Skip to content
/ go-vault-secrets Public

Build a Go that consumes Vault secrets directly in Kubernetes with Okteto

License

Apache-2.0 license
7 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

okteto/go-vault-secrets

BranchesTags

Repository files navigation

Go and Vault demo application

This example shows how to use Okteto and Okteto Cloud to develop a Go services that consumes secrets from Vault directly in Kubernetes.

Prerequisites

Configure your Okteto Cloud Credentials

If you haven't yet, log in to https://cloud.okteto.com and click on the Credentials button on the left to download your Okteto Cloud credentials, and set them as your current context by running the command below:

$ export KUBECONFIG=<download-path>/okteto-kube.config

Install Vault

Clone the official vault chart

$ git clone https://github.com/hashicorp/vault-helm

Generate the installation configuration file

$ cat <<EOF > config.yaml
injector:
  enabled: false

server:
  dev:
    enabled: true
  authDelegator:
    enabled: false

dataStorage:
  size: 1Gi

auditStorage:
  size: 1Gi

ui:
  enabled: true
  annotations:
    dev.okteto.com/auto-ingress: "true"
EOF

Install the Vault Helm chart

$ helm install vault vault-helm -f config.yaml

For the purpose of this guide, we are installing Vault in dev mode. This is not recommended for production scenarios.

Configure Vault and Store the Secret

Run the vault client

$ kubectl exec -ti vault-0 /bin/sh

Create the policy

cat <<EOF > /home/vault/app-policy.hcl
path "secret*" {
  capabilities = ["read"]
}
EOF
$ vault policy write app /home/vault/app-policy.hcl
Success! Uploaded policy: app

Create the user token (we'll use this later, so keep it somewhere safe)

$ vault token create -policy=app
Key                  Value
---                  -----
token                s.XXXXXX
token_accessor       XXXXXXXX
token_duration       768h
token_renewable      true
token_policies       ["app" "default"]
identity_policies    []
policies             ["app" "default"]

Create the secret

$ vault kv put secret/helloworld username=foobaruser password=foobarbazpass
Key              Value
---              -----
created_time     2020-02-26T22:29:56.106059196Z
deletion_time    n/a
destroyed        false
version          1

Exit the vault pod

$ exit

Deploy the application

$ kubectl apply -f k8s.yml

The default application uses hard-coded credentials instead of getting them from Vault.

You can get the URL from the command line by running the command below, or from the Okteto Cloud UI:

$ kubectl get ing okteto-hello-world
NAME                 HOSTS                                    ADDRESS                     PORTS     AGE
okteto-hello-world   hello-world-cindy.cloud.okteto.net   34.223.83.14,52.26.95.105   80, 443   34s

Call the application to verify that everything works as expected:

$ curl https://hello-world-cindy.cloud.okteto.net
Hello world!
Super secret username: hard-coded-user
Super secret password is: hard-coded-password

Prepare your Application to use Vault

In order to call the vault API, you'll need to pass a token to your service.

We'll use the one we created in the previous step. We'll use Kubernetes environment variables and secrets to pass the token to the application.

Create the secret:

$ kubectl create secret generic vault --from-literal=token=<vault token>
secret/vault created

The k8s-with-secret.yml manifest is already configured with the environment variable. Update your application:

$ kubectl apply -f k8s-with-secret.yml

Develop directly in Kubernetes

Now let's go ahead and integrate our code with Vault, directly in the cluster.

Launch your development environment

$ okteto up

When you launch a development environment in Okteto, it will inherit all the configurations of the original deployment, like the Vault API token we just added:

okteto> echo $VAULT_TOKEN

You'll notice that the code to get the secrets is already there. All you need to do to enable is to open main.go in your local IDE and update the helloServer function to call getVaultSecrets() instead.

func helloServer(w http.ResponseWriter, r *http.Request) {
	u, p, err := getHardcodedSecrets()
	if err != nil {
		fmt.Printf("error: %s\n", err)
		w.WriteHeader(500)
	}

	fmt.Fprint(w, "Hello world!\n")
	fmt.Fprintf(w, "Super secret username: %s\n", u)
	fmt.Fprintf(w, "Super secret password is: %s\n", p)
}

Go to your okteto terminal, and start the service:

okteto> go run main.go
Starting hello-world server..

Call the application again to see the changes:

$ curl https://hello-world-cindy.cloud.okteto.net
Hello world!
Super secret username: foobaruser
Super secret password is: foobarbazpass

Conclusion

In this guide we show you how you can integrate your application with a third-party service like Vault using Okteto and Okteto Cloud.

Being able to use the same configuration model as you have in production is one of the great advantages of using remote development environments. It helps you go faster, better understand your dependencies, and catch pesky integration bugs early in the cycle.

Visit https://okteto.com/docs to learn how Okteto and Okteto Cloud makes application development easier than ever.

About

Build a Go that consumes Vault secrets directly in Kubernetes with Okteto

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

7 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages