We manage key/value secrets through Vault's secret (version 1 kv) backend. Our vault-agent then dynamically fetches the secrets under these predefined paths (every SECRET_REFRESH_TIME seconds) and writes them into K8s Secrets.
For example, suppose we write the following key/values:
vault write secret/projects/georgesreinc-test/services/foo/defaults/test1 value=value1
vault write secret/projects/georgesreinc-test/services/bar/defaults/test1 value=value1
vault write secret/projects/georgesreinc-test/services/bar/defaults/test2 value=value2
vault write secret/projects/georgesreinc-test/services/baz/namespaces/ops/apikey value=secret
kubectl create namespace ops
kubectl create namespace stable
kubectl create namespace all-apps
kubectl create namespace foo
kubectl create namespace wrong
kubectl apply -f - <<-EOF
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-agent.app-config
  namespace: ops
data:
  apps: |-
    - baz
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-agent.app-config
  namespace: all-apps
data:
  apps: ALL
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-agent.app-config
  namespace: foo
data:
  apps: foo
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-agent.app-config
  namespace: wrong
data:
  apps: |-
    - baz
    - ALL
EOF
The secret entries automatically created in our k8s cluster are listed below.
kubectl get secret --all-namespaces | grep service-secrets should yield something that looks like:
all-apps bar.service-secrets Opaque 2 19m
all-apps foo.service-secrets Opaque 1 19m
foo foo.service-secrets Opaque 1 19m
ops baz.service-secrets Opaque 1 19m
stable bar.service-secrets Opaque 2 19m
stable foo.service-secrets Opaque 1 19m
wrong bar.service-secrets Opaque 2 19m
wrong foo.service-secrets Opaque 1 19m
In short, vault-agent lets you:
- restrict a given secret so that it is only created in one or more specified namespaces
- dynamically update the key/value contents of a secret
- refresh the secrets every SECRET_REFRESH_TIME seconds
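To make the namespace rules concrete, here is a small Python model, added here and not vault-agent's own code, that maps the Vault paths and the per-namespace `apps` settings above onto the Secrets shown in the kubectl output. Its rules (a namespace with no ConfigMap or with ALL receives every service; a namespace-specific key overrides a default; a service with no keys for a namespace gets no Secret; ALL anywhere in a list means all services) are inferred from that output and are assumptions, and the input data is constructed.

```python
import re
# Path layout assumed from the vault write commands above.
SECRET_PATH = re.compile(
    r"^secret/projects/(?P<project>[^/]+)/services/(?P<service>[^/]+)/"
    r"(?:defaults|namespaces/(?P<ns>[^/]+))/(?P<key>[^/]+)$")

def parse_apps(value):
    """'apps': 'ALL', one app name, or a '- name' list. None = all apps."""
    if value is None:  # namespace has no vault-agent.app-config ConfigMap
        return None
    lines = [l.strip() for l in value.splitlines() if l.strip()]
    names = [l[2:].strip() if l.startswith("- ") else l for l in lines]
    return None if "ALL" in names else set(names)  # assumption: ALL wins

def plan_secrets(project, kv, namespaces, app_config):
    """Return {(namespace, '<svc>.service-secrets'): {key: value}}."""
    defaults, overrides = {}, {}
    for path, value in kv.items():
        m = SECRET_PATH.match(path)
        if not m or m.group("project") != project:
            continue  # other projects are ignored by this agent instance
        svc, key, ns = m.group("service"), m.group("key"), m.group("ns")
        bucket = defaults.setdefault(svc, {}) if ns is None \
            else overrides.setdefault((svc, ns), {})
        bucket[key] = value
    services = set(defaults) | {svc for svc, _ in overrides}
    plan = {}
    for ns in namespaces:
        allowed = parse_apps(app_config.get(ns))
        for svc in sorted(services):
            if allowed is not None and svc not in allowed:
                continue
            data = dict(defaults.get(svc, {}))
            data.update(overrides.get((svc, ns), {}))  # namespace keys win
            if data:  # no keys for this namespace -> no Secret created
                plan[(ns, f"{svc}.service-secrets")] = data
    return plan

# Constructed input mirroring the example above (not real secrets).
KV = {
    "secret/projects/georgesreinc-test/services/foo/defaults/test1": "value1",
    "secret/projects/georgesreinc-test/services/bar/defaults/test1": "value1",
    "secret/projects/georgesreinc-test/services/bar/defaults/test2": "value2",
    "secret/projects/georgesreinc-test/services/baz/namespaces/ops/apikey": "secret",
}
NAMESPACES = ["ops", "stable", "all-apps", "foo", "wrong"]
APP_CONFIG = {"ops": "- baz", "all-apps": "ALL", "foo": "foo", "wrong": "- baz\n- ALL"}

def example_plan():  # reproduces the eight rows of the kubectl output above
    return plan_secrets("georgesreinc-test", KV, NAMESPACES, APP_CONFIG)
```

Iterating over `sorted(example_plan().items())` and printing `len(data)` for each entry gives the same eight namespace/name/count rows as the kubectl listing.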
Prerequisites
- An existing k8s cluster (this article uses the Kubernetes bundled with Docker for Mac; see https://docs.docker.com/docker-for-mac/#kubernetes for setup instructions)
- helm installed and integrated with the k8s cluster
- An existing Vault (we will start a test Vault locally on the mac)
Setting up a Vault server for testing
A production-grade Vault deployment will be covered in a later article; here we simply start a dev-mode Vault server on the mac and perform the minimal setup.
We follow the official getting-started guide to start a dev Vault server; the brief steps are as follows:
https://learn.hashicorp.com/vault/getting-started/dev-server
Install the vault server
brew install vault
Start the vault server
georgehe@Sha-51664-Mbp ~ vault server -dev -dev-listen-address=0.0.0.0:8200
==> Vault server configuration:
Api Address: http://0.0.0.0:8200
Cgo: disabled
Cluster Address: https://0.0.0.0:8201
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: false, enabled: false
Storage: inmem
Version: Vault v1.1.2
Version Sha: 0082501623c0b704b87b1fbc84c2d725994bac54
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://0.0.0.0:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: x4np0Bh3/h5xfxw1hqV0JCdz7QUbpVu90G4YJZ1GdSo=
Root Token: s.w8c22AWPXvyqS7d9cZDdw9Lu
Development mode should NOT be used in production installations!
==> Vault server started! Log data will stream in below:
- Accessing the vault server
We need the mac's (DHCP-assigned) IP address:
ifconfig en0 | grep "inet "
inet 192.168.31.185 netmask 0xffffff00 broadcast 192.168.31.255
Our Vault address is therefore http://192.168.31.185:8200
- Test that Vault is reachable, and write two k/v entries for testing
$ export VAULT_ADDR=http://192.168.31.185:8200
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.1.2
Cluster Name vault-cluster-79c802fc
Cluster ID 26bef5d1-febd-0319-6170-07808889b9b7
HA Enabled false
$ vault login token=s.w8c22AWPXvyqS7d9cZDdw9Lu
$ vault secrets disable secret
$ vault secrets enable -path=secret kv
$ vault write secret/projects/georgeinc/services/test-app/defaults/key1 value=value1
$ vault list secret/projects/georgeinc/services/test-app/defaults/
Keys
----
key1
$ vault read secret/projects/georgeinc/services/test-app/defaults/key1
Key Value
--- -----
refresh_interval 768h
value value1
Using dev mode with KV v1 by default #111
We are using dev mode, where the default secret engine is KV version 2, so we first disable the secret mount and then re-enable it as a version 1 secret backend.
Later we expect a secret named test-app.service-secrets, containing key1=value1, to be generated; by default this secret will appear in all namespaces.
Installing vault-agent with helm
- Add the george-sre helm repo
helm repo add george-sre 'https://raw.githubusercontent.com/george-sre/helm-repo-in-github/master/'
helm repo update
helm search vault-agent
- Install the vault-agent chart
helm install --debug george-sre/vault-agent \
--name vault-agent \
--set project=georgeinc \
--set vault_addr=http://192.168.31.185:8200 \
--set vault_token=s.w8c22AWPXvyqS7d9cZDdw9Lu
- Verify the helm installation
helm list
NAME REVISION UPDATED STATUS CHART APP VERSION NAMESPACE
vault-agent 1 Mon May 27 15:39:56 2019 DEPLOYED vault-agent-0.1.0 1.0 default
kubectl get pod
NAME READY STATUS RESTARTS AGE
vault-agent-77964b9fbb-xfbkt 1/1 Running 0 34s
- Verify that the secret was created
kubectl get secret --all-namespaces | grep test-app
docker test-app.service-secrets Opaque 1 14m
kubectl get secret test-app.service-secrets -n docker -o yaml --export
apiVersion: v1
data:
  key1: dmFsdWUx
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    app: test-app
  name: test-app.service-secrets
  selfLink: /api/v1/namespaces/docker/secrets/test-app.service-secrets
type: Opaque
For more on how to use vault-agent, see https://github.com/george-sre/vault-agent
Links
- https://github.com/george-sre/vault-agent
- https://github.com/george-sre/helm-repo-in-github
- https://learn.hashicorp.com/vault/getting-started/dev-server
Cloud platform development and operations solutions @george.sre
GitHub: https://github.com/george-sre
Comments and discussion welcome~