@zdtsw
Last active April 8, 2020 13:46
vault in K8s
~/GitHub/$ git clone https://github.com/hashicorp/vault-helm.git
/* create the namespace wen-vault1 and make it the current namespace */
~/GitHub/vault-helm$ kubectl create namespace wen-vault1
~/GitHub/vault-helm$ kubectl config set-context --current --namespace=wen-vault1
/* create the service account serviceaccount-wen-vault1; the k8s deployment below will run its pod under it */
~/GitHub/vault-helm/wen$ more serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: serviceaccount-wen-vault1
  namespace: wen-vault1
  labels:
    app: component1
    env: ci1
~/GitHub/vault-helm/wen$ kubectl apply -f serviceaccount.yaml
/* without --set=server.dev.enabled=true the chart requires a PV for the vault-wen-vault1-0 pod; dev mode should only be used for non-prod */
~/GitHub/vault-helm$ helm install --name=vault-wen-vault1 ./
/* if the above does not work, check for and purge an old existing release locally */
~/GitHub/vault-helm$ helm ls --all
~/GitHub/vault-helm$ helm del --purge vault-wen-vault1
/* do a check; you should see the vault-0 and vault-agent-injector-* pods running */
~/GitHub/vault-helm$ kubectl get pod
/* below vault actions need to be done in vault-0 pod */
~/GitHub/vault-helm/wen$ kubectl exec -it vault-0 -- sh
/* create /home/vault/wen-vault1-component1.hcl with this content */
path "secret/wen-vault1/component1" {
  capabilities = [ "create", "read", "list" ]
}
path "secret/wen-vault1/component2" {
  capabilities = [ "read" ]
}
$ vault policy write wen-vault1-component1 /home/vault/wen-vault1-component1.hcl
/* do a double check that it is updated; I spent quite some time troubleshooting later why it did not work, and eventually it was the policy I forgot to write after changing the hcl file */
$ vault read sys/policy/wen-vault1-component1
/* enable the kubernetes auth backend */
$ vault auth enable kubernetes
$ vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/* create a new role mapped to the policy you created above; it also states which service account and namespace in k8s may use it */
$ vault write auth/kubernetes/role/wen-vault1-component1 \
    bound_service_account_names=serviceaccount-wen-vault1 \
    bound_service_account_namespaces=wen-vault1 \
    policies=wen-vault1-component1 \
    ttl=1h
$ vault read auth/kubernetes/role/wen-vault1-component1
/* create my secret as key-value pairs; in the template use {{ .Data.data.username }} */
$ vault kv put secret/wen-vault1/component1 username=wen password=Zhou
$ vault kv get secret/wen-vault1/component1
====== Metadata ======
Key Value
--- -----
created_time 2020-04-07T19:32:48.071698011Z
deletion_time n/a
destroyed false
version 2
====== Data ======
Key Value
--- -----
password Zhou
username wen
/* create my secret as a string; in the template use {{ .Data.username }} */
~ $ vault write secret/wen-vault1/component2 username="Wen" password="zhou"
~ $ vault read secret/wen-vault1/component2
$ exit
/* create a normal k8s deployment, but state that the pod is started with the service account serviceaccount-wen-vault1 */
~/GitHub/vault-helm/wen$ cat deployment-component1.yaml
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: component1
  namespace: wen-vault1
  labels:
    app: component1
    env: ci1
spec:
  selector:
    matchLabels:
      app: component1
      env: ci1
  replicas: 1
  template:
    metadata:
      labels:
        app: component1
        env: ci1
    spec:
      serviceAccountName: serviceaccount-wen-vault1
      containers:
      - name: component1-ci1
        image: portcheck:latest
        resources:
          limits:
            cpu: 100m
            memory: 50Mi
/* if you already have the annotations below defined in the k8s deployment yaml you can skip this patch */
/* the suffix of the annotation vault.hashicorp.com/agent-inject-secret-wen-vault1-component1 only needs to be a unique ID; it does not have to be the same as the path value */
~/GitHub/vault-helm/wen$ cat patch-basic-annotations.yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-wen-vault1-component1: "secret/wen-vault1/component1"
        vault.hashicorp.com/role: "wen-vault1-component1"
~/GitHub/vault-helm/wen$ kubectl patch deployment component1 --patch "$(cat patch-basic-annotations.yaml)"
/* to make /vault/secrets/wen-vault1-component1 easy to read, we can format it as a string with a template */
~/GitHub/vault-helm/wen$ cat patch-template-annotation.yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/agent-inject-template-wen-vault1-component1: |
          [BLOCK0]
          team = delivery
          [BLOCK1]
          common part
          {{- with secret "secret/wen-vault1/component1" -}}
          when we have secret
          fuckshitlife-{{ .Data.data.username }}:{{ .Data.data.password }}
          {{- end }}
          [BLOCK2]
          company = mycompany
        vault.hashicorp.com/role: "wen-vault1-component1"
~/GitHub/vault-helm/wen$ kubectl patch deployment component1 --patch "$(cat patch-template-annotation.yaml)"
~/GitHub/vault-helm/wen$ kubectl exec -it component1-* -n wen-vault1 -c component1-ci1 -- sh
# cd /vault/secrets
# ls
wen-vault1-component1
# cat wen-vault1-component1
[BLOCK0]
team = delivery
[BLOCK1]
common partwhen we have secret
fuckshitlife-wen:Zhou
[BLOCK2]
company = mycompany

zdtsw commented Apr 8, 2020

The best way to troubleshoot why no /vault/secrets/* file is created in your container:

  1. remove the template annotation first, to be sure the role and the secret are correct, then check the syntax of the template
  2. make sure the role covers the path you want to read in Vault
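The checklist above (role bound to the right service account and namespace, policy granting read on every injected path) can be run offline against the manifests before deploying. This is an added example, not part of the gist; it embeds the page's policy, role, deployment and annotation values as constructed input, compares the annotation path with the policy rule textually as the page does, and its `vault_path_allows` is a simplified version of Vault's ACL matching (exact rule or trailing `*` glob only).

```python
import re

# Constructed from the values on this page: the policy HCL, the kubernetes
# auth role, the deployment's identity, and the injector annotations.
POLICY_HCL = '''
path "secret/wen-vault1/component1" {
  capabilities = [ "create", "read", "list" ]
}
path "secret/wen-vault1/component2" {
  capabilities = [ "read" ]
}
'''
ROLE = {"bound_service_account_names": "serviceaccount-wen-vault1",
        "bound_service_account_namespaces": "wen-vault1"}
DEPLOYMENT = {"namespace": "wen-vault1",
              "serviceAccountName": "serviceaccount-wen-vault1"}
ANNOTATIONS = {
    "vault.hashicorp.com/agent-inject": "true",
    "vault.hashicorp.com/agent-inject-secret-wen-vault1-component1": "secret/wen-vault1/component1",
    "vault.hashicorp.com/role": "wen-vault1-component1",
}
SECRET_PREFIX = "vault.hashicorp.com/agent-inject-secret-"
_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)

def parse_policy(hcl):
    """Return {path_rule: set(capabilities)} from a minimal Vault policy."""
    return {p: set(re.findall(r'"([^"]+)"', caps)) for p, caps in _RULE_RE.findall(hcl)}

def vault_path_allows(policy, path, cap):
    """Simplified Vault ACL match: exact rule, or a rule ending in '*' used as a
    prefix glob. Vault's '+' segment wildcard and longest-match precedence are not modeled."""
    for rule, caps in policy.items():
        if cap in caps and (rule == path or (rule.endswith("*") and path.startswith(rule[:-1]))):
            return True
    return False

def check_injection(policy, role, deployment, annotations):
    """Run the troubleshooting checklist; an empty list means everything lines up."""
    problems = []
    if deployment["serviceAccountName"] not in role["bound_service_account_names"].split(","):
        problems.append("serviceAccountName is not in bound_service_account_names")
    if deployment["namespace"] not in role["bound_service_account_namespaces"].split(","):
        problems.append("namespace is not in bound_service_account_namespaces")
    if annotations.get("vault.hashicorp.com/agent-inject") != "true":
        problems.append('vault.hashicorp.com/agent-inject is not "true"')
    for key, path in annotations.items():
        if key.startswith(SECRET_PREFIX) and not vault_path_allows(policy, path, "read"):
            problems.append(f"policy grants no read on {path} (secret id {key[len(SECRET_PREFIX):]})")
    return problems
```

Calling `check_injection(parse_policy(POLICY_HCL), ROLE, DEPLOYMENT, ANNOTATIONS)` returns an empty list for the page's values; add a second `agent-inject-secret-*` annotation for a path the policy does not cover and the returned list names it.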


zdtsw commented Apr 8, 2020

check the vault-0 log to see the root token and unseal key in dev mode
