Configure the Secret Engine on Vault Server UI

1. Creation of Kubernetes Auth Method for 1001-myapp project

1.1 Getting the kube-apiserver Service Example

echo "https://$(kubectl get service kubernetes -o jsonpath='{.spec.clusterIP}'):443"
#https://192.168.194.129:443

1.2 Getting the Kubernetes CA Example

kubectl config view --minify --flatten -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d

1.3 Create the Kubernetes Authentication

1.4 Add Access Role of Kubernetes Authentication

2. Creation of kv Secret Engine for 1001-myapp project

2.1 Enable a Secrets Engine

2.2 Add the Redis Secrets

3. Creation of database Secret Engine for 1001-myapp project

3.1 Enable a Secret Engine

3.2 Add the PostgreSQL Connection

• postgres://{{username}}:{{password}}@10.0.0.101:35432/postgres?sslmode=disable

3.3 Add the Access Role of PostgreSQL Connection

• Type of role: dynamic
  • 不建议使用，因为应用 Pod 每次重启即 vault-agent 读取时，valut-server 都会执行 SQL 创建用户(如v-root-postgres-YJHMS2hgaCnPFY66OTvg-1732417427), 虽然会在 TTL 后删除，但任然存在创建大量 PG 用户的风险。

• Equlevent to Create the dynamic role by Vault CLI

kubectl -n vault-system exec -ti vault-0 -- sh

export VAULT_TOKEN='hvs.tpsp0fqKX6weEqy3d0sOpgsh'

# Setup the allowed roles. (Note: Will auto update the PG user 'vault_user' to hash password)
vault write database/1001-myapp/config/postgresql \
    allowed_roles="postgresql-dynamic" \
    plugin_name="postgresql-database-plugin" \
    connection_url="postgres://{{username}}:{{password}}@10.0.0.101:35432/postgres?sslmode=disable" \
    username="vault_user" \
    password="123456"
#Success! Data written to: database/1001-myapp/config/postgresql

# Create the dynamic role.
vault write database/1001-myapp/roles/postgresql-dynamic \
  db_name=postgresql \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl='1h' \
  max_ttl='24h'

# Check the getting configuration.
vault read database/1001-myapp/config/postgresql
#Key                                   Value
#---                                   -----
#allowed_roles                         [postgresql-dynamic]
#connection_details                    map[backend:database/1001-myapp connection_url:postgres://{{username}}:{{password}}@10.0.0.101:35432/postgres?sslmode=disable max_connection_lifetime:0s max_idle_connections:0 max_open_connections:4 username:vault]
#password_policy                       n/a
#plugin_name                           postgresql-database-plugin
#plugin_version                        n/a
#root_credentials_rotate_statements    []
#verify_connection                     true

# Check the getting dynamic role Metadata.
vault read database/1001-myapp/roles/postgresql-dynamic
#Key                    Value
#---                    -----
#creation_statements      [CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";]
#credential_type          password
#db_name                  postgresql
#default_ttl              1h
#max_ttl                  24h
#renew_statements         []
#revocation_statements    []
#rollback_statements      []

# Check the getting dynamic role Password.
vault read database/1001-myapp/creds/postgresql-dynamic
#Key                    Value
#---                    -----
#lease_id           database/1001-myapp/creds/postgresql-dynamic/G8p9hvzU4VAjiv8Nj0O5cLgb
#lease_duration     1h
#lease_renewable    true
#password           6T8G-FXuSiZlgb1WBMqb
#username           v-root-postgres-YJHMS2hgaCnPFY66OTvg-1732417427

• Type of role: static
  • 推荐使用

• Equlevent to Create the static role by Vault CLI

kubectl -n vault-system exec -ti vault-0 -- sh

export VAULT_TOKEN='hvs.tpsp0fqKX6weEqy3d0sOpgsh'

# Setup the allowed roles. (Note: Will auto update the PG user 'vault_user' to hash password)
vault write database/1001-myapp/config/postgresql \
    allowed_roles="postgresql-static" \
    plugin_name="postgresql-database-plugin" \
    connection_url="postgres://{{username}}:{{password}}@10.0.0.101:35432/postgres?sslmode=disable" \
    username="vault_user" \
    password="123456"
#Success! Data written to: database/1001-myapp/config/postgresql

# Create the static role.
vault write database/1001-myapp/static-roles/postgresql-static \
    db_name=postgresql \
    rotation_statements="ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';" \
    username="vault_user" \
    rotation_period="24h"

# Check the getting configuration.
vault read database/1001-myapp/config/postgresql
#Key                                   Value
#---                                   -----
#allowed_roles                         [postgresql-static]
#connection_details                    map[backend:database/1001-myapp connection_url:postgres://{{username}}:{{password}}@10.0.0.101:35432/postgres?sslmode=disable max_connection_lifetime:0s max_idle_connections:0 max_open_connections:4 username:vault]
#password_policy                       n/a
#plugin_name                           postgresql-database-plugin
#plugin_version                        n/a
#root_credentials_rotate_statements    []
#verify_connection                     true

# Check the getting static role Metadata.
vault read database/1001-myapp/static-roles/postgresql-static
#Key                    Value
#---                    -----
#credential_type        password
#db_name                postgresql
#last_vault_rotation    2024-11-23T17:22:40.814119366Z
#rotation_period        24h
#rotation_statements    []
#username               vault_user

# Check the getting static role Password.
vault read database/1001-myapp/static-creds/postgresql-static
#Key                    Value
#---                    -----
#last_vault_rotation    2024-11-23T17:22:40.814119366Z
#password               maSy-UDR9CPg46RpQ6lh
#rotation_period        24h
#ttl                    23h41m50s
#username               vault_user

4. Configure of Policy

4.1 Modify the Default Policy