HashiCorp Vault is an identity-based secrets and encryption management system. Here a secret is anything whose access you need to control, such as API encryption keys, passwords and certificates.
Configuration is done with Helm.
```bash
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install vault hashicorp/vault
```
values.yaml is as follows (the keys are those of the vault-secrets-operator chart, as the image repository in it shows):
```yaml
controller:
  affinity: {}
  annotations: {}
  controllerConfigMapYaml:
    health:
      healthProbeBindAddress: ':8081'
    leaderElection:
      leaderElect: true
      resourceName: b0d477c0.hashicorp.com
    metrics:
      bindAddress: '127.0.0.1:8080'
    webhook:
      port: 9443
  extraLabels: {}
  hostAliases: []
  imagePullSecrets: []
  kubeRbacProxy:
    image:
      pullPolicy: IfNotPresent
      repository: quay.io/brancz/kube-rbac-proxy
      tag: v0.18.1
    resources:
      limits:
        cpu: 500m
        memory: 128Mi
      requests:
        cpu: 5m
        memory: 64Mi
  kubernetesClusterDomain: cluster.local
  manager:
    backoffOnSecretSourceError:
      initialInterval: 5s
      maxElapsedTime: 0s
      maxInterval: 60s
      multiplier: 1.5
      randomizationFactor: 0.5
    clientCache:
      cacheSize: null
      persistenceModel: ''
      storageEncryption:
        appRole:
          roleId: ''
          secretRef: ''
        aws:
          headerValue: ''
          iamEndpoint: ''
          irsaServiceAccount: ''
          region: ''
          role: ''
          secretRef: ''
          sessionName: ''
          stsEndpoint: ''
        enabled: false
        gcp:
          clusterName: ''
          projectID: ''
          region: ''
          role: ''
          workloadIdentityServiceAccount: ''
        headers: {}
        jwt:
          role: ''
          secretRef: ''
          serviceAccount: default
          tokenAudiences: []
        keyName: ''
        kubernetes:
          role: ''
          serviceAccount: null
          tokenAudiences: []
        method: kubernetes
        mount: kubernetes
        namespace: ''
        params: {}
        transitMount: ''
        vaultConnectionRef: default
    extraArgs: []
    extraEnv: []
    globalTransformationOptions:
      excludeRaw: false
    globalVaultAuthOptions:
      allowDefaultGlobals: true
    image:
      pullPolicy: IfNotPresent
      repository: hashicorp/vault-secrets-operator
      tag: 0.9.0
    logging:
      level: info
      stacktraceLevel: panic
      timeEncoding: rfc3339
    maxConcurrentReconciles: null
    resources:
      limits:
        cpu: 500m
        memory: 128Mi
      requests:
        cpu: 10m
        memory: 64Mi
  nodeSelector: {}
  podSecurityContext:
    runAsNonRoot: true
  preDeleteHookTimeoutSeconds: 120
  rbac:
    clusterRoleAggregation:
      editorRoles: []
      userFacingRoles:
        edit: false
        view: false
      viewerRoles: []
  replicas: 1
  securityContext:
    allowPrivilegeEscalation: false
  strategy: {}
  terminationGracePeriodSeconds: 120
  tolerations: []
defaultAuthMethod:
  allowedNamespaces: []
  appRole:
    roleId: ''
    secretRef: ''
  aws:
    headerValue: ''
    iamEndpoint: ''
    irsaServiceAccount: ''
    region: ''
    role: ''
    secretRef: ''
    sessionName: ''
    stsEndpoint: ''
  enabled: false
  gcp:
    clusterName: ''
    projectID: ''
    region: ''
    role: ''
    workloadIdentityServiceAccount: ''
  headers: {}
  jwt:
    role: ''
    secretRef: ''
    serviceAccount: default
    tokenAudiences: []
  kubernetes:
    role: ''
    serviceAccount: default
    tokenAudiences: []
  method: kubernetes
  mount: kubernetes
  namespace: ''
  params: {}
  vaultAuthGlobalRef:
    allowDefault: null
    enabled: false
    mergeStrategy:
      headers: none
      params: none
    name: ''
    namespace: ''
defaultVaultConnection:
  address: 'http://vault:8200' # vault svc
  caCertSecret: ''
  enabled: true # connection to the Vault that was set up earlier
  headers: {}
  skipTLSVerify: false
  tlsServerName: ''
hooks:
  resources:
    limits:
      cpu: 500m
      memory: 128Mi
    requests:
      cpu: 10m
      memory: 64Mi
  upgradeCRDs:
    backoffLimit: 5
    enabled: true
    executionTimeout: 30s
metricsService:
  ports:
    - name: https
      port: 8443
      protocol: TCP
      targetPort: https
  type: ClusterIP
telemetry:
  serviceMonitor:
    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    enabled: false
    interval: 30s
    path: /metrics
    port: https
    scheme: https
    scrapeTimeout: 10s
    selectors: {}
tests:
  enabled: true
```
Next is how to integrate Okta. The community edition only goes as far as ID/password login; MFA (second-factor) integration is available starting with the Enterprise license.
```console
sh-4.4$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 1
Threshold 1
Unseal Progress 0/1
Unseal Nonce n/a
Version 1.17.2
Build Date 2024-07-05T15:19:12Z
Storage Type file
HA Enabled false
sh-4.4$ vault operator unseal fl7v4tygsKzb4ONMpp48TUDzC8GOriZgHG2Cg8CsDCs=
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.17.2
Build Date 2024-07-05T15:19:12Z
Storage Type file
Cluster Name vault-cluster-4e8f9d09
Cluster ID 3609a9fe-58ce-51b2-69bb-e6e23c94e48d
HA Enabled false
sh-4.4$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.17.2
Build Date 2024-07-05T15:19:12Z
Storage Type file
Cluster Name vault-cluster-4e8f9d09
Cluster ID 3609a9fe-58ce-51b2-69bb-e6e23c94e48d
HA Enabled false
sh-4.4$ vault login hvs.xk02XpUYTFzGqOpmh2HNpOkA
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.xk02XpUYTFzGqOpmh2HNpOkA
token_accessor CTr4KvYJJVTayNZzhCOp1npK
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
sh-4.4$ vault auth enable okta
Success! Enabled okta auth method at: okta/
sh-4.4$ vault auth list
Path Type Accessor Description Version
---- ---- -------- ----------- -------
okta/ okta auth_okta_50c171cb n/a n/a
token/ token auth_token_7f80c35b token based credentials n/a
sh-4.4$ vault write auth/okta/config base_url="okta.com" org_name="supermoon" api_token="00StWq-Fq6MJwYZG2UcFWH9zyCHPhLv84UdYQx0xxxx"
Success! Data written to: auth/okta/config
sh-4.4$ vault read auth/okta/config
Key Value
--- -----
base_url okta.com
bypass_okta_mfa false
org_name supermoon
organization supermoon
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies []
token_ttl 0s
token_type default
sh-4.4$ vault write auth/okta/users/admin@supermoon.com
Success! Data written to: auth/okta/users/admin@supermoon.com
```
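The same Okta setup scripted with the checks an operator would want, as an added example that is not from the original post: it refuses to run against a sealed Vault, enables the okta/ mount only once, feeds the Okta API token from an environment variable through stdin so it never appears in argv or shell history, sets explicit token TTLs, and registers the user with a named policy instead of only the default one. Assumed: the vault CLI on PATH with VAULT_ADDR and VAULT_TOKEN exported, an OKTA_API_TOKEN variable (assumed name), and an existing policy named okta-admin (assumed name).

```bash
#!/bin/sh
# Added example, not part of the original post. Assumes: vault CLI on PATH,
# VAULT_ADDR and VAULT_TOKEN exported, OKTA_API_TOKEN exported (assumed name),
# and an existing Vault policy named okta-admin (assumed name).
set -eu

OKTA_ORG="${OKTA_ORG:-supermoon}"            # org_name from the post
OKTA_BASE_URL="${OKTA_BASE_URL:-okta.com}"   # base_url from the post
OKTA_USER="${OKTA_USER:-admin@supermoon.com}"
OKTA_POLICY="${OKTA_POLICY:-okta-admin}"

# Classify `vault status -format=json` output without needing jq:
# prints uninitialized, sealed or unsealed.
seal_state() {
  if printf '%s' "$1" | grep -q '"initialized": *false'; then echo uninitialized
  elif printf '%s' "$1" | grep -q '"sealed": *true'; then echo sealed
  else echo unsealed
  fi
}

# True when `vault auth list -format=json` already lists the okta/ mount.
has_okta_mount() { printf '%s' "$1" | grep -q '"okta/"'; }

apply() {
  # vault status exits non-zero while sealed, so swallow that and classify.
  state=$(seal_state "$(vault status -format=json || true)")
  if [ "$state" != unsealed ]; then
    echo "vault is $state; unseal it before configuring auth" >&2
    return 1
  fi
  has_okta_mount "$(vault auth list -format=json)" || vault auth enable okta
  # api_token=- makes the CLI read the value from stdin, keeping the Okta
  # token out of argv and shell history. TTLs bound tokens issued to Okta logins.
  printf '%s' "$OKTA_API_TOKEN" | vault write auth/okta/config \
    org_name="$OKTA_ORG" base_url="$OKTA_BASE_URL" api_token=- \
    token_ttl=1h token_max_ttl=8h
  # Register the user with an explicit policy rather than only the default one.
  vault write "auth/okta/users/$OKTA_USER" policies="$OKTA_POLICY"
  # Read back: api_token is never returned, and MFA bypass must stay off.
  vault read -format=json auth/okta/config | grep -q '"bypass_okta_mfa": *false'
}

# Only touch Vault when explicitly asked, so the helpers can be sourced safely.
if [ "${APPLY_OKTA:-0}" = 1 ]; then apply; fi
```

Run it with `APPLY_OKTA=1 sh okta-setup.sh`; it exits non-zero on a sealed Vault or if the read-back shows `bypass_okta_mfa` set.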