Published on 00/00/0000
Last updated on 00/00/0000
Published on 00/00/0000
Last updated on 00/00/0000
Share
Share
7 min read
Share
Bank-Vaults already supports multiple KMS alternatives for encrypting and storing unseal-keys
and root-tokens
. However, during bootstrapping and configuring sometimes you need to source other secrets to configure Vault securely. In this post you will learn how to do that with the help of the valuable contributions of Pato Arvizu. Thank you!
For those unfamiliar with Bank-Vaults, let's do a quick recap. Bank-Vaults is a Vault Swiss Army knife, which makes enterprise-grade security attainable on Kubernetes. It has many 'blades' that cut through all kinds of security problems: the Bank-Vaults Kubernetes operator provides automation; a Go client with automatic token renewal provides dynamic secret generation, multiple unseal options and more; a CLI tool initializes, unseals and configures Vault with authentication methods and secret engines; and direct secret injection into Pods reduces attack surface.
We'd also like to take a moment to highlight some other notable features:Vault
object via the externalConfig
, it's sometimes convenient (or necessary) to inject settings that are known only at runtime (e.g. secrets that you don't want to store in source control, or dynamic resources managed elsewhere), or computations based on multiple values (string or arithmetic operations). For these cases, the operator supports parameterized templating. The vault-configurer
component evaluates the templates and injects the rendered configuration into Vault.
This templating is based on Go templates, extended by Sprig, with some custom functions available specifically for bank-vaults (like decrypting strings using the AWS Key Management Service or the Google Cloud Platform's Cloud Key Management Service).
{{
and }}
). Instead, they use ${
for the left delimiter, and }
for the right one. Additionally, to quote parameters being passed to functions, surround them with backticks (`
). For example, to call the env
function, you can use this in your manifest:
password: "${ env `MY_ENVIRONMENT_VARIABLE` }"
In this case, vault-configurer
will evaluate MY_ENVIRONMENT_VARIABLE
at runtime (assuming it was properly injected) and set it to the password
field.
awskms
Note: this function assumes that the vault-configurer
pod has the appropriate AWS IAM credentials and permissions to decrypt the given string. You can be inject the AWS IAM credentials by using Kubernetes secrets as environment variables, an EC2 instance role, kube2iam, or EKS IAM roles, etc.
Parameter | Type | Required |
---|---|---|
encodedString | Base64-encoded string | Yes |
encryptionContext | Variadic list of strings | No |
gcpkms
Note: this function assumes that the vault-configurer
pod has the appropriate GCP IAM credentials and permissions to decrypt the given string. You can inject the GCP IAM credentials by using Kubernetes secrets as environment variables, or they can be acquired via a service account authentication, etc.
Parameter | Type | Required |
---|---|---|
encodedString | Base64-encoded string | Yes |
projectId | String | Yes |
location | String | Yes |
keyRing | String | Yes |
key | String | Yes |
blob
Reads the content of a blob from disk (file) or from cloud blob storage services (object storage) at the given URL and returns it. This assumes that the path exists, and is readable by vault-configurer
.
Valid values for the URL parameters are listed below, for more fine grained options check the documentation of the underlying library:
file:///path/to/dir/file
s3://my-bucket/object?region=us-west-1
gs://my-bucket/object
azblob://my-container/blob
Note: this function assumes that the vault-configurer
pod has the appropriate rights to access the given cloud service, for that, please check the awskms and gcpkms functions.
Parameter | Type | Required |
---|---|---|
url | String | Yes |
root
password is provided for Vault securely with the help of the new awskms
template function and configured automatically.
$ banzai cluster create <<EOF
{
"name": "bifrost",
"location": "eu-west-1",
"cloud": "amazon",
"secretName": "aws",
"properties": {
"eks": {
"version": "1.15.12",
"nodePools": {
"pool1": {
"spotPrice": "0.03",
"count": 2,
"minCount": 2,
"maxCount": 4,
"autoscaling": true,
"instanceType": "t2.medium"
}
}
}
}
}
EOF
$ aws kms encrypt --region eu-west-1
--key-id 9f054126-2a98-470c-9f10-9b3b0cad94a1
--plaintext $(echo -n secretPassword | base64) \
--encryption-context Tool=bank-vaults \
--output text \
--query CiphertextBlob
AQICAHgF8pf5QFJ57AOqyHwBTI+KJ5zPmn5Pew3EzA0QvA8x7gHwYdiEad7eSKiARs35EBaFAAAAbDBqBgkqhkiG9w0BBwagXTBZkWWuUHNahSjQZtmeoQYjMvmHe1WYuCTBZQMEAS4wEQQMSfvJv4JxyVmTpVfoAgEQgCmAIATgudq7IW+0JXUJhT/B+iKsmIy/A2Cud609nx4mRgOsK5+ObbnL1A==
cr-awskms.yaml
:
secrets:
- type: database
description: mysql
configuration:
config:
- name: mysql
plugin_name: mysql-database-plugin
max_open_connections: 5
connection_url: "{{username}}:{{password}}@tcp(vault.cluster-cnehjeaeuy8e.eu-west-1.rds.amazonaws.com:3306)/"
allowed_roles: ['*']
username: root
password: '${ awskms (env `ENCRYPTED_DB_CREDS`) }'
roles:
- name: app
db_name: mysql
creation_statements: "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT ALL ON `app\_%`.* TO '{{name}}'@'%';"
default_ttl: 2m
max_ttl: 10m
envsConfig:
- name: ENCRYPTED_DB_CREDS
value: "AQICAHgF8pf5QFJ57AOqyHwBTI+KJ5zPmn5Pew3EzA0QvA8x7gHwYdiEad7eSKiARs35EBaFAAAAbDBqBgkqhkiG9w0BBwagXTBZkWWuUHNahSjQZtmeoQYjMvmHe1WYuCTBZQMEAS4wEQQMSfvJv4JxyVmTpVfoAgEQgCmAIATgudq7IW+0JXUJhT/B+iKsmIy/A2Cud609nx4mRgOsK5+ObbnL1A==" # This should be the base64-encoded ciphertext blob
- name: AWS_REGION
value: eu-west-1
Of course you can replace ENCRYPTED_DB_CREDS
with the new blob
function, and you can store the encrypted password in an S3 bucket (if you don't like encrypted Secrets in your configuration), and pull back to the config with:
(awskms (blob `s3://bank-vaults/encrypted/db-creds?region=eu-west-1`))
helm upgrade --install vault-operator banzaicloud-stable/vault-operator
kubectl apply -f cr-awskms.yaml
vault-configurer
with the kubectl logs -f deployment/vault-configurer
command to verify that it successfully configured the MySQL database dynamic secret backend.Learn more about Bank-Vaults:
- Secret injection webhook improvements
- Backing up Vault with Velero
- Vault replication across multiple datacenters
- Vault secret injection webhook and Istio
- HSM support
- Injecting dynamic configuration with templates
- OIDC issuer discovery for Kubernetes service accounts
- Show all posts related to Bank-Vaults
Get emerging insights on emerging technology straight to your inbox.
Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.
The Shift is Outshift’s exclusive newsletter.
Get the latest news and updates on generative AI, quantum computing, and other groundbreaking innovations shaping the future of technology.