README
¶
Vault
Setting up K8S authentication
To set up authentication between Vault & Kubernetes, you need:
- Kubectl
- Hashicorp vault server - a dev server can be started with
vault server -dev
If you already have a vault server running somewhere (e.g dev-util or mini-vms), you can use the cli in the downloaded vault. Export the following env variables:
export VAULT_ADDR=http://localhost:8200 // whereever vault is
export VAULT_TOKEN=replace_with_token_value
Create a service account, secret & ClusterRoleBinding
cat <<EOF | kubectl create -f -
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-auth
---
apiVersion: v1
kind: Secret
metadata:
name: vault-auth
annotations:
kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: role-tokenreview-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-auth
namespace: default
EOF
Enable k8s authentication in vault
vault auth enable kubernetes
(if you're using the dev-util version, this is already enabled)
Save the JWT, Cert & Host URL & configure the auth method
TOKEN_REVIEW_JWT=$(kubectl get secret vault-auth -o go-template='{{ .data.token }}' | base64 --decode)
KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 --decode)
KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')
vault write auth/kubernetes/config token_reviewer_jwt="$TOKEN_REVIEW_JWT" kubernetes_host="$KUBE_HOST" kubernetes_ca_cert="$KUBE_CA_CERT" disable_local_ca_jwt="true"
Create a named role - devweb-app & associate it with the account
vault write auth/kubernetes/role/devweb-app \
bound_service_account_names=vault-auth \
bound_service_account_namespaces=default \
ttl=24h
You will be able to authenticate and get a client token via:
vault write auth/kubernetes/login role=devweb-app jwt=$TOKEN_REVIEW_JWT
Useful Links:
Documentation
¶
Index ¶
- Constants
- type AuthMethod
- type Client
- func (c *Client) AddHooks(_ context.Context, hooks ...Hook)
- func (c *Client) Authenticate() error
- func (c *Client) AutoRenewToken(ctx context.Context)
- func (c *Client) Clone(opts ...Options) (*Client, error)
- func (c *Client) Close() error
- func (c *Client) Logical(ctx context.Context) *Logical
- func (c *Client) Sys(ctx context.Context) *Sys
- func (c *Client) TokenRenewer() (*api.Renewer, error)
- type ClientAuthentication
- type ClientConfig
- type ConnectionProperties
- type Hook
- type KeyOption
- type KeyOptions
- type KubernetesClient
- type KubernetesConfig
- type Logical
- func (l *Logical) Post(path string, data interface{}) (ret *api.Secret, err error)
- func (l *Logical) Read(path string) (ret *api.Secret, err error)
- func (l *Logical) ReadWithData(path string, data map[string][]string) (ret *api.Secret, err error)
- func (l *Logical) WithContext(ctx context.Context) *Logical
- func (l *Logical) Write(path string, data interface{}) (ret *api.Secret, err error)
- func (l *Logical) WriteWithMethod(method, path string, data interface{}) (ret *api.Secret, err error)
- type Options
- type SSLProperties
- type Sys
- type TokenClientAuthentication
- type TokenRefresher
- type TransitEngine
Constants ¶
View Source
const ( Token = AuthMethod("token") Kubernetes = AuthMethod("kubernetes") )
View Source
const (
PropertyPrefix = "cloud.vault"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthMethod ¶
type AuthMethod string
func (*AuthMethod) UnmarshalText ¶
func (a *AuthMethod) UnmarshalText(data []byte) error
UnmarshalText encoding.TextUnmarshaler
type Client ¶
func (*Client) Authenticate ¶
func (*Client) AutoRenewToken ¶
AutoRenewToken start a TokenRefresher to automatically manage and renew vault token
type ClientAuthentication ¶
ClientAuthentication interface represents a vault auth method https://www.vaultproject.io/docs/auth
type ClientConfig ¶
type ClientConfig struct {
// Config raw config of vault driver
*api.Config
// Properties from bootstrap.BootstrapConfig. Typically set via WithProperties()
Properties ConnectionProperties
// ClientAuth used by the client and internal token refresher to authenticate with Vault server
ClientAuth ClientAuthentication
// Hooks instrumentation points
Hooks []Hook
}
type ConnectionProperties ¶
type ConnectionProperties struct {
Host string `json:"host"`
Port int `json:"port"`
Scheme string `json:"scheme"`
Authentication AuthMethod `json:"authentication"`
SSL SSLProperties `json:"ssl"`
Kubernetes KubernetesConfig `json:"kubernetes"`
Token string `json:"token"`
}
func (ConnectionProperties) Address ¶
func (p ConnectionProperties) Address() string
type KeyOptions ¶
type KeyOptions func(opt *KeyOption)
type KubernetesClient ¶
type KubernetesClient struct {
// contains filtered or unexported fields
}
func TokenKubernetesAuthentication ¶
func TokenKubernetesAuthentication(kubernetesConfig KubernetesConfig) *KubernetesClient
type KubernetesConfig ¶
type Logical ¶
func (*Logical) ReadWithData ¶
ReadWithData override api.Logical with proper hooks Note: data is sent as HTTP parameters
func (*Logical) WithContext ¶
WithContext make a copy of current Logical with a new context
type Options ¶
type Options func(cfg *ClientConfig) error
func WithProperties ¶
func WithProperties(p ConnectionProperties) Options
type SSLProperties ¶
type TokenClientAuthentication ¶
type TokenClientAuthentication string
type TokenRefresher ¶
type TokenRefresher struct {
// contains filtered or unexported fields
}
TokenRefresher performs renewal & refreshment of a client's token renewal can occur when a token's ttl is completed, refresh occurs when a token cannot be renewed (e.g max TTL is reached)
func NewTokenRefresher ¶
func NewTokenRefresher(client *Client) *TokenRefresher
func (*TokenRefresher) Start ¶
func (r *TokenRefresher) Start(ctx context.Context)
Start will begin the processes of token renewal & refreshing
func (*TokenRefresher) Stop ¶
func (r *TokenRefresher) Stop()
Stop will stop the token renewal/refreshing processes
type TransitEngine ¶
type TransitEngine interface {
PrepareKey(ctx context.Context, kid string) error
Encrypt(ctx context.Context, kid string, plaintext []byte) ([]byte, error)
Decrypt(ctx context.Context, kid string, cipher []byte) ([]byte, error)
}
func NewTransitEngine ¶
func NewTransitEngine(client *Client, opts ...KeyOptions) TransitEngine
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.