How to deploy Vault for Kubernetes in 2022 and inject secrets

please make videos for consul

man please do consul tutorial

Hey Marcel, great to see this this 2022 kubernetes content refresh. Looking forward to more in the near future!

I have been watching this channel daily now. Awesome content. Definitely, Consul series would be sweeeeeeet

Thanks for the video ! But question. Here, you demonstrated how to inject the secret from vault to pod, but you didnt explain how the pod or the application can use the secret. Most of applications are running with ENV variable. The question is simple: how to inject thoses secret from /vault/secret/ to the env variable into the pod?
There is some trick to do this through the deployment manifest with command instruction
command: ['/bin/sh', '-c', 'source /vault/secrets/config; '']
But for my pov, it is ugly to do by this way. Do you have any suggestion or maybe cover this part in your next video please ? tyy !

Love your content mate, always on point with the explanations and overall flow.

Great content, ❤

Well done on this, such great content. Would LOVE to see a demo on hashicorp consul.

When do you launch your fitness channel? XD

Nicely explained. I want the process of auto unsealing. Incase the K8s cluster restarts. What are the possible ways of autounsealing vault ?

Like your Videos about the devops stuff! :)
Greetz from germany

Make video with auto-unseal Vault cluster via 2-nd (central cluster) with transit mode enabled and with self-signed certs.

Great content, thank you. I'm about to put Vault on production, and your video makes my job easier.

Great video, thank you

love your content.

As you asked for feedback, interested in , Terreform-sync consul. I also enjoy an architecture breakdown. Visual Whiteboard or something like that. Thanks for the content!

Hi Marcel. I try your tutorial in a OpenShift Cluster. My vault pods don't create because of the "tls-server" "tls-ca" information. What is the purpus of theses certificates within Vault? Thanks

thanks for a great content! One thing that maybe missing is information about motivation for all these dances with vaults, encryption, sealing/unsealing. On the first glance it seems like an over-engineering ... as I'm pretty sure that in most environments you may not need such involved procedure and levels of security. Let's take simplest case of secrets management: storing them in a private gitlab repo as an open text in yaml manifest. What kind of vulnerabilities this approach has? How severe those vulnerabilities are? How likely that those vulnerabilities may be exploited? I think it is also important to point out that hashicorp or other providers may be interested in steering ppl towards higher levels of security ... but there has to be some healthy scepticism to counteract that, as you said in your channel start video: software is complex, so we need to keep it simple.

I wonder if the deployment would be much different if Vault would run outside the K8s cluster in a dedicated VM

Hello Marcel, i m a bit confused in the tls.crt file you added in extra environment, how did you generate it and where it is used i checked the repo and i didnt find the userconfig, i dont know if i missed something please help

Hello,
I have unsealed it but still it is restarting and making vault sealed again. Will you suggest where am I going wrong.

This is the result, when the Hulk become a Devops. :) LOL

Thank you for the great tutorial! Albeit I get an error when deploying the example-app. " Error creating: pods "basic-secret-6b7587b7fd-" is forbidden: error looking up service account vault-example-app/basic-secret: serviceaccount "basic-secret" not found" - but the serviceaccount "basic-secret" does exist in the namespace vault-example-app.

Thx a lot :)
With -version=1 like shown all ok. :)
not work with: vault secrets enable -version=2 -path=secret/ kv - Do you know why ?

Excellent video as always mate. Thanks for sharing

Great video. I have a question is how could I automatically delete secrets file (vault/secret/etc ) are stored in Kubernetes after the pod is running up

Thanks for sharing, we implemented vault in our company long time ago but so far i had no idea it has so much unused potential. Thanks for sharing this i need to setup dynamic secure secrets injection. That is so awesome ;). Peace and please keep coming with new content.

As always Marcel, Big Thanks for your explanations and teaching in an understandable way. Love your content mate.

This is so informative! Like to see much of these videos ahead! Thanks so much! This clarifies so much!

Is it possible to automate the unsealing process of vault? In standalone or cluster? If not, is it due to security purposes?
Thanks in Advance!!

can I use Vault to encrypt helm values?

What a lecture. Congratulations!!! 👊

do you do any private tutoring?

conent rockerstar , powerpacked contents

yes to the consul guide please

How about secret env variable

im confused as to why you did all the work in a container like installing helm in a container with kubectl... you obviously had kubectl installed and working from your desktop system so why not just install helm on your desktop and do everything from there... this would reduce the complexity and the needs to mount your desktop to multiple containers. or use something like kubeapps to do the deployment.

Marcel, would it not be perfect if you have showed how to automatically unseal vault with AWS KMS?

did you end up making helm consul guide? That would be helpful. Thanks for the video.

Excellent video, but the main thing I learned from it is that the world desperately needs an official Vault operator 🤯

Sir I have one doubt..
If I have 10 microservices for all the microservices I have to write dockerfile and yaml manifest right? Also I need to keep it in a single github repo so that jenkins can clone it? Or there will be a seperate repo for each microservices? Then how jenkins will build 10 different microservices?
I would be greatful to you if clear this to me

Awesome playlist! Thanks for sharing your knowledge.

These were 30 intensives minutes with lots of concepts I need to land. TYVM!!

Thanks for video. can we have a video to unseal the vault automatically in case of vault pod restart. as of now we need to unseal pods manually.

awesome vault video

top notch playlists on vault and k8s. simple, to the point and all the need to knows.

Hello, amazing video. I did it and it works fine. I have a question about if it could be possible to generate environment variables from secrets into the pod. I tested some ways to do but i didn't work, because the session that starts with the variables i'ts other than the running application, it's so hard to explain that but it's not working. Did you experiment somthing like that? Thanks.

The content is really awesome .Great Learning for me. I would definitely look forward for consul video.

Did u create certificates needed inside a new folder vault/userconfig in root?

Great guide for me, it is so interesting and I learned some tips of real experiment for these stuffs.

Hey, I couldn't find anywhere that k8s 1.22 wasn't supported by vault. I just tried it out with 1.22.4 kind image, and it works as expected. Consul version 0.40, and same 0.19 vault version of helm. I was able to attach the sidecar and mount the basic secret on the pod.
Maybe I am missing something? Let me know your thoughts

Thanks for the update to your Vault series. Can you share pointers to steps for automating the Vault Unseal process? Also would like to learn more about vault + cert-manager integration.

consul is extremely powerful for multi cluster and even multi cloud! i would be very interested in those topics

Hi, your last cmd: kubectl -n example-app exec basic-secret-xxx -- sh -c "cat /vault/secret/helloworld", it will show plain-text pwd. Can you avoid this? like just show: "password":*******, the Ops login to that pod, he/she should not view the plain-text pwd.

This is beautiful!!!! All I need to know in a video!

Excellent man, Working good 👌

Great video (as always)!
And definitely like to see a Consul guid

Great job! Very interesting and useful.

Thank you veeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeery much..

Excellent clear explanations, wonderful docs, and videos.

would love to see a Vault CSI tutorial

I'm trying to figure out the next step, if I change the password on the vault how will the pods react to this change?
I know that by definition they will not update but there should be something that we could do to support key rotations on pods that require to update the secrets on vault

consul guide plz

Dude you Rock!

Supeeerr great tutorial

Thanks for sharing. I followed your guide, but I'm stuck adding a traefik IngressRoute, the vaults pods returns, `HTTP: TLS handshake error from internal_ip:51142: remote error: tls: bad certificate`, I guess is because of the mismatch between traefik and self-signed (cfssl), could you give me a hint to combine vault + traefilk.

Please don't cut out the silent bits from your videos. It makes the narration sound unnatural.