Guide: Using Red Hat COP Vault Config Operator with SPIFFE Integration
NOTE: This guide assumes you have already completed setting up Workload Identity: https://github.com/5GSEC/nephio/wiki/Workload-Identity-Setup-with-Nephio
Create a YAML file (`vault-admin-namespace.yaml`) for the namespace the operator will run in:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: vault-admin
```

Apply the namespace:

```bash
kubectl apply -f vault-admin-namespace.yaml
```
Create `operatorConfig.yaml` with the Helm values for the operator. `VAULT_ADDR` points at the in-cluster Vault service; the plain `http://` address below only works when Vault's listener has TLS disabled, which is typical for a dev install. Outside a lab, point it at an `https://` listener (and set `VAULT_CACERT` if the certificate is private), because every policy, role and auth configuration the operator writes travels over this connection. `enableCertManager: true` requires cert-manager to be installed in the cluster; it issues the certificate for the operator's admission webhook.

```yaml
env:
  - name: "VAULT_ADDR"
    value: "http://vault.vault.svc:8200"
enableMonitoring: false
enableCertManager: true
```

Run the following commands to add the Helm repository, update it, and install the Vault Config Operator into the `vault-admin` namespace with those values:

```bash
helm repo add vault-config-operator https://redhat-cop.github.io/vault-config-operator
helm repo update
helm install vault-config-operator vault-config-operator/vault-config-operator \
  --namespace vault-admin \
  --values operatorConfig.yaml
```
Create a YAML file (`vault-admin-clusterrole.yaml`) defining the ClusterRole and ClusterRoleBinding the operator needs in order to manage Secrets:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-admin
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: secrets-admin-global
subjects:
  - kind: Group
    name: system:serviceaccounts
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-admin
  apiGroup: rbac.authorization.k8s.io
```

Note that the binding's subject is the group `system:serviceaccounts`, so as written it lets every service account in every namespace list, create, update and delete Secrets cluster-wide. That is far broader than the operator needs and turns any compromised pod into a cluster-wide secret reader. Before using this outside a lab, replace the group subject with the operator's own service account in `vault-admin` (`kind: ServiceAccount`, with the name shown by `kubectl get sa -n vault-admin`), and consider a namespaced Role and RoleBinding if the operator only has to write Secrets into a few namespaces.

Apply the role and binding:

```bash
kubectl apply -f vault-admin-clusterrole.yaml
```
Exec into the Vault container:

```bash
kubectl exec -it -n vault vault-0 -- sh
```

Inside the container, write an admin policy for the `vault-admin` namespace (the policy file is attached later; `vault policy write` reads it as HCL regardless of the extension):

```bash
vault policy write vault-admin ./vault-admin-policy.yaml
```

Enable Kubernetes authentication:

```bash
vault auth enable kubernetes
```

Configure the Kubernetes authentication. Because this runs inside the Vault pod, Vault (1.9 and later) uses its own service account token and the in-cluster CA to call the TokenReview API, so only `kubernetes_host` has to be set:

```bash
vault write -tls-skip-verify auth/kubernetes/config \
  kubernetes_host=https://kubernetes.default.svc:443
```

Write a role that maps the `default` service account in the `vault-admin` namespace to the `vault-admin` policy. This is the identity the operator will use for everything that follows, so keep the binding as narrow as shown (one service account, one namespace, a short TTL):

```bash
vault write -tls-skip-verify auth/kubernetes/role/policy-admin \
  bound_service_account_names=default \
  bound_service_account_namespaces=vault-admin \
  policies=vault-admin \
  ttl=1h
```

`-tls-skip-verify` disables verification of the Vault listener's certificate for these commands. It is acceptable for a dev install with a self-signed certificate, but drop it (or pass `-ca-cert`) once Vault has a certificate the client can trust.
Apply this YAML (`kv-secrets-engine.yaml`) to enable the Key-Value (KV) secrets engine. The operator authenticates to Vault with the `policy-admin` Kubernetes role using the `default` service account of the namespace the resource is created in, so the resource is created in `vault-admin` to match the role bound above. The final mount path is `spec.path/metadata.name`, i.e. `kv/global-secrets`:

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: SecretEngineMount
metadata:
  name: global-secrets
  namespace: vault-admin
spec:
  authentication:
    path: kubernetes
    role: policy-admin
  type: kv
  path: kv
```

Apply the config:

```bash
kubectl apply -f kv-secrets-engine.yaml
```
Apply this YAML (`jwt-auth-engine.yaml`, created in `vault-admin` so the operator can authenticate with the `policy-admin` role) to configure the JWT authentication engine at `auth/jwt` against the SPIRE OIDC discovery provider. If the JWT auth method is not yet mounted at that path, mount it first (`vault auth enable jwt` in the Vault container, or an `AuthEngineMount` resource); this resource writes the method's configuration. Vault fetches the keys used to verify JWT-SVIDs from the `jwks_uri` advertised at `OIDCDiscoveryURL`, so that URL is the root of trust for every SPIFFE login: with a plain `http://` endpoint, anyone on the network path can substitute their own keys and mint tokens Vault will accept. Use an `https://` endpoint outside a lab (Vault's `oidc_discovery_ca_pem` setting covers a private CA). `OIDCResponseMode` only affects interactive OIDC logins and has no effect on the `jwt` role type used below:

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: JWTOIDCAuthEngineConfig
metadata:
  name: spire-oidc
  namespace: vault-admin
spec:
  authentication:
    path: kubernetes
    role: policy-admin
  path: jwt
  OIDCDiscoveryURL: "http://spiffe.nephio.org:8888"
  OIDCResponseMode: "form_post"
```

Apply the config:

```bash
kubectl apply -f jwt-auth-engine.yaml
```
Apply this YAML (`test-reader-policy.yaml`, created in `vault-admin`) to create a Vault ACL policy that grants read permission on `kv/global-secrets/test/*`. Vault policies are deny by default, and the trailing `*` is a prefix match: it covers every secret under `test/` on the mount and nothing else (for example `kv/global-secrets/prod/db` is denied). Note that if the mount is enabled as KV version 2, reads go through `kv/global-secrets/data/test/*` and the policy must name that path instead:

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: Policy
metadata:
  name: test-reader
  namespace: vault-admin
spec:
  authentication:
    path: kubernetes
    role: policy-admin
  policy: |
    # Configure read secrets
    path "kv/global-secrets/test/*" {
      capabilities = ["read"]
    }
  type: acl
```

Apply the config:

```bash
kubectl apply -f test-reader-policy.yaml
```
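To see what the policy above does and does not cover, here is an added example (not Vault or operator code) that models Vault's ACL path evaluation in Python: deny by default, exact-path rules, the trailing `*` prefix glob, the `+` single-segment wildcard, and "longest matching rule wins" (which is also how an explicit `deny` overrides a broader grant). The function names, the second `KV2_TEST_READER_POLICY` dictionary and the `kv_read_path` helper are this example's own; the KV version-2 variant is an assumption about how the mount might be enabled, included because it is the most common reason a policy like this one silently denies reads.

```python
"""Added example (not Vault or operator code): a simplified model of how Vault
evaluates the test-reader ACL policy against a request path."""

# The policy from test-reader-policy.yaml, as {path_pattern: capabilities}.
TEST_READER_POLICY = {
    "kv/global-secrets/test/*": ["read"],
}

# Assumption: the same policy rewritten for a KV version-2 mount, whose
# reads and writes go through the data/ sub-path of the mount.
KV2_TEST_READER_POLICY = {
    "kv/global-secrets/data/test/*": ["read"],
}

# Constructed policy showing that a more specific deny beats a broader read.
DENY_ADMIN_POLICY = {
    "kv/global-secrets/test/*": ["read"],
    "kv/global-secrets/test/admin-*": ["deny"],
}


def path_matches(pattern: str, path: str) -> bool:
    """True if a Vault policy path pattern covers the request path."""
    glob = pattern.endswith("*")
    pat_segs = (pattern[:-1] if glob else pattern).split("/")
    path_segs = path.split("/")
    if glob:
        # Every segment before the '*' must match ('+' matches any single
        # segment); the text directly before '*' is a prefix of the next
        # path segment, and everything after that is covered by the glob.
        head, stem = pat_segs[:-1], pat_segs[-1]
        if len(path_segs) <= len(head):
            return False
        if any(p not in ("+", s) for p, s in zip(head, path_segs)):
            return False
        return path_segs[len(head)].startswith(stem)
    return len(pat_segs) == len(path_segs) and all(
        p in ("+", s) for p, s in zip(pat_segs, path_segs)
    )


def allowed(policy: dict, path: str, capability: str) -> bool:
    """Deny by default; the longest matching pattern decides."""
    best = None
    for pattern, caps in policy.items():
        if path_matches(pattern, path):
            specificity = len(pattern.rstrip("*"))
            if best is None or specificity > best[0]:
                best = (specificity, caps)
    if best is None or "deny" in best[1]:
        return False
    return capability in best[1]


def kv_read_path(mount: str, secret: str, kv_version: int) -> str:
    """API path a client actually reads for a secret on a KV v1 or v2 mount."""
    return f"{mount}/data/{secret}" if kv_version == 2 else f"{mount}/{secret}"


if __name__ == "__main__":
    for p in ("kv/global-secrets/test/db", "kv/global-secrets/prod/db",
              kv_read_path("kv/global-secrets", "test/db", 2)):
        print(p, "read:", allowed(TEST_READER_POLICY, p, "read"))
```

The same check can be run against a live Vault with `vault token capabilities <path>` once a workload has logged in; if a read that the policy appears to grant comes back as `deny`, the `data/` prefix of a KV v2 mount is the first thing to look for.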
Apply this YAML (`spire-role-config.yaml`, created in `vault-admin`) to create a JWT auth role named `dev` that only a specific SPIFFE identity can use. The role pins two claims of the presented JWT-SVID: `userClaim: sub` together with `boundSubject` requires the `sub` claim to equal `spiffe://example.org/workload-1` exactly, and `boundAudiences` requires the token's `aud` claim to contain `TESTING`, which means the workload must request its JWT-SVID from the SPIRE agent with that audience. A workload that logs in at `auth/jwt/login` with `role=dev` and a matching token receives a Vault token carrying only the `test-reader` policy; any other SPIFFE ID, or a token minted for a different audience, is rejected before any policy is consulted:

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: JWTOIDCAuthEngineRole
metadata:
  name: spire-role
  namespace: vault-admin
spec:
  authentication:
    path: kubernetes
    role: policy-admin
  path: jwt
  name: dev
  tokenPolicies:
    - test-reader
  roleType: "jwt"
  boundAudiences:
    - "TESTING"
  userClaim: "sub"
  boundSubject: "spiffe://example.org/workload-1"
```

Apply the config:

```bash
kubectl apply -f spire-role-config.yaml
```
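The following added example (not Vault, SPIRE or operator code) models in Python what the `dev` role enforces on a presented JWT-SVID before Vault issues a token: signature, expiry, audience, then subject. To run offline it mints tokens with HS256 and a constructed shared secret; this is an assumption standing in for the asymmetric keys SPIRE really uses and the JWKS Vault fetches from the OIDC discovery URL. The `ROLE_DEV` dictionary restates the role above in Vault's parameter names, and `mint_jwt_svid` plays the part of `spire-agent api fetch jwt -audience TESTING`; both are this example's own.

```python
"""Added example (not Vault, SPIRE or operator code): the checks the 'dev'
JWT role applies to a JWT-SVID. HS256 with a constructed key replaces the
asymmetric signature and JWKS lookup of a real deployment."""
import base64
import hashlib
import hmac
import json
import time

# The role from spire-role-config.yaml, in Vault's own parameter names.
ROLE_DEV = {
    "bound_audiences": ["TESTING"],
    "user_claim": "sub",
    "bound_subject": "spiffe://example.org/workload-1",
    "token_policies": ["test-reader"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt_svid(spiffe_id: str, audiences: list, key: bytes, ttl: int = 300) -> str:
    """Constructed stand-in for the SPIRE agent minting a JWT-SVID."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT", "kid": "constructed-key"}
    claims = {"sub": spiffe_id, "aud": audiences, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_login(token: str, role: dict, key: bytes, now: float = None):
    """Model of POST auth/jwt/login with role=dev.

    Returns (True, token_policies) on success or (False, reason) otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    # 1. Signature first: nothing in the payload is trusted before this.
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(parts[1]))
    # 2. Expiry: JWT-SVIDs are short-lived by design.
    if now is None:
        now = time.time()
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # 3. bound_audiences: the token must have been minted for this consumer.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if not set(aud) & set(role["bound_audiences"]):
        return False, "audience not bound"
    # 4. bound_subject: exact match on the user_claim ("sub" = SPIFFE ID).
    if claims.get(role["user_claim"]) != role["bound_subject"]:
        return False, "subject not bound"
    return True, list(role["token_policies"])


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # assumption: offline stand-in key
    good = mint_jwt_svid("spiffe://example.org/workload-1", ["TESTING"], key)
    print(jwt_login(good, ROLE_DEV, key))
    other = mint_jwt_svid("spiffe://example.org/workload-2", ["TESTING"], key)
    print(jwt_login(other, ROLE_DEV, key))
```

Because `bound_subject` is an exact string match, onboarding a second workload means adding a second role (or switching to `boundClaims` on a claim both identities share) rather than loosening this one; and because the audience is part of the check, a JWT-SVID a workload obtained for some other service cannot be replayed against Vault.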