Vault

Using Vault for your Secret storage

To use Vault as the storage engine for your Secrets, specify --secret vault when creating your development git repository, or configure Vault via secretStorage: vault in your jx-requirements.yml:

cluster:
  provider: gke
environments:
- key: dev
- key: staging
- key: production
kaniko: true
secretStorage: vault
webhook: lighthouse

Installing Vault

Before you try to run the boot job you need to ensure your Vault installation is set up and the secrets are populated.

So please install the vault operator in some namespace such as vault-infra.

# Create a namespace for the vault operator
kubectl create namespace vault-infra
kubectl label namespace vault-infra name=vault-infra

# Install the vault-operator to the vault-infra namespace
helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
helm upgrade --namespace vault-infra --install vault-operator banzaicloud-stable/vault-operator --wait

Now you need to create a Vault custom resource instance in the namespace you are installing Jenkins X into, which is jx by default.

The following commands assume you are using the jx namespace. If you wish to use a different namespace, modify the operator/deploy/cr.yaml file appropriately (replacing jx with the namespace you are using).

# make sure we are in the jx namespace
jxl ns jx

git clone https://github.com/jenkins-x-labs/bank-vaults
cd bank-vaults

# Create a Vault instance
kubectl apply -f operator/deploy/rbac.yaml
kubectl apply -f operator/deploy/cr.yaml

Now you need to wait for the vault-0 pod to be ready:

kubectl wait --for=condition=Ready pod/vault-0

Now your vault can be used.

Using Vault

To import, export or edit secrets from your laptop, make sure the following command is running:

kubectl port-forward service/vault 8200

This will allow the jxl binary to access the Vault REST API.

You can now follow the instructions to populate secrets or import secrets.

Using the vault CLI

Download the vault CLI binary and add it to your $PATH.

You can now set up a shell to access Vault as follows:

export VAULT_TOKEN=$(kubectl get secrets vault-unseal-keys -o jsonpath={.data.vault-root} | base64 --decode)

# Tell the CLI that the Vault Cert is signed by a custom CA
kubectl get secret vault-tls -o jsonpath="{.data.ca\.crt}" | base64 --decode > $PWD/vault-ca.crt
export VAULT_CACERT=$PWD/vault-ca.crt

# Tell the CLI where Vault is listening (the certificate has 127.0.0.1 as well as alternate names)
export VAULT_ADDR=https://127.0.0.1:8200

# Now we can use the vault CLI to list/read/write secrets...

# List all the current secrets
vault kv list secret

# Let's store a secret
vault kv put secret/mything foo=bar whatnot=cheese
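The port-forward above exposes the Vault REST API that both the jxl binary and the vault CLI talk to. The following Python script is an added example (it is not part of the Jenkins X Labs docs or of the bank-vaults project) showing the HTTP calls behind vault kv list secret and vault kv put secret/mything foo=bar whatnot=cheese. It reads the same VAULT_ADDR, VAULT_TOKEN and VAULT_CACERT variables exported in the shell snippet above, verifies the server certificate against the CA extracted from the vault-tls secret rather than skipping verification, and refuses to send the token over plain HTTP. It assumes the secret/ mount is a KV version 2 engine; if your bank-vaults configuration mounts a v1 engine instead, drop the data/ and metadata/ path segments and the {"data": ...} wrapper.

```python
"""Minimal Vault KV v2 client mirroring the CLI commands on this page.

Added example, not Jenkins X or bank-vaults code. Assumes the `secret/`
mount is a KV version 2 engine (an assumption about the bank-vaults CR
config) and that VAULT_ADDR, VAULT_TOKEN and VAULT_CACERT are set as in
the shell snippet above.
"""
import json
import os
import ssl
import urllib.request


def parse_kv_args(args):
    """Turn ["foo=bar", "whatnot=cheese"] into a dict the way `vault kv put`
    does, splitting on the first '=' only so values may contain '='."""
    data = {}
    for arg in args:
        if "=" not in arg:
            raise ValueError(f"expected key=value, got {arg!r}")
        key, value = arg.split("=", 1)
        data[key] = value
    return data


def kv_data_path(mount, key):
    """`vault kv put/get <mount>/<key>` on KV v2 uses /v1/<mount>/data/<key>."""
    return f"/v1/{mount.strip('/')}/data/{key.strip('/')}"


def kv_list_path(mount, prefix=""):
    """`vault kv list <mount>/<prefix>` on KV v2 is a LIST on
    /v1/<mount>/metadata/<prefix>/ (keys live in the metadata tree)."""
    prefix = prefix.strip("/")
    return f"/v1/{mount.strip('/')}/metadata/" + (prefix + "/" if prefix else "")


def kv_put_body(data):
    """KV v2 wraps the secret key/values under a top-level "data" key."""
    return json.dumps({"data": data})


class VaultClient:
    def __init__(self, addr, token, cacert):
        # Never send the (root!) token over an unencrypted connection.
        if not addr.startswith("https://"):
            raise ValueError("refusing to send a Vault token over a non-TLS address")
        if not os.path.isfile(cacert):
            raise FileNotFoundError(f"CA certificate not found: {cacert}")
        self.addr = addr.rstrip("/")
        self.token = token
        # Verify the server certificate against the Vault CA from the vault-tls
        # secret instead of disabling verification (VAULT_SKIP_VERIFY).
        self.ctx = ssl.create_default_context(cafile=cacert)

    def request(self, method, path, body=None):
        req = urllib.request.Request(
            self.addr + path,
            data=body.encode() if body else None,
            method=method,
        )
        req.add_header("X-Vault-Token", self.token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def put(self, mount, key, kv):
        return self.request("POST", kv_data_path(mount, key), kv_put_body(kv))

    def get(self, mount, key):
        # KV v2 nests the stored values one level deeper than v1.
        return self.request("GET", kv_data_path(mount, key))["data"]["data"]

    def list_keys(self, mount, prefix=""):
        return self.request("LIST", kv_list_path(mount, prefix))["data"]["keys"]


def client_from_env():
    """Build a client from the same environment variables the vault CLI reads."""
    return VaultClient(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                       os.environ["VAULT_CACERT"])


if __name__ == "__main__":
    # Equivalent of the two CLI commands above, against the port-forwarded Vault.
    c = client_from_env()
    c.put("secret", "mything", parse_kv_args(["foo=bar", "whatnot=cheese"]))
    print(c.list_keys("secret"))
    print(c.get("secret", "mything"))
```

Run it in the same shell where VAULT_TOKEN, VAULT_CACERT and VAULT_ADDR were exported and the port-forward is active. Because the token comes from the vault-root key of the vault-unseal-keys secret, any process that can read that Kubernetes secret has full control of Vault; keep the RBAC on that namespace tight and prefer a token scoped by a Vault policy for day-to-day scripting.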

Last modified June 2, 2020: release 0.0.1748 (a2ba8b8)