Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vault Secrets Operator Tutorial

ry
April 17, 2023

Vault Secrets Operator Tutorial

Vault Secrets Operatorの使用感について登壇した資料。

ry

April 17, 2023
Tweet

More Decks by ry

Other Decks in Technology

Transcript

  1. Vault Secrets Operator Tutorial
    Kubernetes Novice Tokyo #24


    Ryotaro Uwatsu

    View full-size slide

  2. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 2
    ࣗݾ঺հ
    Name: Ryotaro Uwatsu (Twitter: @URyo_0213)


    Title: Solutions Architect


    Community:


    - Kubernetes Meetup Novice ӡӦ


    - Kubenews

    View full-size slide

  3. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 3
    Table of Contents
    • What’s HashiCorp Vault


    • How to use Vault Secrets Operator

    View full-size slide

  4. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 4
    What’s HashiCorp Vault

    View full-size slide

  5. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 5
    HashiCorp Vault
    HashiCorp Vault͸ɺγʔΫϨοτΛηΩϡΞʹ؅ཧ͢Δ͜ͱ͕Մೳͳπ
    ʔϧͰ͢ɻ


    ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτ΁ͷΞΫ
    ηε͕ՄೳͰ͢ɻ


    ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛ؅ཧ͢Δ͜ͱ͕Մೳͱͳͬͯ
    ͍·͢ɻ


    • γʔΫϨοτ؅ཧ


    • User identity؅ཧ


    • PKI


    • etc...

    View full-size slide

  6. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 6
    ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔
    Secretͷσʔλ͸ɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ

    View full-size slide

  7. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 7
    ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔
    ηΩϡΞʹSecretΛ؅ཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ
    ਺͕૿͑ͯ͠·ͬͨΓ͢Δͱ؅ཧ͕൥ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹ؅ཧ͠ͳ͚Ε͹ͳ
    Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛ؅ཧͯ͠഑෍͍ͨ͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ


    AWSͷSecret ManagerͷΑ͏ͳ࢓૊Έ΋͋Δ͕ɺύϒϦοΫΫϥ΢υͳͲʹΞΫηεͰ͖ͳ͔ͬ
    ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍৘ใ΋͋Δ͔ͱࢥ͍·͢ɻ

    View full-size slide

  8. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 8
    Kubernetes΁ͷγʔΫϨοτͷద༻
    (ެࣜ)


    • Agent Injector


    – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar
    Agent͕มߋΛ൓ө͠·͢ɻ


    • CSI Provider


    – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ


    (ίϛϡχςΟ)


    • External Secret


    – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

    View full-size slide

  9. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 9
    Kubernetes΁ͷγʔΫϨοτͷద༻
    (ެࣜ)


    • Agent Injector


    – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar
    Agent͕มߋΛ൓ө͠·͢ɻ


    • CSI Provider


    – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ


    (ίϛϡχςΟ)


    • External Secret


    – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

    View full-size slide

  10. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 10
    Kubernetes΁ͷγʔΫϨοτͷద༻
    (ެࣜ)


    • Agent Injector


    – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar
    Agent͕มߋΛ൓ө͠·͢ɻ


    • CSI Provider


    – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ


    (ίϛϡχςΟ)


    • External Secret


    – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

    View full-size slide

  11. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 11
    ৄ͘͠͸...
    Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷ૲ؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ
    https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani

    View full-size slide

  12. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 12
    ͜Ε·Ͱͷ೉఺
    γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹...


    ྫ) Agent Injector


    templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφ಺ͰsourceίϚϯυ౳Λ༻͍ͯద༻͠ͳ͚Ε͹ͳ
    ΒͳΓ·ͤΜɻ

    View full-size slide

  13. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 13
    ͜Ε·Ͱͷ೉఺
    γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹...


    ྫ) CSI Provider


    ઃఆՄೳ͕ͩɺߋ৽ͨ͠৔߹ʹ൓өͯ͘͠Ε·ͤΜɻ

    View full-size slide

  14. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 14
    Vault Secrets Operatorͷొ৔
    2023/03/29ͷϒϩάʹͯΞφ΢ϯε͞Ε·ͨ͠ɻ


    ※ ·ͩϕʔλͱ͍͏ݐ෇͚ͳͷͰɺ࢖༻͢Δࡍ͸͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ
    https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration

    View full-size slide

  15. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 15
    Vault Secrets Operator
    Vault Secrets Operator ͸ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ


    Operator͸ɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞੒͠ɺ
    ιʔεʹՃ͑ΒΕͨ͢΂ͯͷมߋ͕൓ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ


    ରԠύλʔϯ


    • Static Secret


    – Key-Valueܕ(ver1, ver2)


    • Dynamic Secret


    – ύϒϦοΫΫϥ΢υ΍DB΁ͷΞΫηεΛ͢ΔͨΊͷظݶ෇͖ೝূ৘ใΛಈతʹੜ੒͢Δ΋ͷ


    • PKI


    – ಈతͳ X.509 ূ໌ॻΛੜ੒͢Δ

    View full-size slide

  16. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 16
    How to use Vault Secrets Operator

