Vault on Kubernetes with PostgreSQL
Science and technology
Subscribe to show your support! goo.gl/1Ty1Q2
Patreon 👉🏽 / marceldempers
Folks! Today we're taking a look at how to fully automate the lifecycle of a database password, end to end, with no human involved. We learn how to integrate HashiCorp Vault into Kubernetes and how to set up authentication and policies between Vault and a PostgreSQL server. Finally we deploy an app that needs a database password: Vault generates it and injects it into our application.
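The Vault-side setup the description summarises, written out as an added example (this is not the video's code or anything from the linked repo). In the video this is done with the vault CLI from inside the pod; the script below issues the same API writes that `vault secrets enable database`, `vault write database/config/...`, `vault write database/roles/...`, `vault policy write` and `vault write auth/kubernetes/role/...` would. The connection name "postgres", role "app-readonly", policy "app-db", Kubernetes auth role "app" and the service account app/default are assumptions. The `write` callable is injected so the plan can be reviewed or unit-tested offline; `VaultHttpClient.write` is the real transport and needs VAULT_ADDR plus a token with admin rights.

```python
"""Added example: Vault database secrets engine + PostgreSQL + Kubernetes auth.
Not the video's code. All names below are assumptions."""
import json
import urllib.request
from typing import Any, Callable

DB_NAME = "postgres"       # database/config/<DB_NAME>          (assumed)
ROLE = "app-readonly"      # database/roles/<ROLE>              (assumed)
POLICY = "app-db"          # sys/policies/acl/<POLICY>          (assumed)
K8S_ROLE = "app"           # auth/kubernetes/role/<K8S_ROLE>    (assumed)
SA_NAME, SA_NAMESPACE = "app", "default"   # workload identity  (assumed)

# Vault fills {{name}}, {{password}} and {{expiration}} per lease. Grant only what
# the app needs (SELECT), and use VALID UNTIL as a second safety net in case
# Vault cannot run the revocation statements when the lease expires.
CREATION_STATEMENTS = [
    'CREATE ROLE "{{name}}" WITH LOGIN PASSWORD \'{{password}}\' VALID UNTIL \'{{expiration}}\';',
    'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";',
]
# DROP OWNED also revokes every privilege the role holds in this database.
REVOCATION_STATEMENTS = [
    'DROP OWNED BY "{{name}}";',
    'DROP ROLE IF EXISTS "{{name}}";',
]


def acl_policy(role: str) -> str:
    """HCL policy: read creds for this one role only; nothing else in the mount."""
    return 'path "database/creds/%s" {\n  capabilities = ["read"]\n}\n' % role


def plan(pg_url: str, pg_user: str, pg_password: str,
         k8s_host: str) -> list[tuple[str, dict[str, Any]]]:
    """The writes in dependency order; each tuple is (path under /v1/, body)."""
    return [
        ("sys/mounts/database", {"type": "database"}),   # fails if already mounted
        (f"database/config/{DB_NAME}", {
            "plugin_name": "postgresql-database-plugin",
            "allowed_roles": [ROLE],
            "connection_url": pg_url,   # {{username}}/{{password}} come from the next two fields
            "username": pg_user,
            "password": pg_password,
        }),
        # Rotate the bootstrap password so that from here on only Vault knows it.
        (f"database/rotate-root/{DB_NAME}", {}),
        (f"database/roles/{ROLE}", {
            "db_name": DB_NAME,
            "creation_statements": CREATION_STATEMENTS,
            "revocation_statements": REVOCATION_STATEMENTS,
            "default_ttl": "1h",   # lease length; the agent renews it up to max_ttl
            "max_ttl": "24h",      # hard cap: a brand-new user/password after this
        }),
        (f"sys/policies/acl/{POLICY}", {"policy": acl_policy(ROLE)}),
        ("sys/auth/kubernetes", {"type": "kubernetes"}),
        # Recent Vault versions use the Vault pod's own service-account token and
        # CA for TokenReview when token_reviewer_jwt / kubernetes_ca_cert are omitted.
        ("auth/kubernetes/config", {"kubernetes_host": k8s_host}),
        (f"auth/kubernetes/role/{K8S_ROLE}", {
            "bound_service_account_names": [SA_NAME],
            "bound_service_account_namespaces": [SA_NAMESPACE],
            "token_policies": [POLICY],
            "token_ttl": "1h",
        }),
    ]


def apply(write: Callable[[str, dict[str, Any]], None],
          steps: list[tuple[str, dict[str, Any]]]) -> list[str]:
    """Execute the plan; returns the paths written so callers can log or assert on them."""
    for path, body in steps:
        write(path, body)
    return [path for path, _ in steps]


class VaultHttpClient:
    """Thin replacement for `vault write`: POST JSON to <addr>/v1/<path>."""

    def __init__(self, addr: str, token: str) -> None:
        self.addr, self.token = addr.rstrip("/"), token

    def write(self, path: str, body: dict[str, Any]) -> None:
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", data=json.dumps(body).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req) as resp:   # raises HTTPError on 4xx/5xx
            resp.read()


if __name__ == "__main__":
    import os
    client = VaultHttpClient(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    steps = plan(
        "postgresql://{{username}}:{{password}}@postgres:5432/postgres?sslmode=require",
        os.environ["PG_ADMIN_USER"], os.environ["PG_ADMIN_PASSWORD"],
        "https://kubernetes.default.svc")
    for written in apply(client.write, steps):
        print("wrote", written)
```

Two things worth checking after running it: `vault read database/creds/app-readonly` with a token that only holds the app-db policy should return a fresh user whose name starts with `v-kubernetes-`, and `psql` as that user should be able to SELECT but not INSERT. The rotate-root step is deliberate: the bootstrap password you typed into the config is the one credential in this chain a human has seen, so Vault should replace it immediately.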
Be sure to check out the series below and the links to the source code :)
Also if you want to support the channel further, become a member 😎
marceldempers.dev/join
Check out "That DevOps Community" too
marceldempers.dev/community
Full playlist:
• Kubernetes Secret Mana...
Introduction to Vault:
• Introduction to HashiC...
TLS end to end Encryption:
• Get HashiCorp Vault ru...
Basic Secret Injection:
• Basic secret injection...
Running Kubernetes in a Docker Container with Kind:
• How to run Kubernetes ...
Source Code
--------------------------------------------------------------
github.com/marcel-dempers/doc...
If you are new to Kubernetes, check out my getting started playlist on Kubernetes below :)
Kubernetes Guide for Beginners:
---------------------------------------------------
• Kubernetes development...
Kubernetes Monitoring Guide:
-----------------------------------------------
• Kubernetes Monitoring ...
Kubernetes Secret Management Guide:
--------------------------------------------------------------
• Kubernetes Secret Mana...
Like and Subscribe for more :)
Follow me on socials!
marceldempers.dev
Twitter | / marceldempers
GitHub | github.com/marcel-dempers
Facebook | thatdevopsguy
LinkedIn | / marceldempers
Instagram | / thatdevopsguy
Music:
Track: Amine Maxwell - Take Control | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / take-control
Track: Fox Beat 2 - Johan Lilja - What's Your Name - Royalty Free Vlog Music [BUY=FREE] | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / johan-lilja-whats-your...
Track: SACHKO - ChillHop Instrumental - "Meant to be" | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / chillhop-instrumental-...
Track: Amine Maxwell - Night And The City | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / night-and-the-city
Track: souKo - souKo - Parallel | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / parallel
Comments: 33
Nice job. I installed Vault with Helm and wanted to test it. I used your tutorial to connect PostgreSQL to Vault. Working perfectly. I'd like to test it with MySQL or some other as well. Thanks for the tutorial.
I've got the exact same Coffee Maker, and soon also a shiny new Vault in my Kubernetes Cluster
Interesting video. I'd have liked to see you cover what happens when the password expires.
great job man!! I really appreciate the effort
The perfect video which I was looking for .. thanks devops guy ❤️
@pratikbhandari5649
3 years ago
Can you please send me the repo without TLS. Thanks in advance.
Thank you for super great tutorials, just what I was waiting for. If You will have time, please make tutorial with Istio and Kubernetes. How to setup and configure correctly. Thank you.
Using it for AWS RDS and GCP Cloud Storage at the same time. Managing applications in AWS accessing the DB in GCP.
Perfect. Thank you
I'd like to see automated ways to get secrets into the vault
RAD. This is going to be great!
Thanks a lot !
Thanks!
great videos! can you please do a video on vault with Azure? Thank you so. much!!
Seems like vault could be used to generate certificates to sign json web tokens
Hi Bro!! Nice.
Hello, thanks for the video. Can you please clarify my doubt? Suppose that my application (stateless) is running on an EKS cluster and I'm running the RDS database that is connected to that stateless application, and I'm using a java.properties file to define the username and password. Now it is not good practice to add the password in plain text inside java.properties. How can I connect my stateless Java application to the RDS database using Vault?
@MarcelDempers
2 years ago
Applications can only get their inputs from either environment variables or from files. For example, TLS certificates are stored on file and use Linux file permissions to secure it so only your application process is allowed to read that file. You can store your password in a Kubernetes secret if running in K8s and inject it into your java properties file at runtime, or store the entire file as a K8s secret. Or resort to getting your credentials from ENV variables and not store it in the java properties file. Passwords are generally stored in configs, so it's not unusual to do so. If you are concerned about it, there are ways to encrypt passwords before storing them in configs too. In this video, Vault simply automates the credential rotation and automates writing it to file. If you want to go one step further and not store your credential in a file, you can use the Vault SDK and write Java code to pull the secrets from Vault and authenticate using the K8s service account. Hope that helps
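The "pull" alternative mentioned in the reply above, as an added example in Python rather than Java (not the author's code, and not from the video's repo): the pod logs in to Vault with its service-account JWT, reads a dynamic PostgreSQL credential from the database secrets engine, renews the lease while it can, and fetches a successor as soon as renewal is capped by max_ttl, so the old and new credentials overlap. Assumed: Kubernetes auth mounted at auth/kubernetes, auth role "app", database role "app-readonly". The `call` transport is injected so the flow can be exercised offline; `VaultCall` is the real urllib version. Renewal of the Vault token itself is left out.

```python
"""Added example: direct Vault client with Kubernetes auth and lease renewal.
Not the video's code; role names and paths are assumptions."""
import json
import time
import urllib.request
from typing import Any, Callable, Optional

# (method, path under /v1/, json body or None, token or None) -> decoded json
Call = Callable[[str, str, Optional[dict], Optional[str]], dict]

SA_JWT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # projected SA token


class VaultCall:
    """Real transport: one JSON request against <addr>/v1/<path>."""

    def __init__(self, addr: str) -> None:
        self.addr = addr.rstrip("/")

    def __call__(self, method: str, path: str, body: Optional[dict], token: Optional[str]) -> dict:
        headers = {"Content-Type": "application/json"}
        if token:
            headers["X-Vault-Token"] = token
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", headers=headers, method=method,
            data=None if body is None else json.dumps(body).encode())
        with urllib.request.urlopen(req) as resp:   # raises HTTPError on 4xx/5xx
            return json.load(resp)


class DynamicCredential:
    """One dynamic DB user/password and the lease that keeps it alive."""

    def __init__(self, call: Call, auth_role: str, db_role: str,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.call, self.auth_role, self.db_role, self.clock = call, auth_role, db_role, clock
        self.token: Optional[str] = None
        self.username = self.password = self.lease_id = None
        self.lease_duration = 0          # seconds granted by Vault
        self.issued_at = 0.0             # clock() when granted/renewed
        self.rotations = 0               # how many distinct DB users we have had

    def login(self, jwt: str) -> str:
        # Vault checks the JWT with the Kubernetes TokenReview API and binds the
        # returned token to the policies of auth_role (database/creds/<db_role> only).
        resp = self.call("POST", "auth/kubernetes/login", {"role": self.auth_role, "jwt": jwt}, None)
        self.token = resp["auth"]["client_token"]
        return self.token

    def fetch(self) -> tuple[str, str]:
        """Ask Vault to CREATE a new PostgreSQL role and hand us its credentials."""
        resp = self.call("GET", f"database/creds/{self.db_role}", None, self.token)
        self.username, self.password = resp["data"]["username"], resp["data"]["password"]
        self.lease_id, self.lease_duration = resp["lease_id"], resp["lease_duration"]
        self.issued_at = self.clock()
        self.rotations += 1
        return self.username, self.password

    def due(self) -> bool:
        # Act at two thirds of the lease so one failed attempt still leaves slack.
        return self.clock() - self.issued_at >= self.lease_duration * 2 / 3

    def maintain(self) -> bool:
        """Call periodically from a background thread. True when the credential changed."""
        if not self.due():
            return False
        want = self.lease_duration
        try:
            resp = self.call("PUT", "sys/leases/renew",
                             {"lease_id": self.lease_id, "increment": want}, self.token)
        except Exception:            # lease already expired or revoked: start over
            self.fetch()
            return True
        granted = resp["lease_duration"]
        if granted < want:           # capped by max_ttl: get the successor now, while
            self.fetch()             # the old user is still valid (overlap window)
            return True
        self.lease_duration, self.issued_at = granted, self.clock()
        return False


if __name__ == "__main__":
    import os
    cred = DynamicCredential(VaultCall(os.environ["VAULT_ADDR"]), "app", "app-readonly")
    with open(SA_JWT_PATH, encoding="utf-8") as fh:
        cred.login(fh.read().strip())
    print("db user:", cred.fetch()[0])
    while True:
        if cred.maintain():
            print("rotated to", cred.username)   # reconnect the pool here
        time.sleep(30)
```

When `maintain()` returns True the application has to open new database connections with `cred.username`/`cred.password`; the previous user keeps working until its own lease runs out, which is the window in which existing queries can finish.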
Hi, thanks for the video! But I wonder, what if our application is still running but the Postgres credentials have expired? What will happen to the executed queries? Thanks!
@MarcelDempers
3 years ago
It would be important to adapt the application code in order to detect that the secret file changed on disk and reload + establish a new SQL connection. I would then play with the Vault settings to see if you can overlap the secret creation with the TTL in order to keep existing queries from finishing in time (drain old connections) and have all new queries go through the new connection with the new secret.
@clavianusjuneardo27
3 years ago
@MarcelDempers It seems possible but would cause a millisecond of downtime I think, since there'll be a transition period between the old connection and the new connection. But thanks for the answer! Hope you make a video about the database static roles!
@MarcelDempers
3 years ago
This is why you would drain old connections (let queries finish) and open new connection with the new secret. Having the old and new credential TTL overlap allows a smooth transition. Similar to how you drain web server traffic when doing a rolling deployment. I've worked with folks who have implemented this successfully with other databases so depends how you configure it
@clavianusjuneardo27
3 years ago
@MarcelDempers Got it, many thanks!
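The application-side half of the thread above (detect that the injected secret file changed, open a new connection, drain the old one), as an added example that is not the video's code. Vault Agent re-renders the template file whenever it obtains a new lease, at the latest when the old one hits max_ttl, and the old user remains valid until its own lease expires; that is the overlap the replies rely on. The agent writes the file to a temp name and renames it into place, so a reader never sees a half-written file. Assumed file format from the agent template: `username=...` and `password=...` lines at `/vault/secrets/db-creds`. `connect` and `close` are the driver's functions (for psycopg2: `psycopg2.connect` and `conn.close`); fake ones are used in the test.

```python
"""Added example: rotation-aware connection holder for an agent-rendered secret file.
Not the video's code; the key=value file format is an assumption."""
import threading
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Credential:
    username: str
    password: str


def parse_credential_file(path: str) -> Credential:
    """Read `key=value` lines; blank lines and `#` comments are ignored."""
    fields: dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return Credential(fields["username"], fields["password"])


class RotatingConnection:
    """Hands out a connection for whatever credential is on disk right now.

    Superseded connections are not closed while a query is still using them;
    they are closed on the release() that brings their in-flight count to zero.
    """

    def __init__(self, path: str, connect: Callable[[str, str], Any],
                 close: Callable[[Any], None]) -> None:
        self.path, self.connect, self.close = path, connect, close
        self._lock = threading.Lock()
        self._cred: Optional[Credential] = None
        self._conn: Any = None
        self._inflight: dict[int, int] = {}   # id(conn) -> queries in flight
        self._retired: list[Any] = []          # superseded conns still draining
        self.closed: list[Any] = []            # conns closed so far (observability)

    def _reload_if_rotated(self) -> None:
        # The file is a few bytes; re-reading it per checkout is cheaper than
        # getting mtime comparisons right across filesystems and containers.
        cred = parse_credential_file(self.path)
        if cred == self._cred:
            return
        new_conn = self.connect(cred.username, cred.password)   # connect first, switch after
        if self._conn is not None:
            self._retired.append(self._conn)
        self._conn, self._cred = new_conn, cred
        self._drain()

    def _drain(self) -> None:
        keep = []
        for conn in self._retired:
            if self._inflight.get(id(conn), 0) == 0:
                self.close(conn)
                self.closed.append(conn)
                self._inflight.pop(id(conn), None)
            else:
                keep.append(conn)
        self._retired = keep

    def acquire(self) -> Any:
        with self._lock:
            self._reload_if_rotated()
            self._inflight[id(self._conn)] = self._inflight.get(id(self._conn), 0) + 1
            return self._conn

    def release(self, conn: Any) -> None:
        with self._lock:
            self._inflight[id(conn)] -= 1
            self._drain()

    def run(self, query: Callable[[Any], Any]) -> Any:
        """Run one query against the current connection, releasing it afterwards."""
        conn = self.acquire()
        try:
            return query(conn)
        finally:
            self.release(conn)
```

With a real driver this is `db = RotatingConnection("/vault/secrets/db-creds", lambda u, p: psycopg2.connect(host="postgres", dbname="postgres", user=u, password=p, sslmode="require"), lambda c: c.close())` and `db.run(lambda c: c.cursor().execute(...))`. Queries already running on the old user finish on the old connection; every query started after the re-render goes through the new one, which is the drain the replies above describe. Vault Agent templates can also run a `command` after rendering if you prefer a signal over re-reading the file.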
Can you please guide us on how we can rotate a database secret for MongoDB and how to inject that into a Spring Boot service? I searched the whole internet but was unable to find a solution.
Hey, hi. How are you? I need some help to auto-unseal Vault using a shell script in Kubernetes YAML files. Can you please help me out, if you don't mind?
Hey, hi. I'm facing an issue after Vault configuration on an IBM Kubernetes cluster. I entered the key shares and key threshold numbers, and after I clicked on initialize I got this issue: "Error failed to initialize barrier: failed to persist keyring: mkdir /vault/data/core: permission denied". Can you please help me out with this one?
@MarcelDempers
3 years ago
"mkdir /vault/data/core: permission denied" states your vault process cannot access its data folder. All volumes are mounted as root by default. In the video, we ensure ownership to the vault user with an init container and chmod'ing /vault/data
@rayudu2080
3 years ago
@MarcelDempers Can you please let me know in which video you ensure ownership to the vault user with an init container?
@MarcelDempers
3 years ago
It might be in the first one of the Vault series kzread.info/head/PLHq1uqvAteVtq-NRX3yd1ziA_wJSBu3Oj
@rayudu2080
3 years ago
@MarcelDempers Thanks a lot, yar.
@rayudu2080
3 years ago
I need something else also: can we do the unseal process via a shell script? Is that possible to do?
Noice!