Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Vault Secrets Operator Tutorial
Search
ry
April 17, 2023
Technology
0
540
Vault Secrets Operator Tutorial
Vault Secrets Operatorの使用感について登壇した資料。
ry
April 17, 2023
Tweet
Share
More Decks by ry
See All by ry
eBPF Tools on Kubernetes part1
ry
0
290
KyvernoとRed Hat ACMを用いたマルチクラスターの一元的なポリシー制御
ry
0
1.1k
明日から始められるKyvernoを用いたポリシー制御
ry
3
800
CNDT2022 k8snovice Community introduction
ry
0
140
Policy Engine on Kubernetes
ry
1
1.4k
ConfigMap and Secret
ry
0
360
Policy Manager試してみた!
ry
0
410
Kubernetes APIに Pod内からアクセスしてみた
ry
1
1.8k
AKS 101 in Kubernetes Novice Tokyo #1
ry
0
660
Other Decks in Technology
See All in Technology
20250910_障害注入から効率的復旧へ_カオスエンジニアリング_生成AIで考えるAWS障害対応.pdf
sh_fk2
3
260
【NoMapsTECH 2025】AI Edge Computing Workshop
akit37
0
200
今!ソフトウェアエンジニアがハードウェアに手を出すには
mackee
12
4.8k
企業の生成AIガバナンスにおけるエージェントとセキュリティ
lycorptech_jp
PRO
2
180
S3アクセス制御の設計ポイント
tommy0124
3
200
研究開発と製品開発、両利きのロボティクス
youtalk
1
530
5年目から始める Vue3 サイト改善 #frontendo
tacck
PRO
3
220
Webブラウザ向け動画配信プレイヤーの 大規模リプレイスから得た知見と学び
yud0uhu
0
230
現場で効くClaude Code ─ 最新動向と企業導入
takaakikakei
1
250
AWSを利用する上で知っておきたい名前解決のはなし(10分版)
nagisa53
10
3.1k
生成AI時代のデータ基盤設計〜ペースレイヤリングで実現する高速開発と持続性〜 / Levtech Meetup_Session_2
sansan_randd
1
150
バイブスに「型」を!Kent Beckに学ぶ、AI時代のテスト駆動開発
amixedcolor
2
570
Featured
See All Featured
How to Ace a Technical Interview
jacobian
279
23k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
6k
We Have a Design System, Now What?
morganepeng
53
7.8k
Building Applications with DynamoDB
mza
96
6.6k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
139
34k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.4k
Building Adaptive Systems
keathley
43
2.7k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
33
2.4k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Transcript
Vault Secrets Operator Tutorial Kubernetes Novice Tokyo #24 Ryotaro Uwatsu
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 2 ࣗݾհ Name: Ryotaro Uwatsu (Twitter: @URyo_0213) Title: Solutions Architect Community: - Kubernetes Meetup Novice ӡӦ - Kubenews
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 3 Table of Contents • What’s HashiCorp Vault • How to use Vault Secrets Operator
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 4 What’s HashiCorp Vault
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 5 HashiCorp Vault HashiCorp VaultɺγʔΫϨοτΛηΩϡΞʹཧ͢Δ͜ͱ͕Մೳͳπ ʔϧͰ͢ɻ ༷ʑͳΞΫηεํࣜΛ༻͍ͯɺϙϦγʔʹԊͬͨγʔΫϨοτͷΞΫ ηε͕ՄೳͰ͢ɻ ҎԼͷΑ͏ʹ༷ʑͳܗࣜͷγʔΫϨοτΛཧ͢Δ͜ͱ͕Մೳͱͳͬͯ ͍·͢ɻ • γʔΫϨοτཧ • User identityཧ • PKI • etc...
