Secret injection using vault

Shipa supports secret injection using HashiCorp vault

Shipa can inject secrets from HashiCorp Vault into your deployed applications. The annotations you place under the security.vault section of shipa.yaml are the standard Vault Agent Injector annotations: the injector adds a Vault Agent sidecar to the application's pods, the sidecar authenticates to Vault with the pod's Kubernetes service account token, and it writes the requested secrets to files under /vault/secrets inside the pod. The application never holds a Vault token itself; it only reads the rendered files.

Prerequisites

  • HashiCorp Vault version 1.5.4 or later must be installed in your Kubernetes cluster, together with the Vault Agent Injector.
  • The Kubernetes auth method must be enabled and configured in Vault so that pods can authenticate with their service account tokens.
  • Follow the HashiCorp Vault Agent Injector tutorial up to and including the step that creates the policy. Do not create the Kubernetes auth role yet: it is created below, because the role must be bound to the application's namespace and service account, which you only know after creating the application in Shipa.

📘

Refer to the HashiCorp documentation for details on setting up Vault as described in the prerequisites above.

We will use the go-sample app and its vault branch to walk you through injecting a database username and password into the app. The app expects the secret to be available at the Vault path internal/data/database/config, which is the KV v2 path created while setting up Vault in the HashiCorp tutorial.

Take a look at shipa.yaml: the Vault annotations live under the security field. The agent-inject-secret-config annotation names the secret to fetch, and the agent-inject-template-config annotation renders it into a PostgreSQL connection URL that the sidecar writes to /vault/secrets/config.

hooks:
    build:
        - 'sudo apt-get update'
security:
    vault:
        annotations:
            # annotation values must be strings, so "true" is quoted
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "internal-app"
            vault.hashicorp.com/agent-inject-secret-config: "internal/data/database/config"
            vault.hashicorp.com/agent-inject-template-config: |
                {{- with secret "internal/data/database/config" -}}
                    postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard
                {{- end -}}

Create application

Clone the go-sample app and switch to its vault branch

git clone git@github.com:shipa-corp/go-sample.git && cd go-sample && git checkout vault

Create the application in Shipa

shipa app create go-app -t shipa-admin-team -k shipa-framework

Get the application's service account and namespace. Run shipa app info -a go-app and look for the Namespace and Service Account fields in its output:

Application: go-app
Description:
Tags:
Dependency Files: app.yaml, app.yml, Procfile, shipa-ci.yml, shipa.yaml, shipa.yml, Gopkg.toml, Gopkg.lock, go.sum, go.mod
Teams: shipa-admin-team
Address: https://go-app.pandeys.me, http://go-app.34.82.208.251.shipa.cloud
Owner: [email protected]
Team owner: shipa-admin-team
Deploys: 2
Framework: shipa-framework
Quota: 1/10 units
Routing settings: 
   1 version => 1 weight

Namespace: shipa-system
Service Account: app-go-app
Internal DNS name: app-go-app.shipa-gke-pool.svc

Units [web]: 1
+---------+-------------------------------+---------+----------------+------+
| Version | Unit                          | Status  | Host           | Port |
+---------+-------------------------------+---------+----------------+------+
| 1       | go-app-web-584c558757-fbk6g   | started | 35.199.173.245 | 8888 |
+---------+-------------------------------+---------+----------------+------+

App Plan:
+------------+--------+------+-----------+---------+-------+
| Name       | Memory | Swap | Cpu Share | Default | Teams |
+------------+--------+------+-----------+---------+-------+
| shipa-plan | 0      | 0    | 100       | false   |       |
+------------+--------+------+-----------+---------+-------+

Ingress controllers:
+-------+-------+------+----------------------------------+--------+
| Name  | Type  | Opts | Address                          | Status |
+-------+-------+------+----------------------------------+--------+
|traefik|traefik|      | go-app.34.82.208.251.shipa.cloud |        |
+-------+-------+------+----------------------------------+--------+

Note down the Namespace (shipa-system) and the Service Account (app-go-app). The Vault role is bound to exactly this pair, which is what prevents pods in other namespaces, or pods using a different service account, from authenticating as internal-app and reading the secret.

Create or update the Vault role
This assumes you have already created the internal-app policy and stored the database secret in Vault as described in the Vault tutorial. The role maps the application's Kubernetes service account to that policy; keep bound_service_account_names and bound_service_account_namespaces as narrow as shown rather than using wildcards. After writing it you can read the role back with vault read auth/kubernetes/role/internal-app to confirm the bindings.

vault write auth/kubernetes/role/internal-app \
    bound_service_account_names=app-go-app \
    bound_service_account_namespaces=shipa-system \
    policies=internal-app \
    ttl=24h

Deploy the application

shipa app deploy -a go-app .

Get the URL of the deployed application

shipa app list

+---------------------+-----------+-----------------------------------------------------+
| Application         | Status    | Address                                             |
+---------------------+-----------+-----------------------------------------------------+
| dashboard           | 1 running | http://dashboard.35.185.230.9.shipa.cloud           |
+---------------------+-----------+-----------------------------------------------------+
| go-app              | 1 running | http://go-app.34.82.208.251.shipa.cloud             |
+---------------------+-----------+-----------------------------------------------------+

Opening go-app in the browser prints the database URL, including the username and password, which confirms that the sidecar rendered the template into /vault/secrets/config. This is for demonstration purposes only: a production application must never return or log the injected secret. It should read the rendered file, pass the connection string to the database driver, and log at most a redacted form.
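The go-sample vault branch is what actually consumes the file the sidecar writes. As an added example, not the go-sample code and not part of Shipa, here is how an application can read the rendered template above (which the Vault Agent Injector places at /vault/secrets/config by default) and use it without ever exposing the password. The DBConfig type, the function names and the sample connection string used for testing are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Default location where the Vault Agent Injector writes a secret requested
// with vault.hashicorp.com/agent-inject-secret-<name>: /vault/secrets/<name>.
// The page's annotation uses the name "config".
const injectedConfigPath = "/vault/secrets/config"

// DBConfig holds the parsed connection parameters (assumed type for this
// example). The password is kept as its own field so that it is never
// formatted into log output by accident.
type DBConfig struct {
	User     string
	Password string
	Host     string
	Name     string
}

// loadInjectedDSN reads the file rendered by the agent-inject-template-config
// template (a postgresql:// URL) and parses it into a DBConfig.
func loadInjectedDSN(path string) (*DBConfig, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read injected secret %s: %w", path, err)
	}
	dsn := strings.TrimSpace(string(raw))
	if dsn == "" {
		return nil, errors.New("injected secret file is empty")
	}
	u, err := url.Parse(dsn)
	if err != nil {
		// Do not include the DSN itself in the error: it contains the password.
		return nil, fmt.Errorf("parse injected DSN: %w", err)
	}
	if u.Scheme != "postgresql" && u.Scheme != "postgres" {
		return nil, fmt.Errorf("unexpected DSN scheme %q", u.Scheme)
	}
	if u.User == nil {
		return nil, errors.New("DSN has no user information")
	}
	pw, ok := u.User.Password()
	if u.User.Username() == "" || !ok {
		return nil, errors.New("DSN is missing username or password")
	}
	return &DBConfig{
		User:     u.User.Username(),
		Password: pw,
		Host:     u.Host,
		Name:     strings.TrimPrefix(u.Path, "/"),
	}, nil
}

// Redacted returns a form of the DSN that is safe to log: the password is
// replaced by "***".
func (c *DBConfig) Redacted() string {
	return fmt.Sprintf("postgresql://%s:***@%s/%s", c.User, c.Host, c.Name)
}

// DSN rebuilds the full connection string for the database driver. This is
// the only place the password is reassembled, and it is never logged.
func (c *DBConfig) DSN() string {
	u := &url.URL{
		Scheme: "postgresql",
		User:   url.UserPassword(c.User, c.Password),
		Host:   c.Host,
		Path:   "/" + c.Name,
	}
	return u.String()
}

func main() {
	cfg, err := loadInjectedDSN(injectedConfigPath)
	if err != nil {
		fmt.Fprintln(os.Stderr, "database config unavailable:", err)
		os.Exit(1)
	}
	// Only the redacted form reaches the log; the real DSN goes to the driver,
	// e.g. sql.Open("pgx", cfg.DSN()).
	fmt.Println("connecting to", cfg.Redacted())
	_ = cfg.DSN()
}
```

The parse step fails closed: a missing file, an empty file, or a DSN without a password is an error rather than a half-configured connection, which is what you want when the sidecar has not rendered the secret yet.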
