Configure Vault for ActiveMQ

Applying this configuration requires a redeployment (pod restart) of ActiveMQ.

1. Vault Setup

cd CX-4.10.5/kubernetes
helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace vault
kubectl -n vault exec -it vault-0 -- sh

Create a KV-v2 secret in Vault:

Note: If the kv mount does not already exist, create it first with the command below.

vault secrets enable -path=kv kv-v2
vault kv put kv/activemq/broker \
    activemq.username=admin \
    activemq.password=Expertflow123

Verify:

vault kv get kv/activemq/broker

Write policy for the role

vault policy write ef-policy - <<EOF
path "/transit/export/*" {
  capabilities = ["read"]
}
path "database/creds/*" {
  capabilities = ["read"]
}
path "kv/data/activemq/broker" {
  capabilities = ["read"]
}
path "kv/data/redis" {
  capabilities = ["read"]
}
EOF

Attach policy to the role

vault write auth/approle/role/expertflow policies="ef-policy"

2. Vault Role for Kubernetes Authentication

Create a policy for Kubernetes role in Vault:

vault policy write activemq-kv - <<EOF
path "kv/data/activemq/broker" {
  capabilities = ["read"]
}
EOF

Create a Kubernetes role in Vault:

vault auth enable kubernetes
vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://kubernetes.default.svc:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/expertflow \
    bound_service_account_names=default \
    bound_service_account_namespaces=ef-external \
    policies=activemq-kv \
    ttl=87600h
exit

3. Apply SecretProviderClass, ClusterRole and ClusterRoleBinding

kubectl apply -f pre-deployment/activemq-vault
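For reference, a SecretProviderClass of the shape step 3 applies, together with the CSI volume stanza the ActiveMQ pod needs. This is an added example, not the contents of pre-deployment/activemq-vault; the role, namespace and KV path match the setup above, while the Vault address, resource name and object names are assumptions.

```yaml
# Added example, not the project's pre-deployment/activemq-vault manifest.
# Assumed: Vault reachable in-cluster at http://vault.vault:8200 and the
# Kubernetes auth method mounted at the default path "kubernetes".
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: activemq-vault            # assumed name
  namespace: ef-external          # namespace bound in the Vault role
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault:8200"    # assumption
    roleName: "expertflow"                     # auth/kubernetes/role/expertflow
    vaultKubernetesMountPath: "kubernetes"     # mount created by 'vault auth enable kubernetes'
    objects: |
      - objectName: "activemq-username"        # file name created under the mount
        secretPath: "kv/data/activemq/broker"  # KV-v2 data path, as in the policy
        secretKey: "activemq.username"
      - objectName: "activemq-password"
        secretPath: "kv/data/activemq/broker"
        secretKey: "activemq.password"
---
# Volume stanza for the ActiveMQ pod spec. The pod must run under the
# "default" service account in ef-external, because that is what the
# Vault role binds (bound_service_account_names / namespaces above).
volumes:
  - name: vault-secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "activemq-vault"
```

Mount the volume read-only in the container; the two objects appear as files named after objectName, so the credentials never need to be written into a ConfigMap or the pod spec.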

4. Deploy / Restart Pods

kubectl delete pod -n vault <vault-csi-provider-pod>
# Restart the ActiveMQ pod
kubectl delete pod -n ef-external <activemq-pod>