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 6 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ Secretͷσʔλɺbase64ͰΤϯίʔυ͞Ε͍ͯΔ͚ͩͰɺ͙͢ʹղಡͰ͖ͯ͠·͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 7 ͳΜͰVault͕͋Δͱ͏Ε͍͠ͷ͔ ηΩϡΞʹSecretΛཧ͢Δํ๏ʹɺSealed Secretͱ͍ͬͨιϦϡʔγϣϯ͕͋ͬͨΓ͢Δ͕ɺ ͕૿͑ͯ͠·ͬͨΓ͢Δͱཧ͕ࡶʹͳͬͯ͠·ͬͨΓɺΫϥελʔຖʹཧ͠ͳ͚Εͳ Βͳ͔ͬͨΓ͢ΔͷͰɺҰݩతʹγʔΫϨοτΛཧ͍ͯͨ͠͠ͱײͯ͡͠·͏Ͱ͠ΐ͏ɻ AWSͷSecret ManagerͷΑ͏ͳΈ͋Δ͕ɺύϒϦοΫΫϥυͳͲʹΞΫηεͰ͖ͳ͔ͬ ͨΓɺͦ͜ʹஔ͘͜ͱͷͰ͖ͳ͍ใ͋Δ͔ͱࢥ͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 8 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 9 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 10 KubernetesͷγʔΫϨοτͷద༻ (ެࣜ) • Agent Injector – Init ContainerͰγʔΫϨοτΛಛఆͷσΟϨΫτϦʹૠೖ͠ɺҎޙมߋ͕͋ͬͨ߹Sidecar Agent͕มߋΛө͠·͢ɻ • CSI Provider – CSIΛ༻͍ͯɺVolumeͱͯ͠SecretΛPodʹ༩͑·͢ɻ (ίϛϡχςΟ) • External Secret – ExternalSecret(CRD)Λ༻͍ͨSecretϦιʔεͷ࡞Λ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 11 ৄ͘͠... Kubernetes Novice Tokyo #15 ͰɺHashiCorpͷؒ͞Μ͕ൃද͍͍ͯͨͩͨ͠ࢿྉΛࢀর͍ͩ͘͞ɻ https://speakerdeck.com/jacopen/k8stovaultwozu-mihe-wasetesikuretutowomotutosekiyuani
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 12 ͜Ε·Ͱͷ γʔΫϨοτใΛڥมͳͲʹద༻͍ͨ͠߹... ྫ) Agent Injector templateʹ͓͍ͯexport͢ΔΑ͏ʹॻ͖ɺίϯςφͰsourceίϚϯυΛ༻͍ͯద༻͠ͳ͚Εͳ ΒͳΓ·ͤΜɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 13 ͜Ε·Ͱͷ γʔΫϨοτใΛڥมͳͲʹద༻͍ͨ͠߹... ྫ) CSI Provider ઃఆՄೳ͕ͩɺߋ৽ͨ͠߹ʹөͯ͘͠Ε·ͤΜɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 14 Vault Secrets Operatorͷొ 2023/03/29ͷϒϩάʹͯΞφϯε͞Ε·ͨ͠ɻ ※ ·ͩϕʔλͱ͍͏ݐ͚ͳͷͰɺ༻͢Δࡍ͔ͬ͠Γͱݕ౼͍ͯͩ͘͠͞ɻ https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 15 Vault Secrets Operator Vault Secrets Operator ɺ֤छCRDΛ༻͍ͯVaultͱKubernetesΛ࿈ܞͤ͞·͢ɻ OperatorɺVault্ʹ͋ΔγʔΫϨοτσʔλΛλʔήοτͷKubernetes্ʹSecretϦιʔεͱͯ͠࡞͠ɺ ιʔεʹՃ͑ΒΕͨͯ͢ͷมߋ͕ө͞ΕΔΑ͏ʹͯ͘͠Ε·͢ɻ ରԠύλʔϯ • Static Secret – Key-Valueܕ(ver1, ver2) • Dynamic Secret – ύϒϦοΫΫϥυDBͷΞΫηεΛ͢ΔͨΊͷظݶ͖ೝূใΛಈతʹੜ͢Δͷ • PKI – ಈతͳ X.509 ূ໌ॻΛੜ͢Δ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 16 How to use Vault Secrets Operator
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 17 έʔε ɾඪ γʔΫϨοτΛVault͔Βऔಘ͠ɺ default ωʔϜεϖʔεʹSecretϦιʔ εͱͯ͠࡞Ͱ͖ΔΑ͏ʹ͢Δɻ ɾλεΫ 0. ࣄલ४උ 1. Vault Secrets OperatorͷΠϯετʔϧ 2. VaultͷηοςΟϯά 3. VaultConnectionͷ࡞ 4. VaultAuthͷ࡞ 5. VaultStaticSecretͷ࡞
