Version: 1.12

Tokens from Vault via CSI driver

info

This document applies only to self-hosted installations. For Botkube Cloud installations, the Botkube Agent configuration, along with all secrets, is managed via the Botkube Cloud dashboard.

This tutorial shows how to install Botkube so that it takes its configuration from a Vault instance.

Prerequisites

Steps

These steps guide you through installing Botkube and Vault on a Kubernetes cluster and configuring them to work together.

  1. Install Vault with the CSI provider enabled:

    helm repo add hashicorp https://helm.releases.hashicorp.com
    helm repo update
    # server.dev.enabled runs Vault in dev mode (in-memory storage, auto-unsealed):
    # suitable for trying this out, not for a production cluster
    helm install vault hashicorp/vault --namespace default \
      --set "server.dev.enabled=true" \
      --set "injector.enabled=false" \
      --set "csi.enabled=true"
  2. Add the Slack tokens to Vault:

    # Open a shell in the Vault pod
    kubectl exec -n default -it vault-0 -- /bin/sh
    # Write the tokens to the KV v2 "secret" mount (enabled by default in dev mode)
    vault kv put -mount=secret slack-app-token token=xapp-...
    vault kv put -mount=secret slack-bot-token token=xoxb-...
  3. Enable Vault's Kubernetes authentication and create a policy and role for Botkube:

    vault auth enable kubernetes
    vault write auth/kubernetes/config \
      kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
    # Read-only policy limited to the two token paths (KV v2 data paths)
    vault policy write internal-app - <<EOF
    path "secret/data/slack-app-token" {
      capabilities = ["read"]
    }
    path "secret/data/slack-bot-token" {
      capabilities = ["read"]
    }
    EOF
    # Role bound to the Botkube service account in the default namespace
    vault write auth/kubernetes/role/database \
      bound_service_account_names=botkube-sa \
      bound_service_account_namespaces=default \
      policies=internal-app \
      ttl=20m
    # Exit from the Vault Pod
    exit
  4. Install the Secrets Store CSI driver with syncing to Kubernetes Secrets enabled:

    helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
    helm install csi secrets-store-csi-driver/secrets-store-csi-driver \
      --namespace default \
      --set syncSecret.enabled=true
  5. Create the Botkube installation values. The SecretProviderClass reads both tokens from Vault and syncs them into the `communication-slack` Secret, which the `extraEnv` entries expose to Botkube:

    cat > /tmp/values.yaml << ENDOFFILE
    extraObjects:
      - apiVersion: secrets-store.csi.x-k8s.io/v1
        kind: SecretProviderClass
        metadata:
          name: vault-database
        spec:
          provider: vault
          parameters:
            roleName: "database"
            vaultAddress: "http://vault.default:8200"
            objects: |
              - objectName: "slack-app-token"
                secretPath: "secret/data/slack-app-token"
                secretKey: "token"
              - objectName: "slack-bot-token"
                secretPath: "secret/data/slack-bot-token"
                secretKey: "token"
          secretObjects:
            - secretName: communication-slack
              type: Opaque
              data:
                - objectName: "slack-app-token"
                  key: "slack-app-token"
                - objectName: "slack-bot-token"
                  key: "slack-bot-token"

    communications:
      'default-group':
        # Settings for SocketSlack
        socketSlack:
          enabled: true
          channels: {} # configure your channels
          # botToken - specified via env variable
          # appToken - specified via env variable

    extraEnv:
      - name: BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_APP__TOKEN
        valueFrom:
          secretKeyRef:
            name: communication-slack
            key: slack-app-token
      - name: BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_BOT__TOKEN
        valueFrom:
          secretKeyRef:
            name: communication-slack
            key: slack-bot-token

    extraVolumeMounts:
      - name: secrets-store-inline
        mountPath: "/mnt/secrets-store"
        readOnly: true

    extraVolumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "vault-database"
    ENDOFFILE
  6. Install Botkube:

    note

    You need to clone the https://github.com/kubeshop/botkube repository first.

    helm install botkube --namespace default \
      -f /tmp/values.yaml \
      ./helm/botkube
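A post-install check for the wiring above, added here as an example and not part of Botkube's or the CSI driver's own tooling: it confirms that the driver synced the `communication-slack` Secret with both keys and that each value has the shape of the Slack token it should hold (`xapp-` / `xoxb-`), without printing the tokens. It assumes the Secret name, keys and namespace used on this page and `kubectl` access to the cluster; the sample objects at the bottom are constructed for an offline run.

```python
import base64
import json
import subprocess

# Secret keys produced by the secretObjects section of the SecretProviderClass,
# and the prefix a Slack token of each kind starts with (app-level vs bot token).
EXPECTED_KEYS = {"slack-app-token": "xapp-", "slack-bot-token": "xoxb-"}


def check_synced_secret(secret: dict) -> list:
    """Return problems found in a Secret as printed by `kubectl get secret -o json`.
    Token values never appear in the messages, only whether they exist and look right."""
    if secret.get("kind") != "Secret":
        return [f"expected kind Secret, got {secret.get('kind')!r}"]
    data = secret.get("data") or {}
    problems = []
    for key, prefix in EXPECTED_KEYS.items():
        if key not in data:
            problems.append(f"{key}: missing, the CSI driver has not synced it yet")
            continue
        try:
            value = base64.b64decode(data[key], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{key}: not valid base64 text")
            continue
        if not value:
            problems.append(f"{key}: empty, check secretPath/secretKey in the SecretProviderClass")
        elif not value.startswith(prefix):
            problems.append(f"{key}: value does not start with {prefix!r}")
    return problems


def check_cluster(name="communication-slack", namespace="default") -> list:
    """Fetch the synced Secret with kubectl and check it (needs cluster access)."""
    out = subprocess.run(
        ["kubectl", "get", "secret", name, "-n", namespace, "-o", "json"],
        capture_output=True, text=True, check=True,
    ).stdout
    return check_synced_secret(json.loads(out))


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample objects (not real tokens) for running the check offline.
SAMPLE_OK = {"kind": "Secret", "data": {"slack-app-token": _b64("xapp-1-constructed"),
                                         "slack-bot-token": _b64("xoxb-constructed")}}
SAMPLE_BAD = {"kind": "Secret", "data": {"slack-app-token": _b64("xoxb-wrong-kind")}}

if __name__ == "__main__":
    for problem in check_cluster():
        print("PROBLEM:", problem)
```

The driver creates the synced Secret only once a pod mounting the CSI volume has started, so run this after the Botkube pod is up; a "missing" result before that is expected.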