Securing Secrets in the Cloud: A Hands-On Guide to HashiCorp Vault
Why Use Secrets?
Secrets are used to store confidential data such as database usernames and passwords. It's unwise to create a configuration file with these secrets and then push it to a distributed version control system (VCS). Doing so exposes sensitive information, even if it's encoded in base64, which anyone can decode.
To safeguard confidential data, several solutions are available:
Sealed Secrets
External Secret Operator (ESO)
Secret Store CSI driver
In today's blog, we will focus on HashiCorp Vault, with plans to explore other options in future posts.
Now let's see how.
Prerequisites
An existing HCP account
A cluster
- Click on "Vault Secrets" in the menu of the HashiCorp Vault dashboard.

Click on "Create first app".
Provide a name for your app, then click on "Create app".
Once you're on the secrets page, click on "Create new secret".

For auto-rotating secrets, you need to upgrade to the paid version. Today we will look only at static secrets. Select "Static secret".
Provide the name and value of your secret, then click Save.

To create another secret, click on "Create new secret".

Provide the name and value of your second secret, then click Save.

It's time to create IAM access to this secret. Click on "Access Control (IAM)" from the main dashboard of HashiCorp Vault.

Click on "Service principals" in the left menu.
Click on "Create service principal".

Provide a name for the service principal. Select the service "Secrets". Select the role "Vault Secrets App Secret Reader" and click on "Create service principal".

Click on "Keys" in the left menu.

Click on "Generate Key" and save the "Client ID" and "Client Secret" somewhere safe; we will need them later on.

Install the Vault Secrets Operator using the helm commands below.
helm repo add hashicorp https://helm.releases.hashicorp.com
helm install vault-secrets-operator hashicorp/vault-secrets-operator \
  --namespace vault-secrets-operator-system \
  --create-namespace

- Create a Kubernetes secret for the HCP service principal credentials using the following command.
kubectl create secret generic vso-demo-sp \
  --namespace default \
  --from-literal=clientID=$HCP_CLIENT_ID \
  --from-literal=clientSecret=$HCP_CLIENT_SECRET
You need to use the client ID and client secret which we created earlier.

- Now configure the Vault Secrets Operator with the HCP organization and project ID.
kubectl create -f - <<EOF
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
  name: default
  namespace: vault-secrets-operator-system
spec:
  organizationID: <Organization ID>
  projectID: <Project ID>
  servicePrincipal:
    secretRef: vso-demo-sp
EOF

Now create the secret using the command below.
kubectl create -f - <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: my-secret
spec:
  appName: $APP_NAME
  destination:
    create: true
    labels:
      hvs: "true"
    name: my-secret
  refreshAfter: 3m
EOF

Now if you list the secrets, you will see that the new secret has been created.

Now if you check its YAML using the following command
kubectl get secret my-secret -o yaml
you will find the username and password.
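To confirm the sync landed correctly without exposing the values, here is an added Python check (not from the original post or from HashiCorp) that reads the JSON form of the synced Secret (kubectl get secret my-secret -o json), verifies the hvs label and the expected keys, and reports only key names and decoded lengths. The Secret content is a constructed sample; the Opaque type is assumed to be the operator's default.

```python
"""Audit a Secret synced by the Vault Secrets Operator without printing its values."""
import base64
import json

# Constructed sample: what `kubectl get secret my-secret -o json` might return after
# the HCPVaultSecretsApp above has synced. Values are placeholders, not real credentials.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "my-secret", "namespace": "default",
                 "labels": {"hvs": "true"}},
    "data": {
        "username": base64.b64encode(b"demo-user").decode(),
        "password": base64.b64encode(b"placeholder-password").decode(),
    },
})

# Keys we expect the HCP Vault Secrets app to provide (the two static secrets created above).
REQUIRED_KEYS = {"username", "password"}


def audit_synced_secret(secret_json: str, required_keys=REQUIRED_KEYS) -> dict:
    """Return findings describing whether the Secret looks correctly synced.

    Only key names and decoded value lengths are reported; the decoded values
    never leave this function, so the result is safe to log or attach to a ticket.
    """
    secret = json.loads(secret_json)
    labels = secret.get("metadata", {}).get("labels", {})
    data = secret.get("data", {})
    findings = {
        "synced_by_vso": labels.get("hvs") == "true",  # label set via destination.labels
        "type_opaque": secret.get("type") == "Opaque",  # assumed operator default
        "missing_keys": sorted(required_keys - data.keys()),
        "empty_keys": [],
        "value_lengths": {},
    }
    for key, encoded in data.items():
        # Kubernetes stores Secret data base64-encoded; decode only to measure it.
        decoded = base64.b64decode(encoded, validate=True)
        findings["value_lengths"][key] = len(decoded)
        if not decoded:
            findings["empty_keys"].append(key)
    findings["ok"] = (findings["synced_by_vso"] and findings["type_opaque"]
                      and not findings["missing_keys"] and not findings["empty_keys"])
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_synced_secret(SAMPLE_SECRET_JSON), indent=2))
```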

Now your secrets are more secure. No need to worry about storing secrets in configuration files and pushing code into VCS.
That was all for today. You can use an in-house HashiCorp Vault in Kubernetes in production.
We will see other ways to store your secrets in upcoming blogs.