Setting up the Kubernetes auth backend on Vault. I did this by running a Vault server in dev mode in minikube. The files referenced in the commands below are included as the other files in this gist.
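# Dev-mode Vault is in-memory and starts unsealed with the root token fixed by
# -dev-root-token-id; everything configured below is lost if the pod restarts.
# -dev-listen-address is needed because dev mode binds to 127.0.0.1 by default.
kubectl create namespace vault-ns
kubectl --namespace=vault-ns run vault --image=vault --port=8200 -- vault server -dev -dev-listen-address=0.0.0.0:8200 -dev-root-token-id=root-token
# NOTE(review): on newer kubectl, `run` creates a bare Pod rather than a Deployment;
# if `expose deployment` / `logs deployment/vault` fail, target `pod/vault` instead.
kubectl --namespace=vault-ns expose deployment vault --type=NodePort --port=80 --target-port=8200
minikube service --namespace vault-ns vault --url
# Assign first, export second, so a failing `minikube service` is not masked
# by the always-successful `export`.
VAULT_ADDR="$(minikube service --namespace vault-ns vault --url)"
export VAULT_ADDR VAULT_TOKEN=root-token
# Audit to stdout so the pod log shows every request made during the setup.
vault audit enable file file_path=stdout
# You can open up another terminal to tail the Vault audit logs if you need help debugging anything
kubectl --namespace=vault-ns logs -f deployment/vault
# Ctrl-C to exit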
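# The manifest is expected to create the vault-auth ServiceAccount (and, presumably,
# bind it to the system:auth-delegator ClusterRole so it may call TokenReview — confirm).
kubectl --namespace=vault-ns apply -f ./vault-auth-service-account.yaml
# Name of the auto-generated token Secret for the vault-auth ServiceAccount.
# NOTE(review): Kubernetes 1.24+ no longer auto-creates this Secret; if this
# comes back empty, create a service-account token Secret explicitly.
vault_auth_secret_name="$(kubectl --namespace=vault-ns get serviceaccount vault-auth -o jsonpath="{.secrets[*]['name']}")"
export vault_auth_secret_name
# This JWT is the long-lived credential Vault uses as token reviewer. The secret
# name is quoted, and the token is checked for presence rather than printed so
# it does not end up in terminal scrollback or session logs.
vault_auth_token="$(kubectl --namespace=vault-ns get secret "$vault_auth_secret_name" -o jsonpath="{.data.token}" | base64 --decode)"
export vault_auth_token
[ -n "$vault_auth_token" ] || echo "vault-auth token is empty; check the secret name above" >&2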
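vault auth enable kubernetes
# Vault runs in-cluster, so it reaches the API server through the in-cluster
# DNS name; the minikube CA cert lets it verify the API server's TLS certificate.
# `@path` tells the Vault CLI to read the value from a file; the path is quoted.
vault write auth/kubernetes/config \
  kubernetes_host=https://kubernetes.default.svc \
  kubernetes_ca_cert="@${HOME}/.minikube/ca.crt" \
  token_reviewer_jwt="${vault_auth_token}"
vault read auth/kubernetes/config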
# Load the example policy from this gist and print back what Vault stored.
vault policy write admin - < ./admin-policy.hcl
vault policy read admin
# Normally you would not grant "admin" permissions to an app in Vault,
# but I'm just using this policy as an example
# Only JWTs of ServiceAccount some-k8s-app in namespace some-k8s-app can log
# in to this role; the resulting tokens get the admin policy for 4h.
vault write auth/kubernetes/role/some-k8s-app bound_service_account_names=some-k8s-app bound_service_account_namespaces=some-k8s-app policies=admin ttl=4h
vault read auth/kubernetes/role/some-k8s-app
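kubectl create namespace some-k8s-app
kubectl --namespace=some-k8s-app create serviceaccount some-k8s-app
# Interactive client pod running as the bound ServiceAccount. --rm deletes the
# pod when the shell exits so no stray pod keeps the SA token mounted.
# VAULT_ADDR uses port 80 because the Service above maps 80 -> 8200.
# NOTE(review): newer kubectl removed `--serviceaccount` from `run`; there use
# --overrides='{"spec":{"serviceAccountName":"some-k8s-app"}}' instead.
kubectl --namespace=some-k8s-app run -i -t --rm "vault-client-${RANDOM}" \
  --image=vault \
  --env="VAULT_ADDR=http://vault.vault-ns" \
  --restart=Never \
  --serviceaccount='some-k8s-app' -- \
  /bin/sh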
# Everything from here runs inside the vault-client pod's /bin/sh.
# Paste the agent config from this gist; the sink it defines is expected to
# write the Vault token to /var/vault-token (read below).
vi /var/vault-agent-config.hcl
vault agent -config=/var/vault-agent-config.hcl -log-level=debug
# Ctrl-C to exit
# Pick up the token the agent sink wrote. `cat` is kept on purpose: the image's
# /bin/sh is not bash, so $(< file) is not available.
VAULT_TOKEN="$(cat /var/vault-token)"
export VAULT_TOKEN
vault token lookup # should show the token is from a Kubernetes login
vault secrets list # should successfully authenticate to Vault server