One of the most popular features of Bank-Vaults, the Vault swiss-army knife for Kubernetes, is the secret injection webhook. With the growing popularity of Istio, recently the most requested feature was support for running Bank-Vaults alongside Istio. We are big fans of Istio (a year ago we open sourced an Istio operator) and we have built an automated and operationalized service mesh, Banzai Cloud Backyards. As both components (Bank-Vaults and Backyards) are part of our hybrid cloud container management platform, Pipeline, we went ahead and made them work together smoothly.
We support the following three scenarios:
- Scenario 1: Vault runs outside an Istio mesh, whereas the namespace where the application runs and the webhook injects secrets has Istio sidecar injection enabled
- Scenario 2: The namespace where Vault is running has Istio sidecar injection enabled
- Scenario 3: Both namespaces have Istio sidecar injection enabled
Prerequisites
Install the Banzai Cloud Istio operator with the Backyards CLI
- First of all, you need to install the Backyards CLI on your cluster:
    curl https://getbackyards.sh | sh
- Install the Istio operator using Backyards. For this example we need only the Istio operator; feel free, however, to experiment with the nice Backyards UI/CLI and the large collection of automated features like observability, traffic routing, canary, circuit breakers, and so on - check out this long list of features.
    backyards install
    ? Install istio-operator (recommended). Press enter to accept Yes
    ? Install canary-operator (recommended). Press enter to accept No
    ? Install and run demo application (optional). Press enter to skip No
- Make sure you have mTLS enabled in the Istio mesh through the operator with the following command. Enable mTLS if it is not set to STRICT:
    ❯ backyards mtls require mesh
    INFO[0000] switched global mTLS to STRICT successfully
  After this, we can check that the mesh is configured with mTLS turned on, which applies to all applications in the cluster in Istio-enabled namespaces. You can change this if you would like to use another policy.
    $ backyards mtls get mesh
    mTLS rule for /mesh
    Policy    Targets  MtlsMode
    /default  []       STRICT
Now your cluster is properly running on Istio with mTLS enabled globally.
Install the Bank-Vaults components
- We recommend creating a separate namespace for Bank-Vaults called vault-system. You can enable Istio sidecar injection here as well, but Kubernetes won't be able to call back the webhook properly since mTLS is enabled (and Kubernetes is outside of the Istio mesh). To overcome this, apply a PERMISSIVE Istio authentication policy to the vault-secrets-webhook Service itself, so Kubernetes can call it back without Istio mutual TLS authentication.
    $ kubectl create namespace vault-system
    namespace/vault-system created
    $ backyards sidecar-proxy auto-inject on vault-system
    INFO[0002] auto sidecar injection successfully set to namespace default
    $ backyards mtls allow vault-system/vault-secrets-webhook
    INFO[0001] policy peers for vault-system/vault-secrets-webhook set successfully
    mTLS rule for vault-system/vault-secrets-webhook
    Policy                                    Targets                  MtlsMode
    vault-system/vault-secrets-webhook-rw6mc  [vault-secrets-webhook]  PERMISSIVE
- Now you can install the operator and the webhook to the prepared namespace:
    helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
    helm upgrade --install vault-secrets-webhook banzaicloud-stable/vault-secrets-webhook --namespace vault-system
    helm upgrade --install vault-operator banzaicloud-stable/vault-operator --namespace vault-system
  Soon the webhook and the operator will be up and running. Check that the istio-proxy got injected into all Pods in vault-system.
Scenario 1: Vault runs outside, the application inside the mesh
To recap Scenario 1: Vault runs outside an Istio mesh, whereas the namespace where the application runs and the webhook injects secrets has Istio sidecar injection enabled.
First, install Vault outside the mesh, then install an application within the mesh.
Install Vault outside the mesh
- Provision a Vault instance with the Bank-Vaults operator in a separate namespace:
    kubectl create namespace vault
- Apply the RBAC and CR files to the cluster to create a Vault instance in the vault namespace with the operator:
    kubectl apply -f rbac.yaml -f cr-istio.yaml
    $ kubectl get pods -n vault
    NAME                               READY   STATUS    RESTARTS   AGE
    vault-0                            3/3     Running   0          22h
    vault-configurer-6458cc4bf-6tpkz   1/1     Running   0          22h
  If you are writing your own Vault CR, make sure that istioEnabled: true is configured; this influences port naming so that the Vault service port protocols are detected by Istio correctly.
- The vault-secrets-webhook can't inject Vault secrets into initContainers in an Istio-enabled namespace when the STRICT authentication policy is applied to the Vault service, because Istio needs a sidecar container to do mTLS properly, and in the phase when initContainers are running the Pod doesn't have a sidecar yet. If you wish to inject into initContainers as well, you need to apply a PERMISSIVE authentication policy in the vault namespace. This is safe to do from a network security point of view, since Vault has its own TLS certificate outside of the Istio scope.
    $ backyards mtls allow vault
    INFO[0001] policy peers for vault/ set successfully
    mTLS rule for vault/
    Policy         Targets  MtlsMode
    vault/default  []       PERMISSIVE
Install the application inside a mesh
In this scenario Vault is running outside the Istio mesh (as we have installed it in the) and our demo application runs within the Istio mesh. To install the demo application inside the mesh, complete the following steps:
- Create a namespace first for the application and enable Istio sidecar injection:
    kubectl create namespace app
    backyards sidecar-proxy auto-inject on app
- Install the application manifest to the cluster:
    kubectl apply -f app.yaml
- Check that the application is up and running. It should have two containers, the app itself and the istio-proxy:
    $ kubectl get pods -n app
    NAME                  READY   STATUS    RESTARTS   AGE
    app-5df5686c4-sl6dz   2/2     Running   0          119s
    $ kubectl logs -f -n app deployment/app app
    time="2020-02-18T14:26:01Z" level=info msg="Received new Vault token"
    time="2020-02-18T14:26:01Z" level=info msg="Initial Vault token arrived"
    s3cr3t
    going to sleep...
Scenario 2: Running Vault inside the mesh
To run Vault inside the mesh, complete the following steps. Note that these instructions assume that you have up and running, and modify it to run Vault inside the mesh.
- Turn off Istio in the app namespace by removing the istio-injection label, and enable it in the vault namespace:
    kubectl label namespace app istio-injection-
    kubectl label namespace vault istio-injection=enabled
  The same with the Backyards CLI:
    backyards sidecar-proxy auto-inject off app
    backyards sidecar-proxy auto-inject on vault
- Delete the Vault pods in the vault namespace, so they will get recreated with the istio-proxy sidecar:
    kubectl delete pods --all -n vault
- Check that they both come back with an extra container (4/4 and 2/2 now):
    $ kubectl get pods -n vault
    NAME                                READY   STATUS    RESTARTS   AGE
    vault-0                             4/4     Running   0          1m
    vault-configurer-6d9b98c856-l4flc   2/2     Running   0          1m
- Delete the application pods in the app namespace, so they will get recreated without the istio-proxy sidecar:
    kubectl delete pods --all -n app
  The app pod got recreated with only the app container (1/1) and Vault access still works:
    $ kubectl get pods -n app
    NAME                  READY   STATUS    RESTARTS   AGE
    app-5df5686c4-4n6r7   1/1     Running   0          71s
    $ kubectl logs -f -n app deployment/app
    time="2020-02-18T14:41:20Z" level=info msg="Received new Vault token"
    time="2020-02-18T14:41:20Z" level=info msg="Initial Vault token arrived"
    s3cr3t
    going to sleep...
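Each scenario above ends with an eyeball check of the READY column (3/3 vs 4/4, 2/2 vs 1/1) to confirm whether the istio-proxy sidecar was injected. The following is an added example, not code from the Bank-Vaults project or the original post: a POSIX shell check that reads pod names and container names from kubectl and fails if any pod's sidecar state differs from what the scenario expects. The container names other than istio-proxy in the constructed samples are assumed, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the Bank-Vaults project): verify istio-proxy injection
# state per pod. Feed it the output of:
#   kubectl get pods -n <ns> -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].name}{"\n"}{end}'
# i.e. one line per pod: "<pod> <container> <container> ...".

# sidecar_check MODE: MODE is "on" (every pod must carry istio-proxy) or "off"
# (no pod may). Reads the pod lines on stdin; returns 0 when all pods match,
# 1 otherwise, listing each mismatching pod on stderr.
sidecar_check() {
  mode=$1
  bad=0
  while read -r pod containers; do
    [ -z "$pod" ] && continue
    case " $containers " in
      *" istio-proxy "*) has=on ;;
      *)                 has=off ;;
    esac
    if [ "$has" != "$mode" ]; then
      echo "MISMATCH $pod: sidecar=$has expected=$mode (containers: $containers)" >&2
      bad=1
    fi
  done
  return $bad
}

# Constructed samples shaped like Scenario 2 on this page (container names other
# than istio-proxy are assumed): Vault pods carry the sidecar, the app pod does not.
VAULT_SAMPLE='vault-0 vault vault-unsealer prometheus-exporter istio-proxy
vault-configurer-6d9b98c856-l4flc vault-configurer istio-proxy'
APP_SAMPLE='app-5df5686c4-4n6r7 app'

# Scenario 2 expectation: sidecar on in vault, off in app. Against a live
# cluster, replace the printf with the kubectl jsonpath query shown above.
check_scenario2_samples() {
  printf '%s\n' "$VAULT_SAMPLE" | sidecar_check on || return 1
  printf '%s\n' "$APP_SAMPLE" | sidecar_check off || return 1
  echo "Scenario 2 sidecar layout verified"
}

check_scenario2_samples
```

For Scenario 3 run the same function with "on" against both namespaces; for Scenario 1 use "off" against vault and "on" against app.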
Scenario 3: both Vault and the app are running inside the mesh
In this scenario, both Vault and the app are running inside the mesh. You can configure this scenario right after completing the.
- Enable sidecar auto-injection for both namespaces:
    backyards sidecar-proxy auto-inject on app
    backyards sidecar-proxy auto-inject on vault
- Delete all pods so they get injected with the proxy:
    kubectl delete pods --all -n app
    kubectl delete pods --all -n vault
- Check the logs in the app container. It should still show success:
    $ kubectl logs -f -n app deployment/app
    time="2020-02-18T15:04:03Z" level=info msg="Initial Vault token arrived"
    time="2020-02-18T15:04:03Z" level=info msg="Renewed Vault Token"
    s3cr3t
    going to sleep...
Conclusion
The Bank-Vaults alongside Istio feature, Backing up Vault with Velero, Vault replication across multiple datacenters and HSM support with the Bank-Vaults operator are three major features in the upcoming Bank-Vaults release, so stay tuned. Once the Bank-Vaults 1.0 release is out, we'll be launching commercial support for Bank-Vaults. If you're interested in commercial support, or anything else from our suite of products, make sure you get in touch with us.
To learn more about the Bank-Vaults operator and similar topics, subscribe to our newsletter. If you're interested in contributing, check out the Bank-Vaults repository, or give us a GitHub star.
Learn more about Bank-Vaults:
- Inject secrets directly into Pods from Vault
- Vault replication across multiple datacenters on Kubernetes
- Backing up Vault with Velero
- Vault webhook - complete secret support with consul-template
- Other posts related to Bank-Vaults
About Backyards
Banzai Cloud's Backyards is a multi and hybrid-cloud enabled service mesh platform for constructing modern applications. Built on Kubernetes, our Istio operator and Pipeline enable flexibility, portability and consistency across on-premise datacenters and on five cloud environments. Use our simple, yet extremely powerful, UI and CLI, and experience automated canary releases, traffic shifting, routing, secure service communication, in-depth observability and more, for yourself.
#multicloud #hybridcloud #BanzaiCloud