Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vault Secrets Operator Tutorial

Avatar for ry ry
April 17, 2023
Technology
610
0

Vault Secrets Operator Tutorial

Vault Secrets Operatorの使用感について登壇した資料。

Avatar for ry

ry

April 17, 2023

More Decks by ry

See All by ry
Kubernetesにおける推論基盤
Avatar for ry ry
3
830
eBPF Tools on Kubernetes part1
Avatar for ry ry
0
370
KyvernoとRed Hat ACMを用いたマルチクラスターの一元的なポリシー制御
Avatar for ry ry
0
1.3k
明日から始められるKyvernoを用いたポリシー制御
Avatar for ry ry
4
950
CNDT2022 k8snovice Community introduction
Avatar for ry ry
0
180
Policy Engine on Kubernetes
Avatar for ry ry
1
1.5k
ConfigMap and Secret
Avatar for ry ry
0
420
Policy Manager試してみた!
Avatar for ry ry
0
460
Kubernetes APIに Pod内からアクセスしてみた
Avatar for ry ry
1
2k

Other Decks in Technology

See All in Technology
Databricks 月刊サービスアップデート 2026年05月号
Avatar for ちょし tyosi1212
0
120
関西に縁あるMicrosoft MVPsが語るCopilotの未来
Avatar for Kaz Asada | しがない情シス kasada
0
590
AI時代から振り返るTerraform drift運用の歴史 / AI Age Reflections on the History of Terraform Drift Operations
Avatar for AEON aeonpeople
0
610
Datadog 認定試験の概要と対策
Avatar for Uechi Shingo uechishingo
0
200
Oracle AI Database@AWS:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
4
2.7k
プラットフォームエンジニア ワークショップ/ platform-workshop
Avatar for Databricks Japan databricksjapan
0
140
A Harness for Behaviour: how to get AI to generate code that does what we intend, or "TDD in the age of AI"
Avatar for Matteo Vaccari xpmatteo
1
520
はじめてのDatadog
Avatar for KairiM kairim0
0
240
イベントストーミングとKiroの仕様駆動開発で実現する要件の認識合わせプロセス
Avatar for syobochim syobochim
7
980
Dynamic Workersについて
Avatar for Yusuke Wada yusukebe
2
500
ルールやカスタム機能、どう使う?理想の出力を引き出すために今知りたいIBM Bob 5つの機能
Avatar for mu (Mizuho Uehara) muehara
0
150
oracle-to-databricks-migration-with-llm-and-dbt
Avatar for case-k-git casek
1
380

Featured

See All Featured
svc-hook: hooking system calls on ARM64 by binary rewriting
Avatar for Akira Moroo retrage
2
280
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
Avatar for Ines Montani inesmontani
PRO
3
3.5k
Marketing to machines
Avatar for Jono Alderson jonoalderson
1
5.3k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.5k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
82
6.3k
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
190
Highjacked: Video Game Concept Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
370
HTML-Aware ERB: The Path to Reactive Rendering @ RubyCon 2026, Rimini, Italy
Avatar for Marco Roth marcoroth
1
130
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
11
930
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.7k

Transcript

  1. Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu

  2. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 2 ࣗݾ঺հ Name: Ryotaro Uwatsu (Twitter: @URyo_0213) Title: Solutions Architect Community: - Kubernetes Meetup Novice ӡӦ - Kubenews

  3. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 3 Table of Contents • What’s HashiCorp Vault • How to use Vault Secrets Operator

  4. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 4 What’s HashiCorp Vault

  5. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 5 HashiCorp Vault HashiCorp Vault͸ɺγʔΫϨοτΛηΩϡΞʹ؅ཧ͢Δ͜ͱ͕Մೳͳπ ʔϧͰ͢ɻ ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτ΁ͷΞΫ ηε͕ՄೳͰ͢ɻ ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛ؅ཧ͢Δ͜ͱ͕Մೳͱͳͬͯ ͍·͢ɻ • γʔΫϨοτ؅ཧ • User identity؅ཧ • PKI • etc...

  6. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 6 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ Secretͷσʔλ͸ɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ

  7. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 7 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ ηΩϡΞʹSecretΛ؅ཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ ਺͕૿͑ͯ͠·ͬͨΓ͢Δͱ؅ཧ͕൥ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹ؅ཧ͠ͳ͚Ε͹ͳ Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛ؅ཧͯ͠഑෍͍ͨ͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ AWSͷSecret ManagerͷΑ͏ͳ࢓૊Έ΋͋Δ͕ɺύϒϦοΫΫϥ΢υͳͲʹΞΫηεͰ͖ͳ͔ͬ ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍৘ใ΋͋Δ͔ͱࢥ͍·͢ɻ

  8. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 8 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  9. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 9 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  10. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 10 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  11. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 11 ৄ͘͠͸... Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷ૲ؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani

  12. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 12 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) Agent Injector templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφ಺ͰsourceίϚϯυ౳Λ༻͍ͯద༻͠ͳ͚Ε͹ͳ ΒͳΓ·ͤΜɻ

  13. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 13 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) CSI Provider ઃఆՄೳ͕ͩɺߋ৽ͨ͠৔߹ʹ൓өͯ͘͠Ε·ͤΜɻ

