Introduction to the Broker
The ClusterRole and ClusterRoleBinding definitions at the beginning of the broker.yml file grant the broker pod's service account the permissions it needs to run (get, watch, and list pods). The Service definitions in the broker.yml example below are also required, because the DSV client uses the service names to make internal calls.
Before using the broker.yml file, swap in the variable values appropriate to your organization, specifically the tenant, client ID, and client secret under the container's env section:
spec:
  template:
    spec:
      containers:
      - name: dsv-broker
        env:
        - name: TENANT
          value: your_tenant_name
        - name: CLIENT_ID
          value: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        - name: CLIENT_SECRET
          value: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxx
While the broker is running, it watches for new pods that come online carrying the dsv annotation. For each such pod it reads the tenant to be used and adds the pod to its internal registry.
Kubernetes Plugin Configuration
The Kubernetes plugin provides a means of managing workloads and services for the containers configured for the DevOps Secrets Vault. The following steps are required to configure the Kubernetes plugin.
- Provide a certificate, an authentication provider, and a corresponding role (refer to Authentication by Certificate), and save that data: DSV does not keep any of these keys. The certificate and key are passed to the broker through a Kubernetes tls secret.
- Create the Kubernetes tls secret. The values under data must be base64-encoded (kubectl create secret tls does this for you when given the PEM files):
  apiVersion: v1
  kind: Secret
  metadata:
    name: dsv-auth-tls-secrets
    namespace: sandbox05-pportal
  type: kubernetes.io/tls
  data:
    tls.crt: <your client/leaf cert>
    tls.key: <your client/leaf private key>
- Add the volume to the broker/controller yaml and mount it at /etc/dsv/certs. Mounting the secret as a volume was chosen because mounted secrets are updated automatically (https://kubernetes.io/docs/concepts/configuration/secret/#mounted-secrets-are-updated-automatically):
  volumes:
  - name: dsv-tls-secrets
    secret:
      secretName: dsv-auth-tls-secrets
  volumeMounts:
  - name: dsv-tls-secrets
    readOnly: true
    mountPath: /etc/dsv/certs
- Add the new ENV variable to the broker. It tells the broker which type of authentication it uses:
  - name: AUTH_TYPE
    value: certificate
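The tls secret step above shows the data fields as placeholders. The following script is an added example, not part of the DSV documentation or the dsv-k8s-controller project: it builds the kubernetes.io/tls Secret manifest from PEM files, base64-encoding the contents as Kubernetes requires, and refuses to proceed if the two files look swapped (a private key published under tls.crt is the mistake worth catching). The secret name and namespace match the page; the PEM file paths and the PEM sanity checks are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the DSV documentation or the dsv-k8s-controller project.
# Builds the kubernetes.io/tls Secret manifest from PEM files. The data: fields must
# hold base64 of the file contents; the page's <your client/leaf cert> placeholders
# leave that implicit. File paths and the PEM checks are assumptions of this example.

# Single-line base64 that behaves the same on GNU (wraps at 76 columns) and BSD/macOS.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Usage: make_tls_secret_manifest CERT_FILE KEY_FILE SECRET_NAME NAMESPACE
# Prints the manifest on stdout. Returns 1 if a file is unreadable or is not the
# PEM type expected in that position (this catches swapped arguments).
make_tls_secret_manifest() {
    cert_file="$1"; key_file="$2"; name="$3"; namespace="$4"
    [ -r "$cert_file" ] || { echo "cannot read certificate file: $cert_file" >&2; return 1; }
    [ -r "$key_file" ]  || { echo "cannot read key file: $key_file" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$cert_file" || { echo "$cert_file is not a PEM certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key_file" || { echo "$key_file is not a PEM private key" >&2; return 1; }
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/tls
data:
  tls.crt: $(b64_oneline "$cert_file")
  tls.key: $(b64_oneline "$key_file")
EOF
}

# Demo with constructed placeholder PEM files (not real certificate or key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedLeafCert' '-----END CERTIFICATE-----' > "$demo_dir/tls.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBconstructedKey' '-----END PRIVATE KEY-----' > "$demo_dir/tls.key"
make_tls_secret_manifest "$demo_dir/tls.crt" "$demo_dir/tls.key" dsv-auth-tls-secrets sandbox05-pportal
rm -rf "$demo_dir"
```

Pipe the output straight into kubectl apply -f - rather than writing the manifest to disk or committing it: base64 is an encoding, not encryption, so the manifest contains the private key in the clear.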
The Broker YAML File
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: dsv-service-pod-reader-binding
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dsv-service-pod-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dsv-service-pod-reader-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
---
apiVersion: v1
kind: Secret
metadata:
  name: thycotic-keys
  namespace: default
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dsv-broker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dsv-broker
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  template:
    metadata:
      labels:
        app: dsv-broker
    spec:
      containers:
      - name: dsv-broker
        image: thycotic/dsv-k8s-controller:<tagname>
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: secretkey
          mountPath: /tmp/keys
          readOnly: true
        env:
        - name: REFRESH_TIME
          value: 5m
        - name: THY_API_URL
          value: https://%s.devbambe.com/v1
        - name: TENANT
          value: testtenant
        - name: CLIENT_ID
          value: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        - name: CLIENT_SECRET
          value: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxx
        - name: LOG_LEVEL
          value: debug
      volumes:
      - name: secretkey
        secret:
          secretName: thycotic-keys
---
kind: Service
apiVersion: v1
metadata:
  name: dsv-broker
spec:
  selector:
    app: dsv-broker
  ports:
  - protocol: TCP
    port: 80
    targetPort: 3000
---
kind: Service
apiVersion: v1
metadata:
  name: dsv-auth
spec:
  selector:
    app: dsv-broker
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 8080
  - name: https
    protocol: TCP
    port: 443
    targetPort: 443
This file can also be used locally, for example:
kubectl create -f broker.yml
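The broker.yml above ships with placeholder values (your_tenant_name, the xxxx CLIENT_ID and CLIENT_SECRET, the <tagname> image tag), and it puts CLIENT_SECRET into the manifest as a literal value, where it stays in clear text in version control and in the stored Deployment object. The following pre-flight check is an added example, not part of the DSV documentation or the dsv-k8s-controller project: run against broker.yml before kubectl create, it fails if any placeholder is still present or if CLIENT_SECRET is a literal value rather than a valueFrom.secretKeyRef. The upper-case env-name pattern and the valueFrom recommendation are this example's assumptions, not requirements of the broker.

```shell
#!/bin/sh
# Added example, not part of the DSV documentation or the dsv-k8s-controller project.
# Pre-flight check for broker.yml: fails on leftover placeholders from the page and on
# a CLIENT_SECRET given as a literal value:. The upper-case env-name pattern and the
# valueFrom.secretKeyRef recommendation are assumptions of this example.

# Usage: check_broker_manifest FILE
# Prints one line per finding; returns 0 only when there are none (2 if FILE is unreadable).
check_broker_manifest() {
    manifest="$1"
    [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 2; }
    awk '
        # "- name: UPPER_CASE" starts an env entry; the next value: line belongs to it.
        /^[ \t]*-?[ \t]*name:[ \t]*[A-Z_][A-Z0-9_]*[ \t]*$/ { cur = $NF; next }
        /^[ \t]*value:/ {
            val = $0; sub(/^[ \t]*value:[ \t]*/, "", val)
            if (val ~ /^x+(-x+)*$/ || val == "your_tenant_name") {
                print "placeholder still set for " cur ": " val; bad++
            }
            if (cur == "CLIENT_SECRET") {
                print "CLIENT_SECRET is a literal value: in the manifest; use valueFrom.secretKeyRef"; bad++
            }
            cur = ""
        }
        /image:.*<tagname>/ { print "image tag placeholder <tagname> still set"; bad++ }
        END { exit (bad > 0) }
    ' "$manifest"
}

# Demo on two constructed env fragments (not the page's file).
demo_dir=$(mktemp -d)
# Placeholders left in place, as the page ships them: the check must reject this.
cat > "$demo_dir/unfilled.yml" <<'EOF'
        env:
        - name: TENANT
          value: your_tenant_name
        - name: CLIENT_ID
          value: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        - name: CLIENT_SECRET
          value: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxx
EOF
# Filled in, with the client secret read from a Secret object (constructed names): passes.
cat > "$demo_dir/filled.yml" <<'EOF'
        env:
        - name: TENANT
          value: example-tenant
        - name: CLIENT_ID
          value: 00000000-1111-2222-3333-444444444444
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: dsv-client-credentials
              key: client_secret
        - name: LOG_LEVEL
          value: info
EOF
if check_broker_manifest "$demo_dir/unfilled.yml"; then
    echo "unexpected: placeholders were not detected"
else
    echo "unfilled manifest rejected, as expected"
fi
if check_broker_manifest "$demo_dir/filled.yml"; then
    echo "filled manifest passed the pre-flight check"
fi
rm -rf "$demo_dir"
```

Use it as a gate in front of the command above, for example check_broker_manifest broker.yml && kubectl create -f broker.yml, so a manifest with placeholder credentials or an inline secret never reaches the cluster.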