hashicorp-dach/vault-agent-demo
Vault Agent Injector Example

This demo requires Helm V3 and jq to be installed.

Script: Jason O'Donnell - Vault & Kubernetes: Better Together

Demo

Run the setup script that installs:

  • Vault
  • Vault Agent Injector
  • CSI Secret Store
  • Vault CSI Provider
  • PostgreSQL (used by the examples)

⚠️ kubectl needs to be available for this (for example Minikube: minikube start --driver=docker or minikube start --driver=virtualbox)

./setup.sh

Vault will automatically init, unseal, load auth methods, load policies and set up roles.

To get the root token or unseal keys for Vault, look in the /tmp directory in the vault-0 pod.

kubectl exec --stdin=true --tty=true vault-0 -n vault -- /bin/sh

cat /tmp/outputs

To access the Vault GUI you have to port-forward 8200. This is best done in a new terminal window.

kubectl port-forward vault-0 -n vault 8200:8200

Namespaces

The demo is running in three different namespaces: vault, postgres and app.

kubectl get pods -n vault

kubectl get pods -n postgres

# App won't have pods running until the examples are started
kubectl get pods -n app

Static Secret Demo:

cd ./examples/static-secrets
./run.sh

Observe no secrets/sidecars on the app pod:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Patch the app:

./patch.sh

Observe the secrets at:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Port forward and open the webpage:

kubectl port-forward <name of app pod> -n app 8080:8080

open http://127.0.0.1:8080
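For reference, this is the kind of annotation patch that makes the Vault Agent Injector add its sidecar and render a KV secret into /vault/secrets. It is an added example, not the repository's patch.sh; the Deployment name, the Kubernetes auth role "app" and the secret path secret/data/app/config are placeholders that must match what setup.sh configured.

```yaml
# Added example (not the repo's patch.sh): strategic merge patch for the app Deployment.
# Placeholders: Deployment name "app", Vault role "app", KV v2 path secret/data/app/config.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: app
spec:
  template:
    metadata:
      annotations:
        # Ask the mutating webhook to inject the vault-agent sidecar (and init container)
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes auth role bound to this pod's ServiceAccount; the injector authenticates
        # with the pod's projected SA token, so no Vault token is ever stored in the manifest
        vault.hashicorp.com/role: "app"
        # Render the secret to /vault/secrets/database-config.txt inside the app container
        vault.hashicorp.com/agent-inject-secret-database-config.txt: "secret/data/app/config"
        # Template only the fields the app needs instead of dumping the whole secret JSON
        vault.hashicorp.com/agent-inject-template-database-config.txt: |
          {{- with secret "secret/data/app/config" -}}
          postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres.postgres:5432/app
          {{- end }}
```

Apply it with kubectl patch deployment app -n app --patch-file patch.yaml; the annotation change rolls out a new pod, which is why the sidecar and /vault/secrets only appear after the patch step above.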

Dynamic Secret Demo:

cd ./examples/dynamic-secrets
./run.sh

Observe no secrets/sidecars on the app pod:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Patch the app:

./patch.sh

Observe the secrets at:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Port forward and open the webpage:

kubectl port-forward <name of app pod> -n app 8080:8080

open http://127.0.0.1:8080

Transit Demo:

cd ./examples/transit
./run.sh

Patch the app:

./patch.sh

Observe the secrets at:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Port forward and open the webpage:

kubectl port-forward <name of app pod> -n app 8080:8080

open http://127.0.0.1:8080