  14. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 14 Vault Secrets Operatorͷొ৔ 2023/03/29ͷϒϩάʹͯΞφ΢ϯε͞Ε·ͨ͠ɻ ※ ·ͩϕʔλͱ͍͏ݐ෇͚ͳͷͰɺ࢖༻͢Δࡍ͸͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration

  15. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 15 Vault Secrets Operator Vault Secrets Operator ͸ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ Operator͸ɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞੒͠ɺ ιʔεʹՃ͑ΒΕͨ͢΂ͯͷมߋ͕൓ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ ରԠύλʔϯ • Static Secret – Key-Valueܕ(ver1, ver2) • Dynamic Secret – ύϒϦοΫΫϥ΢υ΍DB΁ͷΞΫηεΛ͢ΔͨΊͷظݶ෇͖ೝূ৘ใΛಈతʹੜ੒͢Δ΋ͷ • PKI – ಈతͳ X.509 ূ໌ॻΛੜ੒͢Δ

  16. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 16 How to use Vault Secrets Operator

  17. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 17 έʔε ɾ໨ඪ γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ εͱͯ͠࡞੒Ͱ͖ΔΑ͏ʹ͢Δɻ ɾλεΫ 0. ࣄલ४උ 1. Vault Secrets OperatorͷΠϯετʔϧ 2. VaultͷηοςΟϯά 3. VaultConnectionͷ࡞੒ 4. VaultAuthͷ࡞੒ 5. VaultStaticSecretͷ࡞੒

  18. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 18 0. ࣄલ४උ 1. ࣄલʹHelm౳Λ༻͍ͯVaultΛ࡞੒͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ

  19. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 19 0. ࣄલ४උ 2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞੒͠·͢ɻ

  20. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 20 1. Vault Secrets OperatorͷΠϯετʔϧ ࠓճ͸ɺVaultΛHelmΛ༻͍ͯೖΕͨ৔߹Λجʹ͍ͯ͠·͢ɻ

  21. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 21 Vault Secrets Operator CRD Vault Secret OperatorʹΑͬͯ؅ཧ͞ΕΔCRD͸NamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ

  22. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 22 2. VaultͷηοτΞοϓ 1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞੒͠·͢ɻ 2. Policyͷ࡞੒͠·͢ɻ ※path͸ɺSecret࡞੒࣌ͷύεͰ͸ͳ͘ ɹ࡞੒࣌ͷग़ྗͷSecret Path

  23. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 23 2. VaultͷηοτΞοϓ 3. RoleΛ࡞੒͠·͢ɻ • auth/kubernetes/role/vso-demo-role – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role] • bound_service_account_names: Service Account໊ – (P.1*) 0-2Ͱ࡞੒ͨ͠Service Account – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount] • bound_service_account_namespaces: γʔΫϨοτΛ࡞੒͢ΔNamespace • policies: (P.1*) 1-2Ͱ࡞੒ͨ͠ϙϦγʔ໊

  24. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 24 3. VaultConnectionͷ࡞੒ ઀ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.address => VaultʹΞΫηε͢ΔΞυϨε ͜ͷଞʹ΋ɺHTTPϔομʔ΍TLSͷઃఆΛ͢Δύ ϥϝʔλ͕͋Γ·͢ɻ

  25. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 25 4. VaultAuthͷ࡞੒ Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳ৘ใΛهड़͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultConnectionRef => (P.1*) 3 Ͱ࡞੒ͨ͠VaultConnectionϦιʔε໊ .spec.kubernetes.role => (P.1*) 2-3 Ͱ࡞੒ͨ͠Vault্ͷrole .spec.kubernetes.serviceAccount => (P.1*) 0-2 Ͱ࡞੒ͨ͠Service Account໊

  26. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 26 5. VaultStaticSecretͷ࡞੒ Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞੒͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultAuthRef => (P.1*) 4 Ͱ࡞੒ͨ͠VaultAuthϦιʔε໊ .spec.destination.name => Kubernetes্ʹ࡞੒͢ΔSecretϦιʔε໊ .spec.mount / .spec.name => (P.1*) 2-1 Ͱ࡞੒ͨ͠Vault্ͷγʔΫϨοτͷύε mount name

  27. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 27 5. VaultStaticSecretͷ࡞੒ ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞੒͞Ε·͢ɻ

  28. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 28 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ઌ΄ͲͷྫͰ͸ɺ2֊૚ͰͷγʔΫϨοτ࡞੒Λ͔ͨ͠Β෼͔Γ΍͔ͬͨ͢ͱࢥ͍·͢ɻ

  29. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 29 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ֊૚͕૿͑ͯ΋ҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ

  30. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 30 ·ͱΊ Sidecar Agent Injector CSI Provider Vault Secrets Operator γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume ؀ڥม਺ Secret γʔΫϨοτλΠϓ Static Dynamic PKI Static Dynamic PKI Static Dynamic PKI ςϯϓϨʔτ ʓ × × (2023/04/17࣌఺) γʔΫϨοτ ϩʔςʔγϣϯ ʓ × ʓ Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍΍͘͢ͳΓ·ͨ͠ɻ ࠓճ঺հͨ͠΋ͷҎ֎ʹ΋༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱ͸ҎԼͷ௨ΓͰ͢ɻ
  31. None