Passing vHSM secrets using ConfigMaps

vHSM stores secrets securely, but Kubernetes applications need a way to access them. One method is using ConfigMaps. This section provides instructions to inject vHSM secrets using ConfigMaps to an application running in Kubernetes.

Prerequisites

• Install vHSM CLI

• Install kubectl

• Install a Kubernetes cluster

To pass vault secrets using ConfigMaps:

1. Deploy a sample application in your Kubernetes cluster

2. Enable vHSM secrets engine and store the secret

3. Create a ConfigMap from vHSM secrets

Deploy a sample application

1. Create a deployment YAML file, named app-deployment.yaml.

   Copy

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: my-app
   spec:
     replicas: 2
     selector:
       matchLabels:
         app: my-app
     template:
       metadata:
         labels:
           app: my-app
       spec:
         containers:
         - name: my-app
           image: nginx
           ports:
           - containerPort: 80

2. Change to the directory that contains the app-deployment.yaml and apply the deployment.

   Copy

   kubectl apply -f app-deployment.yaml

   The output is similar to:

   Copy

   deployment.apps/my-app created

3. Verify that the application is deployed.

   Copy

   kubectl get pods

   It might takes a couple of minutes for Pods to be in a Running status. The output is similar to:

   Copy

   NAME                      READY   STATUS   RESTARTS   AGE
   my-app-86d5bc587d-g85bz   1/1     Running   0          7s
   my-app-86d5bc587d-j4x4p   1/1     Running   0          7s

4. Create a service to expose the application.

   Copy

   kubectl expose deployment my-app --type=NodePort --port=80

5. Find the port on which the application is running.

   Copy

   kubectl get svc my-app

   The output is similar to:

   Copy

   NAME     TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
   my-app   NodePort   10.96.114.36   <none>        80:32696/TCP   8s

6. Port forward the application to access the application in your browser.

   Copy

   kubectl port-forward svc/my-app 8080:80

7. Access the application that you deployed in your browser at: http://localhost:8080.

Enable vHSM secrets engine and store the secret

1. Ensure that vHSM is running and the status is unsealed. For more information about using vHSM CLI, see the vHSM CLI documentation.

   The output is similar to:

2. Enable KV Secrets Engine, a key-value store that contains secrets in vHSM's physical storage:

   The output is similar to:

3. Store a secret in vHSM:

   The output is similar to:

Create a ConfigMap from vHSM secrets

1. Retrive the password that you stored in the vHSM server.

2. Create a ConfigMap that would inject the secret from the vHSM.

   The output is similar to:

3. Create a new deployment YAML file, named app-with-configmap.yaml.

4. Change to the directory that contains the app-with-configmap.yaml and apply the deployment.

   The output is similar to:

5. Verify that the application is deployed.

   The output is similar to:

6. Verify that secrets are passed to the newly deployed application using the command: kubectl exec -it <pod> -- printenv | grep DB_PASSWORD In this case the Pod that is running with the application with ConfigMap is my-app-with-configmap-6946f8b754-hfhcn.

   The output is:

   This confirms that the secret for the application is injected to the application using ConfigMaps.