Vault as an External Secret Store
This document applies to Crossplane version v1.18 and not to the latest release v1.19.
This guide walks through the steps required to configure Crossplane and
its Providers to use Vault as an External Secret Store (ESS) with ESS Plugin Vault.
External Secret Stores are an alpha feature.
They’re not recommended for production use. Crossplane disables External Secret Stores by default.
Crossplane uses sensitive information including Provider credentials, inputs to managed resources and connection details.
The Vault credential injection guide details using Vault and Crossplane for Provider credentials.
Crossplane doesn’t support for using Vault for managed resources input. Crossplane issue #2985 tracks support for this feature.
Supporting connection details with Vault requires a Crossplane external secret store.
Prerequisites
This guide requires Helm version 3.11 or later.
Install Vault
Add the Vault Helm chart
Add the Helm repository for hashicorp.
1helm repo add hashicorp https://helm.releases.hashicorp.com --force-update
Install Vault using Helm.
1helm -n vault-system upgrade --install vault hashicorp/vault --create-namespace
Unseal Vault
If Vault is sealed unseal Vault using the unseal keys.
Get the Vault keys.
1kubectl -n vault-system exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
2VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
Unseal the vault using the keys.
1kubectl -n vault-system exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
2Key Value
3--- -----
4Seal Type shamir
5Initialized true
6Sealed false
7Total Shares 1
8Threshold 1
9Version 1.13.1
10Build Date 2023-03-23T12:51:35Z
11Storage Type file
12Cluster Name vault-cluster-df884357
13Cluster ID b3145d26-2c1a-a7f2-a364-81753033c0d9
14HA Enabled false
Configure Vault Kubernetes authentication
Enable the Kubernetes auth method for Vault to authenticate requests based on Kubernetes service accounts.
Get the Vault root token
The Vault root token is inside the JSON file created when unsealing Vault.
1cat cluster-keys.json | jq -r ".root_token"
Enable Kubernetes authentication
Connect to a shell in the Vault pod.
From the Vault shell, login to Vault using the root token.
1vault login # use the root token from above
2Token (will be hidden):
3Success! You are now authenticated. The token information displayed below
4is already stored in the token helper. You do NOT need to run "vault login"
5again. Future Vault requests will automatically use this token.
6
7Key Value
8--- -----
9token hvs.TSN4SssfMBM0HAtwGrxgARgn
10token_accessor qodxHrINVlRXKyrGeeDkxnih
11token_duration ∞
12token_renewable false
13token_policies ["root"]
14identity_policies []
15policies ["root"]
Enable the Kubernetes authentication method in Vault.
Configure Vault to communicate with Kubernetes and exit the Vault shell
1vault write auth/kubernetes/config \
2 token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
3 kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
4 kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
5Success! Data written to: auth/kubernetes/config
6/ $ exit
Configure Vault for Crossplane integration
Crossplane relies on the Vault key-value secrets engine to store information and Vault requires a permissions policy for the Crossplane service account.
Enable the Vault kv secrets engine
Enable the Vault KV Secrets Engine.
1kubectl -n vault-system exec -it vault-0 -- vault secrets enable -path=secret kv-v2
2Success! Enabled the kv-v2 secrets engine at: secret/
Create a Vault policy for Crossplane
Create the Vault policy to allow Crossplane to read and write data from Vault.
1kubectl -n vault-system exec -i vault-0 -- vault policy write crossplane - <<EOF
2path "secret/data/*" {
3 capabilities = ["create", "read", "update", "delete"]
4}
5path "secret/metadata/*" {
6 capabilities = ["create", "read", "update", "delete"]
7}
8EOF
9Success! Uploaded policy: crossplane
Apply the policy to Vault.
1kubectl -n vault-system exec -it vault-0 -- vault write auth/kubernetes/role/crossplane \
2 bound_service_account_names="*" \
3 bound_service_account_namespaces=crossplane-system \
4 policies=crossplane \
5 ttl=24h
6Success! Data written to: auth/kubernetes/role/crossplane
Install Crossplane
Install the Crossplane with the External Secrets Stores feature enabled.
