Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose TLS endpoint to communicate with Hashicorp Vault #1338

Closed
erzetpe opened this issue Jun 4, 2020 · 1 comment · Fixed by #1353 or #1393
Closed

Expose TLS endpoint to communicate with Hashicorp Vault #1338

erzetpe opened this issue Jun 4, 2020 · 1 comment · Fixed by #1353 or #1393
Assignees
@sk4zuzu @ar3ndt
Labels
area/security area/vault
Milestone
Hashicorp Vault

Comments

@erzetpe
Copy link
Contributor

erzetpe commented Jun 4, 2020
edited
Loading

We want to expose TLS endpoint with usage of provided and generation of self-signed certificate according this to Hashicorp Vault tcp configuration documentation:
https://www.vaultproject.io/docs/configuration/listener/tcp

e.g.:
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/path/to/fullchain.pem"
tls_key_file = "/path/to/privkey.pem"
tls_disable = false
}

Parameters in configuration file should allow to work with existing previous non-TLS configuration. TLS support for version 1.2.
@erzetpe erzetpe added this to the Hashicorp Vault milestone Jun 4, 2020
@ar3ndt ar3ndt self-assigned this Jun 8, 2020
@erzetpe erzetpe linked a pull request Jun 22, 2020 that will close this issue
Vault MVP #1353
Merged
@erzetpe erzetpe reopened this Jun 29, 2020
@erzetpe erzetpe linked a pull request Jun 29, 2020 that will close this issue
Feature/vault documentation #1393
Merged
@erzetpe
Copy link
Contributor Author

erzetpe commented Jun 30, 2020
edited
Loading

Test scenario:

  1. Build new cluster from scratch with turned on TLS
  2. Login to Vault using root token from /opt/vault/init.txt:
vault login
  1. Add secret to path secret/devwebapp/config:
vault kv put secret/devwebapp/config username='giraffe' password='salsa'
  1. Apply test deployment created base on busybox:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: devwebapp
  labels:
    app: devwebapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: devwebapp
  template:
    metadata:
      labels:
        app: devwebapp
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "devweb-app"
        vault.hashicorp.com/agent-inject-secret-credentials.txt: "secret/data/devwebapp/config"
        vault.hashicorp.com/tls-skip-verify: "true"
    spec:
      serviceAccountName: internal-app
      containers:
      - name: app
        image: busybox
        command:
        - sleep
        - "3600"
        imagePullPolicy: IfNotPresent
  1. Check if init container has finished it's work with command:
kubectl logs -f $(kubectl get pods | grep devwebapp | awk '{ print $1 }') -c vault-agent-init

and look for output similar to the one below:

2020/06/25 09:24:49.417623 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/credentials.txt"
2020/06/25 09:24:49.417657 [INFO] (runner) stopping
2020-06-25T09:24:49.417Z [INFO]  template.server: template server stopped
2020/06/25 09:24:49.417729 [INFO] (runner) received finish
  1. Check existence of file /vault/secrets/credentials.txt in container with command:
kubectl exec -ti $(kubectl get pods | grep devwebapp | awk '{ print $1 }') -c app -- cat /vault/secrets/credentials.txt

@przemyslavic przemyslavic mentioned this issue Aug 20, 2020
Closed
This was referenced Oct 7, 2020
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sk4zuzu sk4zuzu

@ar3ndt ar3ndt

Labels
area/security area/vault
Projects
None yet
Milestone
Hashicorp Vault
Development

Successfully merging a pull request may close this issue.

Vault MVP hitachienergy/epiphany
Feature/vault documentation erzetpe/epiphany
3 participants
@erzetpe @sk4zuzu @ar3ndt