$30 off During Our Annual Pro Sale. View Details »

Vault Secrets Operator Tutorial

Avatar for ry ry
April 17, 2023
Technology
0
560

Vault Secrets Operator Tutorial

Vault Secrets Operatorの使用感について登壇した資料。

Avatar for ry

ry

April 17, 2023
Tweet

More Decks by ry

See All by ry
eBPF Tools on Kubernetes part1
Avatar for ry ry
0
310
KyvernoとRed Hat ACMを用いたマルチクラスターの一元的なポリシー制御
Avatar for ry ry
0
1.2k
明日から始められるKyvernoを用いたポリシー制御
Avatar for ry ry
3
850
CNDT2022 k8snovice Community introduction
Avatar for ry ry
0
150
Policy Engine on Kubernetes
Avatar for ry ry
1
1.4k
ConfigMap and Secret
Avatar for ry ry
0
370
Policy Manager試してみた!
Avatar for ry ry
0
420
Kubernetes APIに Pod内からアクセスしてみた
Avatar for ry ry
1
1.9k
AKS 101 in Kubernetes Novice Tokyo #1
Avatar for ry ry
0
670

Other Decks in Technology

See All in Technology
命名から始めるSpec Driven
Avatar for Kurowi kuruwic
3
830
Oracle Cloud Infrastructure:2025年11月度サービス・アップデート
Avatar for oracle4engineer oracle4engineer
PRO
1
120
eBPFとwaruiBPF
Avatar for Satoru Takeuchi sat
PRO
3
1.2k
Bakuraku Engineering Team Deck
Avatar for LayerX layerx
PRO
11
5.7k
“決まらない”NSM設計への処方箋 〜ビットキーにおける現実的な指標デザイン事例〜 / A Prescription for "Stuck" NSM Design: Bitkey’s Practical Case Study
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
PRO
1
350
事業部のプロジェクト進行と開発チームの改善の “時間軸" のすり合わせ
Avatar for konifar konifar
9
2.9k
生成AI時代の自動E2Eテスト運用とPlaywright実践知_引持力哉
Avatar for LegalOn Technologies, Inc legalontechnologies
PRO
0
100
A Compass of Thought: Guiding the Future of Test Automation ( #jassttokai25 , #jassttokai )
Avatar for teyamagu teyamagu
PRO
1
190
AI (LLM) を活用する上で必須級のMCPをAmazon Q Developerで学ぼう / 20251127 Ikuma Yamashita
Avatar for SHIFT EVOLVE shift_evolve
PRO
2
100
セキュリティAIエージェントの現在と未来 / PSS #2 Takumi Session
Avatar for GMO Flatt Security flatt_security
3
1.4k
Master Dataグループ紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
4k
バグハンター視点によるサプライチェーンの脆弱性
Avatar for morioka12 scgajge12
2
470

Featured

See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.5k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
120
20k
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
8
1.2k
Docker and Python
Avatar for Tania Allard trallard
46
3.7k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.5k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
514
110k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
31
2.7k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
127
17k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
54
7.9k

Transcript

  1. Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu

  2. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 2 ࣗݾ঺հ Name: Ryotaro Uwatsu (Twitter: @URyo_0213) Title: Solutions Architect Community: - Kubernetes Meetup Novice ӡӦ - Kubenews

  3. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 3 Table of Contents • What’s HashiCorp Vault • How to use Vault Secrets Operator

  4. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 4 What’s HashiCorp Vault

  5. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 5 HashiCorp Vault HashiCorp Vault͸ɺγʔΫϨοτΛηΩϡΞʹ؅ཧ͢Δ͜ͱ͕Մೳͳπ ʔϧͰ͢ɻ ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτ΁ͷΞΫ ηε͕ՄೳͰ͢ɻ ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛ؅ཧ͢Δ͜ͱ͕Մೳͱͳͬͯ ͍·͢ɻ • γʔΫϨοτ؅ཧ • User identity؅ཧ • PKI • etc...

  6. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 6 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ Secretͷσʔλ͸ɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ

  7. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 7 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ ηΩϡΞʹSecretΛ؅ཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ ਺͕૿͑ͯ͠·ͬͨΓ͢Δͱ؅ཧ͕൥ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹ؅ཧ͠ͳ͚Ε͹ͳ Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛ؅ཧͯ͠഑෍͍ͨ͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ AWSͷSecret ManagerͷΑ͏ͳ࢓૊Έ΋͋Δ͕ɺύϒϦοΫΫϥ΢υͳͲʹΞΫηεͰ͖ͳ͔ͬ ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍৘ใ΋͋Δ͔ͱࢥ͍·͢ɻ

  8. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 8 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  9. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 9 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  10. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 10 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  11. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 11 ৄ͘͠͸... Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷ૲ؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani

  12. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 12 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) Agent Injector templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφ಺ͰsourceίϚϯυ౳Λ༻͍ͯద༻͠ͳ͚Ε͹ͳ ΒͳΓ·ͤΜɻ

  13. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 13 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) CSI Provider ઃఆՄೳ͕ͩɺߋ৽ͨ͠৔߹ʹ൓өͯ͘͠Ε·ͤΜɻ

