Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Vault Secrets Operator Tutorial
Search
ry
April 17, 2023
Technology
0
430
Vault Secrets Operator Tutorial
Vault Secrets Operatorの使用感について登壇した資料。
ry
April 17, 2023
Tweet
Share
More Decks by ry
See All by ry
eBPF Tools on Kubernetes part1
ry
0
170
KyvernoとRed Hat ACMを用いたマルチクラスターの一元的なポリシー制御
ry
0
880
明日から始められるKyvernoを用いたポリシー制御
ry
3
680
CNDT2022 k8snovice Community introduction
ry
0
110
Policy Engine on Kubernetes
ry
1
1.3k
ConfigMap and Secret
ry
0
310
Policy Manager試してみた!
ry
0
360
Kubernetes APIに Pod内からアクセスしてみた
ry
1
1.5k
AKS 101 in Kubernetes Novice Tokyo #1
ry
0
590
Other Decks in Technology
See All in Technology
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
Lexical Analysis
shigashiyama
1
150
日経電子版のStoreKit2フルリニューアル
shimastripe
1
110
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
140
『Firebase Dynamic Links終了に備える』 FlutterアプリでのAdjust導入とDeeplink最適化
techiro
0
100
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
250
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
180
Lambdaと地方とコミュニティ
miu_crescent
2
370
Oracle Cloud Infrastructureデータベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
13k
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
760
Featured
See All Featured
Designing for humans not robots
tammielis
250
25k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Why Our Code Smells
bkeepers
PRO
334
57k
Making Projects Easy
brettharned
115
5.9k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Statistics for Hackers
jakevdp
796
220k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Practical Orchestrator
shlominoach
186
10k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
For a Future-Friendly Web
brad_frost
175
9.4k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Transcript
Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 2 ࣗݾհ Name: Ryotaro Uwatsu (Twitter: @URyo_0213) Title: Solutions Architect Community: - Kubernetes Meetup Novice ӡӦ - Kubenews
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 3 Table of Contents • What’s HashiCorp Vault • How to use Vault Secrets Operator
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 4 What’s HashiCorp Vault
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 5 HashiCorp Vault HashiCorp VaultɺγʔΫϨοτΛηΩϡΞʹཧ͢Δ͜ͱ͕Մೳͳπ ʔϧͰ͢ɻ ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτͷΞΫ ηε͕ՄೳͰ͢ɻ ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛཧ͢Δ͜ͱ͕Մೳͱͳͬͯ ͍·͢ɻ • γʔΫϨοτཧ • User identityཧ • PKI • etc...
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 6 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ Secretͷσʔλɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 7 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ ηΩϡΞʹSecretΛཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ ͕૿͑ͯ͠·ͬͨΓ͢Δͱཧ͕ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹཧ͠ͳ͚Εͳ Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛཧ͍ͯͨ͠͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ AWSͷSecret ManagerͷΑ͏ͳΈ͋Δ͕ɺύϒϦοΫΫϥυͳͲʹΞΫηεͰ͖ͳ͔ͬ ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍ใ͋Δ͔ͱࢥ͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 8 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 9 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 10 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 11 ৄ͘͠... Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 12 ͜Ε·Ͱͷ γʔΫϨοτใΛڥมͳͲʹద༻͍ͨ͠߹... ྫ) Agent Injector templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφͰsourceίϚϯυΛ༻͍ͯద༻͠ͳ͚Εͳ ΒͳΓ·ͤΜɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 13 ͜Ε·Ͱͷ γʔΫϨοτใΛڥมͳͲʹద༻͍ͨ͠߹... ྫ) CSI Provider ઃఆՄೳ͕ͩɺߋ৽ͨ͠߹ʹөͯ͘͠Ε·ͤΜɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 14 Vault Secrets Operatorͷొ 2023/03/29ͷϒϩάʹͯΞφϯε͞Ε·ͨ͠ɻ ※ ·ͩϕʔλͱ͍͏ݐ͚ͳͷͰɺ༻͢Δࡍ͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 15 Vault Secrets Operator Vault Secrets Operator ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ OperatorɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞͠ɺ ιʔεʹՃ͑ΒΕͨͯ͢ͷมߋ͕ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ ରԠύλʔϯ • Static Secret – Key-Valueܕ(ver1, ver2) • Dynamic Secret – ύϒϦοΫΫϥυDBͷΞΫηεΛ͢ΔͨΊͷظݶ͖ೝূใΛಈతʹੜ͢Δͷ • PKI – ಈతͳ X.509 ূ໌ॻΛੜ͢Δ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 16 How to use Vault Secrets Operator
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 17 έʔε ɾඪ γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ εͱͯ͠࡞Ͱ͖ΔΑ͏ʹ͢Δɻ ɾλεΫ 0. ࣄલ४උ 1. Vault Secrets OperatorͷΠϯετʔϧ 2. VaultͷηοςΟϯά 3. VaultConnectionͷ࡞ 4. VaultAuthͷ࡞ 5. VaultStaticSecretͷ࡞
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 18 0. ࣄલ४උ 1. ࣄલʹHelmΛ༻͍ͯVaultΛ࡞͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 19 0. ࣄલ४උ 2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 20 1. Vault Secrets OperatorͷΠϯετʔϧ ࠓճɺVaultΛHelmΛ༻͍ͯೖΕͨ߹Λجʹ͍ͯ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 21 Vault Secrets Operator CRD Vault Secret OperatorʹΑͬͯཧ͞ΕΔCRDNamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 22 2. VaultͷηοτΞοϓ 1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞͠·͢ɻ 2. Policyͷ࡞͠·͢ɻ ※pathɺSecret࡞࣌ͷύεͰͳ͘ ɹ࡞࣌ͷग़ྗͷSecret Path
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 23 2. VaultͷηοτΞοϓ 3. RoleΛ࡞͠·͢ɻ • auth/kubernetes/role/vso-demo-role – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role] • bound_service_account_names: Service Account໊ – (P.1*) 0-2Ͱ࡞ͨ͠Service Account – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount] • bound_service_account_namespaces: γʔΫϨοτΛ࡞͢ΔNamespace • policies: (P.1*) 1-2Ͱ࡞ͨ͠ϙϦγʔ໊
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 24 3. VaultConnectionͷ࡞ ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.address => VaultʹΞΫηε͢ΔΞυϨε ͜ͷଞʹɺHTTPϔομʔTLSͷઃఆΛ͢Δύ ϥϝʔλ͕͋Γ·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 25 4. VaultAuthͷ࡞ Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳใΛهड़͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultConnectionRef => (P.1*) 3 Ͱ࡞ͨ͠VaultConnectionϦιʔε໊ .spec.kubernetes.role => (P.1*) 2-3 Ͱ࡞ͨ͠Vault্ͷrole .spec.kubernetes.serviceAccount => (P.1*) 0-2 Ͱ࡞ͨ͠Service Account໊
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 26 5. VaultStaticSecretͷ࡞ Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultAuthRef => (P.1*) 4 Ͱ࡞ͨ͠VaultAuthϦιʔε໊ .spec.destination.name => Kubernetes্ʹ࡞͢ΔSecretϦιʔε໊ .spec.mount / .spec.name => (P.1*) 2-1 Ͱ࡞ͨ͠Vault্ͷγʔΫϨοτͷύε mount name
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 27 5. VaultStaticSecretͷ࡞ ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞͞Ε·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 28 ͠֊͕ਂ͘ͳͬͨ߹Ͳ͏ͨ͠Β͍͍ʁ ઌ΄ͲͷྫͰɺ2֊ͰͷγʔΫϨοτ࡞Λ͔ͨ͠Β͔Γ͔ͬͨ͢ͱࢥ͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 29 ͠֊͕ਂ͘ͳͬͨ߹Ͳ͏ͨ͠Β͍͍ʁ ֊͕૿͑ͯҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 30 ·ͱΊ Sidecar Agent Injector CSI Provider Vault Secrets Operator γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume ڥม Secret γʔΫϨοτλΠϓ Static Dynamic PKI Static Dynamic PKI Static Dynamic PKI ςϯϓϨʔτ ʓ × × (2023/04/17࣌) γʔΫϨοτ ϩʔςʔγϣϯ ʓ × ʓ Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍͘͢ͳΓ·ͨ͠ɻ ࠓճհͨ͠ͷҎ֎ʹ༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱҎԼͷ௨ΓͰ͢ɻ
None