Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Vault Secrets Operator Tutorial
Search
ry
April 17, 2023
Technology
0
530
Vault Secrets Operator Tutorial
Vault Secrets Operatorの使用感について登壇した資料。
ry
April 17, 2023
Tweet
Share
More Decks by ry
See All by ry
eBPF Tools on Kubernetes part1
ry
0
280
KyvernoとRed Hat ACMを用いたマルチクラスターの一元的なポリシー制御
ry
0
1.1k
明日から始められるKyvernoを用いたポリシー制御
ry
3
780
CNDT2022 k8snovice Community introduction
ry
0
140
Policy Engine on Kubernetes
ry
1
1.4k
ConfigMap and Secret
ry
0
350
Policy Manager試してみた!
ry
0
410
Kubernetes APIに Pod内からアクセスしてみた
ry
1
1.8k
AKS 101 in Kubernetes Novice Tokyo #1
ry
0
660
Other Decks in Technology
See All in Technology
自分がLinc’wellで提供しているプロダクトを理解するためにやったこと
murabayashi
1
160
手動からの解放!!Strands Agents で実現する総合テスト自動化
ideaws
2
270
会社もクラウドも違うけど 通じたコスト削減テクニック/Cost optimization strategies effective regardless of company or cloud provider
aeonpeople
2
140
ecspressoの設計思想に至る道 / sekkeinight2025
fujiwara3
7
680
DATA+AI SummitとSnowflake Summit: ユーザから見た共通点と相違点 / DATA+AI Summit and Snowflake Summit
nttcom
0
190
AI Ready API ─ AI時代に求められるAPI設計とは?/ AI-Ready API - Designing MCP and APIs in the AI Era
yokawasa
20
5.7k
Contract One Engineering Unit 紹介資料
sansan33
PRO
0
7k
(HackFes)米国国防総省のDevSecOpsライフサイクルをAWSのセキュリティサービスとOSSで実現
syoshie
5
660
Ktor + Google Cloud Tasks/PubSub におけるOTel Messaging計装の実践
sansantech
PRO
1
230
機械学習を「社会実装」するということ 2025年夏版 / Social Implementation of Machine Learning July 2025 Version
moepy_stats
1
480
複数のGemini CLIが同時開発する狂気 - Jujutsuが実現するAIエージェント協調の新世界
gunta
11
3.1k
組織内、組織間の資産保護に必要なアイデンティティ基盤と関連技術の最新動向
fujie
0
500
Featured
See All Featured
How GitHub (no longer) Works
holman
314
140k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.6k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
RailsConf 2023
tenderlove
30
1.2k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
The Straight Up "How To Draw Better" Workshop
denniskardys
235
140k
The Invisible Side of Design
smashingmag
301
51k
We Have a Design System, Now What?
morganepeng
53
7.7k
Automating Front-end Workflow
addyosmani
1370
200k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
108
19k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
Transcript
Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 2 ࣗݾհ Name: Ryotaro Uwatsu (Twitter: @URyo_0213) Title: Solutions Architect Community: - Kubernetes Meetup Novice ӡӦ - Kubenews
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 3 Table of Contents • What’s HashiCorp Vault • How to use Vault Secrets Operator
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 4 What’s HashiCorp Vault
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 5 HashiCorp Vault HashiCorp VaultɺγʔΫϨοτΛηΩϡΞʹཧ͢Δ͜ͱ͕Մೳͳπ ʔϧͰ͢ɻ ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτͷΞΫ ηε͕ՄೳͰ͢ɻ ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛཧ͢Δ͜ͱ͕Մೳͱͳͬͯ ͍·͢ɻ • γʔΫϨοτཧ • User identityཧ • PKI • etc...