1helm upgrade --install crossplane crossplane-stable/crossplane --namespace crossplane-system --create-namespace --set args='{--enable-external-secret-stores}'
Install the Crossplane Vault plugin
The Crossplane Vault plugin isn’t part of the default Crossplane install. The plugin installs as a unique Pod that uses the Vault Agent Sidecar Injection to connect the Vault secret store to Crossplane.
First, configure annotations for the Vault plugin pod.
1cat > values.yaml <<EOF
2podAnnotations:
3 vault.hashicorp.com/agent-inject: "true"
4 vault.hashicorp.com/agent-inject-token: "true"
5 vault.hashicorp.com/role: crossplane
6 vault.hashicorp.com/agent-run-as-user: "65532"
7EOF
Next, install the Crossplane ESS Plugin pod to the crossplane-system namespace
and apply the Vault annotations.
1helm upgrade --install ess-plugin-vault oci://xpkg.crossplane.io/crossplane-contrib/ess-plugin-vault --namespace crossplane-system -f values.yaml
Configure Crossplane
Using the Vault plugin requires configuration to connect to the Vault service. The plugin also requires Providers to enable external secret stores.
With the plugin and providers configured, Crossplane requires two StoreConfig
objects to describe how Crossplane and the Providers communicate with vault.
Enable external secret stores in the Provider
ControllerConfig Create a ControllerConfig object to enable external secret stores.
1echo "apiVersion: pkg.crossplane.io/v1alpha1
2kind: ControllerConfig
3metadata:
4 name: vault-config
5spec:
6 args:
7 - --enable-external-secret-stores" | kubectl apply -f -
Install the Provider and apply the ControllerConfig.
1echo "apiVersion: pkg.crossplane.io/v1
2kind: Provider
3metadata:
4 name: provider-gcp
5spec:
6 package: xpkg.crossplane.io/crossplane-contrib/provider-gcp:v0.23.0-rc.0.19.ge9b75ee5
7 controllerConfigRef:
8 name: vault-config" | kubectl apply -f -
Connect the Crossplane plugin to Vault
Create a
1echo "apiVersion: secrets.crossplane.io/v1alpha1
2kind: VaultConfig
3metadata:
4 name: vault-internal
5spec:
6 server: http://vault.vault-system:8200
7 mountPath: secret/
8 version: v2
9 auth:
10 method: Token
11 token:
12 source: Filesystem
13 fs:
14 path: /vault/secrets/token" | kubectl apply -f -
Create a Crossplane StoreConfig
Create a
The
1echo "apiVersion: secrets.crossplane.io/v1alpha1
2kind: StoreConfig
3metadata:
4 name: vault
5spec:
6 type: Plugin
7 defaultScope: crossplane-system
8 plugin:
9 endpoint: ess-plugin-vault.crossplane-system:4040
10 configRef:
11 apiVersion: secrets.crossplane.io/v1alpha1
12 kind: VaultConfig
13 name: vault-internal" | kubectl apply -f -
Create a Provider StoreConfig
Create a
The
1echo "apiVersion: gcp.crossplane.io/v1alpha1
2kind: StoreConfig
3metadata:
4 name: vault
5spec:
6 type: Plugin
7 defaultScope: crossplane-system
8 plugin:
9 endpoint: ess-plugin-vault.crossplane-system:4040
10 configRef:
11 apiVersion: secrets.crossplane.io/v1alpha1
12 kind: VaultConfig
13 name: vault-internal" | kubectl apply -f -
Create Provider resources
Check that Crossplane installed the Provider and the Provider is healthy.
1kubectl get providers
2NAME INSTALLED HEALTHY PACKAGE AGE
3provider-gcp True True xpkg.crossplane.io/crossplane-contrib/provider-gcp:v0.23.0-rc.0.19.ge9b75ee5 10m
Create a CompositeResourceDefinition
Create a CompositeResourceDefinition to define a custom API endpoint.
