
Vault Secrets Operator Tutorial

ry
April 17, 2023


Slides from a talk on what it is like to use Vault Secrets Operator.


Transcript

  1. Vault Secrets Operator Tutorial
    Kubernetes Novice Tokyo #24
    Ryotaro Uwatsu

  2. Copyright © Dell Inc. All Rights Reserved.
    Internal Use - Confidential 2
    About me
    Name: Ryotaro Uwatsu (Twitter: @URyo_0213)
    Title: Solutions Architect
    Community:
    - Kubernetes Meetup Novice (organizer)
    - Kubenews

  3. Table of Contents
    • What's HashiCorp Vault
    • How to use Vault Secrets Operator

  4. What's HashiCorp Vault

  5. HashiCorp Vault
    HashiCorp Vault is a tool for managing secrets securely.
    It supports many access methods, and every access to a secret is governed by policy.
    It can manage secrets of many kinds, for example:
    • Secrets management
    • User identity management
    • PKI
    • etc...

  6. Why is it good to have Vault?
    The data in a Kubernetes Secret is only base64-encoded, so anyone who can read the object can decode it immediately.

  7. Why is it good to have Vault?
    There are solutions such as Sealed Secrets for managing Secrets securely, but as the number of secrets grows, management becomes cumbersome and has to be repeated per cluster, so you end up wanting to manage and distribute secrets centrally.
    There are also services such as AWS Secrets Manager, but you may not be able to reach the public cloud, and some information may not be allowed to live there at all.

  8. Applying secrets to Kubernetes
    (Official)
    • Agent Injector
    – An init container writes the secret into a specific directory; afterwards, a sidecar agent picks up any changes.
    • CSI Provider
    – Uses CSI to mount the secret into the Pod as a volume.
    (Community)
    • External Secret
    – Creates Secret resources from an ExternalSecret (CRD).


  11. For details...
    See the slides presented by Kusama-san of HashiCorp at Kubernetes Novice Tokyo #15.
    https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani

  12. Pain points so far
    When you want to expose secrets as environment variables...
    Example: Agent Injector
    You have to write the template so that it emits export statements, and then apply them inside the container with something like the source command.

  13. Pain points so far
    When you want to expose secrets as environment variables...
    Example: CSI Provider
    It can be configured, but when the secret is updated the change is not reflected.

  14. Enter Vault Secrets Operator
    It was announced in a blog post on 2023/03/29.
    ※ It is still positioned as a beta, so evaluate it carefully before adopting it.
    https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration

  15. Vault Secrets Operator
    Vault Secrets Operator integrates Vault with Kubernetes through a set of CRDs.
    The operator creates the secret data held in Vault as Secret resources on the target Kubernetes cluster and keeps them in sync with every change made at the source.
    Supported patterns
    • Static Secret
    – Key-Value (v1, v2)
    • Dynamic Secret
    – dynamically generates time-limited credentials for access to public clouds and databases
    • PKI
    – generates X.509 certificates dynamically

  16. How to use Vault Secrets Operator

  17. Scenario
    ・Goal
    Fetch a secret from Vault and create it as a Secret resource in the default namespace.
    ・Tasks
    0. Prerequisites
    1. Install Vault Secrets Operator
    2. Set up Vault
    3. Create a VaultConnection
    4. Create a VaultAuth
    5. Create a VaultStaticSecret

  18. 0. Prerequisites
    1. Vault must already be deployed, for example with Helm.

  19. 0. Prerequisites
    2. Create the Service Account that will be used when fetching secrets from Vault.

  20. 1. Install Vault Secrets Operator
    This walkthrough assumes Vault was installed with Helm.

  21. Vault Secrets Operator CRD
    The CRDs managed by Vault Secrets Operator are applied as namespaced resources.

  22. 2. Set up Vault
    1. Enable the Key-Value v2 secrets engine and create a secret.
    2. Create a policy. ※ The path in the policy is not the path you passed when creating the secret, but the Secret Path shown in the output when the secret was created.

  23. 2. Set up Vault
    3. Create a role.
    • auth/kubernetes/role/vso-demo-role
    – referenced later from VaultAuth [.spec.kubernetes.role]
    • bound_service_account_names: the Service Account name
    – (P.1*) the Service Account created in step 0-2
    – referenced later from VaultAuth [.spec.kubernetes.serviceAccount]
    • bound_service_account_namespaces: the Namespace in which the secret will be created
    • policies: (P.1*) the policy name created in step 1-2

  24. 3. Create a VaultConnection
    This resource specifies the Vault instance to connect to.
    [Configurable parameters]
    .spec.address
    => the address used to reach Vault
    There are further parameters for HTTP headers and TLS settings.

  25. 4. Create a VaultAuth
    This resource holds the information needed to authenticate to Vault.
    [Configurable parameters]
    .spec.vaultConnectionRef
    => (P.1*) the name of the VaultConnection resource created in step 3
    .spec.kubernetes.role
    => (P.1*) the Vault role created in step 2-3
    .spec.kubernetes.serviceAccount
    => (P.1*) the Service Account name created in step 0-2

  26. 5. Create a VaultStaticSecret
    This resource creates the secret fetched from Vault as a Secret on Kubernetes.
    [Configurable parameters]
    .spec.vaultAuthRef
    => (P.1*) the name of the VaultAuth resource created in step 4
    .spec.destination.name
    => the name of the Secret resource to create on Kubernetes
    .spec.mount / .spec.name
    => (P.1*) the path of the secret in Vault created in step 2-1
    (mount / name)

  27. 5. Create a VaultStaticSecret
    A Secret resource is created as shown below.

  28. What if the path hierarchy gets deeper?
    In the previous example the secret was created two levels deep, so it was easy to follow.

  29. What if the path hierarchy gets deeper?
    Even with more levels, it can be applied as shown below.
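The following script is an added example, not code from the slides or from the Vault Secrets Operator project. It renders the Vault-side objects of step 2 (the policy with the KV v2 data path and the Kubernetes auth role) and the three custom resources of steps 3 to 5 with the fields named on the slides, and it goes slightly beyond the two-level case above: the policy-path rule (insert data/ after the mount) is applied to however deep the secret name is nested. Only the role name vso-demo-role comes from the slides; the mount kvv2, the secret name webapp/config, the policy name vso-demo-policy, the service account vso-demo-sa, the in-cluster Vault address and the resource names are assumptions, and can be overridden through the VSO_* variables.

```shell
#!/usr/bin/env bash
# Added example, not code from the slides. Renders the Vault-side objects
# (steps 2-2 and 2-3) and the VSO custom resources (steps 3 to 5) for review;
# nothing here contacts Vault or the cluster. All names except the role
# "vso-demo-role" are assumptions and can be overridden via VSO_* variables.
set -eu

VSO_MOUNT="${VSO_MOUNT:-kvv2}"
VSO_SECRET="${VSO_SECRET:-webapp/config}"      # may be nested, e.g. team/app/db
VSO_POLICY="${VSO_POLICY:-vso-demo-policy}"
VSO_ROLE="${VSO_ROLE:-vso-demo-role}"
VSO_SA="${VSO_SA:-vso-demo-sa}"
VSO_NS="${VSO_NS:-default}"
VSO_VAULT_ADDR="${VSO_VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"

# A secret written with `vault kv put <mount>/<name>` lives at the KV v2 API
# path <mount>/data/<name>; that is the "Secret Path" printed by `vault kv put`
# and the path a policy must grant. The rule is the same however deeply
# <name> is nested.
kv2_policy_path() {
  printf '%s/data/%s\n' "$1" "$2"
}

# Step 2-2: a read-only policy for exactly this one secret (least privilege).
render_policy() {
  cat <<EOF
path "$(kv2_policy_path "$VSO_MOUNT" "$VSO_SECRET")" {
  capabilities = ["read"]
}
EOF
}

# Step 2-3: the Kubernetes auth role. Binding one service account and one
# namespace means a token from any other workload is rejected at login.
render_role_cmd() {
  printf 'vault write auth/kubernetes/role/%s \\\n' "$VSO_ROLE"
  printf '  bound_service_account_names=%s \\\n' "$VSO_SA"
  printf '  bound_service_account_namespaces=%s \\\n' "$VSO_NS"
  printf '  policies=%s\n' "$VSO_POLICY"
}

# Steps 3-5: VaultConnection, VaultAuth and VaultStaticSecret, using the
# v1beta1 API and the .spec.name field for the secret path as on the slides.
render_vso_manifests() {
  cat <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-connection
  namespace: $VSO_NS
spec:
  address: $VSO_VAULT_ADDR
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-auth
  namespace: $VSO_NS
spec:
  vaultConnectionRef: vault-connection
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: $VSO_ROLE
    serviceAccount: $VSO_SA
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vault-static-secret
  namespace: $VSO_NS
spec:
  vaultAuthRef: vault-auth
  mount: $VSO_MOUNT
  type: kv-v2
  name: $VSO_SECRET
  refreshAfter: 30s
  destination:
    name: secretkv
    create: true
EOF
}

# Stand-alone run (`sh vso-demo.sh render`): print every artifact in order.
if [ "${1:-}" = "render" ]; then render_policy; echo '---'; render_role_cmd; echo '---'; render_vso_manifests; fi
```

After step 2-1 has been done by hand (enable the engine at the mount and `vault kv put` the secret), the rendered pieces are applied in order: `render_policy | vault policy write vso-demo-policy -` writes the policy from stdin, the command printed by `render_role_cmd` is run as-is, and `render_vso_manifests | kubectl apply -f -` creates the three resources. The role binds a single service account in a single namespace rather than a wildcard, and the policy grants read on one data path only, so the operator's Vault token can do nothing beyond fetching that secret.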

  30. Summary
    With Vault Secrets Operator, secrets have become easier to handle than ever.
    There are many more ways to use it beyond what was covered here, so please give it a try.
    A quick comparison with the other Kubernetes integration methods:

                         Sidecar Agent Injector   CSI Provider                   Vault Secrets Operator
    Delivery method      Volume (emptyDir)        Volume, environment variables  Secret
    Secret types         Static, Dynamic, PKI     Static, Dynamic, PKI           Static, Dynamic, PKI
    Templates            ○                        ×                              × (as of 2023/04/17)
    Secret rotation      ○                        ×                              ○