  14. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 14 Vault Secrets Operatorͷొ৔ 2023/03/29ͷϒϩάʹͯΞφ΢ϯε͞Ε·ͨ͠ɻ ※ ·ͩϕʔλͱ͍͏ݐ෇͚ͳͷͰɺ࢖༻͢Δࡍ͸͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration

  15. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 15 Vault Secrets Operator Vault Secrets Operator ͸ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ Operator͸ɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞੒͠ɺ ιʔεʹՃ͑ΒΕͨ͢΂ͯͷมߋ͕൓ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ ରԠύλʔϯ • Static Secret – Key-Valueܕ(ver1, ver2) • Dynamic Secret – ύϒϦοΫΫϥ΢υ΍DB΁ͷΞΫηεΛ͢ΔͨΊͷظݶ෇͖ೝূ৘ใΛಈతʹੜ੒͢Δ΋ͷ • PKI – ಈతͳ X.509 ূ໌ॻΛੜ੒͢Δ

  16. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 16 How to use Vault Secrets Operator

  17. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 17 έʔε ɾ໨ඪ γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ εͱͯ͠࡞੒Ͱ͖ΔΑ͏ʹ͢Δɻ ɾλεΫ 0. ࣄલ४උ 1. Vault Secrets OperatorͷΠϯετʔϧ 2. VaultͷηοςΟϯά 3. VaultConnectionͷ࡞੒ 4. VaultAuthͷ࡞੒ 5. VaultStaticSecretͷ࡞੒

  18. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 18 0. ࣄલ४උ 1. ࣄલʹHelm౳Λ༻͍ͯVaultΛ࡞੒͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ

  19. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 19 0. ࣄલ४උ 2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞੒͠·͢ɻ

  20. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 20 1. Vault Secrets OperatorͷΠϯετʔϧ ࠓճ͸ɺVaultΛHelmΛ༻͍ͯೖΕͨ৔߹Λجʹ͍ͯ͠·͢ɻ

  21. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 21 Vault Secrets Operator CRD Vault Secret OperatorʹΑͬͯ؅ཧ͞ΕΔCRD͸NamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ

  22. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 22 2. VaultͷηοτΞοϓ 1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞੒͠·͢ɻ 2. Policyͷ࡞੒͠·͢ɻ ※path͸ɺSecret࡞੒࣌ͷύεͰ͸ͳ͘ ɹ࡞੒࣌ͷग़ྗͷSecret Path

  23. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 23 2. VaultͷηοτΞοϓ 3. RoleΛ࡞੒͠·͢ɻ • auth/kubernetes/role/vso-demo-role – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role] • bound_service_account_names: Service Account໊ – (P.1*) 0-2Ͱ࡞੒ͨ͠Service Account – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount] • bound_service_account_namespaces: γʔΫϨοτΛ࡞੒͢ΔNamespace • policies: (P.1*) 1-2Ͱ࡞੒ͨ͠ϙϦγʔ໊

  24. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 24 3. VaultConnectionͷ࡞੒ ઀ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.address => VaultʹΞΫηε͢ΔΞυϨε ͜ͷଞʹ΋ɺHTTPϔομʔ΍TLSͷઃఆΛ͢Δύ ϥϝʔλ͕͋Γ·͢ɻ

  25. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 25 4. VaultAuthͷ࡞੒ Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳ৘ใΛهड़͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultConnectionRef => (P.1*) 3 Ͱ࡞੒ͨ͠VaultConnectionϦιʔε໊ .spec.kubernetes.role => (P.1*) 2-3 Ͱ࡞੒ͨ͠Vault্ͷrole .spec.kubernetes.serviceAccount => (P.1*) 0-2 Ͱ࡞੒ͨ͠Service Account໊

  26. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 26 5. VaultStaticSecretͷ࡞੒ Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞੒͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultAuthRef => (P.1*) 4 Ͱ࡞੒ͨ͠VaultAuthϦιʔε໊ .spec.destination.name => Kubernetes্ʹ࡞੒͢ΔSecretϦιʔε໊ .spec.mount / .spec.name => (P.1*) 2-1 Ͱ࡞੒ͨ͠Vault্ͷγʔΫϨοτͷύε mount name

  27. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 27 5. VaultStaticSecretͷ࡞੒ ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞੒͞Ε·͢ɻ

  28. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 28 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ઌ΄ͲͷྫͰ͸ɺ2֊૚ͰͷγʔΫϨοτ࡞੒Λ͔ͨ͠Β෼͔Γ΍͔ͬͨ͢ͱࢥ͍·͢ɻ

  29. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 29 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ֊૚͕૿͑ͯ΋ҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ

  30. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 30 ·ͱΊ Sidecar Agent Injector CSI Provider Vault Secrets Operator γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume ؀ڥม਺ Secret γʔΫϨοτλΠϓ Static Dynamic PKI Static Dynamic PKI Static Dynamic PKI ςϯϓϨʔτ ʓ × × (2023/04/17࣌఺) γʔΫϨοτ ϩʔςʔγϣϯ ʓ × ʓ Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍΍͘͢ͳΓ·ͨ͠ɻ ࠓճ঺հͨ͠΋ͷҎ֎ʹ΋༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱ͸ҎԼͷ௨ΓͰ͢ɻ
  31. None