Vault
To be able to use Vault as the storage engine for your Secrets you need to configure vault via secretStorage: vault
in your jx-requirements.yml
:
cluster:
provider: gke
environments:
- key: dev
- key: staging
- key: production
kaniko: true
secretStorage: vault
webhook: lighthouse
Installing Vault
Make sure that your helmfile.yaml
file has the necessary vault charts included such as…
releases:
- chart: external-secrets/kubernetes-external-secrets
- chart: banzaicloud-stable/vault-operator
- chart: jx-labs/vault-instance
...
which ensures that:
- Kubernetes External Secrets is installed to populate Secrets from vault
- the vault operator is installed for operating vault
- a vault instance is created in the
secret-infra
namespace
You can wait for the vault-0
pod in namespace secret-infra
to be ready via jx secret vault wait command:
jx secret vault wait
Now your vault can be used.
Using Vault
To be able to import, export or edit secrets from your laptop you need to make sure you are running the jx secret vault portforward command to port forward the 8200 port on your laptop to the vault service:
jx secret vault portforward
This will allow the jx 3.x binary to access the Vault REST API.
You can now follow the instructions to edit secrets or import secrets.
Using the vault web UI
Once you are running the jx secret vault portforward
command described above you can access the vault web UI at https://localhost:8200
Using the vault CLI directly
Someday we might have a nice jx secret vault shell command to automate all of this but until then…
Download the vault CLI binary and add it to your $PATH
.
You can now setup a shell to access vault as follows:
export VAULT_TOKEN=$(kubectl get secrets vault-unseal-keys -n secret-infra -o jsonpath={.data.vault-root} | base64 --decode)
# Tell the CLI that the Vault Cert is signed by a custom CA
kubectl get secret vault-tls -n secret-infra -o jsonpath="{.data.ca\.crt}" | base64 --decode > $PWD/vault-ca.crt
export VAULT_CACERT=$PWD/vault-ca.crt
# Tell the CLI where Vault is listening (the certificate has 127.0.0.1 as well as alternate names)
export VAULT_ADDR=https://127.0.0.1:8200
# Now we can use the vault CLI to list/read/write secrets...
# List all the current secrets
vault kv list secret
# Lets store a secret
vault kv put secret/mything foo=bar whatnot=cheese
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.