Home GitHub

Installing the HashiCorp Vault Secret CSI Driver

The HashiCorp Vault Secret CSI Driver allows you to access secrets stored in HashiCorp Vault as Kubernetes Volumes.

Prerequisites

  1. An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
  2. kubectl
  3. helm v3

Installing the Kubernetes Secret Store CSI

  1. Create an OpenShift Project to deploy the CSI into

     oc new-project k8s-secrets-store-csi
    
  2. Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

     oc adm policy add-scc-to-user privileged \
       system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver
    
  3. Add the Secrets Store CSI Driver to your Helm Repositories

     helm repo add secrets-store-csi-driver \
       https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
    
  4. Update your Helm Repositories

     helm repo update
    
  5. Install the secrets store csi driver

     helm install -n k8s-secrets-store-csi csi-secrets-store \
       secrets-store-csi-driver/secrets-store-csi-driver
    
  6. Check that the Daemonsets is running

     kubectl --namespace=k8s-secrets-store-csi get pods -l "app=secrets-store-csi-driver"
    

    You should see the following

     NAME                                               READY   STATUS    RESTARTS   AGE
     csi-secrets-store-secrets-store-csi-driver-cl7dv   3/3     Running   0          57s
     csi-secrets-store-secrets-store-csi-driver-gbz27   3/3     Running   0          57s
    

Install HashiCorp Vault with CSI driver enabled

  1. Add the HashiCorp Helm Repository

     helm repo add hashicorp https://helm.releases.hashicorp.com
    
  2. Update your Helm Repositories

     helm repo update
    
  3. Create a namespace for Vault

     oc new-project hashicorp-vault
    
  4. Create a SCC for the CSI driver

     oc adm policy add-scc-to-user privileged \
       system:serviceaccount:hashicorp-vault:vault-csi-provider
    
  5. Create a values file for Helm to use

     cat << EOF > values.yaml
     global:
       openshift: true
     csi:
       enabled: true
     injector:
       enabled: false
     server:
       image:
         repository: "registry.connect.redhat.com/hashicorp/vault"
         tag: "1.8.0-ubi"
       dev:
         enabled: true
     EOF
    
  6. Install Hashicorp Vault with CSI enabled

     helm install -n hashicorp-vault vault \
       hashicorp/vault --values values.yaml
    
  7. Patch the CSI daemonset

    Currently the CSI has a bug in its manifest which we need to patch

     kubectl patch daemonset vault-csi-provider --type='json' \
         -p='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]'
    

Configure Hashicorp Vault

  1. Get a bash prompt inside the Vault pod

     oc exec -it vault-0 -- bash
    
  2. Create a Secret in Vault

     vault kv put secret/db-pass password="hunter2"
    
  3. Configure Vault to use Kubernetes Auth

     vault auth enable kubernetes
    
  4. Check your Cluster’s token issuer

     oc get authentication.config cluster \
       -o json | jq -r .spec.serviceAccountIssuer
    
  5. Configure Kubernetes auth method

    If the issuer here does not match the above, update it.

     vault write auth/kubernetes/config \
     issuer="https://kubernetes.default.svc.cluster.local" \
     token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
     kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
     kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    
  6. Create a policy for our app

     vault policy write internal-app - <<EOF
     path "secret/data/db-pass" {
       capabilities = ["read"]
     }
     EOF
    
  7. Create an auth role to access it

     vault write auth/kubernetes/role/database \
       bound_service_account_names=webapp-sa \
       bound_service_account_namespaces=default \
       policies=internal-app \
       ttl=20m
    
  8. exit from the vault-0 pod

     exit
    

Deploy a sample application

  1. Create a SecretProviderClass in the default namespace

     cat <<EOF | kubectl apply -f -
     apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
     kind: SecretProviderClass
     metadata:
       name: vault-database
       namespace: default
     spec:
       provider: vault
       parameters:
         vaultAddress: "http://vault.hashicorp-vault:8200"
         roleName: "database"
         objects: |
           - objectName: "db-password"
             secretPath: "secret/data/db-pass"
             secretKey: "password"
     EOF
    
  2. Create a service account webapp-sa

     kubectl create serviceaccount -n default webapp-sa
    
  3. Create a Pod to use the secret

     cat << EOF | kubectl apply -f -
     kind: Pod
     apiVersion: v1
     metadata:
       name: webapp
       namespace: default
     spec:
       serviceAccountName: webapp-sa
       containers:
       - image: jweissig/app:0.0.1
         name: webapp
         volumeMounts:
         - name: secrets-store-inline
           mountPath: "/mnt/secrets-store"
           readOnly: true
       volumes:
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
               secretProviderClass: "vault-database"
     EOF
    
  4. Check the Pod has the secret

     kubectl -n default exec webapp \
       -- cat /mnt/secrets-store/db-password
    

    The output should match

     hunter2
    

Uninstall HashiCorp Vault with CSI driver enabled

  1. Delete the pod and

     kubectl delete -n default pod webapp
     kubectl delete -n default secretproviderclass vault-database
     kubectl delete -n default serviceaccount webapp-sa
    
  2. Delete the Hashicorp Vault Helm

     helm delete -n hashicorp-vault vault
    
  3. Delete the SCC for Hashicorp Vault

     oc adm policy remove-scc-from-user privileged \
       system:serviceaccount:hashicorp-vault:vault-csi-provider
    
  4. Delete the Hashicorp vault project

     oc delete project hashicorp-vault
    

Uninstalling the Kubernetes Secret Store CSI

  1. Delete the secrets store csi driver

     helm delete -n k8s-secrets-store-csi csi-secrets-store
    
  2. Delete the SecurityContextConstraints

     oc adm policy remove-scc-from-user privileged \
       system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver