hashicorp/vault-secrets-operator

GitHub: hashicorp/vault-secrets-operator

Vault Secrets Operator is a Kubernetes Operator that synchronizes secrets from Vault into Kubernetes Secrets, so that Pods can access Vault-managed sensitive data through native Secrets.

Stars: 578 | Forks: 135

# Vault Secrets Operator

The Vault Secrets Operator (VSO) lets Pods consume Vault secrets natively from Kubernetes Secrets.

## Overview

The Vault Secrets Operator operates by watching for changes to its supported set of Custom Resource Definitions (CRDs). Each CRD provides the specification required to allow the Operator to synchronize a Vault secret to a Kubernetes Secret. The Operator writes the *source* Vault secret data directly to the *destination* Kubernetes Secret, ensuring that any changes made to the *source* are replicated to the *destination* over its lifetime. In this way, an application only needs access to the *destination* Secret in order to make use of the secret data it contains.

See the developer docs for more information [here](https://developer.hashicorp.com/vault/docs/platform/k8s/vso).

### Features

The Vault Secrets Operator supports the following features:

- Support for all Vault secrets engines.
- TLS/mTLS communication with Vault.
- Authentication using the requesting Pod's `ServiceAccount` via the [Kubernetes Auth Method](https://developer.hashicorp.com/vault/docs/auth/kubernetes).
- Syncing Vault secrets to Kubernetes Secrets.
- Secret rotation for `Deployment`, `ReplicaSet`, and `StatefulSet` Kubernetes resource types.
- Prometheus instrumentation for monitoring the Operator.
- Supported installation methods: `Helm`, `Kustomize`.

## Samples

Set up Kubernetes and deploy the samples:

```
# Start a KinD cluster
make setup-kind

# Deploy Vault
make setup-integration-test

# Configure Vault
./config/samples/setup.sh

# Build and deploy the operator
make build docker-build deploy-kind

# Deploy the sample K8s resources
kubectl apply -k config/samples
```

Inspect the resulting secrets:

```
kubectl get secrets -n tenant-1 secret1 -o yaml
kubectl get secrets -n tenant-1 pki1 -o yaml
kubectl get secrets -n tenant-2 secret1 -o yaml
```

Delete the samples:

```
kubectl delete -k config/samples
```

### Ingress TLS with VaultPKISecret

The file `config/samples/secrets_v1beta1_vaultpkisecret_tls.yaml` contains an example of using a VaultPKISecret to populate a TLS Secret for an Ingress. This example requires some additional setup to test (derived from the [kind docs](https://kind.sigs.k8s.io/docs/user/ingress/)).

The TLS example is part of the samples, so set up kind, configure Vault, and deploy the operator as described above.

Then deploy the nginx ingress controller:

```
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kubectl wait --namespace ingress-nginx \
  --for=condition=ready pod \
  --selector=app.kubernetes.io/component=controller \
  --timeout=90s
```

Check the deployed application with a tool such as curl. It should return the `tls-app` hostname, and the certificate should have a TTL of about 1.5m:

```
$ curl -k https://localhost:38443/tls-app/hostname
tls-app
$ curl -kvI https://localhost:38443/tls-app/hostname
...
* Server certificate:
*  subject: CN=localhost
*  start date: Mar 17 05:53:28 2023 GMT
*  expire date: Mar 17 05:54:58 2023 GMT
*  issuer: CN=example.com
...
```

Watch the nginx controller logs to see the TLS Secret being rotated:

```
kubectl logs -f -n ingress-nginx -l app.kubernetes.io/instance=ingress-nginx
```

## Tests

### Unit tests

```
make test
```

### Integration tests

```
# Start a KinD cluster
make setup-kind

# Build the operator binary, image, and deploy to the KinD cluster
make ci-build ci-docker-build ci-deploy-kind ci-deploy

# Run the integration tests (includes Vault deployment)
make integration-test
```

### Integration tests in EKS

```
# Create an EKS cluster and an ECR repository
make -f aws.mk create-eks

# Build the operator image and run the integration tests (includes Vault Community deployment)
make -f aws.mk build-push integration-test-eks

# Run the integration tests (includes Vault ent deployment, have the Vault license as environment variable)
make -f aws.mk build-push integration-test-eks VAULT_ENTERPRISE=true ENT_TESTS=true
```

#### AWS authentication tests with static credentials

```
# Set SKIP_AWS_STATIC_CREDS_TEST=false and set the credentials for the static creds user via the environment variables TEST_AWS_ACCESS_KEY_ID,
# TEST_AWS_SECRET_ACCESS_KEY, TEST_AWS_STATIC_CREDS_ROLE (and TEST_AWS_SESSION_TOKEN if applicable) for a user in AWS.
# Note: these credentials will be set in a Kubernetes secret.
export TEST_AWS_ACCESS_KEY_ID="..."
export TEST_AWS_SECRET_ACCESS_KEY="..."
export TEST_AWS_SESSION_TOKEN="..."
export AWS_STATIC_CREDS_ROLE="arn:aws:iam::..."
make -f aws.mk integration-test-eks TESTARGS="-run TestVaultAuth" SKIP_AWS_STATIC_CREDS_TEST=false
```

### Integration tests in GKE

```
# Export the Google Cloud project id
export GCP_PROJECT=""

# Create a GKE cluster and a GAR repository
make -f gcp.mk create-gke

# Build the operator image and run the integration tests (includes Vault Community deployment)
make -f gcp.mk build-push integration-test-gke

# Run the integration tests (includes Vault ent deployment, have the Vault license as environment variable)
make -f gcp.mk build-push integration-test-gke VAULT_ENTERPRISE=true ENT_TESTS=true
```

### Integration tests in AKS

```
# Export the Azure credentials
az config set core.allow_broker=true && az account clear && az login
az account set --subscription ""
az ad sp create-for-rbac --name "vault-secrets-operator" --role "Owner" --scopes /subscriptions/ --output json
export AZURE_APPID=""
export AZURE_PASSWORD=""
export AZURE_TENANT=""

# Create an AKS cluster and an ACR repository
make -f azure.mk create-aks

# Build the operator image and run the integration tests (includes Vault Community deployment)
make -f azure.mk build-push integration-test-aks

# Run the integration tests (includes Vault ent deployment, have the Vault license as environment variable)
make -f azure.mk build-push integration-test-aks VAULT_ENTERPRISE=true ENT_TESTS=true
```
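As an added example (not from the project's README or its `config/samples`), the manifest below wires together the CRD kinds the text describes: a `VaultAuth` that authenticates with the Kubernetes auth method using a Pod `ServiceAccount`, a `VaultStaticSecret` that syncs a KV v2 secret into a Kubernetes Secret and restarts a `Deployment` when it changes, and a `VaultPKISecret` that produces a short-lived `kubernetes.io/tls` Secret of the kind the Ingress TLS sample consumes. The namespace, Vault role, mounts, path and resource names are placeholders, a `VaultConnection` named `vault-connection` is assumed to already exist in the namespace, and field names follow the `secrets.hashicorp.com/v1beta1` API.

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-auth
  namespace: tenant-demo           # placeholder namespace
spec:
  vaultConnectionRef: vault-connection  # assumed to exist; points the Operator at Vault
  method: kubernetes
  mount: kubernetes                # Kubernetes auth mount in Vault
  kubernetes:
    role: tenant-demo              # Vault role bound to the ServiceAccount below (placeholder)
    serviceAccount: default        # identity the Operator presents to Vault
    audiences: [vault]             # token audience expected by the Vault role
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: app-config
  namespace: tenant-demo
spec:
  vaultAuthRef: vault-auth
  mount: kvv2                      # KV v2 secrets engine mount (placeholder)
  type: kv-v2
  path: tenant-demo/config         # secret path under the mount (placeholder)
  refreshAfter: 30s                # re-read the source; changes land in the destination Secret
  destination:
    name: app-config               # destination Kubernetes Secret
    create: true
  rolloutRestartTargets:           # restart consumers so rotated values take effect
    - kind: Deployment
      name: app
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: tls-app-cert
  namespace: tenant-demo
spec:
  vaultAuthRef: vault-auth
  mount: pki                       # PKI secrets engine mount (placeholder)
  role: default                    # PKI role permitted to issue for this CN
  commonName: localhost
  format: pem
  ttl: 90s                         # short TTL so renewal is observable (about 1.5m, as in the sample)
  expiryOffset: 15s                # reissue 15s before the certificate expires
  revoke: true                     # revoke the superseded certificate in Vault
  destination:
    name: tls-app-tls              # referenced by an Ingress spec.tls[].secretName
    create: true
    type: kubernetes.io/tls        # populates tls.crt and tls.key
```

Applying this with `kubectl apply -f` and then running `kubectl get secret -n tenant-demo tls-app-tls -o yaml` repeatedly shows `tls.crt` changing as each certificate is reissued.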
Tags: Custom Resource Definition, EVTX analysis, HashiCorp, Helm, Kubernetes Auth Method, Kustomize, mTLS, Operator, Pod, Secret Rotation, Secrets Management, Secret Sync, ServiceAccount, TLS, Vault, subdomain mutation, security, data isolation, log auditing, service mesh, custom request headers, timeout handling, defensive tools