Vault

Using Vault for your Secret storage

Installing Vault

Internal vault (vault inside kubernetes cluster)

If you are using Terraform with one of the Cloud Providers then your Vault will be installed automatically via Terraform.

Otherwise please see the On-Premises Vault Install Guide

whichever apporoach take you should have:

Kubernetes External Secrets is installed to populate Secrets from vault
the vault operator is installed for operating vault
a vault instance is created in the jx-vault namespace

You can wait for the vault-0 pod in namespace jx-vault to be ready via jx secret vault wait command:

jx secret vault wait

External vault

External vault is only supported for jx versions greater than 3.2.203

Configure external vault to support kubernetes auth method. This step needs to be done before any jenkinsx related changes are made.

Set vault_url to the url of the external vault in the terraform module. Add vault_url to the main.tf file (replace https://external-vault.com with the actual vault url):

...
module "eks-jx" {
  source               = "jenkins-x/eks-jx/aws"
  ...
  vault_url            = "https://external-vault.com"
  ....
}
....

This will prevent the terraform module from creating any vault resources in the kubernetes cluster and the cloud (AWS/GCP/Azure) account.

Next, in the cluster git repository (the one generated from https://github.com/jx3-gitops-repositories/jx3-eks-vault ), modify the Makefile to add 2 extra environment variables (replace https://external-vault.com with the actual vault url):

VAULT_ADDR=http://external-vault.com
EXTERNAL_VAULT=true

and modify the secrets-populate target to

-VAULT_ADDR=$(VAULT_ADDR) EXTERNAL_VAULT=$(EXTERNAL_VAULT) VAULT_NAMESPACE=$(VAULT_NAMESPACE) jx secret populate --secret-namespace $(VAULT_NAMESPACE) --no-wait

Now your vault can be used.

Configuration

To indicate that Vault is being used as the storage engine for your Secrets you need to configure vault via secretStorage: vault in your jx-requirements.yml. Note that this is usually done automatically for Cloud providers and Terraform:

cluster:
  provider: gke
environments:
  - key: dev
  - key: staging
  - key: production
kaniko: true
secretStorage: vault
webhook: lighthouse

Using Vault

To be able to import, export or edit secrets from your laptop you need to make sure you are running the jx secret vault portforward command to port forward the 8200 port on your laptop to the vault service:

jx secret vault portforward

This will allow the jx 3.x binary to access the Vault REST API.

You can now follow the instructions to edit secrets or import secrets.

Using the vault web UI

Once you are running the jx secret vault portforward command described above you can access the vault web UI at https://localhost:8200

Using the vault CLI directly

Someday we might have a nice jx secret vault shell command to automate all of this but until then…

Download the vault CLI binary and add it to your $PATH.

You can now setup a shell to access vault as follows:

export VAULT_TOKEN=$(kubectl get secrets vault-unseal-keys  -n jx-vault -o jsonpath={.data.vault-root} | base64 --decode)

# Tell the CLI that the Vault Cert is signed by a custom CA
kubectl get secret vault-tls -n jx-vault -o jsonpath="{.data.ca\.crt}" | base64 --decode > $PWD/vault-ca.crt
export VAULT_CACERT=$PWD/vault-ca.crt

# Tell the CLI where Vault is listening (the certificate has 127.0.0.1 as well as alternate names)
export VAULT_ADDR=https://127.0.0.1:8200

# Now we can use the vault CLI to list/read/write secrets...

# List all the current secrets
vault kv list secret

# Lets store a secret
vault kv put secret/mything foo=bar whatnot=cheese

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified October 5, 2021: feat: add documentation around external vault (67014a757b)