Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vault Secrets Operator Tutorial

Avatar for ry ry
April 17, 2023
Technology
0
540

Vault Secrets Operator Tutorial

Vault Secrets Operatorの使用感について登壇した資料。

Avatar for ry

ry

April 17, 2023
Tweet

More Decks by ry

See All by ry
eBPF Tools on Kubernetes part1
Avatar for ry ry
0
290
KyvernoとRed Hat ACMを用いたマルチクラスターの一元的なポリシー制御
Avatar for ry ry
0
1.1k
明日から始められるKyvernoを用いたポリシー制御
Avatar for ry ry
3
790
CNDT2022 k8snovice Community introduction
Avatar for ry ry
0
140
Policy Engine on Kubernetes
Avatar for ry ry
1
1.4k
ConfigMap and Secret
Avatar for ry ry
0
360
Policy Manager試してみた!
Avatar for ry ry
0
410
Kubernetes APIに Pod内からアクセスしてみた
Avatar for ry ry
1
1.8k
AKS 101 in Kubernetes Novice Tokyo #1
Avatar for ry ry
0
660

Other Decks in Technology

See All in Technology
MCPサーバーを活用したAWSコスト管理
Avatar for Kaisei Arimura arie0703
0
130
家族の思い出を形にする 〜 1秒動画の生成を支えるインフラアーキテクチャ
Avatar for Ojima Hikaru ojima_h
3
1.3k
AIが住民向けコンシェルジュに? Amazon Connectと生成AIで実現する自治体AIエージェント!
Avatar for yuyeah yuyeah
0
210
AIは変更差分からユニットテスト_結合テスト_システムテストでテストすべきことが出せるのか?
Avatar for Matsu mineo_matsuya
3
2.2k
AIと描く、未来のBacklog 〜プロジェクト管理の次の10年を想像し、創造するセッション〜
Avatar for Hiromi Ouchi hrm_o25
0
110
あとはAIに任せて人間は自由に生きる
Avatar for Kentaro Kuribayashi kentaro
2
180
[OCI Technical Deep Dive] OracleのAI戦略(2025年8月5日開催)
Avatar for oracle4engineer oracle4engineer
PRO
1
250
自治体職員がガバクラの AWS 閉域ネットワークを理解するのにやって良かった個人検証環境
Avatar for Ushida takeda_h
0
310
形式手法特論:位相空間としての並行プログラミング #kernelvm / Kernel VM Study Tokyo 18th
Avatar for y_taka_23 ytaka23
3
1.5k
Claude Codeは仕様駆動の夢を見ない
Avatar for Gota gotalab555
23
7.1k
Engineering Failure-Resilient Systems
Avatar for Mark Irozuru infraplumber0
0
130
はじめての転職講座/The Guide of First Career Change
Avatar for Hiromu Shioya kwappa
5
4.4k

Featured

See All Featured
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
70
11k
Fireside Chat
Avatar for paigeccino paigeccino
39
3.6k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.8k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
73
5k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7.1k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
351
21k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.9k
Making Projects Easy
Avatar for Brett Harned brettharned
117
6.3k

Transcript

  1. Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu

  2. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 2 ࣗݾ঺հ Name: Ryotaro Uwatsu (Twitter: @URyo_0213) Title: Solutions Architect Community: - Kubernetes Meetup Novice ӡӦ - Kubenews

  3. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 3 Table of Contents • What’s HashiCorp Vault • How to use Vault Secrets Operator

  4. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 4 What’s HashiCorp Vault

  5. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 5 HashiCorp Vault HashiCorp Vault͸ɺγʔΫϨοτΛηΩϡΞʹ؅ཧ͢Δ͜ͱ͕Մೳͳπ ʔϧͰ͢ɻ ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτ΁ͷΞΫ ηε͕ՄೳͰ͢ɻ ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛ؅ཧ͢Δ͜ͱ͕Մೳͱͳͬͯ ͍·͢ɻ • γʔΫϨοτ؅ཧ • User identity؅ཧ • PKI • etc...

  6. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 6 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ Secretͷσʔλ͸ɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ

  7. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 7 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ ηΩϡΞʹSecretΛ؅ཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ ਺͕૿͑ͯ͠·ͬͨΓ͢Δͱ؅ཧ͕൥ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹ؅ཧ͠ͳ͚Ε͹ͳ Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛ؅ཧͯ͠഑෍͍ͨ͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ AWSͷSecret ManagerͷΑ͏ͳ࢓૊Έ΋͋Δ͕ɺύϒϦοΫΫϥ΢υͳͲʹΞΫηεͰ͖ͳ͔ͬ ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍৘ใ΋͋Δ͔ͱࢥ͍·͢ɻ

  8. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 8 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  9. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 9 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  10. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 10 Kubernetes΁ͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ৔߹͸Sidecar Agent͕มߋΛ൓ө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞੒Λ͠·͢ɻ

  11. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 11 ৄ͘͠͸... Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷ૲ؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani

  12. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 12 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) Agent Injector templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφ಺ͰsourceίϚϯυ౳Λ༻͍ͯద༻͠ͳ͚Ε͹ͳ ΒͳΓ·ͤΜɻ

  13. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 13 ͜Ε·Ͱͷ೉఺ γʔΫϨοτ৘ใΛ؀ڥม਺ͳͲʹద༻͍ͨ͠৔߹... ྫ) CSI Provider ઃఆՄೳ͕ͩɺߋ৽ͨ͠৔߹ʹ൓өͯ͘͠Ε·ͤΜɻ

