Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vault Secrets Operator Tutorial

Avatar for ry ry
April 17, 2023
Technology
0
590

Vault Secrets Operator Tutorial

Vault Secrets Operatorの使用感について登壇した資料。

Avatar for ry

ry

April 17, 2023
Tweet

More Decks by ry

See All by ry
Kubernetesにおける推論基盤
Avatar for ry ry
1
410
eBPF Tools on Kubernetes part1
Avatar for ry ry
0
340
KyvernoとRed Hat ACMを用いたマルチクラスターの一元的なポリシー制御
Avatar for ry ry
0
1.2k
明日から始められるKyvernoを用いたポリシー制御
Avatar for ry ry
4
900
CNDT2022 k8snovice Community introduction
Avatar for ry ry
0
170
Policy Engine on Kubernetes
Avatar for ry ry
1
1.4k
ConfigMap and Secret
Avatar for ry ry
0
400
Policy Manager試してみた!
Avatar for ry ry
0
450
Kubernetes APIに Pod内からアクセスしてみた
Avatar for ry ry
1
2k

Other Decks in Technology

See All in Technology
AI時代のSaaSとETL
Avatar for Shu Suzuki shoe116
1
180
複数クラスタ運用と検索の高度化:ビズリーチにおけるElastic活用事例 / ElasticON Tokyo2026
Avatar for Visional Engineering & Design visional_engineering_and_design
0
170
CyberAgentの生成AI戦略 〜変わるものと変わらないもの〜
Avatar for katayan katayan
0
260
AWSの資格って役に立つの?
Avatar for Hiroki Takatsuka tk3fftk
2
360
JAWSDAYS2026_A-6_現場SEが語る 回せるセキュリティ運用~設計で可視化、AIで加速する「楽に回る」運用設計のコツ~
Avatar for s-hata shoki_hata
0
3k
AI時代の「本当の」ハイブリッドクラウド — エージェントが実現した、あの頃の夢
Avatar for Masahiko Ebisuda ebibibi
0
150
Yahoo!ショッピングのレコメンデーション・システムにおけるML実践の一例 
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
1
220
Claude Code のコード品質がばらつくので AI に品質保証させる仕組みを作った話 / A story about building a mechanism to have AI ensure quality, because the code quality from Claude Code was inconsistent
Avatar for nrs nrslib
13
8.6k
20260311 ビジネスSWG活動報告(デジタルアイデンティティ人材育成推進WG Ph2 活動報告会)
Avatar for OpenID Foundation Japan oidfj
0
350
モジュラモノリス導入から4年間の総括:アーキテクチャと組織の相互作用について / Architecture and Organizational Interaction
Avatar for Satoshi Kawashima nazonohito51
1
190
システム標準化PMOから ガバメントクラウドCoEへ
Avatar for 高橋広和 techniczna
1
130
A Casual Introduction to RISC-V
Avatar for Masanori Ogino omasanori
0
320

Featured

See All Featured
Design in an AI World
Avatar for tapps tapps
0
170
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
183
10k
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
140
The innovator’s Mindset - 
Leading Through an Era of Exponential Change - McGill University 2025
Avatar for Jean-Marc De Jonghe jdejongh
PRO
1
130
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
290
16th Malabo Montpellier Forum Presentation
Avatar for AKADEMIYA2063 akademiya2063
PRO
0
74
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
360
30k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Joys of Absence: A Defence of Solitary Play
Avatar for Sebastian Deterding codingconduct
1
310
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8.1k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
5.9k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.8k

Transcript

  1. Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu

  2. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 2 ࣗݾ঺հ Name: Ryotaro Uwatsu (Twitter: @URyo_0213) Title: Solutions Architect Community: - Kubernetes Meetup Novice ӡӦ - Kubenews

  3. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 3 Table of Contents • What’s HashiCorp Vault • How to use Vault Secrets Operator

  4. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 4 What’s HashiCorp Vault

  5. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 5 HashiCorp Vault HashiCorp Vault͸ɺγʔΫϨοτΛηΩϡΞʹ؅ཧ͢Δ͜ͱ͕Մೳͳπ ʔϧͰ͢ɻ ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτ΁ͷΞΫ ηε͕ՄೳͰ͢ɻ ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛ؅ཧ͢Δ͜ͱ͕Մೳͱͳͬͯ ͍·͢ɻ • γʔΫϨοτ؅ཧ • User identity؅ཧ • PKI • etc...

  6. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 6 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ Secretͷσʔλ͸ɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ

  7. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 7 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ ηΩϡΞʹSecretΛ؅ཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ ਺͕૿͑ͯ͠·ͬͨΓ͢Δͱ؅ཧ͕൥ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹ؅ཧ͠ͳ͚Ε͹ͳ Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛ؅ཧͯ͠഑෍͍ͨ͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ AWSͷSecret ManagerͷΑ͏ͳ࢓૊Έ΋͋Δ͕ɺύϒϦοΫΫϥ΢υͳͲʹΞΫηεͰ͖ͳ͔ͬ ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍৘ใ΋͋Δ͔ͱࢥ͍·͢ɻ

  8. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 8 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  9. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 9 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  10. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 10 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  11. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 11 ৄ͘͠͸... Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷ૲ؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani

  12. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 12 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) Agent Injector templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφ಺ͰsourceίϚϯυ౳Λ༻͍ͯద༻͠ͳ͚Ε͹ͳ ΒͳΓ·ͤΜɻ

