
vault-agent-demo's Introduction

Vault Agent Injector Example

This demo requires Helm v3 and jq to be installed.

Demo

Run the setup script that installs:

  • Vault
  • Vault Agent Injector
  • CSI Secret Store
  • Vault CSI Provider
  • PostgreSQL (used by the examples)

./setup.sh

Vault is automatically initialized and unsealed, and the auth methods, policies and roles are loaded by the setup.

To get the root token or unseal keys for Vault, look in the /tmp directory of the vault-0 pod. This is acceptable for a demo only: anyone who can exec into vault-0 can read the root token from there, so do not carry this bootstrap approach over to a real cluster.

Namespaces

The demo is running in three different namespaces: vault, postgres and app.

kubectl get pods -n vault

kubectl get pods -n postgres

# The app namespace won't have pods running until one of the examples is started
kubectl get pods -n app

Static Secret Demo:

cd ./examples/static-secrets
./run.sh

Observe no secrets/sidecars on the app pod:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Patch the app:

./patch.sh

Observe the secrets at:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Port forward and open the webpage:

kubectl port-forward <name of app pod> -n app 8080:8080

open http://127.0.0.1:8080

Dynamic Secret Demo:

cd ./examples/dynamic-secrets
./run.sh

Observe no secrets/sidecars on the app pod:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Patch the app:

./patch.sh

Observe the secrets at:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Port forward and open the webpage:

kubectl port-forward <name of app pod> -n app 8080:8080

open http://127.0.0.1:8080

Transit Demo:

cd ./examples/transit
./run.sh

Patch the app:

./patch.sh

Observe the secrets at:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Port forward and open the webpage:

kubectl port-forward <name of app pod> -n app 8080:8080

open http://127.0.0.1:8080
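
The "observe no secrets/sidecars" and "observe the secrets" steps in the three demos above are the same check: did the Vault Agent Injector mutate the pod? The following is an added example, not code from the vault-agent-demo repository, that performs that check on the output of `kubectl get pod <name> -n app -o json`. It assumes the injector's default names (the vault.hashicorp.com/agent-inject and vault.hashicorp.com/role annotations, the vault-agent-init init container, the vault-agent sidecar and the /vault/secrets mount); the sample pods and the role name static-secrets are constructed, not captured from a cluster.

```python
"""Report what the Vault Agent Injector did (or did not do) to a pod.

Added example, not code from the vault-agent-demo repository. Usage:
kubectl get pod <name> -n app -o json | python3 injection_status.py
Assumes the injector's default annotation, container and mount names.
"""
import json
import sys

INJECT_ANNOTATION = "vault.hashicorp.com/agent-inject"
ROLE_ANNOTATION = "vault.hashicorp.com/role"
SECRETS_PATH = "/vault/secrets"
APP_CONTAINER = "app"  # the container the demo targets with `kubectl exec -c app`


def injection_status(pod: dict) -> dict:
    """Return which injector artifacts are present on the pod."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    spec = pod.get("spec", {})
    containers = spec.get("containers") or []
    init_containers = spec.get("initContainers") or []
    app_mounts = {
        mount.get("mountPath")
        for container in containers
        if container.get("name") == APP_CONTAINER
        for mount in container.get("volumeMounts") or []
    }
    return {
        "annotated": annotations.get(INJECT_ANNOTATION) == "true",
        "role": annotations.get(ROLE_ANNOTATION),
        "init_container": any(c.get("name") == "vault-agent-init" for c in init_containers),
        "sidecar": any(c.get("name") == "vault-agent" for c in containers),
        "secrets_mounted": SECRETS_PATH in app_mounts,
    }


def diagnose(status: dict) -> str:
    """Map the status to the next thing to check, most likely cause first."""
    if not status["annotated"]:
        return ("not annotated: patch.sh did not reach this pod; check the "
                "Deployment template and confirm a new pod was rolled out")
    if not status["init_container"] and not status["sidecar"]:
        return ("annotated but not mutated: the webhook did not fire; check the "
                "vault-agent-injector logs and its MutatingWebhookConfiguration")
    if not status["secrets_mounted"]:
        return "mutated but %s is not mounted in the %s container" % (SECRETS_PATH, APP_CONTAINER)
    return "injected: role %s, secrets rendered under %s" % (status["role"], SECRETS_PATH)


# Constructed sample pods (not real cluster output): before and after patch.sh.
UNPATCHED_POD = {
    "metadata": {"name": "app-7c9d6b5f4-abcde", "namespace": "app"},
    "spec": {
        "containers": [{"name": "app", "image": "jodonnellhashi/static-secrets-app:1.0.0"}]
    },
}

PATCHED_POD = {
    "metadata": {
        "name": "app-5f8b7c6d9-fghij",
        "namespace": "app",
        "annotations": {
            INJECT_ANNOTATION: "true",
            ROLE_ANNOTATION: "static-secrets",  # hypothetical role name
            # hypothetical KV path; renders to /vault/secrets/config in the pod
            "vault.hashicorp.com/agent-inject-secret-config": "secret/data/static",
        },
    },
    "spec": {
        "initContainers": [{"name": "vault-agent-init"}],
        "containers": [
            {
                "name": "app",
                "image": "jodonnellhashi/static-secrets-app:1.0.0",
                "volumeMounts": [{"name": "vault-secrets", "mountPath": SECRETS_PATH}],
            },
            {"name": "vault-agent"},
        ],
    },
}

if __name__ == "__main__":
    status = injection_status(json.load(sys.stdin))
    print(json.dumps(status, indent=2))
    print(diagnose(status))
```

Run it against the pod once before `./patch.sh` (expect "not annotated") and once against the new pod after it (expect "injected"). A pod that is annotated but has no vault-agent containers points at the webhook, not at the app, which is the case to look at when `ls /vault/secrets` reports "No such file or directory".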

vault-agent-demo's People

Contributors

jasonodonnell


vault-agent-demo's Issues

Secrets are not being injected into pod

Hello,

I tried to walk through the demo on my on-premise k8s cluster. Everything went fine until checking the secrets in the patched static-secrets directory:

kubectl exec -ti $( kubectl get pods -n app --field-selector=status.phase==Running -o jsonpath='{.items[0].metadata.name}' ) -n app -c app -- ls /vault/secrets

ls: /vault/secrets: No such file or directory
command terminated with exit code 1

There is no container on the pod besides the jodonnellhashi/static-secrets-app:1.0.0:

kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}"
jodonnellhashi/static-secrets-app:1.0.0

How to debug this issue?

Errors getting PostStartHook to work

Thanks for this demo repo!

I am facing some issues when automating the post-start tasks via k8s.

When I execute the following manually after pod creation, everything works:

# Init output lands in /tmp, where the demo expects the keys and root token
OUTPUT=/tmp/output.txt
export VAULT_ADDR=https://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true

vault operator init >>"${OUTPUT?}"

# Pull the first key share and the root token out of the init output
unseal=$(grep "Recovery Key 1:" "${OUTPUT?}" | sed -e "s/Recovery Key 1: //g")
root=$(grep "Initial Root Token:" "${OUTPUT?}" | sed -e "s/Initial Root Token: //g")

[...]

However, when using postStart:, pods error right from the start (in the vault operator init call it seems):

 Warning  FailedPostStartHook  17m                kubelet            Exec lifecycle hook ([/bin/sh -c sleep 5 && cp /vault/userconfig/demo-vault/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh]) for Container "vault" in Pod "vault-0_vault(a37cdea2-9b4c-4b78-81e6-dd61db6e0e72)" failed - error: command '/bin/sh -c sleep 5 && cp /vault/userconfig/demo-vault/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh' exited with 2: Error initializing: Put "https://127.0.0.1:8200/v1/sys/init": dial tcp 127.0.0.1:8200: connect: connection refused

PS: I needed to change "Unseal" to "Recovery"; I guess the naming has changed in recent Vault releases (using 1.8.3 at the moment).
I already added a sleep delay of 30s (instead of 5s), without success.

How to bootstrap in HA mode?

Thanks for this example repo!

When deploying in HA mode, multiple pods start at the same time and try to execute the bootstrap script.
One pod will be the fastest, and the others will error, state "Vault has already been initialized" and enter a reboot loop.
How does it work for this repo, for which HA mode seems to be off but three replicas are still being used, judging from the default Helm chart values?
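
The two posts above describe the same bootstrap hook failing in two ways: `vault operator init` called before the listener is up (connection refused), and `init` called a second time by another replica (already initialized). Both go away if the hook consults `vault status` first and acts on the answer. The following is an added example, not code from the vault-agent-demo repository or from either poster, that makes that decision from the exit code and JSON output of `vault status -format=json` (exit 0 unsealed, 1 error, 2 sealed) and parses the `vault operator init` output the README says is kept under /tmp. A Shamir seal prints "Unseal Key N:" lines and an auto-unseal seal prints "Recovery Key N:" lines, so both are accepted. The status and init outputs embedded below are constructed, not captured from a cluster.

```python
"""Decide what a Vault bootstrap hook should do, and parse `vault operator init`.

Added example, not code from the vault-agent-demo repository. A hook would run
`vault status -format=json`, hand exit code and stdout to bootstrap_action(),
and call `vault operator init` only when told "init".
"""
import json
import re

KEY_LINE = re.compile(r"^(Unseal|Recovery) Key (\d+):\s*(\S+)$")
ROOT_LINE = re.compile(r"^Initial Root Token:\s*(\S+)$")


def bootstrap_action(exit_code: int, stdout: str) -> str:
    """Return "retry", "init", "unseal" or "done" for one `vault status` run."""
    if exit_code not in (0, 2) or not stdout.strip():
        # Connection refused, TLS errors and the like exit 1 with no JSON:
        # poll again rather than firing init at a listener that is not up yet.
        return "retry"
    status = json.loads(stdout)
    if not status.get("initialized", False):
        return "init"      # exactly one pod in a set ever gets here
    if status.get("sealed", True):
        return "unseal"    # initialized by another pod already: never re-init
    return "done"


def parse_init_output(text: str) -> dict:
    """Extract key shares and the root token from `vault operator init` output.

    Handles both "Unseal Key N:" (Shamir seal) and "Recovery Key N:"
    (auto-unseal) so the same hook works under either seal type.
    """
    keys, kind, root = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            kind = m.group(1).lower()
            keys.append(m.group(3))
            continue
        m = ROOT_LINE.match(line)
        if m:
            root = m.group(1)
    if not keys or root is None:
        raise ValueError("init output has no key shares or no root token")
    return {"key_kind": kind, "keys": keys, "root_token": root}


# Constructed samples (not real Vault output).
STATUS_UNINITIALIZED = '{"type":"shamir","initialized":false,"sealed":true,"t":0,"n":0,"progress":0}'
STATUS_SEALED = '{"type":"shamir","initialized":true,"sealed":true,"t":3,"n":5,"progress":0}'
STATUS_UNSEALED = '{"type":"shamir","initialized":true,"sealed":false,"t":3,"n":5,"progress":0}'

INIT_OUTPUT_SHAMIR = """\
Unseal Key 1: CONSTRUCTEDshare1
Unseal Key 2: CONSTRUCTEDshare2
Unseal Key 3: CONSTRUCTEDshare3
Unseal Key 4: CONSTRUCTEDshare4
Unseal Key 5: CONSTRUCTEDshare5

Initial Root Token: s.CONSTRUCTEDroot

Vault initialized with 5 key shares and a key threshold of 3.
"""

INIT_OUTPUT_AUTO_UNSEAL = """\
Recovery Key 1: CONSTRUCTEDrecovery1
Recovery Key 2: CONSTRUCTEDrecovery2
Recovery Key 3: CONSTRUCTEDrecovery3

Initial Root Token: s.CONSTRUCTEDroot2

Success! Vault is initialized
"""

if __name__ == "__main__":
    for code, out in ((1, ""), (2, STATUS_UNINITIALIZED), (2, STATUS_SEALED), (0, STATUS_UNSEALED)):
        print("exit %d -> %s" % (code, bootstrap_action(code, out)))
    print(parse_init_output(INIT_OUTPUT_SHAMIR)["key_kind"], parse_init_output(INIT_OUTPUT_AUTO_UNSEAL)["key_kind"])
```

In the hook, the "retry" branch replaces the fixed `sleep 5`: loop on `vault status` until something other than "retry" comes back, and only the pod that sees "init" runs `vault operator init`. Under a Shamir seal the pods that see "unseal" still need key shares that only the initializing pod holds, so a per-pod hook alone cannot bring up an HA set; an auto-unseal seal removes that dependency.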

x509: certificate signed by unknown authority

Hi Jason,
I could deploy the solution to a minikube one-node cluster
$ kubectl -n vault get pods
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 1/1     Running   0          48m
vault-agent-injector-7dcf474d9b-hwpl5   1/1     Running   0          49m

However, I experienced the "x509: certificate signed by unknown authority" error:

$ kubectl -n vault exec -it vault-0 -- vault status
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: x509: certificate signed by unknown authority
command terminated with exit code 1

Have you come across this error before?

Thank you,
Philip