  14. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 14 Vault Secrets Operatorͷొ৔ 2023/03/29ͷϒϩάʹͯΞφ΢ϯε͞Ε·ͨ͠ɻ ※ ·ͩϕʔλͱ͍͏ݐ෇͚ͳͷͰɺ࢖༻͢Δࡍ͸͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration

  15. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 15 Vault Secrets Operator Vault Secrets Operator ͸ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ Operator͸ɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞੒͠ɺ ιʔεʹՃ͑ΒΕͨ͢΂ͯͷมߋ͕൓ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ ରԠύλʔϯ • Static Secret – Key-Valueܕ(ver1, ver2) • Dynamic Secret – ύϒϦοΫΫϥ΢υ΍DB΁ͷΞΫηεΛ͢ΔͨΊͷظݶ෇͖ೝূ৘ใΛಈతʹੜ੒͢Δ΋ͷ • PKI – ಈతͳ X.509 ূ໌ॻΛੜ੒͢Δ

  16. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 16 How to use Vault Secrets Operator

  17. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 17 έʔε ɾ໨ඪ γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ εͱͯ͠࡞੒Ͱ͖ΔΑ͏ʹ͢Δɻ ɾλεΫ 0. ࣄલ४උ 1. Vault Secrets OperatorͷΠϯετʔϧ 2. VaultͷηοςΟϯά 3. VaultConnectionͷ࡞੒ 4. VaultAuthͷ࡞੒ 5. VaultStaticSecretͷ࡞੒

  18. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 18 0. ࣄલ४උ 1. ࣄલʹHelm౳Λ༻͍ͯVaultΛ࡞੒͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ

  19. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 19 0. ࣄલ४උ 2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞੒͠·͢ɻ

  20. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 20 1. Vault Secrets OperatorͷΠϯετʔϧ ࠓճ͸ɺVaultΛHelmΛ༻͍ͯೖΕͨ৔߹Λجʹ͍ͯ͠·͢ɻ

  21. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 21 Vault Secrets Operator CRD Vault Secret OperatorʹΑͬͯ؅ཧ͞ΕΔCRD͸NamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ

  22. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 22 2. VaultͷηοτΞοϓ 1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞੒͠·͢ɻ 2. Policyͷ࡞੒͠·͢ɻ ※path͸ɺSecret࡞੒࣌ͷύεͰ͸ͳ͘ ɹ࡞੒࣌ͷग़ྗͷSecret Path

  23. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 23 2. VaultͷηοτΞοϓ 3. RoleΛ࡞੒͠·͢ɻ • auth/kubernetes/role/vso-demo-role – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role] • bound_service_account_names: Service Account໊ – (P.1*) 0-2Ͱ࡞੒ͨ͠Service Account – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount] • bound_service_account_namespaces: γʔΫϨοτΛ࡞੒͢ΔNamespace • policies: (P.1*) 1-2Ͱ࡞੒ͨ͠ϙϦγʔ໊

  24. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 24 3. VaultConnectionͷ࡞੒ ઀ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.address => VaultʹΞΫηε͢ΔΞυϨε ͜ͷଞʹ΋ɺHTTPϔομʔ΍TLSͷઃఆΛ͢Δύ ϥϝʔλ͕͋Γ·͢ɻ

  25. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 25 4. VaultAuthͷ࡞੒ Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳ৘ใΛهड़͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultConnectionRef => (P.1*) 3 Ͱ࡞੒ͨ͠VaultConnectionϦιʔε໊ .spec.kubernetes.role => (P.1*) 2-3 Ͱ࡞੒ͨ͠Vault্ͷrole .spec.kubernetes.serviceAccount => (P.1*) 0-2 Ͱ࡞੒ͨ͠Service Account໊

  26. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 26 5. VaultStaticSecretͷ࡞੒ Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞੒͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultAuthRef => (P.1*) 4 Ͱ࡞੒ͨ͠VaultAuthϦιʔε໊ .spec.destination.name => Kubernetes্ʹ࡞੒͢ΔSecretϦιʔε໊ .spec.mount / .spec.name => (P.1*) 2-1 Ͱ࡞੒ͨ͠Vault্ͷγʔΫϨοτͷύε mount name

  27. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 27 5. VaultStaticSecretͷ࡞੒ ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞੒͞Ε·͢ɻ

  28. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 28 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ઌ΄ͲͷྫͰ͸ɺ2֊૚ͰͷγʔΫϨοτ࡞੒Λ͔ͨ͠Β෼͔Γ΍͔ͬͨ͢ͱࢥ͍·͢ɻ

  29. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 29 ΋͠֊૚͕ਂ͘ͳͬͨ৔߹Ͳ͏ͨ͠Β͍͍ʁ ֊૚͕૿͑ͯ΋ҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ

  30. Copyright © Dell Inc. All Rights Reserved. Internal Use -

    Confidential 30 ·ͱΊ Sidecar Agent Injector CSI Provider Vault Secrets Operator γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume ؀ڥม਺ Secret γʔΫϨοτλΠϓ Static Dynamic PKI Static Dynamic PKI Static Dynamic PKI ςϯϓϨʔτ ʓ × × (2023/04/17࣌఺) γʔΫϨοτ ϩʔςʔγϣϯ ʓ × ʓ Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍΍͘͢ͳΓ·ͨ͠ɻ ࠓճ঺հͨ͠΋ͷҎ֎ʹ΋༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱ͸ҎԼͷ௨ΓͰ͢ɻ
  31. None