
# Using HashiCorp Vault to store secrets in Yandex Managed Service for Kubernetes

[HashiCorp Vault](https://www.vaultproject.io/) is an open-source tool for securely storing and accessing different kinds of secrets, such as passwords, certificates, and tokens.

Configure secret storage and access within your Yandex Managed Service for Kubernetes cluster using [HashiCorp Vault with Key Management Service support](https://yandex.cloud/en/marketplace/products/yc/vault-yckms-k8s) from Yandex Cloud Marketplace.

This tutorial shows how to mount a secret from HashiCorp Vault using a [Container Storage Interface](https://kubernetes.io/docs/concepts/storage/volumes/#csi) (CSI) volume.

To set up access to a secret in a Managed Service for Kubernetes cluster using HashiCorp Vault:
1. [Get your cloud ready](#before-you-begin).
1. [Install HashiCorp Vault](#install-vault).
1. [Log in to HashiCorp Vault](#login-vault).
1. [Create a secret](#create-secret).
1. [Configure the Kubernetes authentication method](#kubernetes-authentication).
1. [Install the CSI driver for the secret vault](#install-sci).
1. [Create a SecretProviderClass resource](#create-resource).
1. [Create a pod with the secret mounted](#create-pod).

If you no longer need the resources you created, [delete them](#clear-out).


## Required paid resources {#paid-resources}

The support cost for this solution includes:

* Fee for using the master and outgoing traffic in a Managed Service for Kubernetes cluster (see [Managed Service for Kubernetes pricing](../../managed-kubernetes/pricing.md)).
* Fee for using computing resources, OS, and storage in cluster nodes (VMs) (see [Compute Cloud pricing](../../compute/pricing.md)).
* Fee for a public IP address assigned to cluster nodes (see [Virtual Private Cloud pricing](../../vpc/pricing.md#prices-public-ip)).
* Key Management Service fee for the number of active key versions (those with `Active` or `Scheduled For Destruction` status) and completed cryptographic operations (see [Key Management Service pricing](../../kms/pricing.md)).


## Get your cloud ready {#before-you-begin}

1. Create a Kubernetes [cluster](../../managed-kubernetes/concepts/index.md#kubernetes-cluster) and [node group](../../managed-kubernetes/concepts/index.md#node-group).

    {% list tabs group=instructions %}

    * Manually {#manual}

        1. If you do not have a [network](../../vpc/concepts/network.md#network) yet, [create one](../../vpc/operations/network-create.md).
        1. If you do not have any [subnets](../../vpc/concepts/network.md#subnet) yet, [create them](../../vpc/operations/subnet-create.md) in the [availability zones](../../overview/concepts/geo-scope.md) where the new Kubernetes cluster and node group will reside.
        1. [Create these service accounts](../../iam/operations/sa/create.md):

            * Service account with the `k8s.clusters.agent` and `vpc.publicAdmin` [roles](../../managed-kubernetes/security/index.md#yc-api) for the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) where you want to create a Kubernetes cluster. This service account will be used to create resources for your Kubernetes cluster.
            * Service account with the [container-registry.images.puller](../../container-registry/security/index.md#container-registry-images-puller) [role](../../iam/concepts/access-control/roles.md). Nodes will use this account to pull the required [Docker images](../../container-registry/concepts/docker-image.md) from the [registry](../../container-registry/concepts/registry.md).

            {% note tip %}

            You can use the same [service account](../../iam/concepts/users/service-accounts.md) to manage your Kubernetes cluster and its node groups.

            {% endnote %}

        1. [Create security groups](../../managed-kubernetes/operations/connect/security-groups.md) for the Managed Service for Kubernetes cluster and its node groups.

            {% note warning %}
            
            The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.
            
            {% endnote %}

        1. [Create a Kubernetes cluster](../../managed-kubernetes/operations/kubernetes-cluster/kubernetes-cluster-create.md) and [node group](../../managed-kubernetes/operations/node-group/node-group-create.md) with any suitable configuration. When creating, specify the preconfigured security groups.

    * Using Terraform {#tf}

        1. If you do not have Terraform yet, [install it](../infrastructure-management/terraform-quickstart.md#install-terraform).
        1. [Get the authentication credentials](../infrastructure-management/terraform-quickstart.md#get-credentials). You can add them to environment variables or specify them later in the provider configuration file.
        1. [Configure and initialize a provider](../infrastructure-management/terraform-quickstart.md#configure-provider). There is no need to create a provider configuration file manually; you can [download it](https://github.com/yandex-cloud-examples/yc-terraform-provider-settings/blob/main/provider.tf).
        1. Place the configuration file in a separate working directory and [specify the parameter values](../infrastructure-management/terraform-quickstart.md#configure-provider). If you did not add the authentication credentials to environment variables, specify them in the configuration file.

        1. Download the [k8s-cluster.tf](https://github.com/yandex-cloud-examples/yc-mk8s-cluster-infrastructure/blob/main/k8s-cluster.tf) cluster configuration file to the same working directory. This file describes:

            * [Network](../../vpc/concepts/network.md#network).
            * [Subnet](../../vpc/concepts/network.md#subnet).
            * Kubernetes cluster.
            * [Service account](../../iam/concepts/users/service-accounts.md) for the Managed Service for Kubernetes cluster and node group.
            * [Security groups](../../vpc/concepts/security-groups.md) which contain [rules](../../managed-kubernetes/operations/connect/security-groups.md) required for the Managed Service for Kubernetes cluster and its node groups.

                {% note warning %}
                
                The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.
                
                {% endnote %}

        1. In the `k8s-cluster.tf` file, specify the following:

            * [Folder ID](../../resource-manager/operations/folder/get-id.md).
            * Kubernetes version for the Kubernetes cluster and node groups.
            * Kubernetes cluster CIDR.
            * Name of the Managed Service for Kubernetes cluster service account.

        1. Validate your Terraform configuration files using this command:

            ```bash
            terraform validate
            ```

            Terraform will display any configuration errors detected in your files.

        1. Create the required infrastructure:

            1. Run this command to view the planned changes:
            
               ```bash
               terraform plan
               ```
            
               If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
            
            1. If everything looks correct, apply the changes:
               1. Run this command:
            
                  ```bash
                  terraform apply
                  ```
            
               1. Confirm updating the resources.
               1. Wait for the operation to complete.

            All the required resources will be created in the specified folder. You can check resource availability and their settings in the [management console](https://console.yandex.cloud).

    {% endlist %}

    {% note warning %}
    
    Do not change or delete Virtual Private Cloud resources used by the Managed Service for Kubernetes cluster. This may cause cluster errors or make it impossible to delete later.
    
    {% endnote %}

1. [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [configure it to work with the new cluster](../../managed-kubernetes/operations/connect/index.md#kubectl-connect).

## Install HashiCorp Vault {#install-vault}

Install HashiCorp Vault using Helm and initialize the vault by following [this guide](../../managed-kubernetes/operations/applications/hashicorp-vault.md). In the installation command, specify the `hcv` namespace and add extra parameters that disable the Vault Agent Injector (not used in this tutorial) and deploy the [Vault CSI provider](https://developer.hashicorp.com/vault/docs/platform/k8s/csi), which serves secrets to pods through the Secrets Store CSI driver installed later in this tutorial:

```bash
--namespace hcv \
--set "injector.enabled=false" \
--set "csi.enabled=true"
```

## Log in to HashiCorp Vault {#login-vault}

1. Start an interactive shell session in the `hashicorp-vault-0` pod, where the `vault` CLI is available:

    ```bash
    kubectl exec -it hashicorp-vault-0 \
       --namespace hcv \
       -- /bin/sh
    ```

1. [Unseal](https://www.vaultproject.io/docs/concepts/seal#why) the vault:

    ```bash
    vault operator unseal
    ```

    Enter one of the recovery keys you got during [vault initialization](../../managed-kubernetes/operations/applications/hashicorp-vault.md#vault-init).

1. Log in to HashiCorp Vault with the root token:

    ```bash
    vault login
    ```

    Enter the root token (`Initial Root Token`) you got during vault initialization.

## Create a secret {#create-secret}

1. Enable the `kv` secrets engine at the `secret` path:

    ```bash
    vault secrets enable -path=secret kv
    ```

1. Create a secret at `secret/db-pass` with a `password` key (the value below is a placeholder for this tutorial; use a real password in practice):

    ```bash
    vault kv put secret/db-pass password="12345678"
    ```

1. Make sure the secret is available for reading at `secret/db-pass`:

    ```bash
    vault kv get secret/db-pass
    ```

    Result:

    ```text
    ====== Data ======
    Key         Value
    ---         -----
    password    12345678
    ```

## Configure the Kubernetes authentication method {#kubernetes-authentication}

This method allows pods to authenticate with a Kubernetes service account token: Vault validates the token through the Kubernetes TokenReview API and maps the service account to a Vault role and its policies.

1. Enable the Kubernetes authentication method:

    ```bash
    vault auth enable kubernetes
    ```

1. Configure authentication using the Kubernetes API address:

    ```bash
    vault write auth/kubernetes/config \
       kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
    ```

    The `KUBERNETES_PORT_443_TCP_ADDR` environment variable is set by Kubernetes in every pod and holds the cluster IP of the `kubernetes` service, i.e. the in-cluster address of the Kubernetes API server that Vault will use to validate service account tokens.

1. Create a policy named `internal-app` that will allow the Kubernetes service account to read only the secret you created. The path matches the kv version 1 engine enabled above; if you enable kv version 2 instead, the read path becomes `secret/data/db-pass` and the policy, as well as the `secretPath` in the `SecretProviderClass` below, must use that path:

    ```bash
    vault policy write internal-app - <<EOF
    path "secret/db-pass" {
      capabilities = ["read"]
    }
    EOF
    ```

1. Create the `database` role that will associate the `internal-app` policy with the Kubernetes `webapp-sa` service account (you will create it later):

    ```bash
    vault write auth/kubernetes/role/database \
       bound_service_account_names=webapp-sa \
       bound_service_account_namespaces=hcv \
       policies=internal-app \
       ttl=20m
    ```

    Tokens returned upon authentication are valid for 20 minutes.

1. Exit HashiCorp Vault:

    ```bash
    exit
    ```
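The steps above configure what the Vault CSI provider does on the pod's behalf: it presents the pod's service account JWT to `auth/kubernetes/login` for the `database` role, receives a client token carrying the `internal-app` policy, and reads the kv path with that token. The following Python script reproduces that exchange with Vault's HTTP API so you can debug a failing mount from inside a pod. It is an added example for this tutorial, not code from the Yandex Cloud page or the Vault project. The Vault address and the in-pod token file path are assumptions; the HTTP transport is injectable, and the `fake_vault` stand-in with its responses is constructed here so the functions can be exercised offline.

```python
"""Reproduce the Kubernetes-auth login and kv read that the Vault CSI provider performs.

Added example (not from the Yandex Cloud page or the Vault project). Uses Vault's
documented HTTP API: POST /v1/auth/kubernetes/login, then GET /v1/<mount>/<path>.
"""
import json
import urllib.request
from typing import Callable, Optional

VAULT_ADDR = "http://hashicorp-vault.hcv:8200"          # assumption: in-cluster Vault service
SA_TOKEN_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # assumption: default SA token path

# transport(method, url, json_body_or_None, headers) -> decoded JSON response
Transport = Callable[[str, str, Optional[dict], dict], dict]


def http_json(method: str, url: str, body: Optional[dict], headers: dict) -> dict:
    """Real transport: send a JSON request to Vault and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def kubernetes_login(role: str, jwt: str, addr: str = VAULT_ADDR,
                     transport: Transport = http_json) -> str:
    """Exchange a Kubernetes service account JWT for a Vault client token bound to `role`."""
    resp = transport("POST", f"{addr}/v1/auth/kubernetes/login",
                     {"role": role, "jwt": jwt}, {})
    if "errors" in resp:                       # Vault reports denials as {"errors": [...]}
        raise PermissionError("; ".join(resp["errors"]))
    return resp["auth"]["client_token"]


def kv_api_path(mount: str, path: str, kv_version: int) -> str:
    """kv v1 reads <mount>/<path>; kv v2 inserts 'data/'. The ACL policy must grant read
    on exactly this path, which is why a v2 mount breaks the `internal-app` policy above."""
    if kv_version == 1:
        return f"{mount}/{path}"
    return f"{mount}/data/{path}"


def read_kv(token: str, mount: str, path: str, kv_version: int = 1,
            addr: str = VAULT_ADDR, transport: Transport = http_json) -> dict:
    """Read a kv secret with the client token; kv v2 nests the key/value pairs one level deeper."""
    api_path = kv_api_path(mount, path, kv_version)
    resp = transport("GET", f"{addr}/v1/{api_path}", None, {"X-Vault-Token": token})
    if "errors" in resp:
        raise PermissionError("; ".join(resp["errors"]))
    return resp["data"] if kv_version == 1 else resp["data"]["data"]


# --- constructed stand-in for Vault, used for offline runs; responses are made up ---
FAKE_TOKEN = "hvs.constructed-client-token"


def fake_vault(method: str, url: str, body: Optional[dict], headers: dict) -> dict:
    """Only role 'database' may log in, and only its token may read secret/db-pass (kv v1 path)."""
    if method == "POST" and url.endswith("/v1/auth/kubernetes/login"):
        if body.get("role") == "database" and body.get("jwt"):
            return {"auth": {"client_token": FAKE_TOKEN,
                             "policies": ["default", "internal-app"],
                             "lease_duration": 1200}}        # ttl=20m from the role
        return {"errors": ['invalid role name "%s"' % body.get("role")]}
    if method == "GET" and url.endswith("/v1/secret/db-pass"):
        if headers.get("X-Vault-Token") == FAKE_TOKEN:
            return {"data": {"password": "12345678"}}
    return {"errors": ["permission denied"]}   # anything outside the policy, e.g. a kv v2 path


if __name__ == "__main__":
    # Inside the webapp pod this performs the real exchange against Vault.
    with open(SA_TOKEN_FILE) as f:
        client_token = kubernetes_login("database", f.read().strip())
    print(read_kv(client_token, "secret", "db-pass")["password"])
```

Run it inside a pod that uses the `webapp-sa` service account in the `hcv` namespace; a `PermissionError` from `kubernetes_login` points at the role binding (service account name or namespace), while one from `read_kv` points at the policy path or the kv engine version.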

## Install the CSI driver for the secret vault {#install-sci}

1. Add the `secrets-store-csi-driver` Helm repository:

    ```bash
    helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
    ```

1. Install the CSI driver (`syncSecret.enabled=true` additionally lets the driver mirror mounted content into Kubernetes `Secret` objects, which this tutorial does not use):

    ```bash
    helm install csi secrets-store-csi-driver/secrets-store-csi-driver \
       --namespace=hcv \
       --set syncSecret.enabled=true
    ```

1. Make sure the driver is running and ready:

    ```bash
    kubectl get pods -n hcv -l "app=secrets-store-csi-driver"
    ```

    Result:

    ```text
    NAME                                 READY   STATUS    RESTARTS   AGE
    csi-secrets-store-csi-driver-nbxcd   3/3     Running   0          4m28s
    ```

## Create a SecretProviderClass resource {#create-resource}

1. Create a file named `spc-vault-database.yaml` with settings for the CSI provider. `vaultAddress` is the in-cluster address of the Vault service in the `hcv` namespace; because it uses `http://`, the provider's requests to Vault, including the secret values returned, are not encrypted in transit inside the cluster. `roleName` must match the Vault role created earlier, and `secretPath` must be a path the `internal-app` policy allows reading:

    {% cut "spc-vault-database.yaml" %}

    ```yaml
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: vault-database
    spec:
      provider: vault
      parameters:
        vaultAddress: "http://hashicorp-vault.hcv:8200"
        roleName: "database"
        objects: |
          - objectName: "db-password"
            secretPath: "secret/db-pass"
            secretKey: "password"
    ```

    {% endcut %}

1. Create the `SecretProviderClass` resource:

    ```bash
    kubectl apply -f spc-vault-database.yaml -n hcv
    ```

## Create a pod with the secret mounted {#create-pod}

1. Create a service account named `webapp-sa` in the `hcv` namespace (the name and namespace the `database` role is bound to):

    ```bash
    kubectl create serviceaccount webapp-sa \
       --namespace hcv
    ```

1. Create a file named `webapp-pod.yaml` containing the `webapp` pod configuration:

    {% cut "webapp-pod.yaml" %}

    ```yaml
    kind: Pod
    apiVersion: v1
    metadata:
      name: webapp
    spec:
      serviceAccountName: webapp-sa
      containers:
      - image: jweissig/app:0.0.1
        name: webapp
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "vault-database"
    ```

    {% endcut %}

1. Create a pod named `webapp`:

    ```bash
    kubectl apply -f webapp-pod.yaml -n hcv
    ```

1. Make sure the `webapp` pod is running and ready:

    ```bash
    kubectl get pod webapp -n hcv
    ```

    Result:

    ```text
    NAME     READY   STATUS    RESTARTS   AGE
    webapp   1/1     Running   0          5m25s
    ```

1. Display the secret password stored at `/mnt/secrets-store/db-password` in the file system:

    ```bash
    kubectl exec webapp -n hcv -- cat /mnt/secrets-store/db-password
    ```

    Result:

    ```text
    12345678
    ```
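The mount only works when four objects agree: the Vault role's bound service account name and namespace, the policy's path, the `SecretProviderClass` (`roleName`, `objects`) and the pod (`serviceAccountName`, the `secretProviderClass` it references). A mismatch in any of them shows up as an empty mount or a `permission denied` error from the CSI provider. The script below checks that agreement before you apply anything. It is an added example for this tutorial, not code from the Yandex Cloud page or the Vault project; the inputs are the values this tutorial creates, embedded as Python data (the `objects` field stays the string form the resource uses and is parsed by a small helper that handles only that flat `- key: "value"` layout).

```python
"""Check that the Vault role, policy, SecretProviderClass and pod agree with each other.

Added example (not from the Yandex Cloud page or the Vault project). Inputs below
are the tutorial's own values, embedded here so the check runs offline.
"""
from typing import List

# Vault side: `vault write auth/kubernetes/role/database ...` and the internal-app policy
ROLE = {
    "name": "database",
    "bound_service_account_names": ["webapp-sa"],
    "bound_service_account_namespaces": ["hcv"],
    "policies": ["internal-app"],
}
POLICY_READ_PATHS = {"secret/db-pass"}

# Kubernetes side: the two manifests applied in namespace hcv
SPC = {
    "metadata": {"name": "vault-database"},
    "spec": {"provider": "vault", "parameters": {
        "vaultAddress": "http://hashicorp-vault.hcv:8200",
        "roleName": "database",
        "objects": '- objectName: "db-password"\n'
                   '  secretPath: "secret/db-pass"\n'
                   '  secretKey: "password"\n',
    }},
}
POD = {
    "metadata": {"name": "webapp"},
    "spec": {"serviceAccountName": "webapp-sa", "volumes": [
        {"name": "secrets-store-inline", "csi": {
            "driver": "secrets-store.csi.k8s.io", "readOnly": True,
            "volumeAttributes": {"secretProviderClass": "vault-database"}}}]},
}


def parse_objects(block: str) -> List[dict]:
    """Parse the flat `- key: "value"` list used in the SPC objects field (no nesting)."""
    items: List[dict] = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):          # a new list item starts here
            items.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        items[-1][key.strip()] = value.strip().strip('"')
    return items


def check_binding(role: dict, policy_paths: set, spc: dict, pod: dict, namespace: str) -> List[str]:
    """Return mismatches; an empty list means the pod can log in and read every object."""
    problems = []
    params = spc["spec"]["parameters"]
    sa = pod["spec"].get("serviceAccountName", "default")   # pods default to the 'default' SA
    if sa not in role["bound_service_account_names"]:
        problems.append(f"pod runs as {sa!r}, role binds {role['bound_service_account_names']}")
    if namespace not in role["bound_service_account_namespaces"]:
        problems.append(f"pod namespace {namespace!r} not in {role['bound_service_account_namespaces']}")
    if params["roleName"] != role["name"]:
        problems.append(f"SPC roleName {params['roleName']!r} != Vault role {role['name']!r}")
    csi_volumes = [v["csi"] for v in pod["spec"].get("volumes", [])
                   if v.get("csi", {}).get("driver") == "secrets-store.csi.k8s.io"]
    if not csi_volumes:
        problems.append("pod has no secrets-store.csi.k8s.io volume")
    for csi in csi_volumes:
        ref = csi["volumeAttributes"]["secretProviderClass"]
        if ref != spc["metadata"]["name"]:
            problems.append(f"pod references SecretProviderClass {ref!r}, found {spc['metadata']['name']!r}")
    for obj in parse_objects(params["objects"]):
        if obj["secretPath"] not in policy_paths:   # e.g. policy on secret/db-pass but kv v2 path
            problems.append(f"policy grants no read on {obj['secretPath']!r} (object {obj['objectName']!r})")
    return problems


if __name__ == "__main__":
    for line in check_binding(ROLE, POLICY_READ_PATHS, SPC, POD, "hcv") or ["ok: all bindings agree"]:
        print(line)
```

The check is deliberately strict about the namespace: `bound_service_account_namespaces=hcv` in the role means the same `webapp-sa` name in another namespace is rejected by Vault, which is the usual cause when a pod copied to a different namespace stops receiving the secret.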

## Delete the resources you created {#clear-out}

Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them.

{% list tabs group=instructions %}

* Manually {#manual}

    1. [Delete the Kubernetes cluster](../../managed-kubernetes/operations/kubernetes-cluster/kubernetes-cluster-delete.md).
    1. [Delete the security groups](../../vpc/operations/security-group-delete.md).
    1. [Delete the subnet](../../vpc/operations/subnet-delete.md) and [network](../../vpc/operations/network-delete.md).
    1. [Delete the service accounts](../../iam/operations/sa/delete.md).
    1. [Delete the symmetric encryption key](../../kms/operations/key.md#delete).

* Using Terraform {#tf}

    1. In the terminal window, go to the directory containing the infrastructure plan.
    
        {% note warning %}
    
        Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.
    
        {% endnote %}
    
    1. Delete resources:
    
        1. Run this command:
    
            ```bash
            terraform destroy
            ```
    
        1. Confirm deleting the resources and wait for the operation to complete.
    
        All the resources described in the Terraform manifests will be deleted.

{% endlist %}

## See also {#see-also}

* [HashiCorp Vault documentation](https://developer.hashicorp.com/vault/docs?product_intent=vault)
* [Installing HashiCorp Vault with Key Management Service support](../../managed-kubernetes/operations/applications/hashicorp-vault.md)
* [Installing the External Secrets Operator with Yandex Lockbox support](../../managed-kubernetes/operations/applications/external-secrets-operator.md)
* [Syncing with Yandex Lockbox secrets](../../managed-kubernetes/tutorials/kubernetes-lockbox-secrets.md)