Enabling encryption with the Kubernetes authentication using HashiCorp Vault (manual part)
Configure Kubernetes settings in vault server
Procedure
- Get the VAULT_SA_SECRET_NAME in OpenShift® Container Platform:
  - For OpenShift Container Platform 4.10, identify the token secret name associated with the serviceaccount (SA) created previously:
    VAULT_SA_SECRET_NAME=$(oc -n openshift-storage get sa odf-vault-auth -o jsonpath="{.secrets[*]['name']}" | grep -o "[^[:space:]]*-token-[^[:space:]]*")
    Example output:
    [root@fu40 ~]# echo $VAULT_SA_SECRET_NAME
    odf-vault-auth-token-8kb2r
  - For OpenShift Container Platform 4.12, service account token secrets are no longer generated automatically, so assign the fixed name of the token secret created previously to VAULT_SA_SECRET_NAME:
    VAULT_SA_SECRET_NAME=odf-vault-auth-token
- Get the parameters from the OpenShift Container Platform cluster.
  - Get SA_JWT_TOKEN from the secret:
    SA_JWT_TOKEN=$(oc -n openshift-storage get secret "$VAULT_SA_SECRET_NAME" -o jsonpath="{.data.token}" | base64 --decode; echo)
  - Get SA_CA_CRT from the secret:
    SA_CA_CRT=$(oc -n openshift-storage get secret "$VAULT_SA_SECRET_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)
  - Retrieve the OpenShift Container Platform cluster endpoint OCP_HOST:
    OCP_HOST=$(oc config view --minify --flatten -o jsonpath="{.clusters[0].cluster.server}")
  - Fetch the service account issuer. The commands start a local API proxy, read the issuer from the cluster's OpenID configuration, and stop the proxy. If curl runs before the proxy is listening, issuer is empty, so confirm it is set before continuing:
    oc proxy &
    proxy_pid=$!
    issuer="$(curl --silent http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)"
    kill $proxy_pid
    Example output:
    # oc proxy &
    # proxy_pid=$!
    # issuer="$(curl --silent http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)"
    # echo $issuer
    https://kubernetes.default.svc
    # kill $proxy_pid
- Apply the settings in the vault server.
  - Use the information collected in the previous steps to set up the Kubernetes authentication method in the vault server. Vault presents token_reviewer_jwt to the Kubernetes TokenReview API to validate client tokens at login, so protect this token like any other Vault credential:
    vault auth enable kubernetes
    vault write auth/kubernetes/config \
      token_reviewer_jwt="$SA_JWT_TOKEN" \
      kubernetes_host="$OCP_HOST" \
      kubernetes_ca_cert="$SA_CA_CRT" \
      issuer="$issuer"
    Example output:
    # vault write auth/kubernetes/config \
    >   token_reviewer_jwt="$SA_JWT_TOKEN" \
    >   kubernetes_host="$OCP_HOST" \
    >   kubernetes_ca_cert="$SA_CA_CRT" \
    >   issuer="$issuer"
    Success! Data written to: auth/kubernetes/config
- Enable the Key/Value (KV) backend path in Vault. For the vault KV secret engine API, see version 2. Use a unique path name as the backend path. The name must not be changed afterwards, and it must match the value of the Backend Path input in the user interface:
    vault secrets enable -path=<replace-with-the-backend-path> kv-v2
  The examples in this procedure use the backend path odf:
    vault secrets enable -path=odf kv-v2
- Create a policy that limits what the Kubernetes-authenticated roles may do: create, read, update, delete and list under the odf/ backend path only, plus read-only access to sys/mounts. Write it with the following commands:
    echo '
    path "odf/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    path "sys/mounts" {
      capabilities = ["read"]
    }' | vault policy write odf -
- Generate the odf-rook-ceph-op role using the following commands:
    vault write auth/kubernetes/role/odf-rook-ceph-op \
      bound_service_account_names=rook-ceph-system,rook-ceph-osd,noobaa \
      bound_service_account_namespaces=openshift-storage \
      policies=odf \
      ttl=1440h
  Example output:
    # vault write auth/kubernetes/role/odf-rook-ceph-op \
    >   bound_service_account_names=rook-ceph-system,rook-ceph-osd,noobaa \
    >   bound_service_account_namespaces=openshift-storage \
    >   policies=odf \
    >   ttl=1440h
    Success! Data written to: auth/kubernetes/role/odf-rook-ceph-op
  The role odf-rook-ceph-op is the value entered in the Role field when you configure the KMS connection details in the IBM Storage Fusion user interface. The role is bound to the listed service accounts in the openshift-storage namespace only; a token from any other service account or namespace cannot log in with it.
- Generate the odf-rook-ceph-osd role using the following commands:
    vault write auth/kubernetes/role/odf-rook-ceph-osd \
      bound_service_account_names=rook-ceph-osd \
      bound_service_account_namespaces=openshift-storage \
      policies=odf \
      ttl=1440h
  Example output:
    # vault write auth/kubernetes/role/odf-rook-ceph-osd \
    >   bound_service_account_names=rook-ceph-osd \
    >   bound_service_account_namespaces=openshift-storage \
    >   policies=odf \
    >   ttl=1440h
    Success! Data written to: auth/kubernetes/role/odf-rook-ceph-osd
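The following script is an added example, not code from IBM Storage Fusion, OpenShift or HashiCorp Vault. It strings the steps above together and adds the checks a practitioner wants before writing to Vault: it picks the token secret name with the 4.10 grep logic and falls back to the fixed 4.12 name, verifies that the issuer discovered through oc proxy matches the iss claim inside SA_JWT_TOKEN (a mismatch makes Vault reject every login when issuer validation is enabled), waits for oc proxy to listen instead of racing it, and renders the policy from the backend path so the path is typed once. The function names, the sample_jwt helper (a constructed, unsigned token used only to exercise the checks offline) and the use of the backend path as the policy name, as in the page's odf example, are assumptions of this example. The live sequence runs only with --apply and assumes oc, vault, curl and jq are on PATH and that vault is already logged in.

```shell
#!/bin/sh
# Added example (not IBM Storage Fusion or Vault code). Pre-flight checks for the
# Kubernetes auth configuration, then the live sequence behind a --apply flag.
set -eu

VAULT_SA=odf-vault-auth
NS=openshift-storage
BACKEND_PATH=odf   # must match the Backend Path input in the UI; also used as policy name

# Pick the token secret from the names listed on the service account (OCP 4.10
# behaviour); fall back to the fixed name used on OCP 4.12 when none is listed.
pick_token_secret() {
    for name in $1; do
        case "$name" in *-token-*) printf '%s\n' "$name"; return 0 ;; esac
    done
    printf '%s\n' "${VAULT_SA}-token"
}

# Decode one base64url JWT segment, restoring the padding that JWT encoding strips.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
    printf '%s' "$s" | base64 -d
}

# Extract the iss claim of a JWT. sed rather than jq so the check runs anywhere;
# adequate for the compact JSON that Kubernetes emits (assumption of this example).
jwt_issuer() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" \
        | sed -n 's/.*"iss":"\([^"]*\)".*/\1/p'
}

# Constructed sample token (header.payload.signature shape, not signed) so the
# checks can be exercised without a cluster.
sample_jwt() {
    hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '=\n' | tr '+/' '-_')
    pl=$(printf '{"iss":"%s","sub":"system:serviceaccount:%s:%s"}' "$1" "$NS" "$VAULT_SA" \
        | base64 | tr -d '=\n' | tr '+/' '-_')
    printf '%s.%s.%s\n' "$hdr" "$pl" "c2ln"
}

# Returns 0 when the values about to be written to auth/kubernetes/config are
# consistent: a three-part JWT, a PEM CA, an https host, and an issuer equal to
# the token's own iss claim.
check_auth_inputs() {
    jwt=$1; ca=$2; host=$3; issuer=$4
    case "$jwt" in *.*.*) ;; *) echo "token is not a JWT" >&2; return 1 ;; esac
    case "$ca" in *"-----BEGIN CERTIFICATE-----"*) ;; *) echo "CA is not PEM" >&2; return 1 ;; esac
    case "$host" in https://*) ;; *) echo "host must be https" >&2; return 1 ;; esac
    [ "$(jwt_issuer "$jwt")" = "$issuer" ] || { echo "issuer mismatch: token iss differs from $issuer" >&2; return 1; }
}

# Render the policy from the backend path: full access under <path>/*, read on sys/mounts.
render_policy() {
    printf 'path "%s/*" {\n  capabilities = ["create", "read", "update", "delete", "list"]\n}\npath "sys/mounts" {\n  capabilities = ["read"]\n}\n' "$1"
}

# Live sequence: collect parameters, validate them, then write to Vault.
apply_vault_config() {
    secrets=$(oc -n "$NS" get sa "$VAULT_SA" -o jsonpath="{.secrets[*]['name']}")
    secret=$(pick_token_secret "$secrets")
    jwt=$(oc -n "$NS" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d)
    ca=$(oc -n "$NS" get secret "$secret" -o jsonpath="{.data['ca\.crt']}" | base64 -d)
    host=$(oc config view --minify --flatten -o jsonpath='{.clusters[0].cluster.server}')
    oc proxy >/dev/null 2>&1 & proxy_pid=$!
    issuer=""; n=0
    # oc proxy needs a moment to listen; retry instead of a single racy curl.
    while [ -z "$issuer" ] && [ $n -lt 20 ]; do
        sleep 1; n=$((n+1))
        issuer=$(curl -s http://127.0.0.1:8001/.well-known/openid-configuration | jq -r '.issuer // empty' 2>/dev/null || true)
    done
    kill "$proxy_pid"
    check_auth_inputs "$jwt" "$ca" "$host" "$issuer"
    vault auth enable kubernetes
    vault write auth/kubernetes/config token_reviewer_jwt="$jwt" \
        kubernetes_host="$host" kubernetes_ca_cert="$ca" issuer="$issuer"
    vault secrets enable -path="$BACKEND_PATH" kv-v2
    render_policy "$BACKEND_PATH" | vault policy write "$BACKEND_PATH" -
    vault write auth/kubernetes/role/odf-rook-ceph-op \
        bound_service_account_names=rook-ceph-system,rook-ceph-osd,noobaa \
        bound_service_account_namespaces="$NS" policies="$BACKEND_PATH" ttl=1440h
    vault write auth/kubernetes/role/odf-rook-ceph-osd \
        bound_service_account_names=rook-ceph-osd \
        bound_service_account_namespaces="$NS" policies="$BACKEND_PATH" ttl=1440h
}

if [ "${1:-}" = "--apply" ]; then apply_vault_config; fi
```

Run it without arguments to load the functions and try the checks against sample_jwt; run it with --apply against a cluster where oc and vault are already logged in. If check_auth_inputs reports an issuer mismatch, the issuer written to Vault must be the one the tokens actually carry, not the one that looks right.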