
Integrating Vault into a Helm chart

Create a Vault template file in the chart's templates folder; the sample below can be saved as _vault.tpl. It defines four named templates that are included as pod annotations for the Vault Agent Injector. The paths.yaml template carries no Vault data itself (its secret annotation points at auth/token/lookup-self only because the injector requires a secret annotation for every template); it just records the KV v2 path, which the variables template then reads with secret and turns into export lines.

{{- /* Vault Agent Injector annotations. The role name must match the Kubernetes
       auth role created in Vault: <team>-<appName>-<environment>. */ -}}
{{- define "sync.vaultAgentRoleName" -}}
vault.hashicorp.com/role: "{{ .Values.team }}-{{ .Values.appName }}-{{ .Values.environment }}"
{{- end -}}

{{- /* Enable injection and pin the agent image and its resource limits. */ -}}
{{- define "sync.vaultAgentBasics" -}}
vault.hashicorp.com/agent-image: "vault:1.5.4"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-limits-cpu: "500m"
vault.hashicorp.com/agent-limits-mem: "128Mi"
vault.hashicorp.com/agent-requests-cpu: "250m"
vault.hashicorp.com/agent-requests-mem: "64Mi"
{{- end -}}

{{- /* Run the agent as an init container only: secrets are rendered once
       before the app starts and no sidecar keeps them refreshed. */ -}}
{{- define "commons.vaultPrePopulateOnly" -}}
vault.hashicorp.com/agent-pre-populate-only: "true"
{{- end -}}

{{- /* Two injected files: /vault/secrets/paths.yaml (rendered by Helm, holds
       the KV v2 API path) and /vault/secrets/variables (rendered by the agent,
       one "export KEY=VALUE" line per key in the secret). The variables
       template is wrapped in {{` ... `}} so Helm leaves its actions for the
       agent's consul-template engine. */ -}}
{{- define "sync.vaultAgentSecretsLoad" -}}
vault.hashicorp.com/agent-inject-secret-paths.yaml: "auth/token/lookup-self"
vault.hashicorp.com/agent-inject-template-paths.yaml: |
  app:
    envs: "kv/data/{{ .Values.team }}/{{ .Values.environment }}/{{ .Values.appName }}"
vault.hashicorp.com/agent-inject-secret-variables: "auth/token/lookup-self"
vault.hashicorp.com/agent-inject-template-variables: |
  {{` {{- /* Read Key-Value Secret Data */ -}}
  {{- define "tpl.config" -}}
  {{- with secret . -}}
  {{ range $key, $val := .Data.data }}
  {{- /* The value is inserted unescaped; a value containing ", $ or a backtick
         is interpreted by the shell when this file is sourced. */ -}}
  export {{ $key }}="{{ $val }}"
  {{- end -}}
  {{- end -}}
  {{- end -}}

  {{- /* MAIN CONFIGURATION: read the KV path from paths.yaml and render it */ -}}
  {{- with file "/vault/secrets/paths.yaml" | parseYAML -}}
  {{- $config := .app -}}
  {{ executeTemplate "tpl.config" $config.envs }}
  {{- end -}}`}}
{{- end -}}

Add the annotations to the pod template of your StatefulSet (nindent 8 assumes the spec/template/metadata/annotations nesting shown), and change the container command so the rendered secrets file is sourced before the application starts:

spec:
  template:
    metadata:
      annotations:
        {{- include "sync.vaultAgentBasics" . | nindent 8 }}
        {{- include "commons.vaultPrePopulateOnly" . | nindent 8 }}
        {{- include "sync.vaultAgentSecretsLoad" . | nindent 8 }}
        {{- include "sync.vaultAgentRoleName" . | nindent 8 }}

----------

          # in the application container of the same pod spec:
          command: ["/bin/bash"]
          args: ["-c", "source /vault/secrets/variables; /bin/bash /docker-entrypoint.sh; python web2py.py -a ua123 -i 0.0.0.0 -p 8001"]

Because agent-pre-populate-only is set, the files under /vault/secrets are written once by the init container and never refreshed; that matches sourcing them at startup, but a secret rotated in Vault only reaches the application after a pod restart. Note also that -a ua123 is the web2py admin password: passed as a container argument it ends up in the rendered manifest and in the process list, so it is a candidate for the same Vault path rather than the chart.
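The variables file rendered by tpl.config is sourced verbatim by the container command, so a secret value containing a double quote, $ or a backtick is interpreted by bash instead of being assigned. The script below is an added example and not part of the original page or the chart: it renders one export line both the way the template does and with single-quote escaping, sources each in a subshell as the container would, and compares what the application ends up seeing. The secret values are constructed for the demo, and the replaceAll expression in the comments is the consul-template counterpart of the sed substitution, stated as an assumption about the agent's template functions.

```shell
#!/bin/sh
# Added example, not code from the original page or chart.
# Shows what the container's `source /vault/secrets/variables` does with a
# line rendered by the page's template (export KEY="VAL", value unescaped)
# versus a single-quoted line, using constructed secret values.
set -u

# Page-style rendering: value pasted verbatim inside double quotes, so $,
# backticks and " are still interpreted by bash when the file is sourced.
render_page_style() {
    printf 'export %s="%s"\n' "$1" "$2"
}

# Turn a value into a safe single-quoted shell literal: every embedded '
# becomes '\'' ; nothing else is special inside single quotes.
shell_quote() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# Hardened rendering. The corresponding agent template line would be
# (assumption: replaceAll is available in the agent's template functions):
#   export {{ $key }}='{{ $val | replaceAll "'" "'\\''" }}'
render_safe() {
    printf "export %s='%s'\n" "$1" "$(shell_quote "$2")"
}

# Render KEY=VAL with the given renderer into a temp file; prints its path.
render_to_file() {
    f=$(mktemp)
    "$1" "$2" "$3" > "$f"
    printf '%s' "$f"
}

# Source the file in a subshell (as the container command would) and print
# the value the application ends up seeing for variable $1.
value_after_source() {
    ( . "$2" && eval "printf '%s' \"\${$1}\"" )
}

# Constructed secrets: one with $$ and an embedded command, one with a quote.
DEMO_VAL='pa$$word"; echo injected >&2; echo "'
DEMO_VAL2="o'reilly"

demo() {
    for v in "$DEMO_VAL" "$DEMO_VAL2"; do
        page=$(render_to_file render_page_style DB_PASSWORD "$v")
        safe=$(render_to_file render_safe DB_PASSWORD "$v")
        printf 'intended      : %s\n' "$v"
        printf 'page-style    : %s\n' "$(value_after_source DB_PASSWORD "$page" 2>&1)"
        printf 'single-quoted : %s\n' "$(value_after_source DB_PASSWORD "$safe")"
        rm -f "$page" "$safe"
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh quoting-demo.sh demo`: for the first value the page-style file both runs the embedded echo and assigns pa<pid>word (the $$ expanded to the shell's PID), while the single-quoted file assigns the secret exactly. Single quotes are the only quoting under which sourcing a file is safe for arbitrary values; an alternative that avoids the shell entirely is to have the agent render a plain KEY=VALUE file and have the application read it.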

Add the following parameters to your values file. Together they determine both the Vault role name (<team>-<appName>-<environment>) and the KV path (kv/<team>/<environment>/<appName>), so keep them in step with what you create in Vault:

appName: sync
environment: "dev"
team: "sms"

Now log in to the Vault UI at https://vault.dev.unifonic.com

Create your secrets at the path defined in the template, kv/<team>/<environment>/<appName> (kv/sms/dev/sync with the values above). The data/ segment that appears in the template is the KV v2 API path; it is not typed in the UI or on the CLI.

Then create a policy for the newly created secret. For KV v2 the policy path is kv/data/<team>/<environment>/<appName>; grant read on that one path only. The auth/token/lookup-self call used by the placeholder annotations is already permitted by Vault's default policy, so nothing else is needed.

Create a Kubernetes auth role that attaches the policy. Its name must match the syntax in the template file, <team>-<appName>-<environment> (sms-sync-dev here), and it must be bound to the namespace and service account the StatefulSet pods run as; otherwise the agent init container cannot log in and the pod never gets past its init containers.

Access > Kubernetes > view configurations > roles > create role

Finally, run helm upgrade for your release to deploy the changes.
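The UI steps above have a CLI equivalent, which also makes the naming dependencies explicit: the role name must equal what sync.vaultAgentRoleName renders, the policy must reference the KV v2 API path (with data/) while the CLI and UI use the path without it, and the role must be bound to the pod's service account. The script below is an added example and not part of the page or the chart; the KV mount kv, the auth mount auth/kubernetes, the service account sync and the namespace sms are assumptions, as are the sample secret values in the usage note.

```shell
#!/bin/sh
# Added example, not code from the original page or chart: Vault CLI
# equivalent of the UI steps, derived from the same three chart values.
# Assumptions: KV v2 mounted at "kv", Kubernetes auth mounted at
# "auth/kubernetes", pods run as service account "sync" in namespace "sms".
set -u

TEAM=sms
APP=sync
ENV_NAME=dev
SA_NAME=sync          # assumption: pod service account
SA_NAMESPACE=sms      # assumption: pod namespace

# Must equal the annotation rendered by sync.vaultAgentRoleName:
# "<team>-<appName>-<environment>".
role_name() { printf '%s-%s-%s' "$TEAM" "$APP" "$ENV_NAME"; }

# Path as typed on the CLI or in the UI (no "data/" segment) ...
kv_cli_path() { printf 'kv/%s/%s/%s' "$TEAM" "$ENV_NAME" "$APP"; }

# ... and the KV v2 API path that the agent template and the policy use.
kv_api_path() { printf 'kv/data/%s/%s/%s' "$TEAM" "$ENV_NAME" "$APP"; }

# Least-privilege policy: read on the one secret path only.
# auth/token/lookup-self (the placeholder secret for paths.yaml) is already
# granted by Vault's default policy.
policy_hcl() {
    cat <<EOF
path "$(kv_api_path)" {
  capabilities = ["read"]
}
EOF
}

# Idempotent setup; secret values are passed as KEY=VALUE arguments.
configure_vault() {
    vault kv put "$(kv_cli_path)" "$@"
    policy_hcl | vault policy write "$(role_name)" -
    vault write "auth/kubernetes/role/$(role_name)" \
        bound_service_account_names="$SA_NAME" \
        bound_service_account_namespaces="$SA_NAMESPACE" \
        policies="$(role_name)" \
        token_ttl=1h
    # Read back what the agent template will see under .Data.data.
    vault kv get "$(kv_cli_path)"
}

if [ "${1:-}" = apply ]; then
    shift
    command -v vault >/dev/null 2>&1 || { echo "vault CLI not found" >&2; exit 1; }
    : "${VAULT_ADDR:?set VAULT_ADDR, e.g. https://vault.dev.unifonic.com}"
    configure_vault "$@"
fi
```

Usage (with a logged-in vault CLI): `VAULT_ADDR=https://vault.dev.unifonic.com sh vault-setup.sh apply DB_PASSWORD=example DB_USER=sync`, where the KEY=VALUE pairs are constructed examples. Each key becomes one export line in /vault/secrets/variables, so use names that are valid shell identifiers.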

To verify, exec into the application container (kubectl exec; there is no ssh into a pod) and run the command below. The file holds the secrets in plaintext, so read it in a terminal only and do not paste its contents into tickets or logs:

cat /vault/secrets/variables
