TABLE OF CONTENTS
1. Overview
2. What is a Secret?
3. What is a HashiCorp Vault?
4. Deployment Diagram
5. How HashiCorp Vault solves real life problems
6. Prerequisites
7. Kubernetes Components
8. Step-by-Step Guide
9. Conclusion
10. CloudThat
11. FAQs
This blog provides a deep dive into HashiCorp Vault and its integration with Kubernetes, and explains its use cases.
HashiCorp Vault's Kubernetes integration is the newest feature launched by HashiCorp to address secret-management issues and securely inject secrets into Kubernetes clusters. It is an invaluable tool, especially for entities such as databases whose credentials have to be delivered into the frontend pod of the Kubernetes cluster.
Kubernetes credentials can be protected by creating a Kubernetes Secret object and embedding the data or other credentials in it. However, the values stored in a Kubernetes Secret object are only base64-encoded, and base64 is an encoding, not encryption: anyone who can read the object can decode them.
What is a Secret?
Secrets are the credentials that we use to authenticate or authorize. They must be protected.
What is a HashiCorp vault?
HashiCorp Vault is an application that manages secrets. It was specifically designed to protect confidential data in any environment. It can be used to store sensitive values and, at the same time, dynamically generate access credentials for specific services/applications on a lease basis.
Diagram of deployment
How HashiCorp Vault solves real life problems
Here, Vault is deployed on Kubernetes.
You might be curious how the Vault agent injects secrets into the pod from the Vault server.
There are two ways to inject secrets into the pod: the static approach and the dynamic approach.
Static approach:
Step 1: The Vault administrator manually inserts the credentials into Vault in key-value format.
Step 2: Create a service account and attach it to the pod. The same service account must also be defined in HashiCorp Vault.
Step 3: Vault retrieves the credentials and mounts them into the pod automatically.
Dynamic approach:
Step 1: Vault generates temporary credentials from the database.
Step 2: The pod authenticates with Vault using the service account.
Step 3: The Vault agent automatically mounts the credentials into your pod.
The pod can use this secret for its lifespan.
If the pod is deleted, Vault immediately goes back to the database and removes the temporary credentials it created.
No operational team needs to maintain the database user.
Prerequisites
An AWS account
We will use the static approach to inject the secrets into pods.
Step 1: Create an EKS cluster in AWS, or create a Kubeadm cluster (see the blog: Deploying A WordPress Application In Kubernetes Cluster Using Kubeadm Tool In AWS EC2 Instances).
Step 2: Install Helm.
1: Run the wget command to download the Helm tar file provided by the lab.
$ wget https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz
2: Run the ls command to ensure the tar file is downloaded.
3: Run the tar -xzf and ls -l commands to extract the linux-amd64 directory.
$ tar -xzf helm-v3.9.0-linux-amd64.tar.gz
4: Run the mv command to move the helm executable to the /usr/local/bin/ directory, then check the version.
$ mv ./linux-amd64/helm /usr/local/bin/
$ helm version
Step 3: Deploy the Vault Helm chart with the following commands.
$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm repo update
$ helm install vault hashicorp/vault --set "server.dev.enabled=true"
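The following shell functions carry the static approach described above (admin stores key-value credentials, service account bound in Vault, agent mounts the secret) through against the dev-mode Vault deployed in Step 3. This is an added example, not code from the original blog; the Vault pod name vault-0, the default namespace, the webapp service account, the secret path secret/webapp/config and the credential values are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: Vault pod "vault-0",
# namespace "default", service account "webapp", KV path "secret/webapp/config".
set -eu

# Runs a vault CLI command inside the dev-mode Vault pod deployed in Step 3
# (dev mode logs the pod's CLI in as root, so no extra login is needed).
vault_cmd() { kubectl exec -i -n default vault-0 -- vault "$@"; }

# Static approach, step 1: the admin stores the credentials as key-value data,
# then allows only the "webapp" service account in "default" to read that one path.
vault_setup() {
  vault_cmd kv put secret/webapp/config username=wpuser password=example-only  # constructed values
  vault_cmd auth enable kubernetes
  # kubernetes_host must be expanded inside the pod, hence the inner shell
  kubectl exec -n default vault-0 -- sh -c \
    'vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
  vault_cmd policy write webapp - <<'EOF'
path "secret/data/webapp/config" { capabilities = ["read"] }
EOF
  vault_cmd write auth/kubernetes/role/webapp \
    bound_service_account_names=webapp bound_service_account_namespaces=default \
    policies=webapp ttl=1h
}

# Static approach, steps 2-3: the pod runs as the same service account and carries
# the injector annotations; the Vault agent sidecar renders the secret to
# /vault/secrets/config.txt without any Kubernetes Secret object being created.
render_deployment() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata: {name: webapp, namespace: default}
spec:
  replicas: 1
  selector: {matchLabels: {app: webapp}}
  template:
    metadata:
      labels: {app: webapp}
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "webapp"
        vault.hashicorp.com/agent-inject-secret-config.txt: "secret/data/webapp/config"
    spec:
      serviceAccountName: webapp
      containers: [{name: app, image: nginx}]
EOF
}
```

Against a live cluster, run vault_setup, create the service account with kubectl create serviceaccount webapp, then pipe render_deployment into kubectl apply -f - and read /vault/secrets/config.txt inside the app container.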