Merge pull request kelseyhightower#690 from ttousai/vault-k8s-doc-update

Update Vault Kubernetes authentication doc
terrycorley · Mar 24, 2018 · a23aa1c · a23aa1c
2 parents 1957caa + 21b6aa1
commit a23aa1c
Showing 1 changed file with 31 additions and 12 deletions.
diff --git a/docs/vault-kubernetes-auth.md b/docs/vault-kubernetes-auth.md
@@ -4,8 +4,8 @@ These are steps to get vault with Kubernetes auth working on minikube.
 
 - Deploy Helm
   ```
-  # Install Helm - on macOS
-  brew install kubernetes-helm
+  # Install Helm
+  Use the correct method for your OS from https://docs.helm.sh/using_helm/#installing-the-helm-client
   # Deploy tiller into the cluster
   helm init
 
@@ -14,8 +14,8 @@ These are steps to get vault with Kubernetes auth working on minikube.
   # Add Vault chart
   helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator
   # Install Vault
-  # Currently the chart has Vault 0.8.2 and we need 0.8.3 (but PR is pending)
-  helm install incubator/vault --name vault --set vault.dev=true --set image.tag="0.8.3" 
+  # We need at least Vault 0.8.3
+  helm install incubator/vault --name vault --set vault.dev=true --set image.tag="0.9.5"
   ```
 
 - Enable Kubernetes backend
@@ -26,27 +26,41 @@ These are steps to get vault with Kubernetes auth working on minikube.
   kubectl exec -i -t ${POD_NAME} sh
   # Set env vars for Vault client
   export VAULT_TOKEN=$(cat /root/.vault-token)
+  # Set Vault host URL (do this everytime you exec back into container)
+  export VAULT_ADDR=http://127.0.0.1:8200
   # Enable Kube auth backend
-  vault auth-enable kubernetes
-  # Configure Kube auth bacckend
+  vault auth enable kubernetes
+  # Configure Kube auth backend
   vault write auth/kubernetes/config \
     kubernetes_host=https://kubernetes \
     kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
   # Create Vault policy for testing
-  vault write sys/policy/test \
-    rules='path "secret/*" { capabilities = ["create", "read"] }'
-  # Cretate role for confd
+  vault policy write test -<<EOF
+  path "secret/*" {
+    capabilities = ["create"]
+  }
+
+  path "secret/foo" {
+    capabilities = ["read"]
+  }
+  EOF
+
+  # Create role for confd
   vault write auth/kubernetes/role/confd \
     bound_service_account_names=vault-auth \
     bound_service_account_namespaces=default \
     policies=test \
     ttl=1h
   # Write test secret
   vault write secret/foo value=bar
+
+  # Now exit vault container
+  exit
   ```
   
 - Create RBAC (if used) rule to allow acccess to TokenReview API
   ```
+  kubectl create -f - <<EOF
   apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: ClusterRoleBinding
   metadata:
@@ -60,12 +74,17 @@ These are steps to get vault with Kubernetes auth working on minikube.
   - kind: ServiceAccount
     name: vault-auth
     namespace: default
+  EOF
   ```
 
 - Start a pod with confd and get a secret
   ```
+  # Create service account for kube auth
+  kubectl create serviceaccount vault-auth
+  # Start pod
   kubectl run test -i -t --image=quay.io/stepanstipl/test:confd-v7 \
-    --restart=Never -- sh 
+    --overrides='{ "apiVersion": "v1", "spec": {"serviceAccount": "vault-auth", "serviceAccountName": "vault-auth"} }' \
+    --restart=Never -- sh
   # Inside the pod
   # Create confd config
   mkdir -p /etc/confd/conf.d /etc/confd/templates
@@ -78,10 +97,10 @@ These are steps to get vault with Kubernetes auth working on minikube.
   # And template
   echo '{{getv "/secret/foo"}}' > /etc/confd/templates/test.conf.tmpl
   # and finally run confd
-  confd -onetime -backend vault -auth-type kubernetes -role-id confd -node http://unrealistic-sabertooth-vault:8200 -log-level debug
+  confd -onetime -backend vault -auth-type kubernetes -role confd -node http://vault-vault:8200 -log-level debug
   ```
 
 - Check `/tmp/test.conf`, it should contain your secret
   ```
   cat /tmp/test.conf
-  ``` 
+  ```