Tweet
Tweet

Slide 1

Slide 1 text

Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu

Slide 2

Slide 2 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 2 ࣗݾ঺հ Name: Ryotaro Uwatsu (Twitter: @URyo_0213) Title: Solutions Architect Community: - Kubernetes Meetup Novice ӡӦ - Kubenews

Slide 3

Slide 3 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 3 Table of Contents • What’s HashiCorp Vault • How to use Vault Secrets Operator

Slide 4

Slide 4 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 4 What’s HashiCorp Vault

Slide 5

Slide 5 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 5 HashiCorp Vault HashiCorp Vault͸ɺγʔΫϨοτΛηΩϡΞʹ؅ཧ͢Δ͜ͱ͕Մೳͳπ ʔϧͰ͢ɻ ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτ΁ͷΞΫ ηε͕ՄೳͰ͢ɻ ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛ؅ཧ͢Δ͜ͱ͕Մೳͱͳͬͯ ͍·͢ɻ • γʔΫϨοτ؅ཧ • User identity؅ཧ • PKI • etc...

Slide 6

Slide 6 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 6 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ Secretͷσʔλ͸ɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ

Slide 7

Slide 7 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 7 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ ηΩϡΞʹSecretΛ؅ཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ ਺͕૿͑ͯ͠·ͬͨΓ͢Δͱ؅ཧ͕൥ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹ؅ཧ͠ͳ͚Ε͹ͳ Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛ؅ཧͯ͠഑෍͍ͨ͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ AWSͷSecret ManagerͷΑ͏ͳ࢓૊Έ΋͋Δ͕ɺύϒϦοΫΫϥ΢υͳͲʹΞΫηεͰ͖ͳ͔ͬ ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍৘ใ΋͋Δ͔ͱࢥ͍·͢ɻ

Slide 8

Slide 8 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 8 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

Slide 9

Slide 9 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 9 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

Slide 10

Slide 10 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 10 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

Slide 11

Slide 11 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 11 ৄ͘͠͸... Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷ૲ؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani

Slide 12

Slide 12 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 12 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) Agent Injector templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφ಺ͰsourceίϚϯυ౳Λ༻͍ͯద༻͠ͳ͚Ε͹ͳ ΒͳΓ·ͤΜɻ

Slide 13

Slide 13 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 13 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) CSI Provider ઃఆՄೳ͕ͩɺߋ৽ͨ͠৔߹ʹ൓өͯ͘͠Ε·ͤΜɻ

Slide 14

Slide 14 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 14 Vault Secrets Operatorͷొ৔ 2023/03/29ͷϒϩάʹͯΞφ΢ϯε͞Ε·ͨ͠ɻ ※ ·ͩϕʔλͱ͍͏ݐ෇͚ͳͷͰɺ࢖༻͢Δࡍ͸͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration

Slide 15

Slide 15 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 15 Vault Secrets Operator Vault Secrets Operator ͸ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ Operator͸ɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞੒͠ɺ ιʔεʹՃ͑ΒΕͨ͢΂ͯͷมߋ͕൓ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ ରԠύλʔϯ • Static Secret – Key-Valueܕ(ver1, ver2) • Dynamic Secret – ύϒϦοΫΫϥ΢υ΍DB΁ͷΞΫηεΛ͢ΔͨΊͷظݶ෇͖ೝূ৘ใΛಈతʹੜ੒͢Δ΋ͷ • PKI – ಈతͳ X.509 ূ໌ॻΛੜ੒͢Δ

Slide 16

Slide 16 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 16 How to use Vault Secrets Operator

Slide 17

Slide 17 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 17 έʔε ɾ໨ඪ γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ εͱͯ͠࡞੒Ͱ͖ΔΑ͏ʹ͢Δɻ ɾλεΫ 0. ࣄલ४උ 1. Vault Secrets OperatorͷΠϯετʔϧ 2. VaultͷηοςΟϯά 3. VaultConnectionͷ࡞੒ 4. VaultAuthͷ࡞੒ 5. VaultStaticSecretͷ࡞੒

Slide 18

Slide 18 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 18 0. ࣄલ४උ 1. ࣄલʹHelm౳Λ༻͍ͯVaultΛ࡞੒͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ