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 6 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ Secretͷσʔλɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 7 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ ηΩϡΞʹSecretΛཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ ͕૿͑ͯ͠·ͬͨΓ͢Δͱཧ͕ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹཧ͠ͳ͚Εͳ Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛཧ͍ͯͨ͠͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ AWSͷSecret ManagerͷΑ͏ͳΈ͋Δ͕ɺύϒϦοΫΫϥυͳͲʹΞΫηεͰ͖ͳ͔ͬ ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍ใ͋Δ͔ͱࢥ͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 8 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 9 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 10 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 11 ৄ͘͠... Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 12 ͜Ε·Ͱͷ γʔΫϨοτใΛڥมͳͲʹద༻͍ͨ͠߹... ྫ) Agent Injector templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφͰsourceίϚϯυΛ༻͍ͯద༻͠ͳ͚Εͳ ΒͳΓ·ͤΜɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 13 ͜Ε·Ͱͷ γʔΫϨοτใΛڥมͳͲʹద༻͍ͨ͠߹... ྫ) CSI Provider ઃఆՄೳ͕ͩɺߋ৽ͨ͠߹ʹөͯ͘͠Ε·ͤΜɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 14 Vault Secrets Operatorͷొ 2023/03/29ͷϒϩάʹͯΞφϯε͞Ε·ͨ͠ɻ ※ ·ͩϕʔλͱ͍͏ݐ͚ͳͷͰɺ༻͢Δࡍ͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 15 Vault Secrets Operator Vault Secrets Operator ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ OperatorɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞͠ɺ ιʔεʹՃ͑ΒΕͨͯ͢ͷมߋ͕ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ ରԠύλʔϯ • Static Secret – Key-Valueܕ(ver1, ver2) • Dynamic Secret – ύϒϦοΫΫϥυDBͷΞΫηεΛ͢ΔͨΊͷظݶ͖ೝূใΛಈతʹੜ͢Δͷ • PKI – ಈతͳ X.509 ূ໌ॻΛੜ͢Δ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 16 How to use Vault Secrets Operator
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 17 έʔε ɾඪ γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ εͱͯ͠࡞Ͱ͖ΔΑ͏ʹ͢Δɻ ɾλεΫ 0. ࣄલ४උ 1. Vault Secrets OperatorͷΠϯετʔϧ 2. VaultͷηοςΟϯά 3. VaultConnectionͷ࡞ 4. VaultAuthͷ࡞ 5. VaultStaticSecretͷ࡞
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 18 0. ࣄલ४උ 1. ࣄલʹHelmΛ༻͍ͯVaultΛ࡞͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 19 0. ࣄલ४උ 2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 20 1. Vault Secrets OperatorͷΠϯετʔϧ ࠓճɺVaultΛHelmΛ༻͍ͯೖΕͨ߹Λجʹ͍ͯ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 21 Vault Secrets Operator CRD Vault Secret OperatorʹΑͬͯཧ͞ΕΔCRDNamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 22 2. VaultͷηοτΞοϓ 1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞͠·͢ɻ 2. Policyͷ࡞͠·͢ɻ ※pathɺSecret࡞࣌ͷύεͰͳ͘ ɹ࡞࣌ͷग़ྗͷSecret Path
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 23 2. VaultͷηοτΞοϓ 3. RoleΛ࡞͠·͢ɻ • auth/kubernetes/role/vso-demo-role – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role] • bound_service_account_names: Service Account໊ – (P.1*) 0-2Ͱ࡞ͨ͠Service Account – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount] • bound_service_account_namespaces: γʔΫϨοτΛ࡞͢ΔNamespace • policies: (P.1*) 1-2Ͱ࡞ͨ͠ϙϦγʔ໊
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 24 3. VaultConnectionͷ࡞ ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.address => VaultʹΞΫηε͢ΔΞυϨε ͜ͷଞʹɺHTTPϔομʔTLSͷઃఆΛ͢Δύ ϥϝʔλ͕͋Γ·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 25 4. VaultAuthͷ࡞ Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳใΛهड़͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultConnectionRef => (P.1*) 3 Ͱ࡞ͨ͠VaultConnectionϦιʔε໊ .spec.kubernetes.role => (P.1*) 2-3 Ͱ࡞ͨ͠Vault্ͷrole .spec.kubernetes.serviceAccount => (P.1*) 0-2 Ͱ࡞ͨ͠Service Account໊
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 26 5. VaultStaticSecretͷ࡞ Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultAuthRef => (P.1*) 4 Ͱ࡞ͨ͠VaultAuthϦιʔε໊ .spec.destination.name => Kubernetes্ʹ࡞͢ΔSecretϦιʔε໊ .spec.mount / .spec.name => (P.1*) 2-1 Ͱ࡞ͨ͠Vault্ͷγʔΫϨοτͷύε mount name
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 27 5. VaultStaticSecretͷ࡞ ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞͞Ε·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 28 ͠֊͕ਂ͘ͳͬͨ߹Ͳ͏ͨ͠Β͍͍ʁ ઌ΄ͲͷྫͰɺ2֊ͰͷγʔΫϨοτ࡞Λ͔ͨ͠Β͔Γ͔ͬͨ͢ͱࢥ͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 29 ͠֊͕ਂ͘ͳͬͨ߹Ͳ͏ͨ͠Β͍͍ʁ ֊͕૿͑ͯҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 30 ·ͱΊ Sidecar Agent Injector CSI Provider Vault Secrets Operator γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume ڥม Secret γʔΫϨοτλΠϓ Static Dynamic PKI Static Dynamic PKI Static Dynamic PKI ςϯϓϨʔτ ʓ × × (2023/04/17࣌) γʔΫϨοτ ϩʔςʔγϣϯ ʓ × ʓ Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍͘͢ͳΓ·ͨ͠ɻ ࠓճհͨ͠ͷҎ֎ʹ༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱҎԼͷ௨ΓͰ͢ɻ
None