
Vault

These are some quick notes I took on how to set up a simple Vault for use with heqet. For more detailed documentation on how to configure Vault, check out the official Vault docs.

Note: Most of these commands can be run either with the vault CLI on your local machine or from inside the vault pod itself.

Init Vault using GPG

Copy GPG Public Key

cat > nold.pub << EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBGBXTjkBCAC7qZU1cz7RWYbAb838ypRLJZKLWfVBvry4XYwWPN0Rcj55dPN+
...
5of4H66FzNwJxYrunmM5KTeUxZiLPC1JoKMF5uvKoo59TD0IuAPq735QDjWbS4vb
dMtSqTCinZSd
=wuZw
-----END PGP PUBLIC KEY BLOCK-----
EOF

Init Vault

vault operator init -key-shares=1 -key-threshold=1 -pgp-keys="nold.pub"

Save the unseal key somewhere safe, e.g. KeePass.

Decode Unseal Key

# The unseal key printed by `vault operator init` is base64-encoded ciphertext for the PGP key above.
# (A shell variable name cannot contain '-', so store it as UNSEAL_KEY.)
echo "$UNSEAL_KEY" | base64 -d | gpg -dq

Unseal Vault

vault operator unseal

Enable Kubernetes Auth

vault auth enable kubernetes

vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
    disable_iss_validation=true

Create Secret Store

vault secrets enable -path=heqet kv-v2

Add Secrets-Operator Role & Policy

Create Policy

vault policy write heqet-app - << EOF
path "heqet/+/*" {
  capabilities = ["read"]
}
EOF

Add Auth Role

vault write auth/kubernetes/role/heqet-app \
  bound_service_account_names=vault-secrets-operator \
  bound_service_account_namespaces=vault-secrets-operator \
  policies=heqet-app \
  ttl=6h

Add Secrets

Remember, Secret path: heqet/<APP-NAME>/<SECRET-NAME>

vault kv put heqet/argocd/argocd-secret admin.password='$2y$12$FP8OlsVj5pOOqRAhI4XPoev1STaW01uUEZGcNPQtVZmpacebNhj9i' server.secretkey="pDYAWK2mHa68GwwVPAsQOsG/SUT8iIo3S3FXYUWf2qM="
vault kv put heqet/loki-stack/loki-stack-grafana admin-user=admin admin-password='grafana'
vault kv put heqet/pihole/pihole-admin password=pihole
vault kv put heqet/minio/minio-secret secret-key=secret access-key=access

Vault-Issuer Cert-Manager via Kubernetes Service Account

We assume you have already set up a root PKI and an intermediate PKI (mounted at pki_int). You will need a PKI role and a policy that allow the vault-issuer Vault role to create new certs.

And a role (dc is my local domain):

vault write pki_int/roles/dc \
    allowed_domains=dc \
    allow_subdomains=true \
    require_cn=false \
    max_ttl=72h

Policy:

vault policy write pki_int - <<EOF
path "pki_int*" { capabilities = ["read", "list"] }
path "pki_int/roles/dc"   { capabilities = ["create", "update"] }
path "pki_int/sign/dc"    { capabilities = ["create", "update"] }
path "pki_int/issue/dc"   { capabilities = ["create"] }
EOF
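To check what the two policies above (heqet-app and pki_int) actually grant before binding them to a Kubernetes auth role, here is an added example, not part of the original notes or of Vault itself, that models Vault's policy path matching: `+` matches exactly one path segment, a trailing `*` matches any suffix, and the single highest-priority matching rule (exact path over wildcard, longer literal prefix over shorter) decides the capabilities. It also shows why `heqet/+/*` works for a kv-v2 mount: `vault kv get heqet/argocd/argocd-secret` really reads `heqet/data/argocd/argocd-secret`, and the `+` absorbs the `data` segment. The policy parser only understands the simple `path "..." { capabilities = [...] }` stanzas used on this page; everything else is a simplification of the real engine.

```python
import re

# Policies copied verbatim from the notes above.
HEQET_APP_POLICY = '''
path "heqet/+/*" {
  capabilities = ["read"]
}
'''

PKI_INT_POLICY = '''
path "pki_int*" { capabilities = ["read", "list"] }
path "pki_int/roles/dc"   { capabilities = ["create", "update"] }
path "pki_int/sign/dc"    { capabilities = ["create", "update"] }
path "pki_int/issue/dc"   { capabilities = ["create"] }
'''

# Only the `path "..." { capabilities = [...] }` form is parsed (not full HCL).
_RULE_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)


def parse_policy(hcl):
    """Return a list of (path_pattern, frozenset(capabilities)) from a policy document."""
    rules = []
    for m in _RULE_RE.finditer(hcl):
        caps = frozenset(
            c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()
        )
        rules.append((m.group("path"), caps))
    return rules


def _pattern_to_regex(pattern):
    """Vault path pattern -> regex: '+' is one segment, trailing '*' is any suffix.

    Note that '*' is a plain prefix glob: "pki_int*" also covers "pki_internal/...".
    """
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    parts = [r"[^/]+" if seg == "+" else re.escape(seg) for seg in pattern.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def _priority(pattern):
    """Exact paths beat wildcard paths; among wildcard paths, a later first
    wildcard (longer literal prefix) wins. Simplified from Vault's priority rules."""
    first_wild = min(
        (i for i, ch in enumerate(pattern) if ch in "+*"), default=len(pattern) + 1
    )
    return (first_wild, len(pattern))


def capabilities_for(rules, request_path):
    """Capabilities granted on request_path by the single best-matching rule.

    Capabilities are NOT unioned across rules: an exact rule shadows a glob rule.
    """
    matching = [(p, c) for p, c in rules if _pattern_to_regex(p).match(request_path)]
    if not matching:
        return frozenset()
    _, caps = max(matching, key=lambda r: _priority(r[0]))
    return caps


def is_allowed(rules, request_path, capability):
    return capability in capabilities_for(rules, request_path)


def kv2_data_path(mount, app, secret):
    """API path that `vault kv get <mount>/<app>/<secret>` reads on a kv-v2 mount."""
    return f"{mount}/data/{app}/{secret}"


if __name__ == "__main__":
    app_rules = parse_policy(HEQET_APP_POLICY)
    pki_rules = parse_policy(PKI_INT_POLICY)
    checks = [
        (app_rules, kv2_data_path("heqet", "argocd", "argocd-secret")),
        (app_rules, "heqet/metadata/argocd/argocd-secret"),
        (app_rules, "secret/data/other-app"),
        (pki_rules, "pki_int/issue/dc"),        # exact rule: create only, no read/list
        (pki_rules, "pki_int/issue/other-role"),  # only the glob matches: cannot issue
        (pki_rules, "pki_internal/config"),       # prefix glob leaks into sibling mounts
    ]
    for rules, path in checks:
        print(f"{path:45} {sorted(capabilities_for(rules, path)) or 'DENY'}")
```

The last two checks are the ones worth looking at: `pki_int/issue/other-role` gets only read/list, so the policy cannot issue with any role except dc, while `pki_int*` (no slash before the star) also matches any other mount whose name starts with `pki_int`; write it as `pki_int/*` if that is not intended. For the authoritative answer, log in with the role's token and run `vault token capabilities <path>` against the real server.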

Authorize Service Account

vault write auth/kubernetes/role/vault-issuer \
  bound_service_account_names=vault-issuer \
  bound_service_account_namespaces=cert-manager \
  policies=pki_int \
  ttl=6h