Add and update the Helm repository

```shell
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
```
Install Vault

Create the vault-values.yaml file (dev mode runs Vault in-memory, already unsealed, with the root token fixed to the value of devRootToken)

```yaml
server:
  dev:
    enabled: true
    devRootToken: "root"
  logLevel: debug
ui:
  enabled: true
  serviceType: "LoadBalancer"
  externalPort: 8200
injector:
  enabled: "false"
```

```shell
helm install vault hashicorp/vault -n vault --create-namespace --values vault-values.yaml
```
Install the Vault Secrets Operator

Create the vso-values.yaml file

```yaml
defaultVaultConnection:
  enabled: true
  address: http://vault:8200
  skipTLSVerify: false
spec:
  template:
    spec:
      containers:
        - name: manager
          args:
            - "--client-cache-persistence-model=direct-encrypted"
```

```shell
helm install vault-secrets-operator hashicorp/vault-secrets-operator -n vault -f vso-values.yaml
```
Define a static secret for the Vault Secrets Operator

Enter the Vault pod, enable a secrets engine (KV version 2), and add a secret

```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- /bin/sh
vault secrets enable -path vso-test -version=2 kv
vault kv put vso-test/secret test="password"
vault kv get vso-test/secret
```
Configure the Kubernetes Auth Method

Enable and configure the Kubernetes Auth Method

```shell
vault auth enable kubernetes
vault write auth/kubernetes/config kubernetes_host="https://kubernetes.default.svc.cluster.local"
```
Write the Vault policy

Because the engine was enabled as KV version 2, the policy must grant read on the API path with the `data/` segment (`vso-test/data/secret`), not on the CLI path `vso-test/secret`.

```shell
vault policy write vso-policy - <<EOF
path "vso-test/data/secret" {
  capabilities = ["read"]
}
EOF
```
Create the Service Account and configure the role

Create the Service Account (in the default namespace, which the role below binds to)

```shell
kubectl create sa vso-sa
```

Enter the Vault pod and configure the role

```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- /bin/sh
vault write auth/kubernetes/role/vso \
  bound_service_account_names=vso-sa \
  bound_service_account_namespaces=default \
  policies=vso-policy \
  ttl=5m
```
Configure the Vault CRDs (VaultAuth, VaultStaticSecret)

Configure VaultAuth

```shell
kubectl apply -f - <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: static-auth
  namespace: default
spec:
  kubernetes:
    audiences:
      - vault
    role: vso
    serviceAccount: vso-sa
    tokenExpirationSeconds: 600
  method: kubernetes
  mount: kubernetes
EOF
```

Configure VaultStaticSecret

```shell
kubectl apply -f - <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vault-kv
  namespace: default
spec:
  type: kv-v2
  mount: vso-test
  path: secret
  destination:
    name: vsosecret
    create: true
  refreshAfter: 30s
  vaultAuthRef: static-auth
EOF
```
Verify and update the secret

Verify the secret

```shell
kubectl get secrets
kubectl get secret vsosecret -o jsonpath='{.data.test}' | base64 -d
```

Update the secret (the synced Kubernetes Secret picks up the new value within the 30s refreshAfter interval)

```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- /bin/sh
vault kv put vso-test/secret test="password2"
kubectl get secret vsosecret -o jsonpath='{.data.test}' | base64 -d
```
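The steps above chain four objects together: the Vault Kubernetes auth role, the Vault policy, the VaultAuth resource and the VaultStaticSecret resource. A mismatch anywhere in that chain (wrong service account or namespace on the role, a policy on the CLI path instead of the KV v2 `data/` path, a `vaultAuthRef` pointing at a VaultAuth in another namespace) shows up only as a "permission denied" in the operator logs or as a Secret that never appears. The following pre-flight checker is an added example, not code from the walkthrough or from HashiCorp; the dictionaries are constructed copies of the page's role, policy and manifests, and the sample `kubectl get secret -o json` document is likewise constructed.

```python
"""Pre-flight consistency check for the Vault Secrets Operator wiring.

Added example: the dictionaries mirror the Vault role, policy, VaultAuth and
VaultStaticSecret from the walkthrough (constructed, not read from a cluster).
check_wiring() reports the mismatches that typically surface as "permission
denied" or as a VaultStaticSecret that never syncs.
"""
import base64
import copy
import json

# Vault side: the role and policy written inside the vault-0 pod.
VAULT_ROLE = {
    "name": "vso",
    "bound_service_account_names": ["vso-sa"],
    "bound_service_account_namespaces": ["default"],
    "policies": ["vso-policy"],
}
VAULT_POLICY = {
    "name": "vso-policy",
    # path -> capabilities, as in the HCL policy document
    "paths": {"vso-test/data/secret": ["read"]},
}

# Kubernetes side: the two custom resources applied with kubectl.
VAULT_AUTH = {
    "metadata": {"name": "static-auth", "namespace": "default"},
    "spec": {
        "method": "kubernetes",
        "mount": "kubernetes",
        "kubernetes": {"role": "vso", "serviceAccount": "vso-sa", "audiences": ["vault"]},
    },
}
VAULT_STATIC_SECRET = {
    "metadata": {"name": "vault-kv", "namespace": "default"},
    "spec": {
        "type": "kv-v2",
        "mount": "vso-test",
        "path": "secret",
        "destination": {"name": "vsosecret", "create": True},
        "vaultAuthRef": "static-auth",
    },
}


def kv_policy_path(mount: str, path: str, kv_type: str) -> str:
    """Return the API path a policy must grant for a KV secret.

    The CLI writes to vso-test/secret, but a KV v2 engine serves the data at
    <mount>/data/<path>; a policy on vso-test/secret alone does not grant reads.
    """
    if kv_type == "kv-v2":
        return f"{mount}/data/{path}"
    return f"{mount}/{path}"


def check_wiring(role, policy, vault_auth, static_secret) -> list:
    """Return human-readable problems; an empty list means the chain is consistent."""
    problems = []
    k8s = vault_auth["spec"]["kubernetes"]
    ss_spec = static_secret["spec"]
    auth_ns = vault_auth["metadata"]["namespace"]

    # VaultStaticSecret -> VaultAuth: same name, same namespace
    if ss_spec["vaultAuthRef"] != vault_auth["metadata"]["name"]:
        problems.append("vaultAuthRef does not match the VaultAuth name")
    if static_secret["metadata"]["namespace"] != auth_ns:
        problems.append("VaultStaticSecret and VaultAuth are in different namespaces")

    # VaultAuth -> Vault Kubernetes auth role: role name and bound SA/namespace
    if k8s["role"] != role["name"]:
        problems.append(f"VaultAuth role {k8s['role']!r} is not the Vault role {role['name']!r}")
    if k8s["serviceAccount"] not in role["bound_service_account_names"]:
        problems.append(f"service account {k8s['serviceAccount']!r} is not bound to the role")
    if auth_ns not in role["bound_service_account_namespaces"]:
        problems.append(f"namespace {auth_ns!r} is not bound to the role")

    # role -> policy -> KV path (with the kv-v2 data/ segment)
    if policy["name"] not in role["policies"]:
        problems.append(f"policy {policy['name']!r} is not attached to the role")
    needed = kv_policy_path(ss_spec["mount"], ss_spec["path"], ss_spec["type"])
    if "read" not in policy["paths"].get(needed, []):
        problems.append(f"policy does not grant read on {needed!r}")
    return problems


def decode_synced_secret(secret_json: str) -> dict:
    """Decode the data of a `kubectl get secret vsosecret -o json` document."""
    doc = json.loads(secret_json)
    return {k: base64.b64decode(v).decode() for k, v in doc.get("data", {}).items()}


# Constructed sample of what kubectl returns once the secret has synced.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "vsosecret", "namespace": "default"},
    "data": {"test": base64.b64encode(b"password").decode()},
})

if __name__ == "__main__":
    print("problems:", check_wiring(VAULT_ROLE, VAULT_POLICY, VAULT_AUTH, VAULT_STATIC_SECRET))
    broken = copy.deepcopy(VAULT_POLICY)
    broken["paths"] = {"vso-test/secret": ["read"]}  # common mistake: CLI path in a kv-v2 policy
    print("problems:", check_wiring(VAULT_ROLE, broken, VAULT_AUTH, VAULT_STATIC_SECRET))
    print(decode_synced_secret(SAMPLE_SECRET_JSON))
```

Run it as a script: the first call reports no problems for the page's configuration, the second shows how a policy written on the CLI path is rejected, and the last line decodes the synced Secret the same way the `jsonpath` plus `base64 -d` command does. To check a real cluster, replace the constructed dictionaries with the output of `vault read auth/kubernetes/role/vso`, `vault policy read vso-policy` and `kubectl get vaultauth,vaultstaticsecret -o json`.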