  13. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 13 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) CSI Provider ઃఆՄೳ͕ͩɺߋ৽ͨ͠৔߹ʹ൓өͯ͘͠Ε·ͤΜɻ

  14. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 14 Vault Secrets Operatorͷొ৔ 2023/03/29ͷϒϩάʹͯΞφ΢ϯε͞Ε·ͨ͠ɻ ※ ·ͩϕʔλͱ͍͏ݐ෇͚ͳͷͰɺ࢖༻͢Δࡍ͸͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration

  15. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 15 Vault Secrets Operator Vault Secrets Operator ͸ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ Operator͸ɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞੒͠ɺ ιʔεʹՃ͑ΒΕͨ͢΂ͯͷมߋ͕൓ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ ରԠύλʔϯ • Static Secret – Key-Valueܕ(ver1, ver2) • Dynamic Secret – ύϒϦοΫΫϥ΢υ΍DB΁ͷΞΫηεΛ͢ΔͨΊͷظݶ෇͖ೝূ৘ใΛಈతʹੜ੒͢Δ΋ͷ • PKI – ಈతͳ X.509 ূ໌ॻΛੜ੒͢Δ

  16. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 16 How to use Vault Secrets Operator

  17. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 17 έʔε ɾ໨ඪ γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ εͱͯ͠࡞੒Ͱ͖ΔΑ͏ʹ͢Δɻ ɾλεΫ 0. ࣄલ४උ 1. Vault Secrets OperatorͷΠϯετʔϧ 2. VaultͷηοςΟϯά 3. VaultConnectionͷ࡞੒ 4. VaultAuthͷ࡞੒ 5. VaultStaticSecretͷ࡞੒

  18. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 18 0. ࣄલ४උ 1. ࣄલʹHelm౳Λ༻͍ͯVaultΛ࡞੒͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ

  19. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 19 0. ࣄલ४උ 2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞੒͠·͢ɻ

  20. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 20 1. Vault Secrets OperatorͷΠϯετʔϧ ࠓճ͸ɺVaultΛHelmΛ༻͍ͯೖΕͨ৔߹Λجʹ͍ͯ͠·͢ɻ

  21. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 21 Vault Secrets Operator CRD Vault Secret OperatorʹΑͬͯ؅ཧ͞ΕΔCRD͸NamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ

  22. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 22 2. VaultͷηοτΞοϓ 1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞੒͠·͢ɻ 2. Policyͷ࡞੒͠·͢ɻ ※path͸ɺSecret࡞੒࣌ͷύεͰ͸ͳ͘ ɹ࡞੒࣌ͷग़ྗͷSecret Path

  23. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 23 2. VaultͷηοτΞοϓ 3. RoleΛ࡞੒͠·͢ɻ • auth/kubernetes/role/vso-demo-role – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role] • bound_service_account_names: Service Account໊ – (P.1*) 0-2Ͱ࡞੒ͨ͠Service Account – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount] • bound_service_account_namespaces: γʔΫϨοτΛ࡞੒͢ΔNamespace • policies: (P.1*) 1-2Ͱ࡞੒ͨ͠ϙϦγʔ໊

  24. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 24 3. VaultConnectionͷ࡞੒ ઀ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.address => VaultʹΞΫηε͢ΔΞυϨε ͜ͷଞʹ΋ɺHTTPϔομʔ΍TLSͷઃఆΛ͢Δύ ϥϝʔλ͕͋Γ·͢ɻ

  25. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 25 4. VaultAuthͷ࡞੒ Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳ৘ใΛهड़͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultConnectionRef => (P.1*) 3 Ͱ࡞੒ͨ͠VaultConnectionϦιʔε໊ .spec.kubernetes.role => (P.1*) 2-3 Ͱ࡞੒ͨ͠Vault্ͷrole .spec.kubernetes.serviceAccount => (P.1*) 0-2 Ͱ࡞੒ͨ͠Service Account໊

  26. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 26 5. VaultStaticSecretͷ࡞੒ Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞੒͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultAuthRef => (P.1*) 4 Ͱ࡞੒ͨ͠VaultAuthϦιʔε໊ .spec.destination.name => Kubernetes্ʹ࡞੒͢ΔSecretϦιʔε໊ .spec.mount / .spec.name => (P.1*) 2-1 Ͱ࡞੒ͨ͠Vault্ͷγʔΫϨοτͷύε mount name

  27. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 27 5. VaultStaticSecretͷ࡞੒ ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞੒͞Ε·͢ɻ

  28. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 28 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ઌ΄ͲͷྫͰ͸ɺ2֊૚ͰͷγʔΫϨοτ࡞੒Λ͔ͨ͠Β෼͔Γ΍͔ͬͨ͢ͱࢥ͍·͢ɻ

  29. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 29 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ֊૚͕૿͑ͯ΋ҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ

  30. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 30 ·ͱΊ Sidecar Agent Injector CSI Provider Vault Secrets Operator γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume ؀ڥม਺ Secret γʔΫϨοτλΠϓ Static Dynamic PKI Static Dynamic PKI Static Dynamic PKI ςϯϓϨʔτ ʓ × × (2023/04/17࣌఺) γʔΫϨοτ ϩʔςʔγϣϯ ʓ × ʓ Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍΍͘͢ͳΓ·ͨ͠ɻ ࠓճ঺հͨ͠΋ͷҎ֎ʹ΋༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱ͸ҎԼͷ௨ΓͰ͢ɻ
  31. None