将 KOPS CA 密钥和证书存储在 Vault 中
Store KOPS CA key and certificate in Vault
我最近开始使用 KOPS 作为配置 Kubernetes 集群的工具,据我目前所见,它将它的 CA 密钥和证书存储在它的 S3 存储桶中,这很好。
但出于好奇,是否可以将这些存储在 Hashicorp Vault 中,而不是 s3?
But out curiosity, would it be possible to store these in Hashicorp Vault instead, as opposed to s3?
是的。用户 Matt Schuchard 在评论中提到:
Yes you can store them in the KV2 secrets engine, or use the PKI secrets engine to generate them instead.
有关详细信息,请查看此 kops documentation. The most interesting part should be Node authentication and configuration:
The vault store uses IAM auth to authenticate against the vault server and expects the vault auth plugin to be mounted on /aws.
Instructions for configuring your vault server to accept IAM authentication are at https://learn.hashicorp.com/vault/identity-access-management/iam-authentication
To configure kOps to use the Vault store, add this to the cluster spec:
spec:
secretStore: vault://<vault>:<port>/<kv2 mount>/clusters/<clustername>/secrets
keyStore: vault://<vault>:<port>/<kv2 mount>/clusters/<clustername>/keys
也看看这个hashicorp site。
我最近开始使用 KOPS 作为配置 Kubernetes 集群的工具,据我目前所见,它将它的 CA 密钥和证书存储在它的 S3 存储桶中,这很好。
但出于好奇,是否可以将这些存储在 Hashicorp Vault 中,而不是 s3?
But out curiosity, would it be possible to store these in Hashicorp Vault instead, as opposed to s3?
是的。用户 Matt Schuchard 在评论中提到:
Yes you can store them in the KV2 secrets engine, or use the PKI secrets engine to generate them instead.
有关详细信息,请查看此 kops documentation. The most interesting part should be Node authentication and configuration:
The vault store uses IAM auth to authenticate against the vault server and expects the vault auth plugin to be mounted on
/aws.Instructions for configuring your vault server to accept IAM authentication are at https://learn.hashicorp.com/vault/identity-access-management/iam-authentication
To configure kOps to use the Vault store, add this to the cluster spec:
spec:
secretStore: vault://<vault>:<port>/<kv2 mount>/clusters/<clustername>/secrets
keyStore: vault://<vault>:<port>/<kv2 mount>/clusters/<clustername>/keys
也看看这个hashicorp site。