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 18 0. ࣄલ४උ 1. ࣄલʹHelmΛ༻͍ͯVaultΛ࡞͓ͯ͘͠ඞཁ͕͋Γ·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 19 0. ࣄલ४උ 2. γʔΫϨοτΛVault͔Βऔಘ͢ΔࡍͷService AccountΛ࡞͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 20 1. Vault Secrets OperatorͷΠϯετʔϧ ࠓճɺVaultΛHelmΛ༻͍ͯೖΕͨ߹Λجʹ͍ͯ͠·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 21 Vault Secrets Operator CRD Vault Secret OperatorʹΑͬͯཧ͞ΕΔCRDNamespacedͳϦιʔεͱͯ͠ద༻͞Ε·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 22 2. VaultͷηοτΞοϓ 1. Key-Value ver2Λ༗ޮԽ͠ɺSecretΛ࡞͠·͢ɻ 2. Policyͷ࡞͠·͢ɻ ※pathɺSecret࡞࣌ͷύεͰͳ͘ ɹ࡞࣌ͷग़ྗͷSecret Path
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 23 2. VaultͷηοτΞοϓ 3. RoleΛ࡞͠·͢ɻ • auth/kubernetes/role/vso-demo-role – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.role] • bound_service_account_names: Service Account໊ – (P.1*) 0-2Ͱ࡞ͨ͠Service Account – ͜ͷޙɺVaultAuthͰࢦఆ͠·͢[.spec.kubernetes.serviceAccount] • bound_service_account_namespaces: γʔΫϨοτΛ࡞͢ΔNamespace • policies: (P.1*) 1-2Ͱ࡞ͨ͠ϙϦγʔ໊
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 24 3. VaultConnectionͷ࡞ ଓઌͱ͢ΔVaultΛࢦఆ͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.address => VaultʹΞΫηε͢ΔΞυϨε ͜ͷଞʹɺHTTPϔομʔTLSͷઃఆΛ͢Δύ ϥϝʔλ͕͋Γ·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 25 4. VaultAuthͷ࡞ Vaultʹରͯ͠ɺೝূ͢ΔͨΊʹඞཁͳใΛهड़͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultConnectionRef => (P.1*) 3 Ͱ࡞ͨ͠VaultConnectionϦιʔε໊ .spec.kubernetes.role => (P.1*) 2-3 Ͱ࡞ͨ͠Vault্ͷrole .spec.kubernetes.serviceAccount => (P.1*) 0-2 Ͱ࡞ͨ͠Service Account໊
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 26 5. VaultStaticSecretͷ࡞ Vault͔Βऔಘͨ͠γʔΫϨοτΛɺKubernetes্ʹSecretͱͯ͠࡞͢ΔϦιʔεͰ͢ɻ [Մมύϥϝʔλ] .spec.vaultAuthRef => (P.1*) 4 Ͱ࡞ͨ͠VaultAuthϦιʔε໊ .spec.destination.name => Kubernetes্ʹ࡞͢ΔSecretϦιʔε໊ .spec.mount / .spec.name => (P.1*) 2-1 Ͱ࡞ͨ͠Vault্ͷγʔΫϨοτͷύε mount name
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 27 5. VaultStaticSecretͷ࡞ ҎԼͷΑ͏ʹɺSecretϦιʔε͕࡞͞Ε·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 28 ͠֊͕ਂ͘ͳͬͨ߹Ͳ͏ͨ͠Β͍͍ʁ ઌ΄ͲͷྫͰɺ2֊ͰͷγʔΫϨοτ࡞Λ͔ͨ͠Β͔Γ͔ͬͨ͢ͱࢥ͍·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 29 ͠֊͕ਂ͘ͳͬͨ߹Ͳ͏ͨ͠Β͍͍ʁ ֊͕૿͑ͯҎԼͷ௨Γʹద༻͢Δ͜ͱ͕Ͱ͖·͢ɻ
Copyright © Dell Inc. All Rights Reserved. Internal Use -
Confidential 30 ·ͱΊ Sidecar Agent Injector CSI Provider Vault Secrets Operator γʔΫϨοτͷఏڙํ๏ Volume (emptyDir) Volume ڥม Secret γʔΫϨοτλΠϓ Static Dynamic PKI Static Dynamic PKI Static Dynamic PKI ςϯϓϨʔτ ʓ × × (2023/04/17࣌) γʔΫϨοτ ϩʔςʔγϣϯ ʓ × ʓ Vault Secrets OperatorΛ༻͍ͯɺ͜Ε·ͰҎ্ʹγʔΫϨοτΛѻ͍͘͢ͳΓ·ͨ͠ɻ ࠓճհͨ͠ͷҎ֎ʹ༷ʑͳར༻ํ๏͕͋ΔͷͰɺͥͻࢼͯ͠Έ͍ͯͩ͘͞ɻ ଞͷKubernetesͱͷ࿈ܞํ๏ͱͷ؆୯ͳൺֱҎԼͷ௨ΓͰ͢ɻ
None