Set up a secret in Vault for Portworx Volume Encryption
Prerequisites:
Follow the steps in the Vault setup page to set up Vault and prepare your Portworx cluster to use Vault as its secrets provider.
- On the Vault UI, under Secrets, select Enable new engine +.
- Select KV and select Next.
- Under Path, enter the mount path for the engine (kv in this example), keep Version as 2, and select Enable Engine.
Let's say you want to give Portworx access to a specific path, kv/portworx/alpha, where the secrets will be stored.
- Create a secret under the path kv/portworx/alpha, for example test-secret or pxvolsecret, and give it key-value pairs, for example the key foo with the value mysecret.
- Create a secret named px-vault in Kubernetes containing the Vault server address, the Vault token and the backend path (kv/portworx/alpha), each base64-encoded as follows:
echo -n https://70.0.0.1:8200 | base64
echo -n abcd123456789123456 | base64
echo -n kv/portworx/alpha | base64
apiVersion: v1
kind: Secret
metadata:
  name: px-vault
  namespace: kube-system
type: Opaque
data:
  VAULT_ADDR: aHR0cDovLzcwLjAuNzEuMTE6ODIwMA==
  VAULT_TOKEN: cy54MjF5d3VGY1Y4OGlHeFRTejh1QzVPNE8=
  VAULT_BACKEND_PATH: a3YvcG9ydHdvcngvYWxwaGE=
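The following shell script is an added example, not code from the page or from Portworx: it generates the px-vault manifest from plain values (so no hand-run base64 step is needed), decodes the fields back out to confirm the encoding round-trips, and checks that VAULT_ADDR uses https, because the VAULT_TOKEN stored in this Secret is presented to Vault by every restarted node and a plain http:// endpoint would send it in the clear (note that the sample VAULT_ADDR value above decodes to http://70.0.71.11:8200). It assumes GNU coreutils base64 (the -d flag); the address, token and path values in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Portworx documentation.
# Assumes GNU coreutils base64 (-d to decode); addresses and tokens used
# with these functions are placeholders you substitute for your own.

# Encode one value as a single base64 line (no wrapping, no trailing newline).
px_vault_b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit a px-vault Secret manifest for the given Vault address, token and
# KV backend path, mirroring the manifest layout used in the page.
px_vault_manifest() {
  addr="$1"; token="$2"; path="$3"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: px-vault\n  namespace: kube-system\ntype: Opaque\ndata:\n  VAULT_ADDR: %s\n  VAULT_TOKEN: %s\n  VAULT_BACKEND_PATH: %s\n' \
    "$(px_vault_b64 "$addr")" \
    "$(px_vault_b64 "$token")" \
    "$(px_vault_b64 "$path")"
}

# Decode one data field back out of a manifest produced above, so the
# values can be verified before the Secret is applied to the cluster.
px_vault_field() {
  manifest="$1"; key="$2"
  printf '%s\n' "$manifest" | sed -n "s/^  $key: //p" | base64 -d
}

# Return 0 only when the manifest's VAULT_ADDR uses TLS. With a plain
# http:// endpoint the Vault token would cross the network unencrypted.
px_vault_manifest_uses_tls() {
  case "$(px_vault_field "$1" VAULT_ADDR)" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Generate a manifest and refuse to print it unless the endpoint is TLS.
# Usage: px_vault_manifest_checked ADDR TOKEN BACKEND_PATH | kubectl apply -f -
px_vault_manifest_checked() {
  m=$(px_vault_manifest "$1" "$2" "$3")
  if ! px_vault_manifest_uses_tls "$m"; then
    echo "refusing: VAULT_ADDR is not https://" >&2
    return 1
  fi
  printf '%s\n' "$m"
}
```

Piping px_vault_manifest_checked into kubectl apply -f - replaces the manual echo | base64 steps and stops a plaintext Vault address from ever reaching the cluster; px_vault_field is useful afterwards for reading the applied values back and confirming the backend path matches the policy granted to the token.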
- If the Portworx DaemonSet is already configured to use Vault, you only need to restart the Portworx service so that it picks up the new credentials:
kubectl label nodes --all px/service=restart
- This restarts Portworx on all nodes and makes every node aware of the Vault credentials stored in the Kubernetes secret px-vault.
- Create a secure volume using the secret stored in Vault, either directly with pxctl or via a Kubernetes object, as follows:
Per-key encrypted volumes can be created as follows:
/opt/pwx/bin/pxctl volume create --secure --secret_key test-secret securevolume1
Cluster-wide key encrypted volumes require you to first set the Vault secret as the cluster-wide key; secure/encrypted volumes can then be created without specifying the key:
/opt/pwx/bin/pxctl secrets set-cluster-key --secret test-secret
/opt/pwx/bin/pxctl volume create --secure securevolume2
For the Kubernetes object method, refer to Encrypting Kubernetes PVCs with Vault.