Vault Secrets Operator Tutorial
Slides from a talk on what it is like to use Vault Secrets Operator.
ry
April 17, 2023
Transcript
Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential

Slide 2: Self-introduction
Name: Ryotaro Uwatsu (Twitter: @URyo_0213)
Title: Solutions Architect
Community: Kubernetes Meetup Novice (organizer), Kubenews
Slide 3: Table of Contents
• What's HashiCorp Vault
• How to use Vault Secrets Operator
Slide 4: What's HashiCorp Vault
Slide 5: HashiCorp Vault
HashiCorp Vault is a tool for managing secrets securely. Clients reach it through a variety of auth methods, and every access to a secret is governed by policy. It can manage secrets of many kinds, for example:
• Secrets management
• User identity management
• PKI
• etc.
Slide 6: Why is it nice to have Vault?
The data in a Kubernetes Secret is only base64-encoded, so anyone who can read the object can decode it immediately.
Slide 7: Why is it nice to have Vault?
There are solutions such as Sealed Secrets for managing Secrets securely, but as they multiply their management gets messy, and they have to be managed per cluster, so you end up wanting a single place from which to manage secrets. Managed services like AWS Secrets Manager exist too, but some environments cannot reach a public cloud, and some information cannot be placed there.
Slide 8: Applying secrets to Kubernetes
(Official)
• Agent Injector – an init container writes the secrets into a specific directory, and a sidecar agent reflects any later changes.
• CSI Provider – delivers the secrets to the Pod as a volume via CSI.
(Community)
• External Secrets – creates Secret resources from an ExternalSecret (CRD).
Slide 11: For more detail...
See the deck that Kusama-san of HashiCorp presented at Kubernetes Novice Tokyo #15:
https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani
Slide 12: Until now, if you wanted to apply secret data as environment variables...
Example: Agent Injector – you write the template so that it emits `export` statements, and then the container has to `source` the rendered file to apply them.
Slide 13: Until now, if you wanted to apply secret data as environment variables...
Example: CSI Provider – it can be configured, but when the secret is updated the change is not reflected.
Slide 14: Enter Vault Secrets Operator
Announced in a blog post on 2023/03/29.
Note: it is still positioned as a beta, so evaluate it carefully before adopting it.
https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration
Slide 15: Vault Secrets Operator
Vault Secrets Operator links Vault and Kubernetes through a set of CRDs. The operator takes secret data stored in Vault, creates it as a Secret resource on the target Kubernetes cluster, and keeps every change made at the source reflected there.
Supported patterns
• Static Secret – Key-Value (ver1, ver2)
• Dynamic Secret – short-lived credentials generated on demand for access to public clouds or databases
• PKI – dynamically generated X.509 certificates
Slide 16: How to use Vault Secrets Operator
Slide 17: Case
• Goal: fetch a secret from Vault and create it as a Secret resource in the default namespace.
• Tasks
0. Preparation
1. Install Vault Secrets Operator
2. Set up Vault
3. Create a VaultConnection
4. Create a VaultAuth
5. Create a VaultStaticSecret
Slide 18: 0. Preparation
1. Vault must already have been installed with Helm.
Slide 19: 0. Preparation
2. Create the Service Account that will be used when fetching secrets from Vault.
Slide 20: 1. Install Vault Secrets Operator
This walkthrough assumes Vault itself was installed with Helm.
Slide 21: Vault Secrets Operator CRDs
The custom resources managed by Vault Secrets Operator are applied as namespaced resources.
Slide 22: 2. Set up Vault
1. Enable the Key-Value ver2 secrets engine and create a secret.
2. Create a policy.
Note: the path in the policy is not the path you pass when creating the secret; it is the Secret Path shown in the output of the create command (for KV v2 the ACL path includes `data/`, e.g. `secret/data/<name>`).
Slide 23: 2. Set up Vault
3. Create a role.
• auth/kubernetes/role/vso-demo-role – referenced later in VaultAuth [.spec.kubernetes.role]
• bound_service_account_names: the Service Account name – the Service Account created in step 0-2 – referenced later in VaultAuth [.spec.kubernetes.serviceAccount]
• bound_service_account_namespaces: the namespace in which the secret will be created
• policies: the name of the policy created in step 2-2
Slide 24: 3. Create a VaultConnection
The resource that specifies which Vault to connect to.
[Parameters you change]
.spec.address => the address used to reach Vault
There are also parameters for HTTP headers and TLS settings.
Slide 25: 4. Create a VaultAuth
The resource that describes the information needed to authenticate to Vault.
[Parameters you change]
.spec.vaultConnectionRef => name of the VaultConnection resource created in step 3
.spec.kubernetes.role => the Vault role created in step 2-3
.spec.kubernetes.serviceAccount => name of the Service Account created in step 0-2
Slide 26: 5. Create a VaultStaticSecret
The resource that creates the secret fetched from Vault as a Secret on Kubernetes.
[Parameters you change]
.spec.vaultAuthRef => name of the VaultAuth resource created in step 4
.spec.destination.name => name of the Secret resource to create on Kubernetes
.spec.mount / .spec.name => the path of the secret created in Vault in step 2-1, split into mount and name
Slide 27: 5. Create a VaultStaticSecret
A Secret resource is created as shown below. (Screenshot of the resulting Secret; not captured in the transcript.)
Slide 28: What if the path hierarchy gets deeper?
The previous example created a secret at a two-level path, which kept things easy to follow.
Slide 29: What if the path hierarchy gets deeper?
Even with more levels, it can be applied as shown below. (Screenshot of the manifest; not captured in the transcript.)
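The manifests on slides 24-29 survive only as screenshots, so here is the whole procedure of steps 0-5, plus the deeper-path variant, as one script. This is an added example, not code from the deck or from HashiCorp. Everything in it is assumed: Vault installed from the HashiCorp Helm chart in namespace vault (service vault.vault.svc), a `vault` CLI logged in with an admin token, VSO already installed (the documented chart is hashicorp/vault-secrets-operator), kubectl pointed at the cluster, and the hypothetical names vso-demo-sa, vso-demo-policy, db-creds and the secret path team/app/db; vso-demo-role is the role name from slide 23. Field names follow current VSO releases (apiVersion secrets.hashicorp.com/v1beta1, spec.path); the beta shown in the deck used spec.name for the same field.

```shell
#!/bin/sh
# Added example, not from the deck: Vault and Kubernetes halves of steps 0-5,
# with a three-level KV path to cover the "deeper hierarchy" case as well.
# Assumed environment: Vault from the HashiCorp Helm chart in namespace "vault",
# `vault` CLI logged in with an admin token, VSO installed, kubectl configured.
set -eu

SECRET_NS=default           # namespace that receives the Kubernetes Secret
SA_NAME=vso-demo-sa         # ServiceAccount of step 0-2 (hypothetical name)
ROLE_NAME=vso-demo-role     # auth/kubernetes/role/<name> from slide 23
POLICY_NAME=vso-demo-policy # hypothetical name
KV_MOUNT=secret             # KV v2 mount enabled in step 2-1
KV_PATH=team/app/db         # hypothetical three-level secret path
K8S_SECRET=db-creds         # .spec.destination.name

# Policy of step 2-2. The KV v2 ACL path is "<mount>/data/<path>", the Secret
# Path that `vault kv put` prints, not the path you typed: a policy written on
# "secret/team/app/db" is accepted by Vault but VSO then logs permission denied.
vault_policy_hcl() {
  cat <<EOF
path "${KV_MOUNT}/data/${KV_PATH}" {
  capabilities = ["read"]
}
EOF
}

# Vault side of slides 22-23. The role is bound to one SA in one namespace, so a
# token obtained by any other workload cannot read this path.
setup_vault() {
  vault secrets enable -path="$KV_MOUNT" kv-v2 2>/dev/null || true
  vault kv put "${KV_MOUNT}/${KV_PATH}" username=app password='example-only'
  vault_policy_hcl | vault policy write "$POLICY_NAME" -
  vault auth enable kubernetes 2>/dev/null || true
  vault write auth/kubernetes/config kubernetes_host=https://kubernetes.default.svc:443
  vault write "auth/kubernetes/role/${ROLE_NAME}" \
    bound_service_account_names="$SA_NAME" \
    bound_service_account_namespaces="$SECRET_NS" \
    policies="$POLICY_NAME" token_ttl=1h
}

# Kubernetes side of slides 19 and 24-26. Field names follow current VSO
# releases (apiVersion v1beta1, spec.path); the beta in the deck used spec.name.
vso_manifests() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: ${SA_NAME}, namespace: ${SECRET_NS}}
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata: {name: vault-connection, namespace: ${SECRET_NS}}
spec:
  address: http://vault.vault.svc.cluster.local:8200  # https + caCertSecretRef in production
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata: {name: vault-auth, namespace: ${SECRET_NS}}
spec:
  vaultConnectionRef: vault-connection
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ${ROLE_NAME}
    serviceAccount: ${SA_NAME}
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata: {name: ${K8S_SECRET}, namespace: ${SECRET_NS}}
spec:
  vaultAuthRef: vault-auth
  mount: ${KV_MOUNT}
  type: kv-v2
  path: ${KV_PATH}      # no "data/" here; VSO adds it for kv-v2
  refreshAfter: 30s     # poll interval: a rotated value lands within this window
  destination:
    name: ${K8S_SECRET}
    create: true
  # Env vars are read once at Pod start, so consumers must restart on change.
  # Assumes a Deployment named "app" uses the Secret; remove if none exists.
  rolloutRestartTargets:
    - kind: Deployment
      name: app
EOF
}

# Read back what VSO wrote; Secret data is only base64 (slide 6), hence the decode.
verify() {
  i=0
  until kubectl -n "$SECRET_NS" get secret "$K8S_SECRET" >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "Secret not created; check the VSO logs" >&2; return 1; }
    sleep 2
  done
  kubectl -n "$SECRET_NS" get secret "$K8S_SECRET" -o jsonpath='{.data.username}' | base64 -d; echo
}

case "${1:-render}" in
  vault)  setup_vault ;;
  apply)  vso_manifests | kubectl apply -f - && verify ;;
  render) vault_policy_hcl; echo '---'; vso_manifests ;;  # print only, no side effects
esac
```

Run it as `sh vso-demo.sh vault` where the Vault CLI is configured, then `sh vso-demo.sh apply` against the cluster; with no argument it only prints the policy and manifests so you can review them. Two things to check when it does not work: the policy path carries `data/` while `spec.path` does not, and a Secret consumed through environment variables only picks up a rotated value after the Pod restarts, which is what rolloutRestartTargets is for.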
Slide 30: Summary
With Vault Secrets Operator, secrets have become easier to handle than ever. There are many uses beyond what was shown today, so please try it out. A quick comparison with the other ways of integrating with Kubernetes:

                     Sidecar Agent Injector | CSI Provider         | Vault Secrets Operator
Delivery method      Volume (emptyDir)      | Volume               | Environment variables / Secret
Secret types         Static, Dynamic, PKI   | Static, Dynamic, PKI | Static, Dynamic, PKI
Templates            ○                      | ×                    | × (as of 2023/04/17)
Secret rotation      ○                      | ×                    | ○