Vault

Using Vault for your Secret storage

To use Vault as the storage engine for your Secrets, set secretStorage: vault in your jx-requirements.yml:

cluster:
  provider: gke
environments:
- key: dev
- key: staging
- key: production
kaniko: true
secretStorage: vault
webhook: lighthouse

Installing Vault

Make sure that your helmfile.yaml file has the necessary vault charts included such as…

apps:
- name: external-secrets/kubernetes-external-secrets
- name: banzaicloud-stable/vault-operator
- name: jx-labs/vault-instance
...

which ensures that:

You can wait for the vault-0 pod in namespace secret-infra to be ready via jx secret vault wait command:

jx secret vault wait

Now your vault can be used.

Using Vault

To import, export or edit secrets from your laptop, make sure you are running the jx secret vault portforward command, which forwards port 8200 on your laptop to the vault service:

jx secret vault portforward

This will allow the jx 3.x binary to access the Vault REST API.

You can now follow the instructions to edit secrets or import secrets.

You can also access the vault web UI at https://localhost:8200

Using the vault CLI directly

Someday we might have a nice jx secret vault shell command to automate all of this but until then…

Download the vault CLI binary and add it to your $PATH.

You can now set up a shell to access vault as follows:

# Read the Vault root token from the unseal-keys secret (quote the jsonpath so the shell leaves the braces alone)
export VAULT_TOKEN=$(kubectl get secrets vault-unseal-keys -n secret-infra -o jsonpath='{.data.vault-root}' | base64 --decode)

# Tell the CLI that the Vault Cert is signed by a custom CA
kubectl get secret vault-tls -n secret-infra -o jsonpath="{.data.ca\.crt}" | base64 --decode > $PWD/vault-ca.crt
export VAULT_CACERT=$PWD/vault-ca.crt

# Tell the CLI where Vault is listening (the certificate has 127.0.0.1 as well as alternate names)
export VAULT_ADDR=https://127.0.0.1:8200

# Now we can use the vault CLI to list/read/write secrets...

# List all the current secrets
vault kv list secret

# Let's store a secret
vault kv put secret/mything foo=bar whatnot=cheese
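
The same setup as a checked script, added here as an example and not taken from the Jenkins X docs: each Secret field is validated before it is exported, so a wrong jsonpath cannot silently leave you with an empty VAULT_TOKEN or an empty CA file, and the token is confirmed against Vault before any kv command. It assumes the page's names (namespace secret-infra, secrets vault-unseal-keys with field vault-root and vault-tls with field ca.crt) and a running jx secret vault portforward on port 8200.

```shell
#!/bin/sh
# Added example, not from the Jenkins X docs: the steps above with checks.
# Assumes namespace secret-infra, secrets vault-unseal-keys (field vault-root)
# and vault-tls (field ca.crt), and a port-forward of Vault on 127.0.0.1:8200.
set -eu

# decode_nonempty LABEL BASE64: decodes one Secret field and fails if the value
# is empty or not base64, so a mistyped jsonpath never yields an empty token.
decode_nonempty() {
  label="$1"; encoded="$2"
  [ -n "$encoded" ] || { echo "$label: empty value (wrong secret or jsonpath?)" >&2; return 1; }
  decoded=$(printf '%s' "$encoded" | base64 --decode) || { echo "$label: invalid base64" >&2; return 1; }
  [ -n "$decoded" ] || { echo "$label: decoded to nothing" >&2; return 1; }
  printf '%s' "$decoded"
}

# write_ca_bundle PEM PATH: refuses data that is not a PEM certificate and
# writes the file owner-only, so a bad field cannot produce an empty CA file
# that makes every later TLS check fail with a confusing error.
write_ca_bundle() {
  pem="$1"; path="$2"
  case "$pem" in
    *"-----BEGIN CERTIFICATE-----"*) ;;
    *) echo "CA data is not a PEM certificate" >&2; return 1 ;;
  esac
  ( umask 077; printf '%s\n' "$pem" > "$path" )
}

# setup_vault_env: reads both Secrets with kubectl, validates them, exports the
# VAULT_* variables and confirms the token works before any kv command is run.
setup_vault_env() {
  ns=secret-infra
  token=$(decode_nonempty vault-root \
    "$(kubectl get secret vault-unseal-keys -n "$ns" -o jsonpath='{.data.vault-root}')")
  ca=$(decode_nonempty ca.crt \
    "$(kubectl get secret vault-tls -n "$ns" -o jsonpath='{.data.ca\.crt}')")
  write_ca_bundle "$ca" "$PWD/vault-ca.crt"
  export VAULT_ADDR=https://127.0.0.1:8200
  export VAULT_CACERT="$PWD/vault-ca.crt"
  export VAULT_TOKEN="$token"
  vault token lookup >/dev/null   # fails fast if the port-forward or token is wrong
  echo "vault CLI configured against $VAULT_ADDR"
}
```

Source the file and call setup_vault_env in the shell where you will run vault kv commands; the exports only apply to that shell.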

Last modified September 21, 2020: release 0.0.1895 (3145738)