Episode 057: Vault and Kubernetes
- Hosted by @krisnova
- Recording date: 2018-11-17
Table of Contents
- 00:00:00 - Welcome to TGIK!
Show Notes
- Auth done using the Kubernetes Auth backend: https://www.vaultproject.io/docs/auth/kubernetes.html
  `jwt` is something of an under-description. In granting the service account token to Vault, you are authing using a shared-secret credential that lets one use the serviceaccount generally; so be aware (but if you can't trust Vault or the wire to it ... you're in trouble).
- When configuring `kubernetes_ca_cert=@ca.crt` it is worth keeping in mind this part of the `write` documentation:
  > Data is specified as "key=value" pairs. If the value begins with an "@", then it is loaded from a file. If the value is "-", Vault will read the value from stdin.
  As for the value, you could extract it from your kubeconfig, e.g.:

  ```shell
  # Pull the CA of the cluster behind the current context out of the kubeconfig
  kubectl config view --raw -o json | \
    jq -r '. as $raw | .clusters[] |
      select(
        .name == (
          $raw.contexts[] | select( .name == ($raw."current-context") )
          | .context.cluster
        )
      ) | .cluster | ."certificate-authority-data"' | \
    base64 --decode > ca.crt
  # or there may be a key "certificate-authority" which
  # will contain a file name you can just use with @
  ```
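  The same extraction carried a step further, as an added example (not code from the episode or from Vault): it resolves the CA for the current (or a named) context from the JSON that `kubectl config view --raw -o json` emits, handles both the embedded `certificate-authority-data` and the file-path `certificate-authority` variants mentioned in the comment above, refuses to proceed when neither is present, and implements the `@file` / `-` value rule from the `write` documentation. The kubeconfig below is constructed sample data and the certificate bytes are a placeholder, not a real CA.

```python
"""Resolve the Kubernetes CA for Vault's kubernetes_ca_cert from a kubeconfig
and apply the `vault write` value conventions (@file and - for stdin).

Added example, not part of the TGIK notes. Assumes the kubeconfig is the JSON
form produced by `kubectl config view --raw -o json`; all data below is constructed.
"""
import base64
import json
import sys
from pathlib import Path

# Constructed sample kubeconfig (JSON form). The certificate is a placeholder.
_PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIB...placeholder...not-a-real-certificate\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KUBECONFIG = json.dumps({
    "current-context": "prod",
    "contexts": [
        {"name": "dev", "context": {"cluster": "dev-cluster", "user": "dev-user"}},
        {"name": "prod", "context": {"cluster": "prod-cluster", "user": "prod-user"}},
        {"name": "insecure", "context": {"cluster": "insecure-cluster", "user": "x"}},
    ],
    "clusters": [
        # file-path variant: pass straight to `vault write ... kubernetes_ca_cert=@/path`
        {"name": "dev-cluster",
         "cluster": {"server": "https://dev.example.invalid:6443",
                     "certificate-authority": "/tmp/dev-ca.crt"}},
        # embedded variant: base64 of the PEM, as in the jq one-liner above
        {"name": "prod-cluster",
         "cluster": {"server": "https://prod.example.invalid:6443",
                     "certificate-authority-data":
                         base64.b64encode(_PLACEHOLDER_PEM.encode()).decode()}},
        # no CA at all: Vault must not be configured to trust this blindly
        {"name": "insecure-cluster",
         "cluster": {"server": "https://insecure.example.invalid:6443",
                     "insecure-skip-tls-verify": True}},
    ],
})


def current_cluster(kubeconfig, context_name=None):
    """Return the `.cluster` object for the given context (default: current-context)."""
    ctx_name = context_name or kubeconfig["current-context"]
    ctx = next(c for c in kubeconfig["contexts"] if c["name"] == ctx_name)
    cluster_name = ctx["context"]["cluster"]
    return next(c for c in kubeconfig["clusters"] if c["name"] == cluster_name)["cluster"]


def ca_for_vault(kubeconfig_json, context_name=None):
    """Return ("data", pem_text) when the CA is embedded, or ("file", path) when
    the kubeconfig references a file (usable as @path with `vault write`).

    Raises ValueError when the cluster carries no CA: Vault's TokenReview calls
    would then have no way to authenticate the API server.
    """
    cluster = current_cluster(json.loads(kubeconfig_json), context_name)
    if "certificate-authority-data" in cluster:
        return "data", base64.b64decode(cluster["certificate-authority-data"]).decode()
    if "certificate-authority" in cluster:
        return "file", cluster["certificate-authority"]
    raise ValueError("cluster has no certificate-authority(-data); refusing to "
                     "configure kubernetes_ca_cert without a CA")


def resolve_write_value(value, stdin=sys.stdin):
    """The `vault write` rule: '-' reads stdin, '@path' reads a file, else literal."""
    if value == "-":
        return stdin.read()
    if value.startswith("@"):
        return Path(value[1:]).read_text()
    return value


if __name__ == "__main__":
    kind, value = ca_for_vault(SAMPLE_KUBECONFIG)
    if kind == "file":
        print(f"use kubernetes_ca_cert=@{value}")
    else:
        Path("ca.crt").write_text(value)
        print("wrote ca.crt; use kubernetes_ca_cert=@ca.crt")
```

  Note that `kubectl config view --raw` prints credentials as well as CAs; pipe only the CA field onward and keep the raw output off disk.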
Reference Links
- `sed -i s/Heptio/Heptio + VMware/g`
- Thanks to Justin from Lithuania for our keychains. TODO: we should check in a photo.