault instance from cmd shell

#Skip TLS certificate verification of the Vault endpoint for this CLI session
set VAULT_SKIP_VERIFY=True
 
#Set vault address (no quotes: cmd.exe keeps them as part of the value and the CLI then fails to parse the URL)
set VAULT_ADDR=https://<my-vault-cluster>.vault.cegedim.cloud/
 
#Get vault status
vault status
 
#Login on vault by selecting ldap method
vault login -method=ldap username="adm-<your-login>"

Create Engine demopostgres (or reuse engine created previously)

It is important to prefix every engine path with secret/, otherwise you will not be able to administer it with your BU admin role.

#Create Engine on vault
vault secrets enable -path=secret/demopostgres kv-v2

Create your DB Secret username and password (or reuse DB Secret created previously)

#Create your secret on vault
vault kv put secret/demopostgres/db username="myusername" password="mysecret"
 
#Check secret
vault kv get secret/demopostgres/db

Create the read policy file C:\Temp\policy_demopostgres.json with the following content:

path "secret/demopostgres/data/db"
{
  capabilities = ["read"]
}

Create policy

#Create policy
vault policy write policy_demopostgres c:\Temp\policy_demopostgres.json
 
#Check policy creation
vault policy read policy_demopostgres

Apply policy on secret

This role binds the Kubernetes service account sa-demopostgres, from namespace vault-demopostgres, to the Vault policy policy_demopostgres.

Tokens returned after authentication are valid for 24 hours.

#Apply policy on secret
vault write auth/kubernetes-<ccs-my-cluster>/role/demopostgres bound_service_account_names=sa-demopostgres bound_service_account_namespaces=vault-demopostgres policies=policy_demopostgres ttl=24h

Create Namespace (or reuse Namespace created previously)

#Create Namespace
kubectl create namespace vault-demopostgres

Create Kubernetes Service Account (or reuse Service Account created previously)

#Create Kubernetes Service Account
kubectl create serviceaccount sa-demopostgres --namespace vault-demopostgres
 
# Verify that the service account has been created
kubectl get serviceaccounts --namespace vault-demopostgres

Create deployment file vault_demosonarqube.yaml

vault_demosonarqube.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: db-sonarqube
  name: db-sonarqube
spec:
  selector:
    matchLabels:
      app: db-sonarqube
  replicas: 1
  template:
    metadata:
      labels:
        app: db-sonarqube
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "demopostgres"
        vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/agent-cache-enable: "true"
        vault.hashicorp.com/auth-path: auth/kubernetes-ccs2-rd-shared
        vault.hashicorp.com/agent-inject-secret-db-username: secret/demopostgres/db
        vault.hashicorp.com/agent-inject-template-db-username: |
          {{ with secret "secret/demopostgres/db" -}}
          {{ .Data.data.username }}
          {{- end }}
        vault.hashicorp.com/agent-inject-secret-db-password: secret/demopostgres/db
        vault.hashicorp.com/agent-inject-template-db-password: |
          {{ with secret "secret/demopostgres/db" -}}
          {{ .Data.data.password }}
          {{- end }}
    spec:
      serviceAccountName: sa-demopostgres
      containers:
      - name: db-sonarqube
        image: postgres
        imagePullPolicy: "IfNotPresent"
        env:
        - name: POSTGRES_USER_FILE
          value: /vault/secrets/db-username
        - name: POSTGRES_PASSWORD_FILE
          value: /vault/secrets/db-password
        - name: POSTGRES_HOST_AUTH_METHOD
          value: "scram-sha-256"
        - name: POSTGRES_INITDB_ARGS
          value: --auth-host=scram-sha-256
        ports:
        - containerPort: 5432
        resources:
          requests:
            memory: "200Mi"
            cpu: "100m"
          limits:
            memory: "1Gi"
            cpu: "500m"
        volumeMounts:
        - mountPath: /var/lib/postgresql/data
          name: postgresql-data
      volumes:
      - name: postgresql-data
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: db-sonarqube
spec:
  selector:
    app: db-sonarqube
  ports:
  - protocol: TCP
    port: 5432
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: app-sonarqube
  name: app-sonarqube
spec:
  selector:
    matchLabels:
      app: app-sonarqube
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "demopostgres"
        vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/agent-cache-enable: "true"
        vault.hashicorp.com/agent-cache-use-auto-auth-token: "force"
        vault.hashicorp.com/auth-path: auth/kubernetes-ccs2-rd-shared
        vault.hashicorp.com/agent-inject-secret-sonar.properties: secret/demopostgres/db
        vault.hashicorp.com/secret-volume-path-sonar.properties: "/opt/sonarqube/conf/"
        vault.hashicorp.com/agent-inject-file-sonar.properties: "sonar.properties"
        vault.hashicorp.com/agent-inject-template-file-sonar.properties: /tmp/sonar.properties.tmpl
        vault.hashicorp.com/agent-copy-volume-mounts: app-sonarqube
      labels:
        app: app-sonarqube
    spec:
      serviceAccountName: sa-demopostgres
      containers:
        - name: app-sonarqube
          image: sonarqube:lts-community
          imagePullPolicy: "IfNotPresent"
          resources:
            requests:
              memory: "1200Mi"
              cpu: "100m"
            limits:
              memory: "2500Mi"
              cpu: "500m"
          volumeMounts:
          - mountPath: /opt/sonarqube/data/
            name: sonar-data
          - mountPath: /opt/sonarqube/extensions/
            name: sonar-extensions
          - mountPath: /opt/sonarqube/logs
            name: sonar-logs
          - mountPath: /opt/sonarqube/temp
            name: sonar-temp
          - name: properties
            mountPath: /tmp/sonar.properties.tmpl
            subPath: sonar.properties.tmpl
          ports:
          - containerPort: 9000
            protocol: TCP
      volumes:
      - name: sonar-data
        emptyDir: {}
      - name: sonar-extensions
        emptyDir: {}
      - name: sonar-logs
        emptyDir: {}
      - name: sonar-temp
        emptyDir: {}
      - name: properties
        configMap:
          name: app-sonarqube
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-sonarqube
data:
  sonar.properties.tmpl: |
    {{- with secret "secret/demopostgres/db" -}}
    ldap.url: {{ .Data.data.url }}
    ldap.bindDn: CN=sa_rd_automation,OU=Service Accounts,OU=Cegedim R&D,OU=BOU,OU=FR,OU=EMEA,DC=emea,DC=cegedim,DC=grp
    ldap.bindPassword: {{.Data.data.binddn }}
    ldap.group.baseDn: OU=EMEA,DC=emea,DC=cegedim,DC=grp
    ldap.user.baseDn: OU=EMEA,DC=emea,DC=cegedim,DC=grp
    ldap.user.request: (&(objectClass=user)(UserPrincipalName={login}))
    sonar.security.realm: LDAP
    sonar.jdbc.password: {{ .Data.data.password }}
    sonar.jdbc.url: jdbc:postgresql://db-sonarqube:5432/{{ .Data.data.username }}
    sonar.jdbc.username: {{ .Data.data.username }}
    {{- end }}
---
apiVersion: v1
kind: Service
metadata:
  name: app-sonarqube
spec:
  selector:
    app: app-sonarqube
  ports:
  - protocol: TCP
    port: 9000
    targetPort: 9000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-sonarqube
spec:
  rules:
  - host: sonardemo.ccs2-rd-shared.ccs.cegedim.cloud
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: app-sonarqube
            port:
              number: 9000

Deploy Vault SonarQube Demo

kubectl apply -f vault_demosonarqube.yaml --namespace vault-demopostgres
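The ConfigMap template above reads four distinct fields from secret/demopostgres/db (url, binddn, password and username), while the vault kv put earlier in this procedure stores only username and password. As an added example, not part of this page and not the Vault project's code, the Python check below extracts every .Data.data.<key> reference from a consul-template block and compares it with the keys actually stored, so such gaps are found before the sidecar renders a sonar.properties whose LDAP settings carry no real values. The template text is a constructed copy of the page's ConfigMap, and the stored keys are taken from a constructed copy of `vault kv get -format=json` output (the nested data.data shape is the real CLI's).

```python
import json
import re

# Constructed copy of the sonar.properties.tmpl from the ConfigMap on this page.
SONAR_TMPL = '''\
{{- with secret "secret/demopostgres/db" -}}
ldap.url: {{ .Data.data.url }}
ldap.bindDn: CN=sa_rd_automation,OU=Service Accounts,OU=Cegedim R&D,OU=BOU,OU=FR,OU=EMEA,DC=emea,DC=cegedim,DC=grp
ldap.bindPassword: {{.Data.data.binddn }}
ldap.group.baseDn: OU=EMEA,DC=emea,DC=cegedim,DC=grp
ldap.user.baseDn: OU=EMEA,DC=emea,DC=cegedim,DC=grp
ldap.user.request: (&(objectClass=user)(UserPrincipalName={login}))
sonar.security.realm: LDAP
sonar.jdbc.password: {{ .Data.data.password }}
sonar.jdbc.url: jdbc:postgresql://db-sonarqube:5432/{{ .Data.data.username }}
sonar.jdbc.username: {{ .Data.data.username }}
{{- end }}
'''

# Constructed `vault kv get -format=json secret/demopostgres/db` output for the
# secret written earlier with `vault kv put ... username=... password=...`.
KV_GET_JSON = json.dumps({
    "data": {
        "data": {"username": "myusername", "password": "mysecret"},
        "metadata": {"version": 1, "destroyed": False},
    }
})

_WITH_BLOCK = re.compile(
    r'\{\{-?\s*with\s+secret\s+"([^"]+)"\s*-?\}\}(.*?)\{\{-?\s*end\s*-?\}\}', re.S)
_FIELD = re.compile(r'\.Data\.data\.(\w+)')


def template_refs(tmpl: str) -> dict:
    """Map each `with secret "<path>"` block to the set of .Data.data.<key> it reads."""
    refs = {}
    for m in _WITH_BLOCK.finditer(tmpl):
        refs.setdefault(m.group(1), set()).update(_FIELD.findall(m.group(2)))
    return refs


def stored_keys(kv_get_json: str) -> set:
    """Keys present in a kv-v2 secret, from `vault kv get -format=json` output."""
    return set(json.loads(kv_get_json)["data"]["data"])


def missing_keys(tmpl: str, stored: dict) -> dict:
    """For each secret path the template reads, the keys the stored secret lacks.

    `stored` maps secret path -> set of keys. A referenced key that is absent
    from the secret does not render to a real value, so the property line ends
    up without the credential the template promises.
    """
    return {
        path: keys - stored.get(path, set())
        for path, keys in template_refs(tmpl).items()
        if keys - stored.get(path, set())
    }


if __name__ == "__main__":
    stored = {"secret/demopostgres/db": stored_keys(KV_GET_JSON)}
    print(missing_keys(SONAR_TMPL, stored))
```

Run against the page's inputs it reports url and binddn as missing for secret/demopostgres/db; once those keys are added with vault kv put (or the template is trimmed to the keys that exist), the result is empty.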

Control steps

  • Access SonarQube through the Ingress host defined above
