Installing Vault on Tanzu Kubernetes Grid (TKGm)

Notes for my own reference. This is the procedure I followed to deploy Vault onto the TKGm environment deployed in the previous article.


Prerequisites

Contour must already be deployed on Tanzu Kubernetes Grid (TKGm), set up in the same way as in this procedure.

Procedure

Downloading the HashiCorp Chart

Preparation follows this guide. First, create a Namespace for Vault.

k create ns vault

Add the HashiCorp repo and confirm the chart is visible.
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
$ helm search repo hashicorp/vault
NAME           	CHART VERSION	APP VERSION	DESCRIPTION
hashicorp/vault	0.13.0       	1.7.3      	Official HashiCorp Vault Chart

Creating values.yml for Vault / Deploying Vault

Since Contour will serve as the Ingress, the Vault values.yml is written to match it. First, register the TLS secret that the Contour Ingress will present.

$ k -n vault create secret tls vault-tls-secret \
    --cert=./lab-certs/<CLUSTER_NAME>/cfg/live/<CLUSTER_NAME>.<MYDOMAIN>/fullchain.pem \
    --key=./lab-certs/<CLUSTER_NAME>/cfg/live/<CLUSTER_NAME>.<MYDOMAIN>/privkey.pem

Create values.yml as shown below (it is passed as override-values.yml in the helm command later). It is based on vault-helm/values.yaml.
server:
  ingress:
    enabled: true
    labels: {}
      # traffic: external
    annotations:
      # |
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
      ingress.kubernetes.io/force-ssl-redirect: "true"     # force https, even if http is requested
      kubernetes.io/ingress.class: contour                 # using Contour for ingress
      kubernetes.io/tls-acme: "true"                       # using ACME certificates for TLS
    hosts:
      - host: vault.<CLUSTER_NAME>.<MYDOMAIN>
        paths: []
    ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
    extraPaths: []
    # - path: /*
    #   backend:
    #     serviceName: ssl-redirect
    #     servicePort: use-annotation
    tls:
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
      - secretName: vault-tls-secret
        hosts:
          - vault.<CLUSTER_NAME>.<MYDOMAIN>
# Vault UI
ui:
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  enabled: true
  publishNotReadyAddresses: true
  # The service should only contain selectors for active Vault pod
  activeVaultPodOnly: false
  serviceType: "ClusterIP"
  serviceNodePort: null
  externalPort: 8200
  targetPort: 8200

  # loadBalancerSourceRanges:
  #   - 10.0.0.0/16
  #   - 1.78.23.3/32

  # loadBalancerIP:

  # Extra annotations to attach to the ui service
  # This can either be YAML or a YAML-formatted multi-line templated string map
  # of the annotations to apply to the ui service
  annotations: {}

Now that everything is ready, deploy Vault onto TKGm.
$ helm upgrade --install vault hashicorp/vault -f override-values.yml --namespace vault
Release "vault" does not exist. Installing it now.
W0620 12:40:05.800815  111508 warnings.go:70] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
W0620 12:40:05.916355  111508 warnings.go:70] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME: vault
LAST DEPLOYED: Sun Jun 20 12:40:05 2021
NAMESPACE: vault
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!

Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:

https://www.vaultproject.io/docs/


Your release is named vault. To learn more about the release, try:

  $ helm status vault
  $ helm get manifest vault

Check the startup status. The pod stays 0/1 until Vault is initialized and unsealed.
$ kubectl get pods --selector='app.kubernetes.io/name=vault' --namespace=vault
NAME      READY   STATUS    RESTARTS   AGE
vault-0   0/1     Running   0          56s

Initialize and unseal Vault so that subsequent operations can be carried out. vault operator init prints the five unseal keys and the initial root token; they are blanked out below.
$ kubectl -n vault exec --stdin=true --tty=true vault-0 -- vault operator init
Unseal Key 1:
Unseal Key 2:
Unseal Key 3:
Unseal Key 4:
Unseal Key 5:

Initial Root Token:

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
$ k -n vault exec --stdin=true --tty=true vault-0 -- vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       4595bf37-0e1f-7063-cbaf-a1cddd17d830
Version            1.7.3
Storage Type       file
HA Enabled         false
$ k -n vault exec --stdin=true --tty=true vault-0 -- vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       4595bf37-0e1f-7063-cbaf-a1cddd17d830
Version            1.7.3
Storage Type       file
HA Enabled         false
$ k -n vault exec --stdin=true --tty=true vault-0 -- vault operator unseal
Unseal Key (will be hidden):
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.7.3
Storage Type    file
Cluster Name    vault-cluster-e9eba0c2
Cluster ID      82ad2290-1235-a380-ae71-6c37ea54c89f
HA Enabled      false
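
The init output above states the seal type (shamir), 5 key shares and a threshold of 3, and that fewer than 3 shares leaves Vault permanently sealed. The following is an added Python illustration of that property using a toy prime-field Shamir scheme; it is not Vault's own code, and the prime modulus and sample secret are constructed for the example.

```python
"""Toy Shamir secret sharing: 5 shares, threshold 3, as in the Vault init output.
Added illustration, not Vault's implementation (Vault uses its own field)."""
import secrets

# Constructed toy field modulus (a Mersenne prime); any large prime works here.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial (coeffs[0] is the secret) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, shares=5, threshold=3):
    """Return `shares` points (x, y) on a random degree-(threshold-1) polynomial.

    The constant term is the secret, so any `threshold` points determine it
    and any fewer leave it information-theoretically undetermined.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def reconstruct_secret(points):
    """Lagrange interpolation at x = 0 over the given (distinct) points."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    master = 123456789  # constructed sample "master key"
    pts = split_secret(master)
    print("3 shares:", reconstruct_secret(pts[:3]) == master)   # True
    print("2 shares:", reconstruct_secret(pts[:2]) == master)   # False
```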

Confirm that pod vault-0 now shows 1/1 Running.
$ k -n vault get pods --selector='app.kubernetes.io/name=vault'
NAME      READY   STATUS    RESTARTS   AGE
vault-0   1/1     Running   0          3m14s

Verification

Operate the Vault running on TKGm. The Root Token is used to log in.
k -n vault exec -it vault-0 -- /bin/sh
/ $ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

As a test, enable a kv secrets engine and write a Key-Value pair.
/ $ vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_2ee6ec5c    per-token private secret storage
identity/     identity     identity_aa2c916e     identity store
sys/          system       system_f47f3a33       system endpoints used for control, policy and debugging
/ $ vault secrets enable -path=secret kv
Success! Enabled the kv secrets engine at: secret/
/ $ vault kv put secret/kv/tanzu user=tanzu password=tanzu
Success! Data written to: secret/kv/tanzu
/ $ vault kv get secret/kv/tanzu
====== Data ======
Key         Value
---         -----
password    tanzu
user        tanzu

The entry was written successfully. The Vault UI can be checked as well: open vault.<CLUSTER_NAME>.<MYDOMAIN> in a web browser, and the Key-Value written above is visible there too.