How does Octopus Deploy interact with HashiCorp Vault to get secrets and certificates?

How to create secrets and certs in HashiCorp Vault?
How to pull those secrets into my Octopus Deploy?

Looking at the documentation, you can't write secrets in Vault from your pipeline. A part of your pipeline, maybe Terraform or Ansible, will generate secrets and store them in Vault, for another part of the pipeline to retrieve them later.
Once you have secrets to retrieve, you will need to:
1. Authenticate to Vault
2. Pull the secrets
I suggest that you start by writing and reading secrets and certificates from the command line first, to quickly get a sense of how Vault works. Something like:
vault kv put secret/octopus/dev/pipeline-1 my-secret=hello123
vault kv get secret/octopus/dev/pipeline-1
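As an added illustration (not part of the original answer), the "authenticate, then pull" half of this done from a pipeline step in Python against Vault's KV v2 HTTP API: it reads the secret written above with an existing token and unwraps the data/metadata nesting the KV v2 reply uses. The reply is a constructed sample so the script runs offline; reading VAULT_ADDR and VAULT_TOKEN from protected pipeline variables is an assumption.

```python
import json
import os
import urllib.request

# Constructed stand-in for Vault's KV v2 read reply for the secret written above.
SAMPLE_KV_RESPONSE = {
    "data": {
        "data": {"my-secret": "hello123"},
        "metadata": {"version": 1, "destroyed": False, "deletion_time": ""},
    }
}

def kv2_read_path(mount: str, path: str) -> str:
    """KV v2 inserts 'data' between the mount and the secret path."""
    return f"/v1/{mount.strip('/')}/data/{path.strip('/')}"

def extract_kv2_secret(body: dict, key: str) -> str:
    """Pull one key out of a KV v2 reply; values live under data.data, not data."""
    inner = body.get("data") or {}
    meta = inner.get("metadata") or {}
    if meta.get("destroyed") or meta.get("deletion_time"):
        raise ValueError("requested secret version is deleted or destroyed")
    values = inner.get("data") or {}
    if key not in values:
        raise KeyError(f"key {key!r} not present in secret")
    return values[key]

def http_get(url: str, headers: dict) -> bytes:
    """Default transport: plain GET, token travels in the X-Vault-Token header."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def sample_fetch(url: str, headers: dict) -> bytes:
    """Offline transport returning the constructed reply above."""
    return json.dumps(SAMPLE_KV_RESPONSE).encode()

def fetch_secret(addr: str, token: str, mount: str, path: str, key: str, fetch=http_get) -> str:
    """Authenticate with an existing token and read one KV v2 value."""
    url = addr.rstrip("/") + kv2_read_path(mount, path)
    return extract_kv2_secret(json.loads(fetch(url, {"X-Vault-Token": token})), key)

if __name__ == "__main__":
    # Assumption: VAULT_ADDR and a short-lived VAULT_TOKEN come from protected
    # pipeline variables; without them the constructed reply is used instead.
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    fetch = http_get if addr and token else sample_fetch
    value = fetch_secret(addr or "http://127.0.0.1:8200", token or "", "secret",
                         "octopus/dev/pipeline-1", "my-secret", fetch=fetch)
    # Log the length, never the value, so secrets stay out of deployment logs.
    print(f"retrieved my-secret ({len(value)} characters)")
```

Swap the token-based transport for whichever auth method your pipeline uses (AppRole, JWT) once you have the basic read working.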

Related

How can we store Kubernetes secrets in GitHub secrets

Hi, I'm working on a task regarding which one we should implement for Kubernetes secrets: Vault or GitHub secrets.
I'm still very new to Kubernetes, so I need help with this. If anyone can help me with some references that explain how we can store secrets and credentials in GitHub secrets and use those GitHub credentials in Kubernetes as secrets, that would be great.
We are running:
- on-prem Kubernetes
- GitHub Enterprise
I have configured secrets through GitHub and am trying to use them in Kubernetes, but I have no idea how to do that; I'm just blank here.
You can use Sealed Secrets to manage your k8s secrets in GitHub.
Sealed Secrets is composed of two parts:
- A cluster-side controller / operator
- A client-side utility: kubeseal
The kubeseal utility uses asymmetric crypto to encrypt secrets that only the controller can decrypt.
To learn more, head over to the sealed-secrets GitHub repo.

Copying secrets to Azure Key Vault from HashiCorp Vault

I need to populate my Azure Key Vault with the secrets available in HashiCorp Vault, for which I am looking for the best possible way. One thing I feel is that it can be done using PowerShell, but I am not finding any right reference or sample to follow. Terraform could also be a way.
Please share if any sample is available to achieve the same.
Thanks

How to pass configuration via ArgoCD and Crossplane

We are trying to create an environment using Crossplane and ArgoCD. Crossplane generates the database and saves the credentials to a secret on the management cluster. After that we deploy the credentials from the management cluster to a secret on our destination cluster.
Now we need to pass the credentials from secret A to secret B, which the application knows about. The issue starts because Argo does not use helm install but helm template, so the lookup function doesn't work. We thought about using Vault as a middleman, but we are not sure how to load values from the secret into Vault.
Anyway, if you have encountered such an issue or have some sort of solution, we'll be very happy to hear about it.
Thank you
You need to commit the (encrypted) secrets somewhere for ArgoCD to pick them up. That is the whole point of GitOps.
Alternatively you can try using https://argo-cd.readthedocs.io/en/stable/user-guide/parameters/, but this is considered a temporary workaround.

How to write secrets to HashiCorp Vault or Azure Key Vault from Kubernetes?

I have come across injectors/drivers/et cetera for Kubernetes for most major secret providers, but the common theme with those solutions is that they only sync one way, i.e., only from the vault to the cluster. I want to be able to update the secrets too, from my Kubernetes cluster.
What is the recommended pattern for doing this? (Apart from the obvious solution of writing a custom service that communicates with the vault)
I'd say that this is an anti-pattern, meaning you shouldn't do that.
If you create your secret in k8s from a file, that would mean you either have it in version control, something you should never do, or you don't have it in version control or create it from a literal, which is good, but then you have neither a change history/log nor real documentation of your secret. I guess that would explain why the major secret providers don't support that.
You should set up the secret using the key vault and apply it to your cluster using Terraform, for example.
Terraform supports both Azure Key Vault secrets (https://www.terraform.io/docs/providers/azurerm/r/key_vault_secret.html) and Kubernetes secrets (https://www.terraform.io/docs/providers/kubernetes/r/secret.html).
You can simply import the key vault secret and use it in the k8s secret. Every time you update the key vault secret, you apply the changes with Terraform.

Populate Kubernetes ConfigMap from HashiCorp Vault

I want to populate ConfigMaps from data inside Vault in Kubernetes. I just completed the setup of Vault with the Kubernetes (service account) and userpass auth methods.
Can someone suggest an easy way to integrate variables for the application? What do I add in the YAML file? If I can populate a ConfigMap, then I can easily use it in the YAML.
How will changes be reflected if a variable changes in Vault?
You can try using Vault CRD; when you create a custom resource of type Vault, it will create a secret using data from Vault.
You can use Vault CRD as Xavier Adaickalam mentioned.
Regarding the subject of variable changes, you have 2 ways of exposing variables inside Pods, using volumes and using environment variables. Volumes are updated automatically when the secrets are modified. Unfortunately, environment variables do not receive updates even if you modify your secrets. You have to restart your container if the values are modified.