Vault as a PKI engine for Kubernetes

Captions
Hi guys, welcome to this self-paced lab about Vault with Kubernetes, where Vault is a certificate manager. This is an interactive lab, so the steps describe what you can do, and you can start the terminal here; that just does not work, so I've prepared separate hosts that we're going to run the steps on. Those separate hosts are prepared; let me just briefly run you through them. There's this code here, and if you go to GitHub, robertdebock, and then search for "ansible playbook minikube", you can set them up yourself. Basically they just install minikube, Helm and Kubernetes. So that means we can now log into the machine, it's this one in this case, and before you start you should switch to minikube, and that's it.

Now, one of the first steps in the lab (you can skip a few, because we're not going to run it in this browser terminal) is right around here: we need to clone some repositories that have some code that we're going to use. Minikube takes a few seconds, and you can go into the directory. What I've seen is that some of these copy-paste buttons do work and some copy a bit too much, the output also, so sometimes you have to select the command and paste that in; most of the time you can use the copy button.

First step is to start minikube. Minikube is a small Kubernetes environment; it's not production-ready, it's just good for demos or labs like these. "minikube start", and that will take a couple of seconds because it's going to download stuff. This host lives at DigitalOcean; it's connected quite well, but it's not a super quick machine, so this takes a minute or so. Then we have all the facilities for Kubernetes, but on a small single machine, so it's good to try and experiment. There it is. So now we can verify that it ran successfully, and if it's all running and configured you're good to go. Now that minikube is running we can add a repository for Helm charts. You can still copy-paste everything here; that just adds the repository but doesn't really get anything. With "helm repo update" we receive all the charts that are in such a repository, and that means we can start Vault using Helm. Let's go; there we are. And if you get the pods you'll notice that it's not... did we skip a step? No. You'll notice that it's not ready. It is there, and it will never be ready, that is, until we initialize and unseal Vault. So once again, you can run this over and over again; it will never be ready. We'll get it ready in the next section.

So we've installed Vault using Helm, so we can start to configure and use Vault. In this case we're going to start Vault with a single key share. That is not production-ready, but it's good for this environment, and we'll save the unseal key and the root key in a file that we're going to pick up later. That's it. So we have now initialized Vault with "vault operator init", and that file just contains, probably, JSON stuff. Cat this and that, and you'll see the unseal key and the root token; that's what we're going to use for now. Here they demonstrate that you can get the key out, or the unseal key; you can also save it, and that's what we're going to do, because we need it a little later. There it is, and you can also of course echo it, VAULT_UNSEAL_KEY. I should copy-paste more. There it is, the same value as this value. When it's initialized, it means that the back end is there, it's encrypted with that key, but it's not unsealed yet. We need to understand that each time you start up a Vault instance it needs to be unsealed. Typically you do that with three people, five people or so; in this case it's a demo, one person is good enough. And you see now that it's not sealed anymore, so that's good. And the pod should get ready, as you see. I'm starting to copy-paste the commands, because by now I think the copy button also takes the outputs, which results in small errors; not problematic, but ugly. Yeah, so that is ready now. Besides that key we also need the root token. I don't need to see it, that is fine; I'll just save it immediately. There we go, and now that we have it we can also log in, and with logging in we can start to use or configure Vault. That's done; now logged in for eternity, good for us. I'll probably destroy the whole environment in a couple of minutes. So that's it for configuring, or initializing and unsealing, Vault.

So we've just initialized and unsealed Vault, so that means we can start to use it and configure it; that's what we'll do now. First let's log in to the container. That's it, and we can start to use it. What we're going to do here is enable a PKI secrets engine. Each secrets engine needs to be enabled and configured, so that's what we're going to do now. We're going to tune it a bit and we'll write, sorry, we'll initialize a self-signed CA in this case. Especially here, don't use this button; copy-paste just that command, so it's three lines, so that you can start to use it. There it is; we get these certificates, we don't specifically need them by now. Next up we're going to need to configure the revocation location and the issuing location. There we go. And in this case we're going to create a role with a policy attached to that role. Just copy-paste everything in; I should probably drag it up a bit. I'll clean my screen so it's back on the top. In this case let's just write it in a file and adjust it as input: bring this whole policy in and attach it to the role "pki". That's it. And it says to exit, but we're going to enter it again in a bit, so I don't think you need to exit; you can, but we'll enter it again in a bit.

So Vault has just been configured to use Kubernetes for authentication, and now we're going to deploy a certificate manager. Here are the steps; it's a single line actually. And I think, once again, if you copy the whole part you probably copy a bit too much, including the output. Let's paste this. Oh, that's... oh yeah, I should have exited. I did copy the dollar sign. Okay, all are created, great. Next we can create a namespace, perfect, and we can add yet another, sorry, Helm repository, in this case for Jetstack, and we need to update the repository in order to receive the list of charts, and now we can install or deploy the certificate manager. Here we go. Yeah, that looks good. I see some errors passing by; should not be an issue. It'll end up... it's been deployed successfully, good enough. So now let's have a look at the pods in this specific namespace, and we need to wait a bit; it's probably pulling container images. Yeah, it's getting more and more ready; give this a minute or so. Maybe I can use a watch; yeah, "watch" is a little tool to loop over a command over and over, specifically for these kinds of use cases where you want to know when it's done. It runs every two seconds, but it's configurable. There it is, it's ready, everything's ready, and that's it for the deployment of cert-manager.

So now that cert-manager is configured we can actually start to create an issuer and generate certificates. So let's first create a service account called "issuer". There we go. And let's have a look at what secrets we now have; there should be one extra, a couple of seconds old. There it is, our extra secret, and let's store that value in a variable; we'll use it later on. Let's double-check if it's there, and let's copy-paste them. Such a great typer. Yeah, that's perfect. Now what we're going to do here is tell Kubernetes to make a Vault issuer, and this is where it relates to Vault, here it is, with this secret. So let's pop this in. Here we go. So we now have just a file with one variable that should have been rendered to that value. Get... yeah, it is. So here's that single value. Now we can start to apply that. Let's bring it to the top: "kubectl apply". Perfect, and you can read a bit more information here too, by the way. And finally we can make a certificate, or at least the file that can be applied to create a certificate using Vault. Here's the file. Is there any variable in here? No, none, so that should be exactly the same. Here it is, and we can start to apply that. Here it is, and that's applied. So cert-manager has now contacted Vault for that certificate, and that's now configured, and we can probably also describe it. Sure, back to the top. It is quite a long list, but cert-manager, a couple of seconds ago, processed this request. So that's it; that's how you can configure Vault and Kubernetes, or actually Kubernetes to use cert-manager to use Vault to issue certificates. Hope that's helpful. See you next time.
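The procedure the video walks through (enable and tune the PKI engine, generate the self-signed root, set the issuing and CRL URLs, create the "pki" role and its policy, enable Kubernetes auth, deploy cert-manager, create the "issuer" service account, render its token Secret name into a Vault Issuer, and apply a Certificate), condensed into one script as an added example. This is not the lab's or the channel's own code. The transcript does not show the exact policy, manifests or Helm flags, so the policy body, the pod name "vault-0", the in-cluster Vault address, the domain example.com, the namespaces and the `installCRDs` flag are all assumptions. The rendering functions run without a cluster; the cluster steps only run when the script is invoked with the argument `run`, and assume Vault is already initialized, unsealed and logged in inside the pod, as the lab does. It ends with the check the lab stops short of: that the leaf cert-manager stored actually chains to the CA Vault generated.

```shell
#!/bin/sh
# Added example, not the lab's code. Names marked "assumed" are not from the transcript.
set -eu

VAULT_POD="${VAULT_POD:-vault-0}"                 # assumed: default pod of the Vault Helm chart
PKI_ROLE="${PKI_ROLE:-pki}"                       # role name used in the lab
ISSUER_SA="${ISSUER_SA:-issuer}"                  # service account created in the lab
VAULT_IN_CLUSTER="http://vault.default.svc:8200"  # assumed in-cluster Vault address

# Policy bound to the Kubernetes auth role (assumed; the lab's own policy is not
# shown). Least privilege for cert-manager: sign CSRs under the role only. No
# pki/issue/* (Vault would generate and hand out private keys), no pki/root/*.
pki_policy() {
  printf 'path "pki/sign/%s" {\n  capabilities = ["create", "update"]\n}\n' "$PKI_ROLE"
}

# cert-manager Issuer pointing at Vault. $1 is the service account token Secret
# name, the single variable the lab renders into its issuer file.
issuer_manifest() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: default
spec:
  vault:
    server: ${VAULT_IN_CLUSTER}
    path: pki/sign/${PKI_ROLE}
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: ${PKI_ROLE}
        secretRef:
          name: $1
          key: token
EOF
}

# Certificate handled by that Issuer; the names must fit the role's allowed_domains.
certificate_manifest() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com
  namespace: default
spec:
  secretName: www-example-com-tls
  commonName: www.example.com
  dnsNames:
    - www.example.com
  issuerRef:
    name: vault-issuer
    kind: Issuer
EOF
}

# Chain check: leaf PEM ($1) must validate against CA PEM ($2).
verify_leaf_against_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

run_lab() {
  # Vault side, inside the initialized, unsealed, logged-in pod.
  kubectl exec "$VAULT_POD" -- sh -ec "
    vault secrets enable pki
    vault secrets tune -max-lease-ttl=8760h pki
    vault write pki/root/generate/internal common_name=example.com ttl=8760h
    vault write pki/config/urls issuing_certificates=${VAULT_IN_CLUSTER}/v1/pki/ca \
      crl_distribution_points=${VAULT_IN_CLUSTER}/v1/pki/crl
    vault write pki/roles/${PKI_ROLE} allowed_domains=example.com allow_subdomains=true max_ttl=72h
    vault auth enable kubernetes
    vault write auth/kubernetes/config kubernetes_host=https://\$KUBERNETES_PORT_443_TCP_ADDR:443
    vault write auth/kubernetes/role/${PKI_ROLE} bound_service_account_names=${ISSUER_SA} \
      bound_service_account_namespaces=default policies=${PKI_ROLE} ttl=20m"
  pki_policy | kubectl exec -i "$VAULT_POD" -- vault policy write "$PKI_ROLE" -

  # cert-manager side.
  helm repo add jetstack https://charts.jetstack.io && helm repo update
  helm install cert-manager jetstack/cert-manager -n cert-manager --create-namespace --set installCRDs=true
  kubectl -n cert-manager rollout status deploy/cert-manager-webhook
  kubectl create serviceaccount "$ISSUER_SA"
  # Kubernetes < 1.24 auto-creates the token Secret, as in the lab; on 1.24+
  # create one yourself (type kubernetes.io/service-account-token) first.
  secret="$(kubectl get sa "$ISSUER_SA" -o jsonpath='{.secrets[0].name}')"
  issuer_manifest "$secret" | kubectl apply -f -
  certificate_manifest | kubectl apply -f -
  kubectl wait --for=condition=Ready certificate/www-example-com --timeout=120s

  # The check: the stored leaf must chain to the CA Vault generated.
  kubectl get secret www-example-com-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > leaf.pem
  kubectl get secret www-example-com-tls -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.pem
  verify_leaf_against_ca leaf.pem ca.pem && echo "leaf chains to the Vault CA"
}

if [ "${1:-}" = run ]; then run_lab; fi
```

Two points worth keeping in mind when adapting this: the Vault role's `ttl=20m` caps the cert-manager login token, and `max_ttl=72h` on the PKI role caps leaf lifetime regardless of what the Certificate asks for, so the blast radius of a leaked service account token or leaf key stays bounded. The single unseal key and the root token saved to a file are fine for this throwaway minikube, but in anything longer-lived use multiple key shares (or auto-unseal) and revoke the root token once real auth methods are in place.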
Info
Channel: Robert de Bock
Views: 54
Keywords: vault, k8s, pki, certificate, ca
Id: qHB9yOaURu4
Length: 12min 31sec (751 seconds)
Published: Fri Jun 18 2021