Copying secrets to Azure Key Vault from HashiCorp Vault - PowerShell

I need to populate my Azure Key Vault with the secrets available in HashiCorp Vault, and I am looking for the best possible way to do it. I feel it can be done using PowerShell, but I am not finding any right reference or sample to follow. Terraform could also be a way.
Please share any sample available to achieve this.
Thanks
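The following is an added example, not code from the original post or from HashiCorp or Microsoft. It walks a KV version 2 engine in Vault over the HTTP API, derives a Key Vault-compatible name for every key (Key Vault secret names allow only letters, digits and dashes, while Vault paths contain slashes), and writes each value with the Az.KeyVault module. Assumptions (not in the question): the KV engine is mounted at "secret", $env:VAULT_ADDR and $env:VAULT_TOKEN are set, and Connect-AzAccount has been run with an identity that has the "set" secret permission on the target Key Vault. The function, parameter and tag names are illustrative.

```powershell
#Requires -Modules Az.KeyVault
# Added example (not from the original post). Assumes a KV v2 engine mounted at
# "secret", $env:VAULT_ADDR / $env:VAULT_TOKEN set, and an Azure login already
# done with Connect-AzAccount.

# Azure Key Vault secret names must match ^[0-9a-zA-Z-]+$ (1-127 chars), so map
# "octopus/dev/pipeline-1" + "my-secret" to "octopus-dev-pipeline-1-my-secret".
# Note that distinct Vault paths can collide after mapping (a/b-c vs a-b/c);
# review the dry-run output before copying for real.
function ConvertTo-KeyVaultSecretName {
    param([Parameter(Mandatory)][string]$VaultPath,
          [Parameter(Mandatory)][string]$Key)
    $raw  = "$VaultPath/$Key" -replace '[^0-9A-Za-z-]+', '-'
    $name = ($raw -replace '-{2,}', '-').Trim('-')
    if ($name.Length -eq 0 -or $name.Length -gt 127) {
        throw "Cannot derive a valid Key Vault secret name from '$VaultPath/$Key'"
    }
    return $name
}

function Invoke-VaultApi {
    param([Parameter(Mandatory)][string]$Path, [string]$Query = '')
    $uri = "$($env:VAULT_ADDR.TrimEnd('/'))/v1/$Path$Query"
    return Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'X-Vault-Token' = $env:VAULT_TOKEN }
}

# Recursively list KV v2 secret paths under a prefix. Vault's LIST verb is sent
# as GET ?list=true so this also works on Windows PowerShell 5.1, which has no
# -CustomMethod. Entries ending in "/" are sub-folders.
function Get-VaultKvPaths {
    param([string]$Mount = 'secret', [string]$Prefix = '')
    $resp = Invoke-VaultApi -Path "$Mount/metadata/$Prefix" -Query '?list=true'
    foreach ($entry in $resp.data.keys) {
        if ($entry.EndsWith('/')) { Get-VaultKvPaths -Mount $Mount -Prefix "$Prefix$entry" }
        else { "$Prefix$entry" }
    }
}

# Read the latest version of one KV v2 secret as a hashtable of key -> value.
function Get-VaultKvSecret {
    param([string]$Mount = 'secret', [Parameter(Mandatory)][string]$Path)
    $resp   = Invoke-VaultApi -Path "$Mount/data/$Path"
    $result = @{}
    foreach ($prop in $resp.data.data.PSObject.Properties) { $result[$prop.Name] = [string]$prop.Value }
    return $result
}

# Copy every key under $Prefix into the Key Vault; returns the names written.
function Copy-VaultToKeyVault {
    param([Parameter(Mandatory)][string]$KeyVaultName,
          [string]$Mount = 'secret', [string]$Prefix = '', [switch]$DryRun)
    $copied = @()
    foreach ($path in Get-VaultKvPaths -Mount $Mount -Prefix $Prefix) {
        $kv = Get-VaultKvSecret -Mount $Mount -Path $path
        foreach ($key in $kv.Keys) {
            $name = ConvertTo-KeyVaultSecretName -VaultPath $path -Key $key
            if (-not $DryRun) {
                $secure = ConvertTo-SecureString -String $kv[$key] -AsPlainText -Force
                # Tag the copy with its origin so it can be traced back to Vault later.
                Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $name -SecretValue $secure `
                    -Tag @{ source = 'hashicorp-vault'; vaultPath = "$Mount/$path"; vaultKey = $key } | Out-Null
            }
            $copied += $name
        }
    }
    return $copied
}

# Dry run first to review the generated names, then run it for real:
Copy-VaultToKeyVault -KeyVaultName 'my-keyvault' -Prefix 'octopus/' -DryRun
# Copy-VaultToKeyVault -KeyVaultName 'my-keyvault' -Prefix 'octopus/'
```

Two caveats a practitioner should keep in mind: Vault returns 404 for a LIST on a prefix with no children, which Invoke-RestMethod raises as an error, so an empty or mistyped prefix fails loudly rather than silently copying nothing; and nested JSON values in a KV entry are flattened to strings here, so inspect the dry run if your secrets hold structured data. If your engine is KV version 1, the read path is `$Mount/$Path` and the values sit directly under `.data` instead of `.data.data`.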

Related

Enabling a Secrets Engine in HashiCorp Vault upon installation via Helm chart

I installed a HashiCorp Vault server via Helm with my custom values.yaml file (used this as a reference: https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration)
I know I can enable different secrets engines after I initialize and unseal Vault (via the UI, CLI or API).
However, I am wondering whether it is possible to enable secrets engines via the values.yaml before initializing and unsealing Vault - i.e., when I open the UI after initializing and unsealing Vault I would like to see these engines already enabled and on the list of secrets engines (without enabling them manually).
I searched online for a way to do this but my efforts were in vain. I would really appreciate any answer on this subject.
Thanks in advance!

How does Octopus Deploy interact with HashiCorp Vault to get secrets and certificates?

How to create secrets and certs in HashiCorp Vault?
How to pull those secrets into my Octopus Deploy?
Looking at the documentation, you can't write secrets in Vault from your pipeline. A part of your pipeline, maybe Terraform or Ansible, will generate secrets and store them in Vault, for another part of the pipeline to retrieve them later.
Once you have secrets to retrieve, you will need to:
Authenticate to Vault
Pull the secrets
I suggest that you start writing and reading secrets and certificates from the command line first, to quickly get a sense of how Vault works. Something like:
vault kv put secret/octopus/dev/pipeline-1 my-secret=hello123
vault kv get secret/octopus/dev/pipeline-1

Detect when a secret changes in Hashicorp Vault

I'm totally new to Vault and what I want is to detect when a secret changes and execute some code in response. I've been googling for resources about how to do that but haven't found anything useful. From what I've read and learnt, I think the only way of achieving what I want is by implementing a custom secrets engine. Am I right? Do you know a better way of achieving what I want?
There is no event option in Vault as of now, so on changes we do not get notified; it just natively changes the key/value pairs.
I would recommend using the polling method if you have any such scenario with Vault.
Here is one nice CRD which also does polling and syncs the Vault secret to a Kubernetes secret.
This might be useful for reference: https://github.com/DaspawnW/vault-crd
There currently are no triggers that'll tell you when the secret has changed. If you're running Kubernetes (sidecar) or using the Vault Agent, this is minimized as the agent will auto-pull any new secrets down (configurable).
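The polling approach the answers above recommend, as an added example that is not part of the original thread and not HashiCorp code. Instead of re-reading the secret value on every poll, it reads the KV version 2 metadata endpoint, which returns the secret's current_version counter (incremented on every write) without returning the value, and runs a callback only when that counter moves. Assumptions (not in the thread): a KV v2 engine mounted at "secret", $env:VAULT_ADDR and $env:VAULT_TOKEN set, and a token policy that allows "read" on secret/metadata/<path>. Function and parameter names are illustrative.

```powershell
# Added example (not from the original thread). Assumes a KV v2 engine at
# "secret" and $env:VAULT_ADDR / $env:VAULT_TOKEN set.

# Read the current version number of a KV v2 secret from its metadata. This
# does not return the secret value, so the poller only needs metadata access.
function Get-VaultKvVersion {
    param([string]$Mount = 'secret', [Parameter(Mandatory)][string]$Path)
    $uri  = "$($env:VAULT_ADDR.TrimEnd('/'))/v1/$Mount/metadata/$Path"
    $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'X-Vault-Token' = $env:VAULT_TOKEN }
    return [int]$resp.data.current_version
}

# Poll the version and invoke $OnChange (old version, new version) when it moves.
# -ReadVersion is injectable so the loop can be exercised without a live Vault.
function Watch-VaultKvSecret {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][scriptblock]$OnChange,
        [string]$Mount = 'secret',
        [int]$IntervalSeconds = 30,
        [int]$MaxPolls = 0,                    # 0 = poll until the process is stopped
        [scriptblock]$ReadVersion = { param($m, $p) Get-VaultKvVersion -Mount $m -Path $p }
    )
    $last    = & $ReadVersion $Mount $Path
    $changes = 0
    $polls   = 0
    while ($MaxPolls -eq 0 -or $polls -lt $MaxPolls) {
        Start-Sleep -Seconds $IntervalSeconds
        $polls++
        try {
            $current = & $ReadVersion $Mount $Path
        } catch {
            # A transient Vault or network error must not kill the watcher:
            # keep the last known version and retry on the next interval.
            Write-Warning "Poll of $Mount/$Path failed: $($_.Exception.Message)"
            continue
        }
        if ($current -ne $last) {
            & $OnChange $last $current
            $last = $current
            $changes++
        }
    }
    return $changes
}

# Usage: react whenever secret/octopus/dev/pipeline-1 is rewritten.
Watch-VaultKvSecret -Path 'octopus/dev/pipeline-1' -IntervalSeconds 15 -OnChange {
    param($old, $new)
    Write-Host "secret/octopus/dev/pipeline-1 changed: version $old -> $new"
    # e.g. re-read the secret with 'vault kv get' and restart the consuming service here
}
```

Comparing the version counter rather than the value means a rewrite with an identical value still fires (every write bumps current_version), and a soft-deleted version shows up as a change too; if you need to ignore those, read the matching entry under .data.versions and check its deletion_time. The same loop works for KV version 1 if -ReadVersion is swapped for a callback that hashes the returned value, since v1 keeps no version metadata.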

How to write secrets to HashiCorp Vault or Azure Key Vault from Kubernetes?

I have come across injectors/drivers/et cetera for Kubernetes for most major secret providers, but the common theme with those solutions are that these only sync one-way, i.e., only from the vault to the cluster. I want to be able to update the secrets too, from my Kubernetes cluster.
What is the recommended pattern for doing this? (Apart from the obvious solution of writing a custom service that communicates with the vault)
I'd say that this is an anti-pattern, meaning you shouldn't do that.
If you create your secret in k8s from a file, that would mean you either have it in version control, something you should never do, or you don't have it in version control or create it from a literal, which is good, but then you have neither a change history/log nor a real documentation of your secret. I guess that would explain why the major secret providers don't support that.
You should set up the secret using the key vault and apply it to your cluster using Terraform, for example.
Terraform supports both Azure Key Vault secrets https://www.terraform.io/docs/providers/azurerm/r/key_vault_secret.html and Kubernetes secrets https://www.terraform.io/docs/providers/kubernetes/r/secret.html
You can simply import the key vault secret and use it in the k8s secret. Every time you update the key vault secret, you apply the changes with Terraform.

Best practice for shared K8s Secrets in Helm 3?

I have a couple Charts which all need access to the same Kubernetes Secret. My initial plan was to create a Chart just for those Secrets but it seems Helm doesn't like that. I am thinking this must be a common problem and am wondering what folks generally do to solve this problem?
Thanks!
Best practice is: don't save any sensitive secrets in Kubernetes clusters. A Kubernetes secret is encoded, not encrypted.
You can reference the secret via AWS SSM/Secrets Manager, HashiCorp Vault or other similar tools.
https://github.com/aws-samples/aws-workshop-for-kubernetes/tree/master/04-path-security-and-networking/401-configmaps-and-secrets
Most charts that follow the common chart development practices allow you to use an existing secret instead of creating one for you. This way, you can create your common secrets normally (without Helm), and refer to them from the charts that need them, via a reference like the existingSecret config key.
Take the MinIO Helm chart for example: it accepts an existingSecret key as an alternative to passing an accessKey and a secretKey.
As you can see in the main charts repo, this is a pretty common practice.