Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Vault Secrets Operator Tutorial
Search
ry
April 17, 2023
Technology
0
470
Vault Secrets Operator Tutorial
Vault Secrets Operatorの使用感について登壇した資料。
ry
April 17, 2023
Tweet
Share
More Decks by ry
See All by ry
eBPF Tools on Kubernetes part1
ry
0
220
KyvernoとRed Hat ACMを用いたマルチクラスターの一元的なポリシー制御
ry
0
970
明日から始められるKyvernoを用いたポリシー制御
ry
3
710
CNDT2022 k8snovice Community introduction
ry
0
120
Policy Engine on Kubernetes
ry
1
1.3k
ConfigMap and Secret
ry
0
320
Policy Manager試してみた!
ry
0
380
Kubernetes APIに Pod内からアクセスしてみた
ry
1
1.6k
AKS 101 in Kubernetes Novice Tokyo #1
ry
0
610
Other Decks in Technology
See All in Technology
君も受託系GISエンジニアにならないか
sudataka
2
430
リーダブルテストコード 〜メンテナンスしやすい テストコードを作成する方法を考える〜 #DevSumi #DevSumiB / Readable test code
nihonbuson
11
7.2k
Oracle Cloud Infrastructure:2025年2月度サービス・アップデート
oracle4engineer
PRO
1
210
プロセス改善による品質向上事例
tomasagi
2
2.6k
RSNA2024振り返り
nanachi
0
580
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
6
57k
人はなぜISUCONに夢中になるのか
kakehashi
PRO
6
1.7k
7日間でハッキングをはじめる本をはじめてみませんか?_ITエンジニア本大賞2025
nomizone
2
1.8k
Moved to https://speakerdeck.com/toshihue/presales-engineer-career-bridging-tech-biz-ja
toshihue
2
740
エンジニアのためのドキュメント力基礎講座〜構造化思考から始めよう〜(2025/02/15jbug広島#15発表資料)
yasuoyasuo
17
6.7k
株式会社EventHub・エンジニア採用資料
eventhub
0
4.3k
全文検索+セマンティックランカー+LLMの自然文検索サ−ビスで得られた知見
segavvy
2
110
Featured
See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
4
410
Why Our Code Smells
bkeepers
PRO
336
57k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
27
1.6k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
174
51k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
Rails Girls Zürich Keynote
gr2m
94
13k
Designing for Performance
lara
604
68k
A designer walks into a library…
pauljervisheath
205
24k
Producing Creativity
orderedlist
PRO
344
39k
How GitHub (no longer) Works
holman
314
140k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
1k
Transcript
Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 2 ࣗݾհ Name: Ryotaro Uwatsu (Twitter: @URyo_0213) Title: Solutions Architect Community: - Kubernetes Meetup Novice ӡӦ - Kubenews
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 3 Table of Contents • What’s HashiCorp Vault • How to use Vault Secrets Operator
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 4 What’s HashiCorp Vault
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 5 HashiCorp Vault HashiCorp VaultɺγʔΫϨοτΛηΩϡΞʹཧ͢Δ͜ͱ͕Մೳͳπ ʔϧͰ͢ɻ ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτͷΞΫ ηε͕ՄೳͰ͢ɻ ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛཧ͢Δ͜ͱ͕Մೳͱͳͬͯ ͍·͢ɻ • γʔΫϨοτཧ • User identityཧ • PKI • etc...