    View full-size slide

  17. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 17
    έʔε
    ɾ໨ඪ


    γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ
    εͱͯ͠࡞੒Ͱ͖ΔΑ͏ʹ͢Δɻ


    ɾλεΫ


    0. ࣄલ४උ


    1. Vault Secrets OperatorͷΠϯετʔϧ


    2. VaultͷηοςΟϯά


    3. VaultConnectionͷ࡞੒


    4. VaultAuthͷ࡞੒


    5. VaultStaticSecretͷ࡞੒

    View full-size slide

  18. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 18
    0. ࣄલ४උ
    1. ࣄલʹHelm౳Λ༻͍ͯVaultΛ࡞੒͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ

    View full-size slide

  19. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 19
    0. ࣄલ४උ
    2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞੒͠·͢ɻ

    View full-size slide

  20. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 20
    1. Vault Secrets OperatorͷΠϯετʔϧ
    ࠓճ͸ɺVaultΛHelmΛ༻͍ͯೖΕͨ৔߹Λجʹ͍ͯ͠·͢ɻ

    View full-size slide

  21. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 21
    Vault Secrets Operator CRD
    Vault Secret OperatorʹΑͬͯ؅ཧ͞ΕΔCRD͸NamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ


    View full-size slide

  22. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 22
    2. VaultͷηοτΞοϓ
    1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞੒͠·͢ɻ


    2. Policyͷ࡞੒͠·͢ɻ ※path͸ɺSecret࡞੒࣌ͷύεͰ͸ͳ͘


    ɹ࡞੒࣌ͷग़ྗͷSecret Path

    View full-size slide

  23. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 23
    2. VaultͷηοτΞοϓ
    3. RoleΛ࡞੒͠·͢ɻ


    • auth/kubernetes/role/vso-demo-role


    – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role]


    • bound_service_account_names: Service Account໊


    – (P.1*) 0-2Ͱ࡞੒ͨ͠Service Account


    – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount]


    • bound_service_account_namespaces: γʔΫϨοτΛ࡞੒͢ΔNamespace


    • policies: (P.1*) 1-2Ͱ࡞੒ͨ͠ϙϦγʔ໊

    View full-size slide

  24. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 24
    3. VaultConnectionͷ࡞੒
    ઀ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ
    [Մมύϥϝʔλ]


    .spec.address


    => VaultʹΞΫηε͢ΔΞυϨε


    ͜ͷଞʹ΋ɺHTTPϔομʔ΍TLSͷઃఆΛ͢Δύ
    ϥϝʔλ͕͋Γ·͢ɻ

    View full-size slide

  25. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 25
    4. VaultAuthͷ࡞੒
    Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳ৘ใΛهड़͢ΔϦιʔεͰ͢ɻ
    [Մมύϥϝʔλ]


    .spec.vaultConnectionRef


    => (P.1*) 3 Ͱ࡞੒ͨ͠VaultConnectionϦιʔε໊


    .spec.kubernetes.role


    => (P.1*) 2-3 Ͱ࡞੒ͨ͠Vault্ͷrole


    .spec.kubernetes.serviceAccount


    => (P.1*) 0-2 Ͱ࡞੒ͨ͠Service Account໊

    View full-size slide

  26. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 26
    5. VaultStaticSecretͷ࡞੒
    Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞੒͢ΔϦιʔεͰ͢ɻ
    [Մมύϥϝʔλ]


    .spec.vaultAuthRef


    => (P.1*) 4 Ͱ࡞੒ͨ͠VaultAuthϦιʔε໊


    .spec.destination.name


    => Kubernetes্ʹ࡞੒͢ΔSecretϦιʔε໊


    .spec.mount / .spec.name


    => (P.1*) 2-1 Ͱ࡞੒ͨ͠Vault্ͷγʔΫϨοτͷύε


    mount name

    View full-size slide

  27. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 27
    5. VaultStaticSecretͷ࡞੒
    ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞੒͞Ε·͢ɻ

    View full-size slide

  28. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 28
    ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ
    ઌ΄ͲͷྫͰ͸ɺ2֊૚ͰͷγʔΫϨοτ࡞੒Λ͔ͨ͠Β෼͔Γ΍͔ͬͨ͢ͱࢥ͍·͢ɻ

    View full-size slide

  29. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 29
    ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ
    ֊૚͕૿͑ͯ΋ҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ

    View full-size slide

  30. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 30
    ·ͱΊ
    Sidecar Agent Injector CSI Provider Vault Secrets Operator
    γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume


    ؀ڥม਺
    Secret
    γʔΫϨοτλΠϓ Static


    Dynamic


    PKI
    Static


    Dynamic


    PKI
    Static


    Dynamic


    PKI
    ςϯϓϨʔτ ʓ × × (2023/04/17࣌఺)
    γʔΫϨοτ


    ϩʔςʔγϣϯ
    ʓ × ʓ
    Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍΍͘͢ͳΓ·ͨ͠ɻ


    ࠓճ঺հͨ͠΋ͷҎ֎ʹ΋༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ


    ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱ͸ҎԼͷ௨ΓͰ͢ɻ


    View full-size slide