jasonodonnell/vault-agent-demo

Vault Agent Injector Example

This demo requires Helm V3 and jq to be installed.

Demo

Run the setup script that installs:

  • Vault
  • Vault Agent Injector
  • CSI Secret Store
  • Vault CSI Provider
  • PostgreSQL (for example)

./setup.sh

Vault will automatically initialize, unseal, load auth methods, load policies and set up roles.

To get the root token or unseal keys for Vault, look in the /tmp directory in the vault-0 pod.

Namespaces

The demo is running in three different namespaces: vault, postgres and app.

kubectl get pods -n vault

kubectl get pods -n postgres

# App won't have pods running until the examples are started
kubectl get pods -n app

Static Secret Demo:

cd ./examples/static-secrets
./run.sh

Observe no secrets/sidecars on the app pod:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Patch the app:

./patch.sh

Observe the secrets at:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Port forward and open the webpage:

kubectl port-forward <name of app pod> -n app 8080:8080

open http://127.0.0.1:8080
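
The patch and the before/after observation above, sketched as an added example (this is not the repository's patch.sh, whose contents are not shown on this page). It emits the standard Vault Agent Injector annotations and classifies a pod by the containers the injector adds; the role `app`, file name `config` and secret path `secret/data/app` are constructed sample values.

```shell
#!/bin/sh
# Added example; sample values are assumptions, not taken from the repository.

# Emit a strategic-merge patch that turns on injection for a pod template.
#   $1 = Vault Kubernetes auth role
#   $2 = file name to render under /vault/secrets
#   $3 = Vault secret path to read
# Apply with: kubectl patch deployment <deployment> -n app --patch "$(injector_patch ...)"
injector_patch() {
  cat <<EOF
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "$1"
        vault.hashicorp.com/agent-inject-secret-$2: "$3"
EOF
}

# Classify a pod from its container names (space separated), e.g. from
#   kubectl get pod <pod> -n app -o jsonpath='{.spec.initContainers[*].name}'
#   kubectl get pod <pod> -n app -o jsonpath='{.spec.containers[*].name}'
#   $1 = init container names, $2 = container names
injection_state() {
  init=no
  sidecar=no
  case " $1 " in *" vault-agent-init "*) init=yes ;; esac
  case " $2 " in *" vault-agent "*) sidecar=yes ;; esac
  case "$init/$sidecar" in
    yes/yes) echo injected ;;      # secrets rendered at start and kept renewed
    no/no)   echo not-injected ;;  # annotations missing or webhook did not run
    yes/no)  echo init-only ;;     # agent-pre-populate-only: rendered once, never renewed
    no/yes)  echo sidecar-only ;;  # agent-pre-populate "false": app may start before secrets exist
  esac
}

# Constructed sample: the pod before and after patching.
injector_patch app config secret/data/app
echo "before: $(injection_state "" "app")"
echo "after:  $(injection_state "vault-agent-init" "app vault-agent")"
```

An `init-only` result matters for the dynamic secrets demo: without the sidecar, leased database credentials are written once and not refreshed when they expire.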

Dynamic Secret Demo:

cd ./examples/dynamic-secrets
./run.sh

Observe no secrets/sidecars on the app pod:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Patch the app:

./patch.sh

Observe the secrets at:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Port forward and open the webpage:

kubectl port-forward <name of app pod> -n app 8080:8080

open http://127.0.0.1:8080

Transit Demo:

cd ./examples/transit
./run.sh

Patch the app:

./patch.sh

Observe the secrets at:

kubectl describe pod <name of pod> -n app

kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets

Port forward and open the webpage:

kubectl port-forward <name of app pod> -n app 8080:8080

open http://127.0.0.1:8080
