Enabling encryption with Kubernetes authentication using HashiCorp Vault (manual part)

Configure Kubernetes authentication settings in the Vault server

Procedure

  1. Get the VAULT_SA_SECRET_NAME in OpenShift® Container Platform:
    1. For OpenShift Container Platform 4.10, identify the token secret associated with the service account (SA) created previously:
      VAULT_SA_SECRET_NAME=$(oc -n openshift-storage get sa odf-vault-auth -o jsonpath="{.secrets[*]['name']}" | grep -o "[^[:space:]]*-token-[^[:space:]]*")
      
      Example output:
      
      [root@fu40 ~]# echo $VAULT_SA_SECRET_NAME
      odf-vault-auth-token-8kb2r
      
    2. For OpenShift Container Platform 4.12, set `VAULT_SA_SECRET_NAME` to the fixed name of the token secret:
      VAULT_SA_SECRET_NAME=odf-vault-auth-token
  2. Get the parameters from OpenShift Container Platform cluster.
    1. Get SA_JWT_TOKEN from the secret.
      SA_JWT_TOKEN=$(oc -n openshift-storage get secret "$VAULT_SA_SECRET_NAME" -o jsonpath="{.data.token}" | base64 --decode; echo)
      
    2. Get SA_CA_CRT from the secret.
      SA_CA_CRT=$(oc -n openshift-storage get secret "$VAULT_SA_SECRET_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)
      
    3. Retrieve the OpenShift Container Platform cluster endpoint OCP_HOST.
      OCP_HOST=$(oc config view --minify --flatten -o jsonpath="{.clusters[0].cluster.server}")
      
    4. Fetch the service account issuer. The proxy exposes the API server's OpenID discovery document; the issuer value must match the `iss` claim of the service account tokens that Vault validates later, so fetch it from the same cluster that the tokens come from.
      oc proxy &
      proxy_pid=$!
      issuer="$( curl --silent http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)"
      kill $proxy_pid
      Example output:
      # oc proxy &
      # proxy_pid=$!
      # issuer="$( curl --silent http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)"
      # echo $issuer
      https://kubernetes.default.svc
      # kill $proxy_pid
  3. Apply the settings in the vault server.
    1. Use the information collected in the previous section to set up the Kubernetes authentication method in the Vault server. Vault uses `token_reviewer_jwt` to call the OpenShift TokenReview API every time a client logs in, so this service account token is a long-lived credential: protect it as carefully as the Vault tokens it issues.
      vault auth enable kubernetes
      vault write auth/kubernetes/config \
                token_reviewer_jwt="$SA_JWT_TOKEN" \
                kubernetes_host="$OCP_HOST" \
                kubernetes_ca_cert="$SA_CA_CRT" \
                issuer="$issuer"
      Example output:
      # vault write auth/kubernetes/config \
      >           token_reviewer_jwt="$SA_JWT_TOKEN" \
      >           kubernetes_host="$OCP_HOST" \
      >           kubernetes_ca_cert="$SA_CA_CRT" \
      >           issuer="$issuer"
      Success! Data written to: auth/kubernetes/config
    2. Enable a Key/Value (KV) secrets engine, version 2, in Vault. Use a unique path name as the backend path. Do not change the name later, and make sure that it matches the Backend Path value that you enter in the user interface.
      vault secrets enable -path=<replace-with-the-backend-path> kv-v2
      This example uses the backend path odf:
      vault secrets enable -path=odf kv-v2
    3. Create a policy that scopes the tokens Vault issues to the backend path. The policy grants create, read, update, delete, and list on secrets under the backend path, plus read-only access to sys/mounts, which clients need to detect the KV engine version; it grants nothing else. The path in the policy must match the backend path that you enabled.
      echo '
      path "odf/*" {
        capabilities = ["create", "read", "update", "delete", "list"]
      }
      path "sys/mounts" {
        capabilities = ["read"]
      }' | vault policy write odf -
    4. Generate the odf-rook-ceph-op role using the following commands.
      vault write auth/kubernetes/role/odf-rook-ceph-op \
              bound_service_account_names=rook-ceph-system,rook-ceph-osd,noobaa \
              bound_service_account_namespaces=openshift-storage \
              policies=odf \
              ttl=1440h
      Example output:
      #     vault write auth/kubernetes/role/odf-rook-ceph-op \
      >             bound_service_account_names=rook-ceph-system,rook-ceph-osd,noobaa \
      >             bound_service_account_namespaces=openshift-storage \
      >             policies=odf \
      >             ttl=1440h
      Success! Data written to: auth/kubernetes/role/odf-rook-ceph-op
      The role name odf-rook-ceph-op is the value that you enter in the Role field when you configure the KMS connection details in the IBM Storage Fusion user interface. The bound_service_account_names and bound_service_account_namespaces settings are what limit which OpenShift workloads can log in with this role, so keep them as narrow as shown; ttl=1440h gives each login token a 60-day lifetime.
    5. Generate the odf-rook-ceph-osd role using the following commands.
      vault write auth/kubernetes/role/odf-rook-ceph-osd \
              bound_service_account_names=rook-ceph-osd \
              bound_service_account_namespaces=openshift-storage \
              policies=odf \
              ttl=1440h
      Example output:
      #  vault write auth/kubernetes/role/odf-rook-ceph-osd \
      >         bound_service_account_names=rook-ceph-osd \
      >         bound_service_account_namespaces=openshift-storage \
      >         policies=odf \
      >         ttl=1440h
      Success! Data written to: auth/kubernetes/role/odf-rook-ceph-osd
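      The following script is an added pre-flight check for the procedure above; it is not part of the IBM Storage Fusion or HashiCorp Vault documentation. Before the `vault write auth/kubernetes/config` and `vault policy write` steps, it decodes the service account token that was read into SA_JWT_TOKEN, confirms that its `iss` claim equals the issuer fetched from the API server and that its `sub` claim names the expected service account (openshift-storage/odf-vault-auth), and renders the policy from the backend path so the policy and the `vault secrets enable -path=...` step cannot drift apart. It only inspects claims; signature verification is Vault's job through the TokenReview API and is deliberately not attempted. The function names, the preflight arguments, and the sample token are assumptions made for this example; the sample token is constructed with a placeholder signature and fails verification anywhere real.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the Vault Kubernetes auth procedure above.
# Added example, not part of the IBM Storage Fusion or Vault documentation.
# Claims are inspected without signature verification; Vault verifies the
# signature itself through the TokenReview API at login time.

b64url() {
  # base64url-encode stdin without padding (used only to build the sample token).
  base64 | tr -d '\n=' | tr '/+' '_-'
}

b64url_decode() {
  # Decode one base64url segment: restore the standard alphabet and the padding.
  local seg
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

jwt_claim() {
  # $1 = JWT, $2 = claim name. Prints the string value of a top-level claim.
  # Minimal extractor for the compact JSON that kube-apiserver emits; use jq
  # (as the procedure itself does) for anything beyond flat string claims.
  local payload
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)")
  printf '%s' "$payload" | grep -o "\"$2\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

check_issuer() {
  # $1 = JWT, $2 = issuer from /.well-known/openid-configuration.
  # A mismatch means the token and the issuer come from different clusters,
  # and logins against this config would fail.
  [ "$(jwt_claim "$1" iss)" = "$2" ]
}

check_subject() {
  # $1 = JWT, $2 = expected namespace, $3 = expected service account name.
  [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

render_policy() {
  # $1 = KV backend path. Emits the policy from the procedure, parameterised on
  # the path, so it always matches the path given to `vault secrets enable`.
  cat <<EOF
path "$1/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts" {
  capabilities = ["read"]
}
EOF
}

preflight() {
  # $1 = JWT, $2 = issuer, $3 = namespace, $4 = SA name, $5 = backend path.
  # Returns non-zero with a reason on stderr if the inputs are inconsistent;
  # on success prints the policy, ready to pipe into `vault policy write <name> -`.
  check_issuer "$1" "$2" || { echo "iss claim '$(jwt_claim "$1" iss)' does not match issuer '$2'" >&2; return 1; }
  check_subject "$1" "$3" "$4" || { echo "token subject '$(jwt_claim "$1" sub)' is not $3/$4" >&2; return 1; }
  render_policy "$5"
}

sample_token() {
  # Constructed service account token for offline use (assumption, not a real
  # token): the claims mirror what the odf-vault-auth token carries, but the
  # signature segment is a placeholder, so it fails verification anywhere real.
  local header payload
  header=$(printf '%s' '{"alg":"RS256","kid":"example"}' | b64url)
  payload=$(printf '%s' '{"iss":"https://kubernetes.default.svc","kubernetes.io/serviceaccount/namespace":"openshift-storage","kubernetes.io/serviceaccount/service-account.name":"odf-vault-auth","sub":"system:serviceaccount:openshift-storage:odf-vault-auth"}' | b64url)
  printf '%s.%s.%s' "$header" "$payload" "placeholder-signature"
}

# Run against the variables from the procedure when they are set in the
# environment, otherwise against the constructed sample token.
if [ -n "${SA_JWT_TOKEN:-}" ] && [ -n "${issuer:-}" ]; then
  preflight "$SA_JWT_TOKEN" "$issuer" openshift-storage odf-vault-auth odf
else
  preflight "$(sample_token)" https://kubernetes.default.svc openshift-storage odf-vault-auth odf
fi
```

      Run it in the shell where SA_JWT_TOKEN and issuer were set, after exporting both; a non-zero exit with "does not match issuer" means the token was read from one cluster and the issuer fetched from another, which is the usual cause of Vault rejecting every login against an otherwise correct config. Vault 1.9 and later treat the issuer parameter as deprecated and skip issuer validation by default, but the check is still worth running because the mismatch it catches is a token from the wrong cluster. After the writes, `vault read auth/kubernetes/config` and `vault read auth/kubernetes/role/odf-rook-ceph-op` show what Vault stored, so you can confirm the host, CA, bound service accounts, and TTL before configuring the KMS connection in the user interface.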