1echo "apiVersion: apiextensions.crossplane.io/v1
2kind: CompositeResourceDefinition
3metadata:
4 name: compositeessinstances.ess.example.org
5 annotations:
6 feature: ess
7spec:
8 group: ess.example.org
9 names:
10 kind: CompositeESSInstance
11 plural: compositeessinstances
12 claimNames:
13 kind: ESSInstance
14 plural: essinstances
15 connectionSecretKeys:
16 - publicKey
17 - publicKeyType
18 versions:
19 - name: v1alpha1
20 served: true
21 referenceable: true
22 schema:
23 openAPIV3Schema:
24 type: object
25 properties:
26 spec:
27 type: object
28 properties:
29 parameters:
30 type: object
31 properties:
32 serviceAccount:
33 type: string
34 required:
35 - serviceAccount
36 required:
37 - parameters" | kubectl apply -f -
Create a Composition
Create a Composition to create a Service Account and Service Account Key
inside GCP.
Creating a Service Account Key generates
1echo "apiVersion: apiextensions.crossplane.io/v1
2kind: Composition
3metadata:
4 name: essinstances.ess.example.org
5 labels:
6 feature: ess
7spec:
8 publishConnectionDetailsWithStoreConfigRef:
9 name: vault
10 compositeTypeRef:
11 apiVersion: ess.example.org/v1alpha1
12 kind: CompositeESSInstance
13 mode: Pipeline
14 pipeline:
15 - step: patch-and-transform
16 functionRef:
17 name: function-patch-and-transform
18 input:
19 apiVersion: pt.fn.crossplane.io/v1beta1
20 kind: Resources
21 resources:
22 - name: serviceaccount
23 base:
24 apiVersion: iam.gcp.crossplane.io/v1alpha1
25 kind: ServiceAccount
26 metadata:
27 name: ess-test-sa
28 spec:
29 forProvider:
30 displayName: a service account to test ess
31 - name: serviceaccountkey
32 base:
33 apiVersion: iam.gcp.crossplane.io/v1alpha1
34 kind: ServiceAccountKey
35 spec:
36 forProvider:
37 serviceAccountSelector:
38 matchControllerRef: true
39 publishConnectionDetailsTo:
40 name: ess-mr-conn
41 metadata:
42 labels:
43 environment: development
44 team: backend
45 configRef:
46 name: vault
47 connectionDetails:
48 - name: publicKey
49 type: FromConnectionSecretKey
50 fromConnectionSecretKey: publicKey
51 - name: publicKey
52 type: FromConnectionSecretKey
53 fromConnectionSecretKey: publicKeyType" | kubectl apply -f -
Create a Claim
Now create a Claim to have Crossplane create the GCP resources and associated
secrets.
Like the Composition, the Claim uses
1echo "apiVersion: ess.example.org/v1alpha1
2kind: ESSInstance
3metadata:
4 name: my-ess
5 namespace: default
6spec:
7 parameters:
8 serviceAccount: ess-test-sa
9 compositionSelector:
10 matchLabels:
11 feature: ess
12 publishConnectionDetailsTo:
13 name: ess-claim-conn
14 metadata:
15 labels:
16 environment: development
17 team: backend
18 configRef:
19 name: vault" | kubectl apply -f -
Verify the resources
Verify all resources are READY and SYNCED:
1kubectl get managed
2NAME READY SYNCED DISPLAYNAME EMAIL DISABLED
3serviceaccount.iam.gcp.crossplane.io/my-ess-zvmkz-vhklg True True a service account to test ess my-ess-zvmkz-vhklg@testingforbugbounty.iam.gserviceaccount.com
4
5NAME READY SYNCED KEY_ID CREATED_AT EXPIRES_AT
6serviceaccountkey.iam.gcp.crossplane.io/my-ess-zvmkz-bq8pz True True 5cda49b7c32393254b5abb121b4adc07e140502c 2022-03-23T10:54:50Z
View the claims
View the composite resources.
1kubectl get composite
2NAME READY COMPOSITION AGE
3my-ess-zvmkz True essinstances.ess.example.org 32s
Verify Vault secrets
Look inside Vault to view the secrets from the managed resources.
1kubectl -n vault-system exec -i vault-0 -- vault kv list /secret/default
2Keys
3----
4ess-claim-conn
The key
Check connection secrets in the crossplane-system Vault scope.
