Vault Implementation on Expertflow CX
Step 1: Clone the Expertflow CX repository
git clone -b CX-4.5-vault https://efcx:RecRpsuH34yqp56YRFUb@gitlab.expertflow.com/cim/cim-solution.git
Step 2: Create Namespace
Create a namespace
vault
for all Expertflow components
Run the following command on the control-plane node.
kubectl create namespace vault
Step 3: Apply TLS certificates
Apply TLS certificates using the following commands.
cd cim-solution/kubernetes/vault
kubectl apply -f tls/tls-ca.yaml
kubectl apply -f tls/tls-server-vault.yaml
kubectl apply -f tls/tls-server-client.yaml
Step 4: Deploy Vault with Container Storage Interface (CSI)
Deploy Vault from the vault/ chart directory, using the CSI-integrated values file, with the following command.
helm install vault vault/ -n vault --values vault/csi-integrated.yaml
Step 5: Initialize and unseal Vault
Initialize and unseal Vault by following this document: https://expertflow-docs.atlassian.net/wiki/x/eQCLDw
Step 6: Set secrets in Vault
To store the secrets in Vault, open a shell in the vault-0 pod and log in.
kubectl -n vault exec -it vault-0 -- sh
vault login
When prompted, enter the root token that was generated during Vault initialization.
Enable the Kubernetes auth method and point it at the cluster's API server, using the pod's own service account token and CA certificate.
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
issuer="https://kubernetes.default.svc.cluster.local"
Enable the key/value secrets engine, version 2 (kv-v2), at the path secret/:
vault secrets enable -path=secret -version=2 kv-v2
Then write one secret per component, replacing each <placeholder> with the real value.
For Keycloak:-
vault kv put secret/vault-external password=<password> admin-password=<admin-password>
For Postgres:-
vault kv put secret/postgresql postgres-password=<admin password> password=<password for sa user>
For Minio:-
vault kv put secret/minio root-password=<root password> root-user=minioadmin
For Grafana:-
vault kv put secret/external user=efuser password=<password>
For Mongodb:-
vault kv put secret/mongodb mongodb-root-password=<root password>
For Redis (the command shown writes to the MongoDB path; use the secret path and key that the Redis SecretProviderClass references):-
vault kv put secret/mongodb mongodb-root-password=<root password>
For Expertflow Components:-
vault kv put secret/ef-connection-env ACTIVEMQ_PASSWORD=<activemq-admin-password> ACTIVEMQ_USERNAME=admin KEYCLOAK_PASSWORD_ADMIN=<keycloak-admin-password> KEYCLOAK_USERNAME_ADMIN=admin MONGODB_PASSWORD=<Mongodb-root-password> MONGODB_USERNAME=root REDIS_PASSWORD=<Redis-root-password> REDIS_SENTINEL_PASSWORD=Expertflow123 REDIS_SENTINEL_MASTER=expertflow
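The commands above only succeed or fail; they do not tell you whether every key a component needs is present or whether a <placeholder> was left unreplaced. The following added example (not part of the original page or the Expertflow CX repository) audits the JSON output of vault kv get -format=json for each secret against the key names used in the commands above; the sample outputs embedded in it are constructed, not captured from a real cluster.

```python
import json
import re

# Keys each secret must carry, taken from the vault kv put commands above.
REQUIRED_KEYS = {
    "secret/vault-external": {"password", "admin-password"},
    "secret/postgresql": {"postgres-password", "password"},
    "secret/minio": {"root-password", "root-user"},
    "secret/external": {"user", "password"},
    "secret/mongodb": {"mongodb-root-password"},
    "secret/ef-connection-env": {
        "ACTIVEMQ_PASSWORD", "ACTIVEMQ_USERNAME",
        "KEYCLOAK_PASSWORD_ADMIN", "KEYCLOAK_USERNAME_ADMIN",
        "MONGODB_PASSWORD", "MONGODB_USERNAME",
        "REDIS_PASSWORD", "REDIS_SENTINEL_PASSWORD", "REDIS_SENTINEL_MASTER",
    },
}

# A value that still looks like an unreplaced <placeholder> from the docs.
PLACEHOLDER = re.compile(r"^<[^>]*>$")


def audit_secret(path, kv_get_output):
    """Return a list of findings for one kv-v2 secret.

    kv_get_output is the parsed JSON from `vault kv get -format=json <path>`;
    for kv-v2 the key/value pairs live under data.data, next to data.metadata.
    """
    data = kv_get_output.get("data", {}).get("data", {})
    findings = []
    for key in sorted(REQUIRED_KEYS.get(path, set()) - set(data)):
        findings.append(f"{path}: missing key '{key}'")
    for key, value in sorted(data.items()):
        if not isinstance(value, str) or value == "":
            findings.append(f"{path}: key '{key}' is empty")
        elif PLACEHOLDER.match(value):
            findings.append(f"{path}: key '{key}' still holds placeholder {value}")
    return findings


def audit_all(outputs):
    """Audit a mapping of secret path -> parsed kv get output, and also
    report any required secret that was never written."""
    findings = []
    for path in REQUIRED_KEYS:
        if path not in outputs:
            findings.append(f"{path}: secret not found")
    for path, output in outputs.items():
        findings.extend(audit_secret(path, output))
    return findings


# Constructed sample outputs (not captured from a real cluster).
SAMPLE_POSTGRES_OK = json.loads("""
{"request_id": "00000000-0000-0000-0000-000000000000",
 "data": {"data": {"postgres-password": "s3cr3t-admin", "password": "s3cr3t-sa"},
          "metadata": {"version": 1, "destroyed": false}}}
""")

# Missing the sa-user password and still carrying the doc placeholder.
SAMPLE_POSTGRES_BAD = json.loads("""
{"request_id": "00000000-0000-0000-0000-000000000000",
 "data": {"data": {"postgres-password": "<admin password>"},
          "metadata": {"version": 1, "destroyed": false}}}
""")

if __name__ == "__main__":
    for finding in audit_secret("secret/postgresql", SAMPLE_POSTGRES_BAD):
        print(finding)
```

In practice you would feed the script the real output of vault kv get -format=json secret/<name> for each path in REQUIRED_KEYS, run from inside the vault-0 shell where you are already logged in; the audit reads values only to test their shape and never prints them.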
Step 7: Verify secrets stored in Vault
To read the value of a stored secret:-
vault kv get secret/<secret name>
The output lists the secret's metadata (version, creation time) followed by its key/value data.
Step 8: Create a Policy
Create a policy named ef-policy. It will be used to give the default service account permission to read the kv secrets created earlier.
vault policy write ef-policy - <<EOF
path "secret/data/*" {
capabilities = ["read"]
}
EOF
kv-v2 requires the additional path element data after the mount path (in this case, secret/), so the policy must name secret/data/* rather than secret/* for reads of the secret values to be permitted.
Step 9: Create Authentication Role
Create a Kubernetes authentication role named database that binds this policy to the service account named default in the expertflow and ef-external namespaces. Note that every pod in those namespaces running as the default service account can then obtain a Vault token with ef-policy, so keep the policy scoped to the secret paths those components actually need.
vault write auth/kubernetes/role/database \
bound_service_account_names=default \
bound_service_account_namespaces="expertflow,ef-external" \
policies=ef-policy \
ttl=24h
Successful output:
Success! Data written to: auth/kubernetes/role/database
Step 10: Install the Secrets Store CSI driver
Run the following command to install the CSI driver from the Helm chart in the secrets-store-csi-driver directory.
helm install csi secrets-store-csi-driver/ --set syncSecret.enabled=true --set linux.kubeletRootDir=/opt/rke/var/lib/kubelet -n vault
Step 11: Apply SecretProviderClass For All Secrets
Apply all SecretProviderClass manifests using the following command:-
kubectl apply --filename SecretProviderClass/
Step 12: Deploy Expertflow CX
Deploy Expertflow CX by following this document: https://expertflow-docs.atlassian.net/wiki/x/gZQm