add external vault config

README.md

@@ -16,7 +16,7 @@ kubectl apply -f k8s/certificate.yaml
 
 helm repo add hashicorp https://helm.releases.hashicorp.com
 helm search repo hashicorp/vault
-helm upgrade --install vault hashicorp/vault --values values.yaml
+helm upgrade --install vault hashicorp/vault --values helm/values.yaml
 
 mkdir ~/.vault-keys
 kubectl exec -ti vault-0 -- vault operator init -key-shares=5 -key-threshold=3 -format=json > ~/.vault-keys/cluster-keys.json
@@ -30,7 +30,7 @@ kubectl apply -f k8s/certificate.yaml
 
 helm repo add hashicorp https://helm.releases.hashicorp.com
 helm search repo hashicorp/vault
-helm upgrade --install vault hashicorp/vault --values values.yaml
+helm upgrade --install vault hashicorp/vault --values helm/values.yaml
 
 mkdir ~/.vault-keys
 kubectl exec -ti vault-0 -- vault operator init -key-shares=5 -key-threshold=3 -format=json > ~/.vault-keys/cluster-keys.json
@@ -343,3 +343,62 @@ spec:
   dnsNames:
   - test.dnet
 ```
+
+## Kubernetes External Vault Auth
+
+<https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault?in=vault/kubernetes>
+
+### Connect to external vault
+
+```bash
+helm install vault hashicorp/vault \
+    --set "injector.externalVaultAddr=https://vault.ducoterra.net"
+
+VAULT_HELM_SECRET_NAME=$(kubectl get secrets --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')
+TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME --output='go-template={{ .data.token }}' | base64 --decode)
+KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
+KUBE_HOST="https://3.14.3.104:6443"
+```
+
+```bash
+vault auth enable -path=pikube kubernetes
+
+vault write auth/pikube/config \
+    token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
+    kubernetes_host="https://3.14.3.104:6443" \
+    kubernetes_ca_cert="$KUBE_CA_CERT"
+
+vault write auth/pikube/role/issuer \
+    bound_service_account_names=issuer \
+    bound_service_account_namespaces=cert-manager \
+    policies=pki_dnet \
+    ttl=20m
+```
+
+### Install cert-manager
+
+```bash
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
+kubectl -n cert-manager create serviceaccount issuer
+ISSUER_SECRET_REF=$(kubectl -n cert-manager get serviceaccount issuer -o json | jq -r ".secrets[].name")
+
+cat > cert-manager/pikube-vault-clusterissuer.yaml <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: vault-issuer
+spec:
+  vault:
+    server: https://vault.ducoterra.net
+    path: pki_dnet_int/sign/dnet
+    auth:
+      kubernetes:
+        mountPath: /v1/auth/pikube
+        role: issuer
+        secretRef:
+          name: $ISSUER_SECRET_REF
+          key: token
+EOF
+
+kubectl apply -f cert-manager/pikube-vault-clusterissuer.yaml
+```