directions to follow
https://apavankumar.medium.com/hashicvault-secrets-in-kubernetes-with-csi-driver-ec917d4a2672
1. Deploy Vault, then configure it from inside the pod. The `vault login root` below assumes the root token is literally `root`, i.e. a dev-mode install; in dev mode storage is in-memory and everything is lost on restart, so this sequence is for a lab only.
$ kubectl exec -it vault-0 -- /bin/sh
$ vault login root
$ vault secrets enable -version=1 kv
$ vault auth enable kubernetes
$ vault write auth/kubernetes/config token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
$ vault policy write kv_policy - <<EOF
path "kv/*" {
capabilities = ["read"]
}
EOF
$ vault write auth/kubernetes/role/csi-kv \
bound_service_account_names=csi-sa \
bound_service_account_namespaces=default \
policies=kv_policy \
ttl=20m
Two things to check here: the policy grants read on every path under kv/, so narrow it to the paths the SecretProviderClass actually reads (kv/app and kv/db) once the flow works; and the role only issues tokens for ServiceAccount csi-sa in namespace default, so the consuming pod must run as that account, and pods in any other namespace need that namespace added to bound_service_account_namespaces.
## Put some sample data
$ vault kv put kv/db password=password
$ vault kv put kv/app user=admin
Create a SecretProviderClass that maps the values written above to files the CSI driver will mount:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-user-creds
spec:
  provider: vault
  parameters:
    roleName: 'csi-kv'
    vaultAddress: 'http://vault:8200' # use the service that is made by vault
    objects: |
      - objectName: "user"
        secretPath: "kv/app"
        secretKey: "user"
      - objectName: "password"
        secretPath: "kv/db"
        secretKey: "password"
Notes: secretPath values are kv v1 paths, matching `-version=1` above (a v2 mount would need kv/data/app); on secrets-store CSI driver 1.0+ the API version is secrets-store.csi.x-k8s.io/v1 and v1alpha1 is deprecated; and http://vault:8200 carries the pod's service-account JWT and the returned secrets in plaintext across the cluster network, so enable TLS on the Vault listener and switch to https:// for anything beyond a lab.
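The notes never show the consumer side, which is where most mount failures surface. The following is an added example, not from the original notes or the linked article: the ServiceAccount the Vault role is bound to and a pod that mounts vault-user-creds. The pod name kv-demo, the busybox image and the mount path /mnt/secrets-store are assumptions.

```yaml
# Added example: consumer of the SecretProviderClass above.
# Assumed names: pod kv-demo, mount path /mnt/secrets-store.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-sa            # must match bound_service_account_names in the Vault role
  namespace: default      # must match bound_service_account_namespaces
---
apiVersion: v1
kind: Pod
metadata:
  name: kv-demo
  namespace: default
spec:
  serviceAccountName: csi-sa   # the Vault CSI provider logs in with this account's token
  containers:
  - name: app
    image: busybox:1.36
    # list the files only; never cat secrets into container logs
    command: ["sh", "-c", "ls -l /mnt/secrets-store && sleep 3600"]
    volumeMounts:
    - name: vault-creds
      mountPath: /mnt/secrets-store
      readOnly: true
  volumes:
  - name: vault-creds
    csi:
      driver: secrets-store.csi.x-k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: vault-user-creds
```

Each objectName becomes a file: /mnt/secrets-store/user holds admin and /mnt/secrets-store/password holds password, which you can confirm with `kubectl exec kv-demo -- cat /mnt/secrets-store/user`. If the pod stays in ContainerCreating, `kubectl describe pod kv-demo` shows the MountVolume.SetUp error from the provider; the usual causes are a roleName that does not exist, a pod running as a ServiceAccount or namespace the role does not bind, or a secretPath the policy does not cover.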
2. Deploy the secrets-store CSI driver and the Vault CSI provider. The SecretProviderClass CRD is installed by the driver, so this has to be in place before the manifest above is applied.
3. Deploy the Tailscale operator: https://tailscale.com/kb/1236/kubernetes-operator. It needs an OAuth client_id and client_secret; rather than pasting them into a plain Kubernetes Secret, store them in Vault and expose them through a SecretProviderClass. The operator reads them from a Kubernetes Secret, not from a mounted volume, so the SecretProviderClass needs a secretObjects section to sync the mounted files into that Secret, and the driver only performs that sync while some pod mounts the volume.
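Step 3 says to expose the Tailscale OAuth credentials from Vault. Below is an added example of what that looks like with the CSI driver's secretObjects sync; it is not from the notes, the article or Tailscale's own manifests. Assumptions: the credentials were written with `vault kv put kv/tailscale client_id=... client_secret=...`; the operator runs in namespace tailscale and reads a Secret named operator-oauth with keys client_id and client_secret (check the name against the operator manifest you deploy); Vault's service lives in namespace default; the driver was installed with syncSecret.enabled=true; and the Vault role was widened with `vault write auth/kubernetes/role/csi-kv bound_service_account_names=csi-sa bound_service_account_namespaces=default,tailscale policies=kv_policy ttl=20m`.

```yaml
# Added example. Assumed: Vault path kv/tailscale, namespace tailscale,
# target Secret operator-oauth, driver installed with syncSecret.enabled=true.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: tailscale-oauth
  namespace: tailscale
spec:
  provider: vault
  parameters:
    roleName: 'csi-kv'
    vaultAddress: 'http://vault.default:8200'   # cross-namespace, so the service name needs its namespace
    objects: |
      - objectName: "client_id"
        secretPath: "kv/tailscale"
        secretKey: "client_id"
      - objectName: "client_secret"
        secretPath: "kv/tailscale"
        secretKey: "client_secret"
  # The driver creates this Secret when a pod mounts the volume and
  # removes it again when the last such pod is gone.
  secretObjects:
  - secretName: operator-oauth
    type: Opaque
    data:
    - objectName: client_id
      key: client_id
    - objectName: client_secret
      key: client_secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-sa
  namespace: tailscale
---
# Holder pod: exists only so the mount, and therefore the sync, happens.
apiVersion: v1
kind: Pod
metadata:
  name: tailscale-oauth-sync
  namespace: tailscale
spec:
  serviceAccountName: csi-sa
  containers:
  - name: pause
    image: registry.k8s.io/pause:3.9
    volumeMounts:
    - name: oauth
      mountPath: /mnt/secrets-store
      readOnly: true
  volumes:
  - name: oauth
    csi:
      driver: secrets-store.csi.x-k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: tailscale-oauth
```

Apply this before the operator so operator-oauth already exists when the operator's deployment starts; otherwise its pod waits in ContainerCreating on the missing Secret. Verify with `kubectl -n tailscale get secret operator-oauth -o jsonpath='{.data}'` before installing the operator. Deleting the holder pod deletes the synced Secret, so keep it running for as long as the operator is deployed.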