• KubeDB

    Run Production-Grade Databases on Kubernetes

    arrow_forward
    Stash

    Backup and Recovery Solution for Kubernetes

    arrow_forward
    KubeVault

    Run Production-Grade Vault on Kubernetes

    arrow_forward
    Voyager

    Secure Ingress Controller for Kubernetes

    arrow_forward
    ConfigSyncer

    Kubernetes Configuration Syncer

    arrow_forward
    Guard

    Kubernetes Authentication WebHook Server

    arrow_forward
    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • task_altLower administrative burden
    • task_altNative Kubernetes Support
    • task_altPerformance
    • task_altAvailability and durability
    • task_altManageability
    • task_altCost-effectiveness
    • task_altSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • task_altDeclarative API
    • task_altBackup Kubernetes Volumes
    • task_altBackup Database
    • task_altMultiple Storage Support
    • task_altDeduplication
    • task_altData Encryption
    • task_altVolume Snapshot
    • task_altPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • task_altVault Kubernetes Deployment
    • task_altAuto Initialization & Unsealing
    • task_altVault Backup & Restore
    • task_altConsume KubeVault Secrets with CSI
    • task_altManage DB Users Privileges
    • task_altStorage Backend
    • task_altAuthentication Method
    • task_altDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • task_altHTTP & TCP
    • task_altSSL
    • task_altPlatform support
    • task_altHAProxy
    • task_altPrometheus
    • task_altLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • task_altConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • task_altIdentity Providers
    • task_altCLI
    • task_altRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
16-Jun-2022

Introducing KubeVault v2022.06.16

author-image
Sakib Alamin

Software Engineer

AppsCode Inc.

Introducing KubeVault v2022.06.16

We are very excited to announce the release of KubeVault v2022.06.16 Edition. The KubeVault v2022.06.16 contains VaultServer latest api version v1alpha2, update to authentication method with addition of JWT/OIDC auth method. A new SecretEngine for MariaDB has been added, KubeVault CLI has been updated along with various fixes on KubeVault resource sync. We’re going to discuss some of them in details below.

KubeVault is a Kubernetes operator for HashiCorp Vault . The Vault is a tool for secrets management, encryption as a service, and privileged access management. The KubeVault operator makes it easy to deploy, maintain and manage Vault servers in Kubernetes. It also supports various secret engines management, policy management in the Kubernetes native way.

In this post, we are going to highlight the major changes. You can find the complete commit by commit changelog here .

What’s new in this release?

  • JWT/OIDC Authentication Method

    The JWT auth method can be used to authenticate with Vault using OIDC or by providing a JWT. The OIDC method allows authentication via a configured OIDC Provider using the user’s web browser. This method may be initiated from the Vault UI or the command line. Alternatively, a JWT can be provided directly.

    While deploying the VaultServer it’s possible to define the list of auth methods users want to enable with it.

    A VaultServer yaml may look like this:

      apiVersion: kubevault.com/v1alpha2
  kind: VaultServer
  metadata:
    name: vault
    namespace: demo
  spec:
    version: 1.10.3
    replicas: 3
    authMethods:
      - type: jwt
        path: jwt
        jwtConfig:
          defaultLeaseTTL: 1h
          defaultRole: k8s.kubevault.com.demo.reader-writer-role
          oidcClientID: aFSrk3w06WsQqyjA30HvhbbJIR1VBidU
          oidcDiscoveryURL: https://dev-tob49v6v.us.auth0.com/
          credentialSecretRef:
            name: jwt-cred
    backend:
      raft:
        storage:
          storageClassName: "standard"
          resources:
            requests:
              storage: 1Gi
    unsealer:
      secretShares: 3
      secretThreshold: 2
      mode:
        kubernetesSecret:
          secretName: vault-keys

    • .spec.authMethods.type is a required field, the type of authentication method we want to enable.

    • .spec.authMethods.path is a required field, the path where we want to enable this authentication method.

    • .spec.authMethods.jwtConfig / .spec.authMethods.oidcConfig contains various configuration for this authentication method. Some of the parameters are: defaultLeaseTTL, maxLeaseTTL, pluginName, credentialSecretRef, tlsSecretRef, oidcDiscoveryURL, oidcClientID, oidcResponseMode, defaultRole, providerConfig, etc. Check out this for more details. After an authentication method is successfully enabled, KubeVault operator will configure it with the provided configuration.

      After successfully enabling & configuring authentication methods, a VaultServer .status.authMethodStatus may look like this:

      status:
  authMethodStatus:
  - path: jwt
    status: EnableSucceeded
    type: jwt
  - path: kubernetes
    status: EnableSucceeded
    type: kubernetes

      We can verify it using the Vault CLI:

      $ vault auth list

Path           Type          Accessor                    Description
----           ----          --------                    -----------
jwt/           jwt           auth_jwt_ba23cc30           n/a
kubernetes/    kubernetes    auth_kubernetes_40fd86fd    n/a
token/         token         auth_token_950c8b80         token based credentials

  • MariaDB SecretEngine

    Now, MariaDB SecretEngine can be enabled, configured & MariaDBRole can also be created with KubeVault. Here’s a sample yaml for MariDB SecretEngine & MariaDBRole:

    apiVersion: engine.kubevault.com/v1alpha1
kind: SecretEngine
metadata:
  name: mariadb-engine
  namespace: demo
spec:
  vaultRef:
    name: vault
    namespace: demo
  mariadb:
    databaseRef:
      name: mariadb
      namespace: db
    pluginName: "mysql-database-plugin"

    apiVersion: engine.kubevault.com/v1alpha1
kind: MariaDBRole
metadata:
  name: mariadb-role
  namespace: dev
spec:
  secretEngineRef:
    name: mariadb-engine
  creationStatements:
    - "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';"
    - "GRANT CREATE, SELECT, INSERT ON *.* TO '{{name}}'@'%';"
  revocationStatements:
    - "DROP USER '{{name}}'@'%';" 
  defaultTTL: 3h
  maxTTL: 24h

  • Merge secrets using KubeVault CLI

    Now, you can merge two Kubernetes Secrets using KubeVault CLI.

    # merge two secret name1 & name2 from ns1 & ns2 namespaces respectively
$ kubectl vault merge-secrets --src=<ns1>/<name1> --dst=<ns2>/<name2>

# --overwrite-keys flag will overwrite keys in destination if set to true.
$ kubectl vault merge-secrets --src=<ns1>/<name1> --dst=<ns2>/<name2> --overwrite-keys=true

$ kubectl vault merge-secrets --src=demo/src-secret --dst=demo/dest-cred

What’s Next?

Please try the latest release and give us your valuable feedback.

  • If you want to install KubeVault, please follow the installation instruction from here .

Support

To speak with us, please leave a message on our website .

To receive product announcements, follow us on Twitter .

If you have found a bug with KubeVault or want to request new features, please file an issue .

TAGS

cli hashicorp kubernetes kubevault kubevault-cli secret-management security vault

Get Up and Running Quickly

Deploy, manage, upgrade Kubernetes on any cloud and automate deployment, scaling, and management of containerized applications.

CONTACT US