Set up Consul & Vault on Kubernetes with Helm


Use helm repo confluentinc

$ helm repo add confluentinc https://confluentinc.github.io/cp-helm-charts

Helm values for Consul

# Helm values for the HashiCorp Consul chart. Keys follow that chart's values.yaml;
# an `enabled: "-"` on a component means "inherit from global.enabled".
global:
  enabled: true
  # Structured (JSON) server logs; easier to parse in a log pipeline than plain text.
  logJSON: true

  # Configure ACLs.
  acls:
    # This requires Consul >= 1.4.
    # Chart-managed ACLs: the HTTP API then requires a token, which is why the
    # Vault storage backend below needs a Consul token of its own.
    manageSystemACLs: true
server:
  enabled: "-"
  # Three servers form the Raft quorum; an odd count tolerates (n-1)/2 failures.
  replicas: 3
  storage: 20Gi
  # requests == limits gives the server pods Guaranteed QoS. 100Mi / 100m is very
  # small for a Consul server — confirm against the expected catalog/KV load.
  resources:
    requests:
      memory: "100Mi"
      cpu: "100m"
    limits:
      memory: "100Mi"
      cpu: "100m"

ui:
  enabled: "-"
  service:
    enabled: true
  # The UI is published outside the cluster through the nginx ingress class with a
  # cert-manager certificate. With manageSystemACLs above, the UI/API behind it
  # still requires an ACL token for anything beyond what the anonymous policy allows.
  ingress:
    enabled: true
    ingressClassName: "nginx"
    pathType: Prefix
    hosts:
      - host: consul.devops.kiev.ua
        paths:
          - /
    tls:
      - hosts:
        - consul.devops.kiev.ua
        secretName: consul-tls
    # NOTE(review): `annotations` is written as a block-scalar string (`|`), not a
    # mapping — the Consul chart accepts a string here; keep it that way if you add
    # more annotations. The value names a ClusterIssuer; it only coincidentally
    # matches secretName above — confirm a ClusterIssuer "consul-tls" exists.
    annotations: |
      cert-manager.io/cluster-issuer: consul-tls

Helm values for Vault

# Helm values for the HashiCorp Vault chart. `enabled: "-"` defers to the chart's
# global.enabled. Topology: HA mode, Consul as the storage backend (no PVCs), AWS
# KMS auto-unseal via an IRSA-annotated service account.
server:
  enabled: "-"

  # requests == limits → Guaranteed QoS for the Vault pods.
  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m

  # External HTTPS entry point; TLS terminates at the ingress (see tls below).
  # The ClusterIssuer annotation value and the TLS secretName are both "vault-tls"
  # but refer to different objects — confirm the ClusterIssuer exists.
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: vault-tls
    ingressClassName: "nginx"
    pathType: Prefix
    # Route only to the active (leader) Vault instance rather than all replicas.
    activeService: true
    hosts:
      - host: vault.devops.kiev.ua
        paths:
        - /
    tls:
     - secretName: vault-tls
       hosts:
         - vault.devops.kiev.ua

  # No persistent volume: state lives in Consul (storage "consul" below).
  dataStorage:
    enabled: false

  # Mutually exclusive with ha; ha is the mode used here.
  standalone:
    enabled: false

  ha:
    enabled: true
    replicas: 3

    # Vault server HCL, rendered verbatim into the server ConfigMap.
    config: |
      ui = true

      # SECURITY: tls_disable = 1 means the Vault listener itself speaks plaintext.
      # TLS only exists at the ingress, so ingress→pod traffic on 8200 and the
      # pod→pod cluster traffic on 8201 are unencrypted inside the cluster.
      # Enabling listener TLS (and pointing the ingress at HTTPS) closes that gap.
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      # Consul KV under "vault/" is the storage backend; the token must carry the
      # policy that grants write on key_prefix "vault" and service "vault".
      # `${consulToken}` looks like a placeholder substituted before `helm install`
      # (it is not Helm templating) — the rendered token then sits in plaintext in
      # the ConfigMap. Supplying it through the CONSUL_HTTP_TOKEN env var from a
      # Secret keeps it out of the config — TODO confirm which approach is used.
      storage "consul" {
        path = "vault"
        address = "consul-consul-server.consul:8500"
        token = "${consulToken}"
      }

      service_registration "kubernetes" {}

      # Auto-unseal with AWS KMS; `${kmsID}` is presumably substituted the same way
      # as consulToken. Access to the key comes from the IRSA role annotated on the
      # service account below, so the role's policy must allow kms:Encrypt/Decrypt
      # (and DescribeKey) on exactly this key.
      seal "awskms" {
        region     = "eu-central-1"
        kms_key_id = "${kmsID}"
      }

  # IRSA: the annotated IAM role is what the awskms seal authenticates as.
  # "<account id>" is a placeholder to fill in before installing.
  serviceAccount:
    create: true
    annotations:
      'eks.amazonaws.com/role-arn': 'arn:aws:iam::<account id>:role/vault'

Post-installation command (initialise Vault; this prints the root token and recovery keys — store them securely)

$ kubectl exec -ti vault-0 -- vault operator init

Install consul & vault

$ helm install consul 
$ helm install vault 

Consul policy for Vault

{
  "key_prefix": {
    "vault": {
      "policy": "write"
    }
  },
  "service": {
    "vault": {
      "policy": "write"
    }
  },
  "agent_prefix": {
    "": {
      "policy": "read"
    }
  },
  "session_prefix": {
    "": {
      "policy": "write"
    }
  }
}

Update ingress

# TCP passthrough map (listener port -> namespace/service:port); presumably the
# `tcp` values of the ingress-nginx chart — confirm against the consumer.
# This publishes Consul's HTTP API (8500) on the ingress controller in plaintext.
# With chart-managed ACLs, callers still need a token, but consider limiting who
# can reach the port (load-balancer source ranges / NetworkPolicy) instead of
# exposing it as broadly as the ingress itself.
tcp:
  8500: "consul/consul-consul-server:8500"

Set up the Vault client

$ export VAULT_ADDR="http://vault.devops.kiev.ua:8200"

Set up Vault & Microsoft Azure AD

Enable OIDC auth
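# Write the policy attached to OIDC logins: everything under sys/ is denied,
# full CRUD on the kv/ mount. The heredoc delimiter is quoted so the shell never
# expands anything inside the HCL (there is nothing to expand today, but the
# policy should not silently change if a "$" is ever added).
cat <<'EOF' > oidc.hcl
path "sys/*" {
 capabilities = ["deny"]
}
path "kv/*" {
 capabilities = ["list","create","read","update","delete"]
}
EOF

vault auth enable oidc
vault policy write oidc oidc.hcl

# Azure app-registration values. Populate from a secret store at run time; never
# commit filled-in values to this file.
export AZURE_SECRET=""
export AZURE_CLIENT_ID=""
export AZURE_TENANT_ID=""

# Fix: the original used "${ AZURE_TENANT_ID}" (space after "${"), which bash
# rejects as a bad substitution, so the discovery URL was never valid.
# Note that oidc_client_secret is passed as a command-line argument and so is
# visible in shell history and process listings; the Vault CLI also accepts
# key=@file or key=- (stdin) for such values.
vault write auth/oidc/config \
  oidc_discovery_url="https://login.microsoftonline.com/${AZURE_TENANT_ID}/v2.0" \
  oidc_client_id="${AZURE_CLIENT_ID}" \
  oidc_client_secret="${AZURE_SECRET}" \
  default_role="oidc"

# Role used by default_role above. The localhost:8250 redirect is the callback
# used by `vault login -method=oidc` from the CLI; the second one is the UI.
# groups_claim="groups" only helps if group→policy mappings are configured on
# this role or via external groups — as written, every login gets default,oidc.
vault write auth/oidc/role/oidc \
  user_claim="email" \
  allowed_redirect_uris="http://localhost:8250/oidc/callback,https://vault.devops.kiev.ua/ui/vault/auth/oidc/oidc/callback" \
  groups_claim="groups" \
  oidc_scopes="https://graph.microsoft.com/.default" \
  policies=default,oidc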