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 6 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ Secretͷσʔλɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 7 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ ηΩϡΞʹSecretΛཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ ͕૿͑ͯ͠·ͬͨΓ͢Δͱཧ͕ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹཧ͠ͳ͚Εͳ Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛཧ͍ͯͨ͠͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ AWSͷSecret ManagerͷΑ͏ͳΈ͋Δ͕ɺύϒϦοΫΫϥυͳͲʹΞΫηεͰ͖ͳ͔ͬ ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍ใ͋Δ͔ͱࢥ͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 8 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 9 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 10 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 11 ৄ͘͠... Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 12 ͜Ε·Ͱͷ γʔΫϨοτใΛڥมͳͲʹద༻͍ͨ͠߹... ྫ) Agent Injector templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφͰsourceίϚϯυΛ༻͍ͯద༻͠ͳ͚Εͳ ΒͳΓ·ͤΜɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 13 ͜Ε·Ͱͷ γʔΫϨοτใΛڥมͳͲʹద༻͍ͨ͠߹... ྫ) CSI Provider ઃఆՄೳ͕ͩɺߋ৽ͨ͠߹ʹөͯ͘͠Ε·ͤΜɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 14 Vault Secrets Operatorͷొ 2023/03/29ͷϒϩάʹͯΞφϯε͞Ε·ͨ͠ɻ ※ ·ͩϕʔλͱ͍͏ݐ͚ͳͷͰɺ༻͢Δࡍ͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 15 Vault Secrets Operator Vault Secrets Operator ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ OperatorɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞͠ɺ ιʔεʹՃ͑ΒΕͨͯ͢ͷมߋ͕ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ ରԠύλʔϯ • Static Secret – Key-Valueܕ(ver1, ver2) • Dynamic Secret – ύϒϦοΫΫϥυDBͷΞΫηεΛ͢ΔͨΊͷظݶ͖ೝূใΛಈతʹੜ͢Δͷ • PKI – ಈతͳ X.509 ূ໌ॻΛੜ͢Δ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 16 How to use Vault Secrets Operator
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 17 έʔε ɾඪ γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ εͱͯ͠࡞Ͱ͖ΔΑ͏ʹ͢Δɻ ɾλεΫ 0. ࣄલ४උ 1. Vault Secrets OperatorͷΠϯετʔϧ 2. VaultͷηοςΟϯά 3. VaultConnectionͷ࡞ 4. VaultAuthͷ࡞ 5. VaultStaticSecretͷ࡞
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 18 0. ࣄલ४උ 1. ࣄલʹHelmΛ༻͍ͯVaultΛ࡞͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 19 0. ࣄલ४උ 2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 20 1. Vault Secrets OperatorͷΠϯετʔϧ ࠓճɺVaultΛHelmΛ༻͍ͯೖΕͨ߹Λجʹ͍ͯ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 21 Vault Secrets Operator CRD Vault Secret OperatorʹΑͬͯཧ͞ΕΔCRDNamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 22 2. VaultͷηοτΞοϓ 1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞͠·͢ɻ 2. Policyͷ࡞͠·͢ɻ ※pathɺSecret࡞࣌ͷύεͰͳ͘ ɹ࡞࣌ͷग़ྗͷSecret Path
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 23 2. VaultͷηοτΞοϓ 3. RoleΛ࡞͠·͢ɻ • auth/kubernetes/role/vso-demo-role – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role] • bound_service_account_names: Service Account໊ – (P.1*) 0-2Ͱ࡞ͨ͠Service Account – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount] • bound_service_account_namespaces: γʔΫϨοτΛ࡞͢ΔNamespace • policies: (P.1*) 1-2Ͱ࡞ͨ͠ϙϦγʔ໊
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 24 3. VaultConnectionͷ࡞ ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.address => VaultʹΞΫηε͢ΔΞυϨε ͜ͷଞʹɺHTTPϔομʔTLSͷઃఆΛ͢Δύ ϥϝʔλ͕͋Γ·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 25 4. VaultAuthͷ࡞ Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳใΛهड़͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultConnectionRef => (P.1*) 3 Ͱ࡞ͨ͠VaultConnectionϦιʔε໊ .spec.kubernetes.role => (P.1*) 2-3 Ͱ࡞ͨ͠Vault্ͷrole .spec.kubernetes.serviceAccount => (P.1*) 0-2 Ͱ࡞ͨ͠Service Account໊
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 26 5. VaultStaticSecretͷ࡞ Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultAuthRef => (P.1*) 4 Ͱ࡞ͨ͠VaultAuthϦιʔε໊ .spec.destination.name => Kubernetes্ʹ࡞͢ΔSecretϦιʔε໊ .spec.mount / .spec.name => (P.1*) 2-1 Ͱ࡞ͨ͠Vault্ͷγʔΫϨοτͷύε mount name
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 27 5. VaultStaticSecretͷ࡞ ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞͞Ε·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 28 ͠֊͕ਂ͘ͳͬͨ߹Ͳ͏ͨ͠Β͍͍ʁ ઌ΄ͲͷྫͰɺ2֊ͰͷγʔΫϨοτ࡞Λ͔ͨ͠Β͔Γ͔ͬͨ͢ͱࢥ͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 29 ͠֊͕ਂ͘ͳͬͨ߹Ͳ͏ͨ͠Β͍͍ʁ ֊͕૿͑ͯҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 30 ·ͱΊ Sidecar Agent Injector CSI Provider Vault Secrets Operator γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume ڥม Secret γʔΫϨοτλΠϓ Static Dynamic PKI Static Dynamic PKI Static Dynamic PKI ςϯϓϨʔτ ʓ × × (2023/04/17࣌) γʔΫϨοτ ϩʔςʔγϣϯ ʓ × ʓ Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍͘͢ͳΓ·ͨ͠ɻ ࠓճհͨ͠ͷҎ֎ʹ༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱҎԼͷ௨ΓͰ͢ɻ
None