Kubernetes store sensitive information in vault as persistent storage

Overview

In the kubernetes environment, many people may be wondering how to store sensitive information such as passwords and access tokens when trying to automate by CI/CD.

I think that there is resistance to pushing the manifest with the password written on GitHub etc. This time, we will verify the operation of secrets-store-csi-driver , which mounts the confidential information stored in vault , which is provided by hashicorp for managing confidential information, as storage on kuberntes .

Verification environment

  • Governors v1.14.1
  • secrets-store-csi-driver v0.0.11

Advance preparation

As a preliminary preparation, start up the vault server used for operation verification.

Download

Download secrets-store-csi-driver from the GitHub repository .

Deploying a verification vault

Next, deploy the vault used for verification on kubernetes. Since this vault does not have persistent data, all the stored data will be deleted when the pod is deleted. Please use it only for verification.

When deployed, vault pods will start as shown below.

$ kubectl get service -l app=vault
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
vault NodePort 10.21.21.12 <none> 8200:31899/TCP 17m

Port forward to make vault accessible from outside the kubernetes cluster.

In fact, go to vault and make sure it is up.

This completes the setup of the vault server used for verification.

Operation verification

After setting authentication to vault so that kubernetes can access it, deploy secrets-store-csi-driver. In this verification, defaultwe will use the Kubernetes namespace.

Creating a service account in kubernetes

First, create a service account on kubernetes for accessing vault.

Set kubernetes credentials in Vault

Next, set the kubernetes credentials in the vault. First of all, get the required information such as certificates and tokens from various kubernetes resources.

Some values ​​are obtained from kuberntes’ config information. If multiple kubernetes clusters are registered in the config information, check if the correct kubernetes cluster information is acquired. Then kubernetesenable it in vault authentication .

Next kubernetes, set the previously acquired certificate and token information as the authentication information of.

Next, set the access policy of the confidential information used in this operation verification to vault.

This completes the vault credential settings. Next, example store the confidential information of the sample used in the operation verification .

Deploy secrets-store-csi-driver

Deploy the secrets-store-csi-driver.

defaultWhen deploying to a namespace other than the namespace, you need to edit the manifest. Verify that the secrets-store-csi-driver has been deployed.

Mount sensitive information stored in Vault with PV or PVC

Create manifest to mount sensitive information stored in vault.

Now deploy this manifest

Next, create pvc-manifest

Deploy manifest

Make you sure that pvc & pv are done.

Now we can create pod that mounts the deployed pv & pvc.

Deploy pod

Finally, make sure the so pod is able to mount sensitive information stored in vault, let’s check if it mounted correctly

As a result we should see example as a value of the path where sensitive Vault information is stored.

At the end

We verified the operation of mounting the data stored in vault, which is a repository for storing some confidential information, as persistent storage (PVC, PV) with kubernetes. This allow to easily read some passwords, tokens which is stored in kubernetes vault.