@zdtsw
Last active April 8, 2020 13:46
vault in K8s
~/GitHub/$ git clone https://github.com/hashicorp/vault-helm.git
/* create and set namespace wen-vault1 */
~/GitHub/vault-helm$ kubectl create namespace wen-vault1
~/GitHub/vault-helm$ kubectl config set-context --current --namespace=wen-vault1
/* create the service account serviceaccount-wen-vault1; the k8s deployment below runs its pod under it */
~/GitHub/vault-helm/wen$ more serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: serviceaccount-wen-vault1
  namespace: wen-vault1
  labels:
    app: component1
    env: ci1
~/GitHub/vault-helm/wen$ kubectl apply -f serviceaccount.yaml
/* without --set server.dev.enabled=true the chart deploys a standalone server that needs a PersistentVolume for its data; dev mode keeps everything in memory, starts unsealed and prints the root token and unseal key in the pod log, so use it for non-prod only */
~/GitHub/vault-helm$ helm install --name=vault-wen-vault1 --set server.dev.enabled=true ./
/* if the above fails, check for and purge an old existing release first (helm 2 syntax) */
~/GitHub/vault-helm$ helm ls --all
~/GitHub/vault-helm$ helm del --purge vault-wen-vault1
/* check the pods: you should see vault-0 and vault-agent-injector-* running */
~/GitHub/vault-helm$ kubectl get pod
/* the Vault commands below are run inside the vault-0 pod */
~/GitHub/vault-helm/wen$ kubectl exec -it vault-0 -- sh
/* create /home/vault/wen-vault1-component1.hcl with the content below. Note: in dev mode secret/ is a KV v2 mount (the "version 2" metadata in the kv get output further down confirms it), and KV v2 serves secret data under secret/data/<path>, which is the path the agent sidecar reads. A rule on secret/wen-vault1/component1 does not cover that read and the agent is denied, so the rules must carry the data/ segment */
path "secret/data/wen-vault1/component1" {
  capabilities = [ "create", "read", "list" ]
}
path "secret/data/wen-vault1/component2" {
  capabilities = [ "read" ]
}
$ vault policy write wen-vault1-component1 /home/vault/wen-vault1-component1.hcl
/* double check that the policy was actually updated. I spent quite some time troubleshooting later why it did not work; eventually it was the policy, which I had forgotten to write again after changing the hcl file */
$ vault read sys/policy/wen-vault1-component1
/* enable the kubernetes auth method */
$ vault auth enable kubernetes
$ vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/* create a role that maps to the policy created above and is bound to the k8s service account and namespace the pod runs under */
$ vault write auth/kubernetes/role/wen-vault1-component1 \
bound_service_account_names=serviceaccount-wen-vault1 \
bound_service_account_namespaces=wen-vault1 \
policies=wen-vault1-component1 \
ttl=1h
$ vault read auth/kubernetes/role/wen-vault1-component1
/* create my secret as key-value pairs (KV v2); in the template use {{ .Data.data.username }} */
$ vault kv put secret/wen-vault1/component1 username=wen password=Zhou
$ vault kv get secret/wen-vault1/component1
====== Metadata ======
Key              Value
---              -----
created_time     2020-04-07T19:32:48.071698011Z
deletion_time    n/a
destroyed        false
version          2
====== Data ======
Key         Value
---         -----
password    Zhou
username    wen
/* create my secret as a plain string; in the template use {{ .Data.username }}. This form (vault write / vault read on the bare path) only applies to a KV v1 mount; on the dev-mode secret/ KV v2 mount a vault write to this path is rejected with "no handler for route", so use vault kv put as above and {{ .Data.data.* }} in the template */
~ $ vault write secret/wen-vault1/component2 username="Wen" password="zhou"
~ $ vault read secret/wen-vault1/component2
$ exit
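The check that the troubleshooting note above was missing, added here as an example and not part of the gist: a POSIX shell helper that rewrites KV policy paths for a KV v2 mount (in dev mode secret/ is KV v2, so the agent reads secret/data/...), plus a live check that logs in through the kubernetes auth role with the bound service account's JWT and asks Vault what the resulting token may do on the data path. The policy text is constructed from the HCL above; verify_role_access is an assumed helper that needs vault and kubectl on the path, VAULT_ADDR pointing at the server, and a pre-1.24 cluster where the service account still has a token Secret.

```shell
#!/bin/sh
# Added example, not from the gist. Two helpers:
#  1. fix_kv_policy      : rewrite policy paths so they match what a KV v2 mount
#                          actually serves ("<mount>/data/<path>"); runs offline.
#  2. verify_role_access : log in via auth/kubernetes with the bound service
#                          account's JWT and print the token's capabilities (live).

# Policy text constructed from the HCL in this write-up (the KV v1 form).
SAMPLE_POLICY='path "secret/wen-vault1/component1" {
  capabilities = [ "create", "read", "list" ]
}
path "secret/wen-vault1/component2" {
  capabilities = [ "read" ]
}'

# kv_data_path MOUNT VERSION PATH
# Prints the path the KV API serves secret data on. For a v2 mount "data/" is
# inserted after the mount unless the path already names a v2 API prefix
# (data/, metadata/, delete/, undelete/, destroy/). v1 paths are unchanged.
# Mount version lookup on a live server: vault read -field=options sys/mounts/secret
kv_data_path() {
  m=${1%/}; v=$2; p=$3
  case "$p" in
    "$m"/*) ;;
    *) printf '%s\n' "$p"; return 0 ;;    # not under this mount: leave alone
  esac
  if [ "$v" != "2" ]; then printf '%s\n' "$p"; return 0; fi
  rest=${p#"$m"/}
  case "$rest" in
    data/*|metadata/*|delete/*|undelete/*|destroy/*) printf '%s\n' "$p" ;;
    *) printf '%s/data/%s\n' "$m" "$rest" ;;
  esac
}

# fix_kv_policy MOUNT VERSION   (HCL on stdin, corrected HCL on stdout)
# Every 'path "..."' rule under MOUNT goes through kv_data_path; rules that
# changed get a '# was:' comment so the change is visible in review.
fix_kv_policy() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      path\ \"*\"*)
        orig=${line#*\"}; orig=${orig%%\"*}
        rest=${line#*\"*\"}
        fixed=$(kv_data_path "$1" "$2" "$orig")
        if [ "$fixed" != "$orig" ]; then printf '# was: %s\n' "$orig"; fi
        printf 'path "%s"%s\n' "$fixed" "$rest"
        ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}
# Offline usage:
#   printf '%s\n' "$SAMPLE_POLICY" | fix_kv_policy secret 2 > wen-vault1-component1.hcl

# verify_role_access ROLE SA NAMESPACE DATA_PATH   (live, assumed helper)
# Fetches the bound service account's JWT from its token Secret (pre-1.24
# clusters; newer clusters use `kubectl create token`), logs in through the
# kubernetes auth role exactly as the agent sidecar does, and prints the
# capabilities the issued token has on DATA_PATH. "deny" means the policy
# path does not match what the agent reads.
verify_role_access() {
  role=$1; sa=$2; ns=$3; dp=$4
  secret=$(kubectl -n "$ns" get sa "$sa" -o jsonpath='{.secrets[0].name}')
  jwt=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d)
  tok=$(vault write -field=token auth/kubernetes/login role="$role" jwt="$jwt")
  VAULT_TOKEN=$tok vault token capabilities "$dp"
}
# Live usage:
#   verify_role_access wen-vault1-component1 serviceaccount-wen-vault1 wen-vault1 \
#     secret/data/wen-vault1/component1     # expect "create, list, read", not "deny"
```

Run fix_kv_policy against the policy file before `vault policy write`, and verify_role_access after the role exists: if the capabilities come back as "deny" the role, the bound service account and namespace, or the policy path is wrong, and the agent sidecar will fail in the same way.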
/* create a normal k8s deployment, but state that the pod starts under service account serviceaccount-wen-vault1 (apps/v1 here; the original apps/v1beta2 was removed in Kubernetes 1.16) */
~/GitHub/vault-helm/wen$ cat deployment-component1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: component1
  namespace: wen-vault1
  labels:
    app: component1
    env: ci1
spec:
  selector:
    matchLabels:
      app: component1
      env: ci1
  replicas: 1
  template:
    metadata:
      labels:
        app: component1
        env: ci1
    spec:
      serviceAccountName: serviceaccount-wen-vault1
      containers:
      - name: component1-ci1
        image: portcheck:latest
        resources:
          limits:
            cpu: 100m
            memory: 50Mi
/* if the annotations below are already defined in the k8s deployment yaml you can skip this patch */
/* the suffix after vault.hashicorp.com/agent-inject-secret- only needs to be a unique name; it becomes the file name under /vault/secrets/ and does not have to equal the secret path given as the value */
~/GitHub/vault-helm/wen$ cat patch-basic-annotations.yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-wen-vault1-component1: "secret/wen-vault1/component1"
        vault.hashicorp.com/role: "wen-vault1-component1"
~/GitHub/vault-helm/wen$ kubectl patch deployment component1 --patch "$(cat patch-basic-annotations.yaml)"
/* to make /vault/secrets/wen-vault1-component1 easy to read, we can format it with a template. The "-" in {{- and -}} trims the whitespace, newline included, on that side of the tag, which is why "common part" and "when we have secret" end up on one line in the output below; drop the dashes to keep the line breaks */
~/GitHub/vault-helm/wen$ cat patch-template-annotation.yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/agent-inject-template-wen-vault1-component1: |
          [BLOCK0]
          team = delivery
          [BLOCK1]
          common part
          {{- with secret "secret/wen-vault1/component1" -}}
          when we have secret
          fuckshitlife-{{ .Data.data.username }}:{{ .Data.data.password }}
          {{- end }}
          [BLOCK2]
          company = mycompany
        vault.hashicorp.com/role: "wen-vault1-component1"
~/GitHub/vault-helm/wen$ kubectl patch deployment component1 --patch "$(cat patch-template-annotation.yaml)"
/* kubectl exec does not expand a pod name glob; look the pod up by its labels instead */
~/GitHub/vault-helm/wen$ kubectl exec -it "$(kubectl get pod -n wen-vault1 -l app=component1,env=ci1 -o jsonpath='{.items[0].metadata.name}')" -n wen-vault1 -c component1-ci1 -- sh
# cd /vault/secrets
# ls
wen-vault1-component1
# cat wen-vault1-component1
[BLOCK0]
team = delivery
[BLOCK1]
common partwhen we have secret
fuckshitlife-wen:Zhou
[BLOCK2]
company = mycompany
zdtsw commented Apr 8, 2020

check the vault-0 log to see the root token and unseal key in dev mode