Secret injection using vault
Shipa supports secret injection using HashiCorp Vault
Shipa supports injecting secrets into your deployed applications using the HashiCorp Vault product.
Prerequisites
- HashiCorp Vault version 1.5.4 or later must be installed in your Kubernetes cluster
- Vault is configured to authenticate using the Kubernetes auth method: enable the Kubernetes authentication method on the Kubernetes cluster
- Follow the Vault tutorial up to the policy creation step. Hold off on creating the role; we discuss creating it below, as it needs the app's namespace and service account
Please refer to the HashiCorp documentation for details on setting up Vault as defined in the prerequisites above.
We will use the go-sample app and its vault branch to walk you through injecting a DB username and password into this app. It expects the secret to be available at the path internal/data/database/config, which follows from setting up Vault in the HashiCorp tutorial.
Take a look at shipa.yaml with the Vault annotations inside the security section:
```yaml
hooks:
  build:
    - 'sudo apt-get update'
security:
  vault:
    annotations:
      vault.hashicorp.com/agent-inject: true
      vault.hashicorp.com/role: "internal-app"
      vault.hashicorp.com/agent-inject-secret-config: "internal/data/database/config"
      vault.hashicorp.com/agent-inject-template-config: |
        {{- with secret "internal/data/database/config" -}}
        postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard
        {{- end -}}
```
Create application
Clone the go-sample app
```shell
git clone [email protected]:shipa-corp/go-sample.git && cd go-sample && git checkout vault
```
Create the application
```shell
shipa app create go-app -t shipa-admin-team -k shipa-framework
```
Get the app's service account name and namespace
```text
Application: go-app
Description:
Tags:
Dependency Files: app.yaml, app.yml, Procfile, shipa-ci.yml, shipa.yaml, shipa.yml, Gopkg.toml, Gopkg.lock, go.sum, go.mod
Teams: shipa-admin-team
Address: https://go-app.pandeys.me, http://go-app.34.82.208.251.shipa.cloud
Owner: [email protected]
Team owner: shipa-admin-team
Deploys: 2
Framework: shipa-framework
Quota: 1/10 units
Routing settings:
  1 version => 1 weight
Namespace: shipa-system
Service Account: app-go-app
Internal DNS name: app-go-app.shipa-gke-pool.svc
Units [web]: 1
+---------+-----------------------------+---------+----------------+------+
| Version | Unit                        | Status  | Host           | Port |
+---------+-----------------------------+---------+----------------+------+
| 1       | go-app-web-584c558757-fbk6g | started | 35.199.173.245 | 8888 |
+---------+-----------------------------+---------+----------------+------+
App Plan:
+------------+--------+------+-----------+---------+-------+
| Name       | Memory | Swap | Cpu Share | Default | Teams |
+------------+--------+------+-----------+---------+-------+
| shipa-plan | 0      | 0    | 100       | false   |       |
+------------+--------+------+-----------+---------+-------+
Ingress controllers:
+---------+---------+------+----------------------------------+--------+
| Name    | Type    | Opts | Address                          | Status |
+---------+---------+------+----------------------------------+--------+
| traefik | traefik |      | go-app.34.82.208.251.shipa.cloud |        |
+---------+---------+------+----------------------------------+--------+
```
Please note down the Namespace (shipa-system) and the Service Account (app-go-app); we need these to update the Vault role.
Create or update the Vault role
This assumes you have already created a policy named internal-app and have configured Vault with a secret as per the Vault tutorial. The role binds the Kubernetes service account and namespace noted above, so only pods running as that service account in that namespace can obtain a token for the internal-app policy:
```shell
vault write auth/kubernetes/role/internal-app \
    bound_service_account_names=app-go-app \
    bound_service_account_namespaces=shipa-system \
    policies=internal-app \
    ttl=24h
```
Deploy the app
```shell
shipa app deploy -a go-app .
```
Get the URL of the deployed application
```shell
shipa app list
```
```text
+-------------+-----------+-------------------------------------------+
| Application | Status    | Address                                   |
+-------------+-----------+-------------------------------------------+
| dashboard   | 1 running | http://dashboard.35.185.230.9.shipa.cloud |
+-------------+-----------+-------------------------------------------+
| go-app      | 1 running | http://go-app.34.82.208.251.shipa.cloud   |
+-------------+-----------+-------------------------------------------+
```
Accessing go-app in the browser should print the DB URL with the username and password. Please note, this is for demonstration purposes only, to demonstrate secret injection using Vault, and is not recommended for a production application.
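As an added example that is not part of this page or of the go-sample app, the Go program below shows how a deployed application can consume the secret the agent-inject template renders. It assumes the Vault Agent Injector writes the template named by the agent-inject-secret-config annotation to /vault/secrets/config (Vault's default /vault/secrets/<name> layout); the file path, the type and function names are this example's own. Instead of printing the credentials as the demo app does, it validates the rendered string, keeps the full URL for the database driver, and exposes only a redacted form for logging.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Where the Vault Agent sidecar writes the rendered template named by the
// vault.hashicorp.com/agent-inject-secret-config annotation. Assumed from
// the injector's default /vault/secrets/<name> layout (example, not from the page).
const injectedConfigPath = "/vault/secrets/config"

// DatabaseConfig holds the parsed connection URL plus a logging-safe form.
type DatabaseConfig struct {
	URL      *url.URL // full URL including the password, for the driver only
	Redacted string   // same URL with the password masked, safe for logs
}

// parseDatabaseURL validates the string rendered by the agent-inject template:
// postgresql://<username>:<password>@postgres:5432/wizard
// It rejects an empty file (sidecar not running or template not yet rendered),
// an unexpected scheme, and a URL that carries no username or password.
func parseDatabaseURL(raw string) (*DatabaseConfig, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return nil, errors.New("injected config is empty; the Vault agent sidecar may not have rendered it")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("injected config is not a valid URL: %w", err)
	}
	if u.Scheme != "postgresql" && u.Scheme != "postgres" {
		return nil, fmt.Errorf("unexpected scheme %q in injected config", u.Scheme)
	}
	if u.User == nil || u.User.Username() == "" {
		return nil, errors.New("injected config has no username")
	}
	if _, ok := u.User.Password(); !ok {
		return nil, errors.New("injected config has no password")
	}
	if u.Host == "" {
		return nil, errors.New("injected config has no host")
	}
	// url.URL.Redacted replaces the password with "xxxxx" and keeps everything else.
	return &DatabaseConfig{URL: u, Redacted: u.Redacted()}, nil
}

// loadDatabaseConfig reads the file the sidecar rendered and parses it.
func loadDatabaseConfig(path string) (*DatabaseConfig, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading injected config %s: %w", path, err)
	}
	return parseDatabaseURL(string(data))
}

func main() {
	cfg, err := loadDatabaseConfig(injectedConfigPath)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Log only the redacted form; hand cfg.URL.String() to the DB driver.
	fmt.Println("database:", cfg.Redacted)
}
```

Because the sidecar renders the file at pod start, reading it once in main is enough for this demo; an application that needs to follow a rotated secret would re-read the file when the template changes.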