Tokens from Vault via CSI driver
This document applies only to self-hosted installations. For Botkube Cloud installations, the Botkube Agent configuration, along with all secrets, is managed via the Botkube Cloud dashboard.
This tutorial shows how to install Botkube so that it reads its Slack tokens from a Vault instance, mounted into the Pod through the Secrets Store CSI driver.
Prerequisites

- A Kubernetes cluster that supports CSI. For example, to run K3s using Lima, run:

  ```bash
  limactl start template://k3s
  ```

- helm v3 installed.
- kubectl installed.
Steps

These steps guide you through installing Botkube and Vault on a Kubernetes cluster and configuring them to work together.
- Install Vault with CSI enabled:

  ```bash
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm repo update
  helm install vault hashicorp/vault --namespace default \
    --set "server.dev.enabled=true" \
    --set "injector.enabled=false" \
    --set "csi.enabled=true"
  ```

- Add Slack token in Vault:

  ```bash
  # Exec to pod
  kubectl exec -n default -it vault-0 -- /bin/sh

  # Write the token to Vault
  vault kv put -mount=secret slack-app-token token=xapp-...
  vault kv put -mount=secret slack-bot-token token=xoxb-...
  ```

- Enable Vault's Kubernetes authentication:

  ```bash
  vault auth enable kubernetes
  vault write auth/kubernetes/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"

  vault policy write internal-app - <<EOF
  path "secret/data/slack-app-token" {
    capabilities = ["read"]
  }
  path "secret/data/slack-bot-token" {
    capabilities = ["read"]
  }
  EOF

  vault write auth/kubernetes/role/database \
    bound_service_account_names=botkube-sa \
    bound_service_account_namespaces=default \
    policies=internal-app \
    ttl=20m

  # Exit from the Vault Pod
  exit
  ```
- Install the Secrets Store CSI driver:

  ```bash
  helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
  helm install csi secrets-store-csi-driver/secrets-store-csi-driver \
    --namespace default \
    --set syncSecret.enabled=true
  ```
- Create Botkube installation parameters:

  ```bash
  cat > /tmp/values.yaml << ENDOFFILE
  extraObjects:
    - apiVersion: secrets-store.csi.x-k8s.io/v1
      kind: SecretProviderClass
      metadata:
        name: vault-database
      spec:
        provider: vault
        parameters:
          roleName: "database"
          vaultAddress: "http://vault.default:8200"
          objects: |
            - objectName: "slack-app-token"
              secretPath: "secret/data/slack-app-token"
              secretKey: "token"
            - objectName: "slack-bot-token"
              secretPath: "secret/data/slack-bot-token"
              secretKey: "token"
        secretObjects:
          - secretName: communication-slack
            type: Opaque
            data:
              - objectName: "slack-app-token"
                key: "slack-app-token"
              - objectName: "slack-bot-token"
                key: "slack-bot-token"

  communications:
    'default-group':
      # Settings for SocketSlack
      socketSlack:
        enabled: true
        channels: {} # configure your channels
        # botToken - specified via env variable
        # appToken - specified via env variable

  extraEnv:
    - name: BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_APP__TOKEN
      valueFrom:
        secretKeyRef:
          name: communication-slack
          key: slack-app-token
    - name: BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_BOT__TOKEN
      valueFrom:
        secretKeyRef:
          name: communication-slack
          key: slack-bot-token

  extraVolumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true

  extraVolumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "vault-database"
  ENDOFFILE
  ```
- Install Botkube:

  Note: you need to clone the https://github.com/kubeshop/botkube repository first; the chart path below is relative to that clone.

  ```bash
  helm install botkube --namespace default \
    -f /tmp/values.yaml \
    ./helm/botkube
  ```
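The policy written in the Vault authentication step grants the Botkube service account read-only access to exactly two KV paths, and the role binds that policy to one service account in one namespace with a 20 minute token TTL. The following is an added example, not part of the tutorial or of Vault or Botkube: a small linter that parses a policy in the `path "…" { capabilities = [...] }` shape used above and reports anything broader than read access to the expected paths, so a policy can be reviewed before it is written to Vault. `INTERNAL_APP_POLICY` is a copy of the tutorial's policy; `OVERBROAD_POLICY` is constructed for contrast; the regex handles only this simple shape, not full HCL.

```python
"""Lint a Vault KV policy for least privilege (added example, not Botkube/Vault code)."""
import re

# Copy of the policy from the tutorial's `vault policy write internal-app` step.
INTERNAL_APP_POLICY = """
path "secret/data/slack-app-token" {
  capabilities = ["read"]
}
path "secret/data/slack-bot-token" {
  capabilities = ["read"]
}
"""

# Constructed counter-example: far more than the Botkube Pod needs.
OVERBROAD_POLICY = """
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
"""

# The only KV v2 data paths Botkube needs for the two Slack tokens.
EXPECTED_PATHS = ("secret/data/slack-app-token", "secret/data/slack-bot-token")

# Matches one `path "..." { capabilities = [...] }` block; not a full HCL parser.
_BLOCK = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(text):
    """Return {path: set(capabilities)} for every path block in the policy."""
    rules = {}
    for path, caps in _BLOCK.findall(text):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def lint_policy(text, allowed_paths, allowed_caps=frozenset({"read"})):
    """Return a list of findings; empty means the policy is as tight as expected."""
    findings = []
    rules = parse_policy(text)
    if not rules:
        findings.append("no path blocks parsed")
    for path, caps in rules.items():
        # `*` and `+` are Vault path globs; a read-only app should never get them.
        if "*" in path or "+" in path:
            findings.append(f"{path}: wildcard path")
        elif path not in allowed_paths:
            findings.append(f"{path}: not one of the expected secret paths")
        extra = caps - allowed_caps
        if extra:
            findings.append(f"{path}: capabilities beyond {sorted(allowed_caps)}: {sorted(extra)}")
    # A missing expected path is also a finding: the CSI mount would fail to fetch it.
    for path in sorted(set(allowed_paths) - set(rules)):
        findings.append(f"{path}: expected path not granted")
    return findings


if __name__ == "__main__":
    for label, policy in (("tutorial", INTERNAL_APP_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(label, lint_policy(policy, EXPECTED_PATHS) or "OK")
```

Run it against a policy file with `lint_policy(open(path).read(), EXPECTED_PATHS)`; the role's `bound_service_account_names` and `bound_service_account_namespaces` restrictions are the other half of the least-privilege picture and are checked on the Vault side, not here.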
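The values.yaml above ties three things together by name: the SecretProviderClass `objects` fetched from Vault, the `secretObjects` that the CSI driver syncs into the Kubernetes Secret `communication-slack` (this is what `syncSecret.enabled=true` turns on, so the tokens exist both on the mounted volume and in that Secret), and the `extraEnv` entries whose `secretKeyRef` reads that Secret. A typo in any of these names leaves Botkube running without a token. The following added example (mine, not Botkube's) cross-checks those links and shows how the environment variable names map onto Botkube configuration keys, using Botkube's documented override convention (`BOTKUBE_` prefix, `_` between path segments, `__` between camelCase words), which this page relies on but does not spell out. The tutorial's values are transcribed into a Python dict so the check runs offline; `check_values` and `env_to_config_path` are names I chose.

```python
"""Consistency checks for the Vault -> CSI -> Secret -> env var chain (added example)."""


def env_to_config_path(name):
    """Translate a Botkube override env var into the config key it sets.

    Botkube's documented convention: BOTKUBE_ prefix, `_` separates path
    segments, `__` joins camelCase words, text is otherwise lower-cased.
    """
    prefix = "BOTKUBE_"
    if not name.startswith(prefix):
        raise ValueError(f"{name} is not a Botkube override variable")
    segments = []
    for segment in name[len(prefix):].replace("__", "\x00").split("_"):
        words = segment.lower().split("\x00")
        segments.append(words[0] + "".join(w.capitalize() for w in words[1:]))
    return ".".join(segments)


def check_values(values):
    """Return human-readable findings; an empty list means every name resolves."""
    findings = []
    spcs = {
        obj["metadata"]["name"]: obj
        for obj in values.get("extraObjects", [])
        if obj.get("kind") == "SecretProviderClass"
    }
    # 1. The CSI volume must name an existing SecretProviderClass and stay read-only.
    for vol in values.get("extraVolumes", []):
        csi = vol.get("csi")
        if not csi:
            continue
        ref = csi.get("volumeAttributes", {}).get("secretProviderClass")
        if ref not in spcs:
            findings.append(f"volume {vol['name']}: unknown SecretProviderClass {ref!r}")
        if csi.get("readOnly") is not True:
            findings.append(f"volume {vol['name']}: CSI volume should be readOnly")
    # 2. Every key synced into a Kubernetes Secret must come from a fetched Vault object.
    synced = {}  # (secretName, key) -> Vault objectName
    for name, spc in spcs.items():
        fetched = {o["objectName"] for o in spc["spec"]["parameters"]["objects"]}
        for so in spc["spec"].get("secretObjects", []):
            for item in so["data"]:
                if item["objectName"] not in fetched:
                    findings.append(f"{name}: secretObjects uses unfetched object {item['objectName']!r}")
                synced[(so["secretName"], item["key"])] = item["objectName"]
    # 3. Every secretKeyRef in extraEnv must point at a key the driver actually syncs.
    for env in values.get("extraEnv", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref and (ref["name"], ref["key"]) not in synced:
            findings.append(f"{env['name']}: {ref['name']}/{ref['key']} is not produced by secretObjects")
    return findings


# Transcription of the tutorial's values.yaml (constructed for this example). In the
# real file `parameters.objects` is a YAML string; parse it with yaml.safe_load() first.
TUTORIAL_VALUES = {
    "extraObjects": [{
        "kind": "SecretProviderClass",
        "metadata": {"name": "vault-database"},
        "spec": {
            "provider": "vault",
            "parameters": {
                "roleName": "database",
                "vaultAddress": "http://vault.default:8200",
                "objects": [
                    {"objectName": "slack-app-token", "secretPath": "secret/data/slack-app-token", "secretKey": "token"},
                    {"objectName": "slack-bot-token", "secretPath": "secret/data/slack-bot-token", "secretKey": "token"},
                ],
            },
            "secretObjects": [{
                "secretName": "communication-slack",
                "type": "Opaque",
                "data": [
                    {"objectName": "slack-app-token", "key": "slack-app-token"},
                    {"objectName": "slack-bot-token", "key": "slack-bot-token"},
                ],
            }],
        },
    }],
    "extraEnv": [
        {"name": "BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_APP__TOKEN",
         "valueFrom": {"secretKeyRef": {"name": "communication-slack", "key": "slack-app-token"}}},
        {"name": "BOTKUBE_COMMUNICATIONS_DEFAULT-GROUP_SOCKET__SLACK_BOT__TOKEN",
         "valueFrom": {"secretKeyRef": {"name": "communication-slack", "key": "slack-bot-token"}}},
    ],
    "extraVolumes": [{
        "name": "secrets-store-inline",
        "csi": {"driver": "secrets-store.csi.k8s.io", "readOnly": True,
                "volumeAttributes": {"secretProviderClass": "vault-database"}},
    }],
}

if __name__ == "__main__":
    for env in TUTORIAL_VALUES["extraEnv"]:
        print(env["name"], "->", env_to_config_path(env["name"]))
    print(check_values(TUTORIAL_VALUES) or "all names resolve")
```

The two env vars resolve to `communications.default-group.socketSlack.appToken` and `...botToken`, which is why the `appToken`/`botToken` keys are left out of the `socketSlack` block and only commented on. Because `secretObjects` mirrors the tokens into a regular Kubernetes Secret, RBAC on Secrets in the `default` namespace matters as much as the Vault policy does.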