Configure Vault Integration

Configure Armory Agent integration with Vault.

Proprietary

Before you begin

  • This guide is for experienced Kubernetes and Armory Enterprise users.
  • You have read the Armory Agent overview.

Authenticate Agent with Vault

The Armory Agent is compatible with properties Armory Enterprise uses for storing secrets in HashiCorp Vault. You put configuration in kubesvc.yaml in the secrets.vault.* section. You refer to Vault secrets using the same syntax you use in configuring secrets for Armory Enterprise. See the Referencing Secrets section for details.

This is an example of what the Kubernetes service account configuration looks like in Agent, using an encryptedFile: reference for kubeconfigFile:

# ./kubesvc.yaml
kubernetes:
  accounts:
    - name: account01
      kubeconfigFile: encryptedFile:vault!e:secret!p:spinnaker/kubernetes!k:config

secrets:
  vault:
    enabled: true
    authMethod: KUBERNETES
    url: https://your.vault.instance
    role: spinnaker
    path: kubernetes

Dynamically load accounts from Vault

This requires you to install the Vault Injector Sidecar.

The Armory Agent detects changes in the configuration file and manages new accounts that it finds. This makes it possible to use a sidecar for adding and removing accounts dynamically instead of having a static ConfigMap. The Vault guide specifies the following syntax:

vault kv put secret/kubernetes account01=@kubeconfig.yaml

  • Keep kubeconfig files in one Vault secret (in this case secret/kubernetes).
  • Each field name corresponds to an account name in Armory Enterprise.
  • Each field value is the contents of the kubeconfigFile used by that account.

Configuration template

Replace the configuration files and kubeconfig files from the Armory Agent for Kubernetes Installation guide and instead use Vault injector annotations to provide a template.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: spin-kubesvc
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-kubesvc-local.yml: ""
        vault.hashicorp.com/secret-volume-path-kubesvc-local.yml: '/opt/spinnaker/config'
        vault.hashicorp.com/agent-inject-file-kubesvc-local.yml: 'kubesvc-local.yml'
        vault.hashicorp.com/agent-inject-template-kubesvc-local.yml: |
          kubernetes:
            accounts:
          {{- with secret "secret/kubernetes" -}}
          {{ range $k, $v := .Data.data }}
              - kubeconfigFile: 'encryptedFile:vault!e:secret!n:kubernetes!k:{{ $k }}'
                name: {{ $k -}}
          {{- else }}
              []
          {{ end -}}
          {{- end }}
          secrets:
            vault:
              enabled: true
              authMethod: KUBERNETES
              role:
              path:
              url:
          clouddriver:
            insecure: true
    spec:
      volumes:
        - $patch: delete
          name: volume-kubesvc-config
        - $patch: delete
          name: volume-kubesvc-kubeconfigs
      containers:
        - name: kubesvc
          volumeMounts:
            - $patch: delete
              name: volume-kubesvc-config
              mountPath: /opt/spinnaker/config
            - $patch: delete
              name: volume-kubesvc-kubeconfigs
              mountPath: /kubeconfigfiles
  • Make sure to include the required Vault injector annotations like vault.hashicorp.com/role or vault.hashicorp.com/agent-configmap that correspond to your environment.
  • Be aware of the version of Vault’s KV engine currently in your environment. This guide assumes you have the secret engine KV version 2. For KV version 1, you need to modify the template to use {{ range $k, $v := .Data }} instead. See the Templating Language’s Versioned Read section for more information.
  • This template expects secret/kubernetes to hold the kubeconfig files. If that is not the case in your environment, make sure to replace both line 16 (the with secret "secret/kubernetes" lookup) and line 18 (the !n:kubernetes part of the encryptedFile reference) of the template.
  • Make sure to include all other Agent Options that you require in your environment.
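As an added illustration, not part of the Armory docs or of the Vault Agent's own code, the following Go program renders the accounts part of the template above with Go's text/template against constructed KV v1 and KV v2 responses, so you can see what the agent-inject template produces and why the accessor must match the KV engine version. The Secret type and the secret function are a minimal stand-in for the Vault Agent's; the program does not reproduce the Agent's own error messages quoted under Troubleshooting.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

type M = map[string]interface{}

// Secret mirrors what the Vault Agent's `secret` template function hands back:
// the "data" object of the Vault API response (assumed minimal stand-in).
type Secret struct{ Data M }

// Constructed sample responses; the values stand in for kubeconfig contents.
// KV v2 nests the fields under "data" beside "metadata"; KV v1 returns them directly.
var KVv2 = M{"data": M{"account01": "<kubeconfig>", "account02": "<kubeconfig>"}, "metadata": M{"version": 3}}
var KVv1 = M{"account01": "<kubeconfig>", "account02": "<kubeconfig>"}

// accountsTemplate is the accounts part of the agent-inject template above;
// %s is filled with ".Data.data" (KV v2) or ".Data" (KV v1).
const accountsTemplate = `kubernetes:
  accounts:
{{- with secret "secret/kubernetes" -}}
{{ range $k, $v := %s }}
    - kubeconfigFile: 'encryptedFile:vault!e:secret!n:kubernetes!k:{{ $k }}'
      name: {{ $k -}}
{{- else }}
    []
{{ end -}}
{{- end }}
`

// Render expands the template with Go's text/template (which the Vault Agent builds on)
// against an in-memory secret; a wrong accessor yields bogus or empty accounts, not an error.
func Render(accessor string, resp M) (string, error) {
	funcs := template.FuncMap{"secret": func(path string) (*Secret, error) {
		if path != "secret/kubernetes" {
			return nil, fmt.Errorf("no secret exists at %s", path)
		}
		return &Secret{Data: resp}, nil
	}}
	t, err := template.New("kubesvc").Funcs(funcs).Parse(fmt.Sprintf(accountsTemplate, accessor))
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, nil)
	return out.String(), err
}
```

Rendering ".Data" against a KV v2 response produces accounts named data and metadata, which is consistent with the "error fetching key "data"" message in Troubleshooting; ".Data.data" against KV v1 produces an empty account list in this simulation.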

After addressing the preceding points, save the template as armory-agent-vault-patch.yaml and refer to it in your kustomization.yaml:

# ./kustomization.yaml
# Pre-existing SpinnakerService resource (may be different)
namespace: spinnaker
resources:
  - spinnakerservice.yaml
bases:
# Armory agent deployment
  - armory-agent

patchesStrategicMerge:
  - armory-agent-vault-patch.yaml

Troubleshooting

Agent deployment is not appearing / There are no spin-kubesvc pods

  • Check the following commands for any error or warning message:
    • kubectl describe deploy spin-kubesvc | sed -ne '/^Events:$/,$p'
    • kubectl describe rs -l cluster=spin-kubesvc | sed -ne '/^Events:$/,$p'
  • Error message: Error creating: admission webhook "vault.hashicorp.com" denied the request: error validating agent configuration: no Vault role found:
    • Make sure armory-agent-vault-patch.yaml includes the vault.hashicorp.com/role annotation with the Vault role that corresponds to your environment.

Agent gets stuck in status Init

  • Check for logs of the injector with the following command: kubectl logs deploy/spin-kubesvc -c vault-agent-init.
  • Error message: [WARN] (view) vault.read(secret/kubernetes): no secret exists at secret/data/kubernetes (retry attempt 1 after "250ms"):
    • Make sure to update the reference in armory-agent-vault-patch.yaml to a secret that is accessible in your environment.

Agent is in Crash loop back off

  • Check for logs of kubesvc with the following command: kubectl logs deploy/spin-kubesvc -c kubesvc.
  • Error message: Error registering vault config: vault configuration error:
    • Make sure to update armory-agent-vault-patch.yaml to include the properties secrets.vault.* that correspond to your environment.
  • Error message: failed to load configuration: error fetching key "data":
    • Your Vault KV engine is using version 2. Make sure the template in armory-agent-vault-patch.yaml is using {{ range $k, $v := .Data.data }}.

Agent registers with 0 servers

  • Check for logs of the Vault injector with the following command: kubectl logs -f deploy/spin-kubesvc -c vault-agent.
  • Error message: missing dependency: vault.read(secret/kubernetes):
    • Your Vault KV engine is using version 1. Make sure the template in armory-agent-vault-patch.yaml is using {{ range $k, $v := .Data }}.

Last modified July 20, 2021: (971b962)