Vault on Kubernetes with PostgreSQL

  • Published 30 Jul 2024
  • Subscribe to show your support! goo.gl/1Ty1Q2 .
    Patreon 👉🏽 / marceldempers
    Folks! Today we're taking a look at how to fully automate the secret lifecycle of a password, end to end, with no user involved. We learn how to integrate HashiCorp Vault into Kubernetes and how to set up authentication and policies between Vault and a PostgreSQL server. Finally we deploy an app that requires a password, which Vault generates and injects into the application.
    Be sure to checkout the series below and links to the source code :)
    Also if you want to support the channel further, become a member 😎
    marceldempers.dev/join
    Checkout "That DevOps Community" too
    marceldempers.dev/community
    Full playlist:
    • Kubernetes Secret Mana...
    Introduction to Vault:
    • Introduction to HashiC...
    TLS end to end Encryption:
    • Get HashiCorp Vault ru...
    Basic Secret Injection:
    • Basic secret injection...
    Running Kubernetes in a Docker Container with Kind:
    • How to run Kubernetes ...
    Source Code
    --------------------------------------------------------------
    github.com/marcel-dempers/doc...
    If you are new to Kubernetes, check out my getting started playlist on Kubernetes below :)
    Kubernetes Guide for Beginners:
    ---------------------------------------------------
    • Kubernetes development...
    Kubernetes Monitoring Guide:
    -----------------------------------------------
    • Kubernetes Monitoring ...
    Kubernetes Secret Management Guide:
    --------------------------------------------------------------
    • Kubernetes Secret Mana...
    Like and Subscribe for more :)
    Follow me on socials!
    marceldempers.dev
    Twitter | / marceldempers
    GitHub | github.com/marcel-dempers
    Facebook | thatdevopsguy
    LinkedIn | / marceldempers
    Instagram | / thatdevopsguy
    Music:
    Track: Amine Maxwell - Take Control | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
    Listen: / take-control
    Track: Fox Beat 2 - Johan Lilja - What's Your Name - Royalty Free Vlog Music [BUY=FREE] | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
    Listen: / johan-lilja-whats-your...
    Track: SACHKO - ChillHop Instrumental - "Meant to be" | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
    Listen: / chillhop-instrumental-...
    Track: Amine Maxwell - Night And The City | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
    Listen: / night-and-the-city
    Track: souKo - souKo - Parallel | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
    Listen: / parallel
  • Science & Technology
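The setup the description outlines (a database secrets engine for PostgreSQL, a read-only policy, and Kubernetes auth for the app), as an added example written against Vault's HTTP API. This is not code from the video or its repository. All names are hypothetical: the PostgreSQL service `postgres.default.svc`, the database role `readonly`, the policy `app-readonly`, the Vault role `basic-secret-role`, and the app service account `basic-secret` in namespace `default`. `VAULT_ADDR`, `VAULT_TOKEN`, `PG_VAULT_USER` and `PG_VAULT_PASSWORD` are read from the environment; the bootstrap database password is handed to Vault once and rotated away immediately.

```python
"""Added example, not the video's own code or its repository.
Configures Vault over its HTTP API so that it issues short-lived PostgreSQL
credentials and a Kubernetes workload can obtain them through the Kubernetes
auth method. Hypothetical names: postgres.default.svc, role "readonly",
policy "app-readonly", Vault role "basic-secret-role", service account
"basic-secret" in namespace "default". VAULT_ADDR / VAULT_TOKEN come from the
environment; the bootstrap DB user (PG_VAULT_USER / PG_VAULT_PASSWORD) is
given to Vault once and its password rotated right away."""
import json
import os
import urllib.request
from typing import Callable, Dict, List, Tuple

Call = Tuple[str, str, Dict]   # (HTTP method, API path under /v1/, JSON body)

APP_POLICY = '''path "database/creds/readonly" {
  capabilities = ["read"]
}
'''

# SQL Vault runs for each issued credential. VALID UNTIL makes PostgreSQL
# itself reject the login once the lease ends, even if revocation is late.
CREATION_SQL = (
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' "
    "VALID UNTIL '{{expiration}}'; "
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
)

def plan(pg_user: str, pg_password: str) -> List[Call]:
    """Ordered API calls: secrets engine, root rotation, role, policy, K8s auth."""
    return [
        ("POST", "sys/mounts/database", {"type": "database"}),
        ("POST", "database/config/postgres", {
            "plugin_name": "postgresql-database-plugin",
            "allowed_roles": ["readonly"],
            "connection_url": "postgresql://{{username}}:{{password}}"
                              "@postgres.default.svc:5432/postgres?sslmode=require",
            "username": pg_user,
            "password": pg_password,
        }),
        # After this call only Vault knows the bootstrap user's password.
        ("POST", "database/rotate-root/postgres", {}),
        ("POST", "database/roles/readonly", {
            "db_name": "postgres",
            "creation_statements": [CREATION_SQL],
            "default_ttl": "1h",
            "max_ttl": "24h",
        }),
        ("PUT", "sys/policies/acl/app-readonly", {"policy": APP_POLICY}),
        ("POST", "sys/auth/kubernetes", {"type": "kubernetes"}),
        ("POST", "auth/kubernetes/config",
         {"kubernetes_host": "https://kubernetes.default.svc:443"}),
        ("POST", "auth/kubernetes/role/basic-secret-role", {
            "bound_service_account_names": ["basic-secret"],
            "bound_service_account_namespaces": ["default"],
            "token_policies": ["app-readonly"],
            "token_ttl": "1h",
        }),
    ]

SECRET_FIELDS = {"password", "token"}

def redacted(calls: List[Call]) -> List[Call]:
    """Copy of the plan that is safe to log: secret fields replaced, order kept."""
    return [(m, p, {k: ("<redacted>" if k in SECRET_FIELDS else v)
                    for k, v in body.items()}) for m, p, body in calls]

def http_send(method: str, path: str, body: Dict) -> int:
    """One authenticated request to $VAULT_ADDR/v1/<path>; raises on 4xx/5xx."""
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR'].rstrip('/')}/v1/{path}",
        data=json.dumps(body).encode(), method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

def apply(calls: List[Call],
          send: Callable[[str, str, Dict], int] = http_send) -> int:
    """Send the calls in order, stopping at the first error. Returns count sent."""
    sent = 0
    for method, path, body in calls:
        send(method, path, body)
        sent += 1
    return sent

if __name__ == "__main__":
    setup = plan(os.environ["PG_VAULT_USER"], os.environ["PG_VAULT_PASSWORD"])
    for method, path, _ in redacted(setup):
        print(method, path)      # never print the un-redacted plan
    apply(setup)
```

The order matters: `rotate-root` runs right after the connection is configured, so the bootstrap password in your shell history or CI log is dead before any role exists. A Vault running inside the cluster uses its own service account token and CA for `auth/kubernetes/config` by default; a Vault outside the cluster also needs `kubernetes_ca_cert` and `token_reviewer_jwt`.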

Comments • 33

  • @elchinefa9524
    @elchinefa9524 1 year ago +2

    Nice job. I installed Vault with Helm and wanted to test it. I used your tutorial to connect PostgreSQL to Vault. Works perfectly. I'd like to test it with MySQL or some other database as well. Thanks for the tutorial.

  • @anon0815de
    @anon0815de 4 years ago +2

    I've got the exact same Coffee Maker, and soon also a shiny new Vault in my Kubernetes Cluster

  • @raghads3890
    @raghads3890 3 years ago

    great job man!! I really appreciate the effort

  • @pratikbhandari5649
    @pratikbhandari5649 3 years ago

    The perfect video which I was looking for .. thanks devops guy ❤️

    • @pratikbhandari5649
      @pratikbhandari5649 3 years ago

      Can you please send me the repo without TLS .. thanks in advance

  • @polmaksim
    @polmaksim 4 years ago +1

    Thank you for the super great tutorials, just what I was waiting for. If you have time, please make a tutorial on Istio and Kubernetes: how to set them up and configure them correctly. Thank you.

  • @adamstirk
    @adamstirk 4 years ago +2

    Interesting video, I'd have liked to see you cover what happens when the password expires.

  • @siamak.hatami
    @siamak.hatami 2 years ago

    Perfect. Thank you

  • @peoplethesedaysberetarded
    @peoplethesedaysberetarded 4 years ago

    RAD. This is going to be great!

  • @zakariabouataya7248
    @zakariabouataya7248 1 year ago

    Thanks a lot !

  • @rodrigito78
    @rodrigito78 1 year ago

    Thanks!

  • @preethipriyankamalayala8751
    @preethipriyankamalayala8751 3 years ago

    great videos! Can you please do a video on Vault with Azure? Thank you so much!!

  • @ukraine_three_d
    @ukraine_three_d 4 years ago

    Hi Bro!! Nice.

  • @inversemetric
    @inversemetric 3 years ago

    Seems like Vault could be used to generate certificates to sign JSON web tokens

  • @Alpha-kt6hc
    @Alpha-kt6hc 1 year ago

    Using it for AWS RDS and GCP Cloud Storage at the same time.
    Managing applications in AWS accessing the DB in GCP.

  • @kumarpatil2815
    @kumarpatil2815 1 year ago

    Can you please guide us on how we can rotate the database secret for MongoDB and how to inject it into a Spring Boot service? I searched the whole internet but was unable to find a solution.

  • @rayudu2080
    @rayudu2080 3 years ago

    Hey, hi.
    How are you?
    I need some help auto-unsealing Vault using a shell script in Kubernetes YAML files. Can you please help me out, if you don't mind?

  • @aperture47
    @aperture47 3 years ago +1

    I'd like to see automated ways to get secrets into the vault

  • @kkkant1547
    @kkkant1547 3 years ago

    Hello
    Thanks for the video. Can you please clarify my doubt?
    Suppose that my application (stateless) is running on an EKS cluster and I'm running an RDS database that is connected to that stateless application,
    and I'm using a java.properties file to define the username and password.
    Now it is not good practice to add the password in plain text inside java.properties.
    How can I connect my stateless Java application to the RDS database using Vault?

    • @MarcelDempers
      @MarcelDempers 3 years ago

      Applications can only get their inputs from either environment variables or from files. For example, TLS certificates are stored on file and use Linux file permissions to secure them so only your application process is allowed to read that file.
      You can store your password in a Kubernetes secret if running in K8s and inject it into your java properties file at runtime, or store the entire file as a K8s secret. Or resort to getting your credentials from ENV variables and not store them in the java properties file.
      Passwords are generally stored in configs, so it's not unusual to do so.
      If you are concerned about it, there are ways to encrypt passwords before storing them in configs too.
      In this video, Vault simply automates the credential rotation and automates writing it to file.
      If you want to go one step further and not store your credential in a file, you can use the Vault SDK and write Java code to pull the secrets from Vault and authenticate using a K8s service account.
      Hope that helps

  • @clavianusjuneardo27
    @clavianusjuneardo27 3 years ago

    Hi, thanks for the video! But I wonder, what if our application is still running but the Postgres credentials have expired, what will happen to the queries being executed? Thanks!

    • @MarcelDempers
      @MarcelDempers 3 years ago +2

      It would be important to adapt the application code in order to detect that the secret file changed on disk and reload + establish a new SQL connection.
      I would then play with the Vault settings to see if you can overlap the secret creation with the TTL in order to keep existing queries from finishing in time (drain old connections) and have all new queries go through the new connection with the new secret.

    • @clavianusjuneardo27
      @clavianusjuneardo27 3 years ago

      @@MarcelDempers It seems possible but would cause a millisecond of downtime I think, since there'll be a transition period between the old connection and the new connection. But thanks for the answer! Hope you make a video about the database static roles!

    • @MarcelDempers
      @MarcelDempers 3 years ago +2

      This is why you would drain old connections (let queries finish) and open new connection with the new secret. Having the old and new credential TTL overlap allows a smooth transition. Similar to how you drain web server traffic when doing a rolling deployment.
      I've worked with folks who have implemented this successfully with other databases so depends how you configure it

    • @clavianusjuneardo27
      @clavianusjuneardo27 3 years ago

      @@MarcelDempers Got it, many thanks!
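The reload-and-drain approach discussed in the exchange above, as an added example; it is not code from the video, its repository, or either commenter. The connector re-reads the file Vault wrote, opens a new connection when the contents change, keeps the old connection alive while queries already leased on it finish, and only then closes it, so the old and new credentials overlap instead of cutting over. The connection factory is injected, so the block runs here with a fake connection; in a real service you would pass something like `psycopg.connect`. The file format (KEY=VALUE lines with `username` and `password`) is an assumption; match it to whatever your Vault Agent template renders.

```python
"""Added example, not code from the video or its repository. Application-side
handling of a rotated credential: re-read the file Vault wrote, open a new
connection when the contents change, keep the old connection until the
queries already using it finish, then close it. The connection factory is
injected so this runs with a fake here; in a real service pass e.g.
psycopg.connect. Assumed (hypothetical) file format: KEY=VALUE lines with
"username" and "password", as a Vault Agent template could render them."""
import hashlib
import threading
from contextlib import contextmanager
from typing import Any, Callable, Dict, List, Optional

def parse_credentials(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; reject a file that lacks username or password."""
    creds: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        creds[key.strip()] = value.strip().strip("'\"")
    missing = {"username", "password"} - creds.keys()
    if missing:
        raise ValueError(f"credential file is missing {sorted(missing)}")
    return creds

class FakeConnection:
    """Stand-in for a DB connection that remembers which credential opened it."""
    def __init__(self, username: str, password: str) -> None:
        self.username, self.password, self.closed = username, password, False
    def query(self, sql: str) -> str:
        if self.closed:
            raise RuntimeError("query on a closed connection")
        return f"{sql} (as {self.username})"
    def close(self) -> None:
        self.closed = True

class RotatingConnector:
    """Serves the connection for the newest credential; drains superseded ones."""
    def __init__(self, path: str,
                 connect: Callable[[str, str], Any] = FakeConnection) -> None:
        self._path, self._connect = path, connect
        self._digest: Optional[str] = None
        self._conn: Any = None
        self._retired: List[Any] = []
        self._leases: Dict[int, int] = {}   # id(conn) -> queries in flight
        self._lock = threading.Lock()

    def refresh(self) -> bool:
        """Re-read the file; on a content change switch connections. True if rotated."""
        with open(self._path, "rb") as f:
            data = f.read()
        digest = hashlib.sha256(data).hexdigest()   # compare content, not mtime
        with self._lock:
            if digest == self._digest:
                return False
            creds = parse_credentials(data.decode())  # validate before switching
            new_conn = self._connect(creds["username"], creds["password"])
            if self._conn is not None:
                self._retired.append(self._conn)      # still serving in-flight work
            self._conn, self._digest = new_conn, digest
            return True

    @contextmanager
    def lease(self):
        """Pin the current connection for one unit of work."""
        if self._conn is None:
            self.refresh()
        with self._lock:
            conn = self._conn
            self._leases[id(conn)] = self._leases.get(id(conn), 0) + 1
        try:
            yield conn
        finally:
            with self._lock:
                self._leases[id(conn)] -= 1

    def drain_retired(self) -> int:
        """Close retired connections with no work in flight. Returns how many closed."""
        closed = 0
        with self._lock:
            keep = []
            for conn in self._retired:
                if self._leases.get(id(conn), 0) == 0:
                    conn.close()
                    self._leases.pop(id(conn), None)
                    closed += 1
                else:
                    keep.append(conn)
            self._retired = keep
        return closed

    def poll(self, interval_s: float, stop: threading.Event) -> None:
        """Background loop: refresh and drain until `stop` is set."""
        while not stop.wait(interval_s):
            self.refresh()
            self.drain_retired()
```

Two details matter for the overlap Marcel describes. Change is detected by hashing the file contents rather than by mtime, because a rotation can land within the same timestamp granularity and Vault Agent replaces the file atomically. And the new file is parsed before the switch, so a half-written or malformed render raises instead of leaving the app without a connection. Run `poll` in a daemon thread with an interval well below the role's `default_ttl`; any query started on the old connection still completes, and the old credential is only closed after its last lease ends.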

  • @rayudu2080
    @rayudu2080 3 years ago

    Hey, hi.
    I am facing an issue after the Vault configuration on an IBM Kubernetes cluster. I entered the key shares and key threshold numbers, and after I clicked on initialize I got the issue below:
    "Error
    failed to initialize barrier: failed to persist keyring: mkdir /vault/data/core: permission denied". Can you please help me out with this one?

    • @MarcelDempers
      @MarcelDempers 3 years ago +1

      "mkdir /vault/data/core: permission denied" states your vault process cannot access its data folder.
      All volumes are mounted as root by default.
      In the video, we ensure ownership to the vault user with an init container and chmod'ing /vault/data

    • @rayudu2080
      @rayudu2080 3 years ago

      @@MarcelDempers Can you please let me know in which video you ensure ownership for the vault user with an init container?

    • @MarcelDempers
      @MarcelDempers 3 years ago +1

      It might be in the first one of the Vault series
      th-cam.com/play/PLHq1uqvAteVtq-NRX3yd1ziA_wJSBu3Oj.html

    • @rayudu2080
      @rayudu2080 3 years ago

      @@MarcelDempers Thanks a lot yar..

    • @rayudu2080
      @rayudu2080 3 years ago

      I need something else as well: can we do the unseal process via a shell script? Is that possible?
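For the permission-denied thread above, an added manifest fragment (not the video's own manifest) showing the init-container approach Marcel describes: a root init container hands the data directory to Vault's unprivileged user before the Vault container starts. It assumes the official image runs Vault as uid 100 / gid 1000, a PersistentVolumeClaim named `vault-data`, and the image tag shown; adjust all three to your environment.

```yaml
# Added example, not the video's manifest. Assumes uid 100 / gid 1000 for the
# vault user in the official image and a PVC named vault-data.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault
spec:
  serviceName: vault
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      initContainers:
        - name: fix-data-permissions
          image: busybox:1.36
          # Volumes are mounted root-owned; give them to the vault user once.
          command: ["sh", "-c", "chown -R 100:1000 /vault/data && chmod 700 /vault/data"]
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: data
              mountPath: /vault/data
      containers:
        - name: vault
          image: hashicorp/vault:1.15
          args: ["server"]
          securityContext:
            runAsUser: 100
            runAsGroup: 1000
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: data
              mountPath: /vault/data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: vault-data
```

Where the volume plugin honours `fsGroup`, setting `spec.template.spec.securityContext.fsGroup: 1000` on the pod makes the mount group-writable for Vault without running anything as root, and the init container can be dropped. Either way, check the result before initializing: `kubectl exec vault-0 -- ls -ld /vault/data` should show the vault user as owner.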

  • @chornsokun
    @chornsokun 4 years ago

    Noice!