Created
August 9, 2019 21:08
-
-
Save TsuyoshiUshio/609f063a20df07d3ed302a23cf4698e8 to your computer and use it in GitHub Desktop.
Script to create sample secret and kubernetes authentication configration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Create a service account, 'vault-auth' | |
| kubectl create serviceaccount vault-auth | |
| # Update the 'vault-auth' service account | |
| kubectl apply --filename vault-auth-service-account.yml | |
| # Create a policy file, myapp-kv-ro.hcl | |
| # This assumes that the Vault server is running kv v1 (non-versioned kv) | |
| tee myapp-kv-ro.hcl <<EOF | |
| # For K/V v1 secrets engine | |
| path "secret/myapp/*" { | |
| capabilities = ["read", "list"] | |
| } | |
| # For K/V v2 secrets engine | |
| path "secret/data/myapp/*" { | |
| capabilities = ["read", "list"] | |
| } | |
| EOF | |
| # Create a policy named myapp-kv-ro | |
| vault policy write myapp-kv-ro myapp-kv-ro.hcl | |
| # Enable K/V v1 at secret/ if it's not already available | |
| # vault secrets enable -path=secret kv | |
| # Create test data in the `secret/myapp` path. | |
| vault kv put secret/myapp/config username='appuser' password='suP3rsec(et!' ttl='30s' | |
| # Enable userpass auth method | |
| vault auth enable userpass | |
| # Create a user named "test-user" | |
| vault write auth/userpass/users/test-user password=training policies=myapp-kv-ro | |
| # Set VAULT_SA_NAME to the service account you created earlier | |
| export VAULT_SA_NAME=$(kubectl get sa vault-auth -o jsonpath="{.secrets[*]['name']}") | |
| # Set SA_JWT_TOKEN value to the service account JWT used to access the TokenReview API | |
| export SA_JWT_TOKEN=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data.token}" | base64 --decode; echo) | |
| # Set SA_CA_CRT to the PEM encoded CA cert used to talk to Kubernetes API | |
| export SA_CA_CRT=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo) | |
| # Set K8S_HOST to minikube IP address | |
| export K8S_HOST=https://tsushikeya-keyvaultaks-abcdefg01235.hcp.westus.azmk8s.io:443 | |
| # Enable the Kubernetes auth method at the default path ("auth/kubernetes") | |
| vault auth enable kubernetes | |
| # Tell Vault how to communicate with the Kubernetes (Minikube) cluster | |
| vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="$K8S_HOST" kubernetes_ca_cert="$SA_CA_CRT" | |
| # Create a role named, 'example' to map Kubernetes Service Account to | |
| # Vault policies and default token TTL | |
| vault write auth/kubernetes/role/example bound_service_account_names=vault-auth bound_service_account_namespaces=default policies=myapp-kv-ro ttl=24h |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment