# Tokens from Vault via CSI driver

This tutorial shows how to install Botkube so that it takes its Slack tokens from a Vault instance, delivered to the Pod through the Secrets Store CSI driver.
## Prerequisites

- A Kubernetes cluster that supports CSI. For example, to run K3s using Lima, run:

  ```bash
  limactl start template://k3s
  ```

- `helm` v3 installed.
- `kubectl` installed.
## Steps

These steps guide you through installing Botkube and Vault on a Kubernetes cluster and configuring them to work together.
1. Install Vault with CSI enabled:

   ```bash
   helm repo add hashicorp https://helm.releases.hashicorp.com
   helm repo update
   helm install vault hashicorp/vault --namespace default \
     --set "server.dev.enabled=true" \
     --set "injector.enabled=false" \
     --set "csi.enabled=true"
   ```

2. Add the Slack tokens in Vault:

   ```bash
   # Exec to pod
   kubectl exec -n default -it vault-0 -- /bin/sh

   # Write the tokens to Vault
   vault kv put -mount=secret slack-app-token token=xapp-...
   vault kv put -mount=secret slack-bot-token token=xoxb-...
   ```

3. Enable Vault's Kubernetes authentication, create a read-only policy for the two token paths, and bind it to the Botkube service account:

   ```bash
   vault auth enable kubernetes
   vault write auth/kubernetes/config \
     kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"

   vault policy write internal-app - <<EOF
   path "secret/data/slack-app-token" {
     capabilities = ["read"]
   }
   path "secret/data/slack-bot-token" {
     capabilities = ["read"]
   }
   EOF

   vault write auth/kubernetes/role/database \
     bound_service_account_names=botkube-sa \
     bound_service_account_namespaces=default \
     policies=internal-app \
     ttl=20m

   # Exit from the Vault Pod
   exit
   ```

4. Install the Secrets Store CSI driver:

   ```bash
   helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
   helm install csi secrets-store-csi-driver/secrets-store-csi-driver \
     --namespace default \
     --set syncSecret.enabled=true
   ```

5. Create the Botkube installation parameters:

   ```bash
   cat > /tmp/values.yaml << ENDOFFILE
   extraObjects:
     - apiVersion: secrets-store.csi.x-k8s.io/v1
       kind: SecretProviderClass
       metadata:
         name: vault-database
       spec:
         provider: vault
         parameters:
           roleName: "database"
           vaultAddress: "http://vault.default:8200"
           objects: |
             - objectName: "slack-app-token"
               secretPath: "secret/data/slack-app-token"
               secretKey: "token"
             - objectName: "slack-bot-token"
               secretPath: "secret/data/slack-bot-token"
               secretKey: "token"
         secretObjects:
           - secretName: communication-slack
             type: Opaque
             data:
               - objectName: "slack-app-token"
                 key: "slack-app-token"
               - objectName: "slack-bot-token"
                 key: "slack-bot-token"

   communications:
     'default-group':
       # Settings for SocketSlack
       socketSlack:
         enabled: true
         channels: {} # configure your channels
         # botToken - specified via env variable
         # appToken - specified via env variable

   extraEnv:
     - name: BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_APP__TOKEN
       valueFrom:
         secretKeyRef:
           name: communication-slack
           key: slack-app-token
     - name: BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_BOT__TOKEN
       valueFrom:
         secretKeyRef:
           name: communication-slack
           key: slack-bot-token

   extraVolumeMounts:
     - name: secrets-store-inline
       mountPath: "/mnt/secrets-store"
       readOnly: true

   extraVolumes:
     - name: secrets-store-inline
       csi:
         driver: secrets-store.csi.k8s.io
         readOnly: true
         volumeAttributes:
           secretProviderClass: "vault-database"
   ENDOFFILE
   ```

6. Install Botkube:

   Note: you need to clone the https://github.com/kubeshop/botkube repository first.

   ```bash
   helm install botkube --namespace default \
     -f /tmp/values.yaml \
     ./helm/botkube
   ```
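The `extraEnv` variable names are the only link between the Secret the CSI driver syncs and Botkube's `socketSlack.appToken` and `botToken` fields, and neither Helm nor the CSI driver validates them. As an added example (not Botkube's own code; the mapping rule, single `_` for nesting and `__` as a camelCase boundary, is an assumption inferred from the names in the values file), a Python check that derives the config path from each variable name and verifies it against the declared communication group and the keys the SecretProviderClass actually syncs:

```python
import re

# Added example, not Botkube project code. Assumed mapping rule (inferred from
# the names in the tutorial): "_" separates nesting levels and "__" marks a
# camelCase boundary, so SOCKET__SLACK -> socketSlack, APP__TOKEN -> appToken.


def env_to_path(name: str) -> list[str]:
    """BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_APP__TOKEN ->
    ['communications', 'default-group', 'socketSlack', 'appToken']"""
    if not name.startswith("BOTKUBE_"):
        raise ValueError(f"not a Botkube variable: {name}")
    path = []
    for level in re.split(r"(?<!_)_(?!_)", name[len("BOTKUBE_"):]):
        head, *rest = level.split("__")
        path.append(head.lower() + "".join(p.capitalize() for p in rest))
    return path


# Constructed from the values.yaml in this tutorial: the Secret synced by the
# SecretProviderClass, the declared communication groups, and extraEnv.
SYNCED_SECRET = {"name": "communication-slack",
                 "keys": {"slack-app-token", "slack-bot-token"}}
COMM_GROUPS = {"default-group": {"socketSlack"}}
EXTRA_ENV = [
    {"name": "BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_APP__TOKEN",
     "secretKeyRef": {"name": "communication-slack", "key": "slack-app-token"}},
    {"name": "BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_BOT__TOKEN",
     "secretKeyRef": {"name": "communication-slack", "key": "slack-bot-token"}},
]


def check_env_wiring(extra_env, comm_groups, synced) -> list[str]:
    """Return problems; empty means every token variable targets a declared
    communication block and reads a key the CSI driver really syncs."""
    problems = []
    for env in extra_env:
        path = env_to_path(env["name"])
        if (len(path) != 4 or path[0] != "communications"
                or path[3] not in ("appToken", "botToken")):
            problems.append(f"{env['name']}: does not address a Slack token field")
        elif path[2] not in comm_groups.get(path[1], set()):
            problems.append(f"{env['name']}: no {path[2]} block under "
                            f"communications.{path[1]}")
        ref = env["secretKeyRef"]
        if ref["name"] != synced["name"] or ref["key"] not in synced["keys"]:
            problems.append(f"{env['name']}: {ref['name']}/{ref['key']} is not "
                            "a key synced by the SecretProviderClass")
    return problems
```

Run it against your own values file before `helm install`; a misspelled variable name or secret key shows up here instead of as a bot that silently never connects to Slack.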