This demo requires Helm V2.
Additionally, make sure Helm is installed with RBAC (the binding below gives the tiller service account the cluster-admin role):
kubectl -n kube-system create serviceaccount tiller
kubectl create clusterrolebinding tiller \
--clusterrole cluster-admin \
--serviceaccount=kube-system:tiller
helm init --service-account tiller
Run the setup script that installs:
- Vault
- Vault Agent Injector
- PostgreSQL (for example)
./setup.sh
Vault will automatically init, unseal, load auth methods, load policies and set up roles.
To get the root token or unseal keys for Vault, look in the /tmp directory in the vault-0 pod.
The demo is running in three different namespaces: vault, postgres and app.
kubectl get pods -n vault
kubectl get pods -n postgres
# App won't have pods running until the examples are started
kubectl get pods -n app
Run the app demo:
cd ./examples/app
./run.sh
Observe no secrets/sidecars on the app pod:
kubectl describe pod <name of pod> -n app
kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets
Patch the app:
./patch.sh
Observe the secrets at:
kubectl describe pod <name of pod> -n app
kubectl exec -ti <name of app pod> -n app -c app -- ls /vault/secrets
Port forward and open the webpage:
kubectl port-forward <name of app pod> -n app 8080:8080
open https://127.0.0.1:8080
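The two "Observe" steps above can also be checked mechanically. The following is an added example, not part of the demo repository: it assumes the Vault Agent Injector's default names (the vault.hashicorp.com/agent-inject-status annotation, the vault-agent-init init container and the vault-agent sidecar); injection_state and check_pod are hypothetical helper names, and the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example: classify a pod as injected / not-injected from three lines of
# kubectl jsonpath output (status annotation, init containers, containers).

# jsonpath that prints those three lines for one pod.
JSONPATH='{.metadata.annotations.vault\.hashicorp\.com/agent-inject-status}{"\n"}{.spec.initContainers[*].name}{"\n"}{.spec.containers[*].name}{"\n"}'

# Reads the three lines on stdin and prints one word:
#   injected      status annotation set and vault-agent sidecar present
#   not-injected  no annotation and no vault-agent containers
#   partial       anything in between (e.g. annotation set, sidecar missing)
injection_state() {
    IFS= read -r status || status=""
    IFS= read -r inits || inits=""
    IFS= read -r conts || conts=""
    has_init=no
    has_sidecar=no
    for c in $inits; do
        if [ "$c" = "vault-agent-init" ]; then has_init=yes; fi
    done
    for c in $conts; do
        if [ "$c" = "vault-agent" ]; then has_sidecar=yes; fi
    done
    if [ "$status" = "injected" ] && [ "$has_sidecar" = "yes" ]; then
        echo injected
    elif [ -z "$status" ] && [ "$has_init" = "no" ] && [ "$has_sidecar" = "no" ]; then
        echo not-injected
    else
        echo partial
    fi
}

# Live usage (needs the demo cluster): check_pod <name of app pod>
check_pod() {
    kubectl get pod "$1" -n app -o jsonpath="$JSONPATH" | injection_state
}

# Constructed samples: the three lines before and after ./patch.sh
printf '\n\napp\n' | injection_state
printf 'injected\nvault-agent-init\napp vault-agent\n' | injection_state
```

A result of partial after ./patch.sh means the annotation and the containers disagree, so look at the pod events before relying on /vault/secrets.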
Run the pg_dump job:
cd ./examples/pg_dump
./run.sh
kubectl get pods -n app
Observe the logs to show that it connected to PostgreSQL and created a logical backup to /dev/stdout:
kubectl logs -n app <name of job pod>