Configure Vault for ActiveMQ
This deployment requires redeployment of ActiveMQ
1. Vault Setup
CODE
cd CX-4.10.5/kubernetes
CODE
helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace vault
CODE
kubectl -n vault exec -it vault-0 -- shCreate a KV-v2 secret in Vault:
CODE
vault secrets enable -path=kv kv-v2
CODE
vault kv put kv/activemq/broker \
activemq.username=admin \
activemq.password=Expertflow123Verify:
CODE
vault kv get kv/activemq/brokerWrite policy for the role
CODE
vault policy write ef-policy - <<EOF
path "/transit/export/*" {
capabilities = ["read"]
}
path "database/creds/*" {
capabilities = ["read"]
}
path "kv/data/activemq/broker" {
capabilities = ["read"]
}
EOFAttach policy to the role
CODE
vault write auth/approle/role/expertflow policies="ef-policy"2. Vault Role for Kubernetes Authentication
Create a policy for Kubernetes role in Vault:
CODE
vault policy write activemq-kv - <<EOF
path "kv/data/activemq/broker" {
capabilities = ["read"]
}
EOFCreate a Kubernetes role in Vault:
CODE
vault auth enable kubernetes
CODE
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://kubernetes.default.svc:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
CODE
vault write auth/kubernetes/role/expertflow \
bound_service_account_names=default \
bound_service_account_namespaces=ef-external \
policies=activemq-kv \
ttl=87600h
CODE
exit3. Apply SecretProviderClass, ClusterRole and ClusterRoleBinding
CODE
kubectl apply -f pre-deployment/activemq-vault4. Deploy / Restart Pods
CODE
kubectl delete pod -n vault <vault-csi-provider-pod>
CODE
# Restart ActiveMQ pod
kubectl delete pod -n ef-external <activemq-pod>