Slide 19

Slide 19 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 19 0. ࣄલ४උ 2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞੒͠·͢ɻ

Slide 20

Slide 20 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 20 1. Vault Secrets OperatorͷΠϯετʔϧ ࠓճ͸ɺVaultΛHelmΛ༻͍ͯೖΕͨ৔߹Λجʹ͍ͯ͠·͢ɻ

Slide 21

Slide 21 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 21 Vault Secrets Operator CRD Vault Secret OperatorʹΑͬͯ؅ཧ͞ΕΔCRD͸NamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ

Slide 22

Slide 22 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 22 2. VaultͷηοτΞοϓ 1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞੒͠·͢ɻ 2. Policyͷ࡞੒͠·͢ɻ ※path͸ɺSecret࡞੒࣌ͷύεͰ͸ͳ͘ ɹ࡞੒࣌ͷग़ྗͷSecret Path

Slide 23

Slide 23 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 23 2. VaultͷηοτΞοϓ 3. RoleΛ࡞੒͠·͢ɻ • auth/kubernetes/role/vso-demo-role – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role] • bound_service_account_names: Service Account໊ – (P.1*) 0-2Ͱ࡞੒ͨ͠Service Account – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount] • bound_service_account_namespaces: γʔΫϨοτΛ࡞੒͢ΔNamespace • policies: (P.1*) 1-2Ͱ࡞੒ͨ͠ϙϦγʔ໊

Slide 24

Slide 24 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 24 3. VaultConnectionͷ࡞੒ ઀ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.address => VaultʹΞΫηε͢ΔΞυϨε ͜ͷଞʹ΋ɺHTTPϔομʔ΍TLSͷઃఆΛ͢Δύ ϥϝʔλ͕͋Γ·͢ɻ

Slide 25

Slide 25 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 25 4. VaultAuthͷ࡞੒ Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳ৘ใΛهड़͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultConnectionRef => (P.1*) 3 Ͱ࡞੒ͨ͠VaultConnectionϦιʔε໊ .spec.kubernetes.role => (P.1*) 2-3 Ͱ࡞੒ͨ͠Vault্ͷrole .spec.kubernetes.serviceAccount => (P.1*) 0-2 Ͱ࡞੒ͨ͠Service Account໊

Slide 26

Slide 26 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 26 5. VaultStaticSecretͷ࡞੒ Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞੒͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultAuthRef => (P.1*) 4 Ͱ࡞੒ͨ͠VaultAuthϦιʔε໊ .spec.destination.name => Kubernetes্ʹ࡞੒͢ΔSecretϦιʔε໊ .spec.mount / .spec.name => (P.1*) 2-1 Ͱ࡞੒ͨ͠Vault্ͷγʔΫϨοτͷύε mount name

Slide 27

Slide 27 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 27 5. VaultStaticSecretͷ࡞੒ ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞੒͞Ε·͢ɻ

Slide 28

Slide 28 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 28 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ઌ΄ͲͷྫͰ͸ɺ2֊૚ͰͷγʔΫϨοτ࡞੒Λ͔ͨ͠Β෼͔Γ΍͔ͬͨ͢ͱࢥ͍·͢ɻ

Slide 29

Slide 29 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 29 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ֊૚͕૿͑ͯ΋ҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ

Slide 30

Slide 30 text

Copyright © Dell Inc. All Rights Reserved. Internal Use - Confidential 30 ·ͱΊ Sidecar Agent Injector CSI Provider Vault Secrets Operator γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume ؀ڥม਺ Secret γʔΫϨοτλΠϓ Static Dynamic PKI Static Dynamic PKI Static Dynamic PKI ςϯϓϨʔτ ʓ × × (2023/04/17࣌఺) γʔΫϨοτ ϩʔςʔγϣϯ ʓ × ʓ Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍΍͘͢ͳΓ·ͨ͠ɻ ࠓճ঺հͨ͠΋ͷҎ֎ʹ΋༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱ͸ҎԼͷ௨ΓͰ͢ɻ

Slide 31

Slide 31 text

No content