Member post originally published on Devtron’s blog by Shubham Kumar

TL;DR: In this article we’ll learn about how to deploy Hashicorp vault in Kubernetes and how to fetch secrets from vault and integrate it with your applications on Kubernetes.

Table of contents

  1. What is HashiCorp Vault?
     1. Key Concepts and Components
  2. Installing HashiCorp Vault Helm chart using Devtron
     1. Install External Secret Operator
     2. Create a new secret
     3. Select HashiCorp Vault as the External Secret Operator
     4. Configure the secret
     5. Save the secret
     6. Deploy the application
  3. Conclusion

Imagine secrets as keys to the locked doors in the digital world. These doors could hold valuable company data, financial systems, customer information, and much more. Proper management of these keys, or secrets, is akin to fortifying these doors against unauthorized entry and potential breaches. A breach involving compromised secrets can lead to data leaks, financial losses, damaged reputation, and even legal consequences.

In today’s digital world, keeping secrets safe is crucial for businesses. Secrets, like passwords, API keys, and sensitive data, need strong protection.

What is HashiCorp Vault?

HashiCorp Vault is an advanced tool created to offer a secure and centralized platform for the management of secrets. Developed by HashiCorp, a renowned provider of infrastructure automation tools, Vault serves as a specialized solution to effectively handle the complexities of safeguarding secrets and controlling access to them.

Key Concepts and Components

To truly understand how HashiCorp Vault works, let’s explore its core concepts and components:

Installing Hashicorp Vault Helm chart using Devtron

You can use Devtron’s chart store for installing the HashiCorp Vault Helm chart. If the vault chart isn’t available there, it’s possible to incorporate the chart repository using global configurations.

Screenshot showing HashiCorp Vault selected in Devtron's chart store

Visit Global Configuration -> Chart Repositories -> + Add Repository to add Hashicorp official helm chart.

Here is the HashiCorp Vault repository URL: https://helm.releases.hashicorp.com

For a detailed walkthrough, see the Devtron documentation on adding custom chart repositories and deploying Helm charts with Devtron.

To access the Vault’s dashboard, you need to configure ingress as shown below:

Screenshot showing Vault's Ingress configuration on Devtron

Once the Helm chart is deployed, it might take a few minutes for the application to become healthy.

Screenshot showing Vault application on Devtron

Once the Vault Helm application is in a healthy state, you can access the Vault dashboard using the hostname specified in the ingress configuration.

Screenshot showing Vault dashboard

To store new secrets in Vault, click the Enable new engine option in the Secrets Engines section. Here you will find the available secrets engines grouped into the categories Generic, Cloud, and Infra.

Screenshot showing Enable a Secret Engine page on Vault, select KV on Generic

You can use the KV secrets engine to save secrets in a key-value manner within the storage set up in Vault.

Give a path and maximum number of versions and enable the engine.

Screenshot showing Enable a Secrets Engine page, Path : my-secrets, Maximum number of versions - 4

To add new secrets in a key-value pair, click on create secret.

Screenshot showing Create secret page on Vault secrets engines

Now the secrets have been added to the vault. Let’s move to how we can use these secrets in Devtron applications using External Secrets Operator.

External Secrets Operator is a Kubernetes operator that integrates external secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault and many more. The operator reads information from external APIs and automatically injects the values into a Kubernetes Secret.

Install External Secret Operator

Before creating any external secrets on Devtron, External Secret Operator must be installed on the target cluster. External Secret Operator allows you to use external secret management systems (e.g., AWS Secrets Manager, HashiCorp Vault, Azure Secrets Manager, Google Secrets Manager, etc.) to securely inject secrets into Kubernetes.

You can install External Secrets Operator from the chart store:

  1. Go to the charts store.
  2. Search chart with name external-secrets and deploy with the default values.
Screenshot showing '"external-secrets" on Devtron
Screenshot showing Helm Apps / eso page on Devtron

To consume secrets from HashiCorp Vault, you first need a generic Kubernetes secret that holds the credential used to authenticate to Vault. Create this Kubernetes secret in the namespace where your application will be deployed, storing the base64-encoded Vault password or token in it (base64 is an encoding, not encryption, so access to this namespace should be restricted accordingly). To simplify the process, you can use the devtron/devtron-generic-chart. An example YAML is given below:

apiVersion: v1
kind: Secret
metadata:
   name: vault-token          # referenced later as tokenSecretRef.name
   namespace: <namespace>     # namespace the application is deployed to
type: Opaque
data:
   token: <vault-password>    # Vault token, base64-encoded; referenced as tokenSecretRef.key

Note: There is no requirement to generate the Kubernetes secret each time you’re creating an External Secret for that specific namespace.

After successfully generating the generic secret, proceed with the following instructions in the Secrets section of your application:

1. Create a new secret

To add a new secret to your application, go to the App Configuration section. Then, on the left side, choose Secrets and click Add Secret.

Screenshot showing hashicorp-secret on Devtron Apps

2. Select HashiCorp Vault as the External Secret Operator

After clicking the Add Secret button, select HashiCorp Vault from the dropdown menu for the Data type option. Provide a name for the secret you are creating, and then proceed to configure the external secret as described in the next step.

Screenshot showing Add Secret - Hashi Corp Vault on Devtron

3. Configure the secret

To configure the external secret that will be fetched from HashiCorp Vault for your application, you will need to provide specific details using the following key-value pairs:

Key                  Description
vault.server         Connection address of the Vault server, e.g. "https://vault.example.com:8200"
vault.path           Path (secrets engine mount) where the secret is stored in Vault
tokenSecretRef.name  Name of the Kubernetes secret used for authentication
tokenSecretRef.key   Key within that Kubernetes secret that contains the token
secretKey            Name the secret will have in Kubernetes
key                  Name of the secret in Vault
property             Key within the Vault secret
Screenshot showing external-secret-vault code on Devtron
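The key-value pairs above correspond one-to-one to the External Secrets Operator resources that Devtron creates for the application. The following SecretStore and ExternalSecret manifests are an added example, not code from the original post or from Devtron; they assume the KV engine mounted at my-secrets (treated as KV v2, since the engine was enabled with a maximum number of versions), the vault-token secret created earlier, and a hypothetical Vault secret named app-config holding a key db_password.

```yaml
# Added example: the ESO resources equivalent to the Devtron key/value pairs.
# Assumptions: KV v2 engine mounted at "my-secrets", Kubernetes secret
# "vault-token" (key "token") from the earlier step, and a hypothetical Vault
# secret "app-config" containing the field "db_password".
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: <namespace>                # same namespace as vault-token and the app
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"   # vault.server
      path: "my-secrets"                          # vault.path (KV mount point)
      version: "v2"                               # assumed: versioned KV engine
      auth:
        tokenSecretRef:
          name: "vault-token"                     # tokenSecretRef.name
          key: "token"                            # tokenSecretRef.key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: hashicorp-secret
  namespace: <namespace>
spec:
  refreshInterval: "1h"                 # how often ESO re-reads the value from Vault
  secretStoreRef:
    name: vault-backend                 # the SecretStore above
    kind: SecretStore
  target:
    name: hashicorp-secret              # Kubernetes Secret that ESO creates and keeps in sync
  data:
    - secretKey: DB_PASSWORD            # secretKey: key name in the Kubernetes Secret
      remoteRef:
        key: app-config                 # key: name of the secret in Vault (hypothetical)
        property: db_password           # property: field inside that Vault secret
```

Once the SecretStore reports Ready and the ExternalSecret has synced, `kubectl describe secret hashicorp-secret -n <namespace>` lists the DB_PASSWORD key, which is what the Pod's environment variable is populated from.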

4. Save the secret

After configuring the external secret from HashiCorp Vault, proceed to save the secret by clicking the Save button.

5. Deploy the application

By following the steps above and configuring these values correctly, your application can fetch and use external secrets from HashiCorp Vault once it is deployed. To deploy, go to the Build & Deploy page and deploy the application to the environment.

Once the application becomes Healthy, you will see two custom resources on the App Details page: ExternalSecret and SecretStore. If the SecretStore was created successfully, authentication with Vault has succeeded; if it is missing, there is most likely a problem with Vault authentication.

Screenshot showing ExternalSecret, Rollout, SecretStore option highlighted on Custom Resource on Devtron page

If the ExternalSecret has been created, the secrets from Vault have been retrieved and propagated to the environment variables of the application’s Pod. To verify this, open the Pod’s terminal, print the environment variables, and grep for the variable name you defined under esoData as the secretKey.

Screenshot showing secret value verification on Devtron

Conclusion

Think of HashiCorp Vault and Devtron as your dynamic digital defenders. Vault secures secrets, Devtron empowers applications. Together, they ensure strong security, smooth operations, and innovative progress. Embrace this powerful partnership for protected secrets and elevated applications.