# Lab: HashiCorp Vault with Kubernetes
Integrate Vault for secrets management in Kubernetes.
## Objectives
- Deploy Vault in Kubernetes
- Store and retrieve secrets
- Inject secrets into pods
## Prerequisites
- Kubernetes cluster
- Helm installed
## Duration: 30 minutes
## Task 1: Install Vault (5 min)
bash
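# Add the HashiCorp Helm repo and refresh the chart index
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update

# Install Vault in dev mode: a single auto-unsealed server that prints its
# root token to the pod log. Fine for this lab; anyone who can read the pod
# log gets the root token, so never run dev mode outside a throwaway cluster.
helm install vault hashicorp/vault \
  --set server.dev.enabled=true \
  --set injector.enabled=true

# Wait for the pod object to exist before waiting on its condition:
# `kubectl wait` fails at once with NotFound if the StatefulSet has not yet
# created vault-0. Bounded so a failed install does not hang the lab.
for ((i = 0; i < 30; i++)); do
  kubectl get pod vault-0 >/dev/null 2>&1 && break
  sleep 2
done
kubectl wait --for=condition=Ready pod/vault-0 --timeout=120s

# Get root token (dev mode prints it in the server log)
kubectl logs vault-0 | grep "Root Token"

## Task 2: Configure Vault (10 min)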
bash
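# Open a shell inside the Vault pod; everything below runs there until `exit`
kubectl exec -it vault-0 -- sh

# Inside vault pod:
# Enable the KV v2 secrets engine at secret/. Skip when the mount already
# exists: a dev-mode server mounts kv-v2 at secret/ on startup, and enabling
# it a second time fails with "path is already in use".
vault secrets list | grep -q '^secret/' \
  || vault secrets enable -path=secret kv-v2

# Store a secret. The lab value is a placeholder; for real secrets feed the
# values on stdin (`vault kv put secret/... -`) instead of argv, which ends
# up in shell history and is visible to `ps`.
vault kv put secret/myapp/config \
  username="admin" \
  password="supersecret123"

# Read it back
vault kv get secret/myapp/config

# Enable Kubernetes auth; skip if a previous run already enabled it
vault auth list | grep -q '^kubernetes/' \
  || vault auth enable kubernetes

# Point Vault at the in-cluster API server (address taken from the pod's env)
vault write auth/kubernetes/config \
  kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"

# Policy: read-only on the kv-v2 data path for myapp. kv-v2 serves the
# values written to secret/myapp/... under secret/data/myapp/..., so the
# policy path differs from the `kv put` path.
vault policy write myapp-policy - <<EOF
path "secret/data/myapp/*" {
  capabilities = ["read"]
}
EOF

# Role: binds the policy to service account myapp-sa in namespace default.
# Both values must match the serviceAccountName the Deployment uses in Task 3.
vault write auth/kubernetes/role/myapp \
  bound_service_account_names=myapp-sa \
  bound_service_account_namespaces=default \
  policies=myapp-policy \
  ttl=1h

# Leave the pod shell
exit

## Task 3: Deploy App with Secrets (10 min)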
bash
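# Create the service account the Vault role is bound to
kubectl create serviceaccount myapp-sa

# Deploy the app with Vault Agent injector annotations. The injector adds a
# vault-agent-init container that logs in as role "myapp" and writes the
# secret at secret/data/myapp/config to /vault/secrets/config in the pod.
cat << 'EOF' | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "myapp"
        vault.hashicorp.com/agent-inject-secret-config: "secret/data/myapp/config"
    spec:
      serviceAccountName: myapp-sa
      containers:
        - name: app
          image: nginx
          command: ["/bin/sh", "-c"]
          args: ["cat /vault/secrets/config && sleep 3600"]
EOF

# Wait for the rollout before reading from the pod: exec into a pod whose
# init container is still running fails, and the log would be incomplete
kubectl rollout status deployment/myapp --timeout=120s

# Check for secrets: init-container log first, then the rendered file
kubectl logs deployment/myapp -c vault-agent-init
kubectl exec deployment/myapp -- cat /vault/secrets/config

## Task 4: Verify (5 min)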
bash
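# Check secret injection: read the rendered file once, show it, then assert
# the expected key is present so the check can be scripted
config=$(kubectl exec deployment/myapp -- cat /vault/secrets/config)
printf '%s\n' "$config"

# Output should contain:
# data: map[password:supersecret123 username:admin]
if [[ "$config" == *"username:admin"* ]]; then
  echo "secret injected"
else
  echo "expected keys not found in /vault/secrets/config" >&2
  exit 1
fi

## Success Criteria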
- Vault running in Kubernetes
- Secrets stored in Vault
- Kubernetes auth configured
- Secrets injected into pod
## Cleanup
bash
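# Remove lab resources. --ignore-not-found keeps cleanup idempotent when a
# task was skipped or a resource was already deleted.
kubectl delete deployment myapp --ignore-not-found
kubectl delete serviceaccount myapp-sa --ignore-not-found

# Dev mode keeps Vault's data in memory, so uninstalling discards the secret,
# policy and role created above along with the root token
helm uninstall vault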