1kubectl -n vault-system exec -i vault-0 -- vault kv list /secret/crossplane-system
2Keys
3----
4d2408335-eb88-4146-927b-8025f405da86
5ess-mr-conn
The key
and the key
Check contents of Claim’s connection secret ess-claim-conn to see the key
created by the managed resource.
1kubectl -n vault-system exec -i vault-0 -- vault kv get /secret/default/ess-claim-conn
2======= Metadata =======
3Key Value
4--- -----
5created_time 2022-03-18T21:24:07.2085726Z
6custom_metadata map[environment:development secret.crossplane.io/ner-uid:881cd9a0-6cc6-418f-8e1d-b36062c1e108 team:backend]
7deletion_time n/a
8destroyed false
9version 1
10
11======== Data ========
12Key Value
13--- -----
14publicKey -----BEGIN PUBLIC KEY-----
15MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsEYCokmYEsZJCc9QN/8
16Fm1M/kTPp7Gat/MXLTP3zFyCTBFVNLN79MbAKdinWi6ePXEb75vzB79IdZcWj8lo
178trnS64QjNB9Vs4Xk5UvDALwleFN/bZeperxivDPwVPvT9Aqy/U9kohoS/LHyE8w
18uWQb5AuMeVQ1gtCTnCqQZ4d2MSVhQXYVvAWax1spJ9LT7mHub5j95xDdYIcOV3VJ
19l9CIo4VrWIT8THFN2NnjTrGq9+0TzXY0bV674bjJkfBC6v6yXs5HTetG+Uekq/xf
20FCjrrDi1+2UR9Mu2WTuvl8qn50be+mbwdJO5wE32jewxdYrVVmj19+PkaEeAwGTc
21vwIDAQAB
22-----END PUBLIC KEY-----
23publicKeyType TYPE_RAW_PUBLIC_KEY
Check contents of managed resource connection secret ess-mr-conn. The public
key is identical to the public key in the Claim since the Claim is using this
managed resource.
1kubectl -n vault-system exec -i vault-0 -- vault kv get /secret/crossplane-system/ess-mr-conn
2======= Metadata =======
3Key Value
4--- -----
5created_time 2022-03-18T21:21:07.9298076Z
6custom_metadata map[environment:development secret.crossplane.io/ner-uid:4cd973f8-76fc-45d6-ad45-0b27b5e9252a team:backend]
7deletion_time n/a
8destroyed false
9version 2
10
11========= Data =========
12Key Value
13--- -----
14privateKey {
15 "type": "service_account",
16 "project_id": "REDACTED",
17 "private_key_id": "REDACTED",
18 "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
19 "client_email": "ess-test-sa@REDACTED.iam.gserviceaccount.com",
20 "client_id": "REDACTED",
21 "auth_uri": "https://accounts.google.com/o/oauth2/auth",
22 "token_uri": "https://oauth2.googleapis.com/token",
23 "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
24 "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/ess-test-sa%40REDACTED.iam.gserviceaccount.com"
25}
26privateKeyType TYPE_GOOGLE_CREDENTIALS_FILE
27publicKey -----BEGIN PUBLIC KEY-----
28MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsEYCokmYEsZJCc9QN/8
29Fm1M/kTPp7Gat/MXLTP3zFyCTBFVNLN79MbAKdinWi6ePXEb75vzB79IdZcWj8lo
308trnS64QjNB9Vs4Xk5UvDALwleFN/bZeperxivDPwVPvT9Aqy/U9kohoS/LHyE8w
31uWQb5AuMeVQ1gtCTnCqQZ4d2MSVhQXYVvAWax1spJ9LT7mHub5j95xDdYIcOV3VJ
32l9CIo4VrWIT8THFN2NnjTrGq9+0TzXY0bV674bjJkfBC6v6yXs5HTetG+Uekq/xf
33FCjrrDi1+2UR9Mu2WTuvl8qn50be+mbwdJO5wE32jewxdYrVVmj19+PkaEeAwGTc
34vwIDAQAB
35-----END PUBLIC KEY-----
36publicKeyType TYPE_RAW_PUBLIC_KEY
Remove the resources
Deleting the Claim removes the managed resources and associated keys from Vault.
1kubectl delete claim my-ess