diff --git a/platform/external-secrets/templates/clustersecretstore.yaml b/platform/external-secrets/templates/clustersecretstore.yaml
index f8a3fb4e..f78df963 100644
--- a/platform/external-secrets/templates/clustersecretstore.yaml
+++ b/platform/external-secrets/templates/clustersecretstore.yaml
@@ -1,25 +1,19 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
- name: vault
+ name: global-secrets
 spec:
 provider:
- vault:
- server: http://vault.vault:8200
- path: secret
+ kubernetes:
+ # TODO move to separate namespace?
+ remoteNamespace: {{ .Release.Namespace }}
+ server:
+ caProvider:
+ type: ConfigMap
+ name: kube-root-ca.crt
+ namespace: {{ .Release.Namespace }}
+ key: ca.crt
 auth:
- tokenSecretRef:
- name: vault-unseal-keys
- namespace: vault
- key: vault-root
- # TODO switch to kubernetes auth
- # kubernetes:
- # mountPath: "kubernetes"
- # role: "demo"
- # serviceAccountRef:
- # name: "my-sa"
- # namespace: "secret-admin"
- # secretRef:
- # name: "my-secret"
- # namespace: "secret-admin"
- # key: "vault"
+ serviceAccount:
+ name: external-secrets-kubernetes-store
+ namespace: {{ .Release.Namespace }}
diff --git a/platform/external-secrets/templates/role.yaml b/platform/external-secrets/templates/role.yaml
new file mode 100644
index 00000000..65128b29
--- /dev/null
+++ b/platform/external-secrets/templates/role.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: external-secrets-kubernetes-store
+ namespace: {{ .Release.Namespace }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectrulesreviews
+ verbs:
+ - create
diff --git a/platform/external-secrets/templates/rolebinding.yaml b/platform/external-secrets/templates/rolebinding.yaml
new file mode 100644
index 00000000..1a65c30a
--- /dev/null
+++ b/platform/external-secrets/templates/rolebinding.yaml
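Review bot: `auth.serviceAccount.name` is `external-secrets-kubernetes-store`, but the ServiceAccount this commit creates in serviceaccount.yaml (and the subject of rolebinding.yaml) is `external-secrets-kubernetes-global-secrets`, so the store would try to authenticate as a ServiceAccount that does not exist and every ExternalSecret referencing `global-secrets` would fail; change the line to `name: external-secrets-kubernetes-global-secrets` (or rename the SA to match). Separately, as the `TODO move to separate namespace?` line hints, a ClusterSecretStore is referenceable from every namespace, so any ExternalSecret anywhere in the cluster can copy any Secret in `{{ .Release.Namespace }}` that the Role permits; if only some namespaces should consume these secrets, add `spec.conditions` with a `namespaceSelector` (or `namespaces` list), and otherwise keep the exported secrets in a namespace that holds nothing else.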
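Review bot: The first rule grants `get`/`list`/`watch` on every Secret in the release namespace with no `resourceNames`, and because it backs a ClusterSecretStore that reach extends to every namespace in the cluster; presumably that namespace also holds secrets never meant to be exported (Helm's own `helm.sh/release.v1` release Secrets, for instance, if this is the namespace the chart is installed into). If the set of exported secrets is known, pin it with `resourceNames:` on the `get` verb (list/watch cannot be narrowed that way unless the client sends a matching `metadata.name` field selector), otherwise move the exported secrets into a dedicated namespace so this Role covers nothing else. The `selfsubjectrulesreviews` rule is the provider's capability probe and looks fine as written.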
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: external-secrets-kubernetes-global-secrets
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: external-secrets-kubernetes-global-secrets
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets-kubernetes-global-secrets
+ namespace: {{ .Release.Namespace }}
diff --git a/platform/external-secrets/templates/serviceaccount.yaml b/platform/external-secrets/templates/serviceaccount.yaml
new file mode 100644
index 00000000..f0866baa
--- /dev/null
+++ b/platform/external-secrets/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-secrets-kubernetes-global-secrets
+ namespace: {{ .Release.Namespace }}
diff --git a/platform/vault/Chart.yaml b/platform/vault/Chart.yaml
deleted file mode 100644
index f33c82f6..00000000
--- a/platform/vault/Chart.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v2
-name: vault
-version: 0.0.0
-dependencies:
- - name: vault-operator
- version: 1.15.6
- repository: https://kubernetes-charts.banzaicloud.com
diff --git a/platform/vault/templates/cr.yaml b/platform/vault/templates/cr.yaml
deleted file mode 100644
index d1d27058..00000000
--- a/platform/vault/templates/cr.yaml
+++ /dev/null
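Review bot: `roleRef.name` is `external-secrets-kubernetes-global-secrets`, but the Role added in role.yaml is named `external-secrets-kubernetes-store`; the API server accepts a RoleBinding whose Role does not exist, but it grants nothing, so the ServiceAccount would have no secret access and the store would fail silently at read time. Change the roleRef line to `name: external-secrets-kubernetes-store` (or rename the Role), and note that `roleRef` is immutable once the object exists, so if this ever reaches a cluster the fix is a delete-and-recreate rather than an in-place upgrade. Deriving the Role, RoleBinding, ServiceAccount and ClusterSecretStore names from one named template would stop the three objects from drifting apart like this again.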
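Review bot: Nothing in this commit runs a Pod as this ServiceAccount — as I understand it, the kubernetes provider's `auth.serviceAccount` path obtains a short-lived token for the named SA through the TokenRequest API rather than from a mounted token — so consider adding `automountServiceAccountToken: false` under the metadata so that no future Pod which happens to reference this SA gets a credential with read access to every exported secret mounted into it. If a Pod is in fact expected to run as this SA, a one-line comment saying which would make the intent clear.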
@@ -1,267 +0,0 @@ -apiVersion: "vault.banzaicloud.com/v1alpha1" -kind: "Vault" -metadata: - name: "vault" -spec: - size: 1 - image: vault:1.6.2 - # specify a custom bank-vaults image with bankVaultsImage: - # bankVaultsImage: ghcr.io/banzaicloud/bank-vaults:latest - - # Common annotations for all created resources - annotations: - common/annotation: "true" - - # Vault Pods , Services and TLS Secret annotations - vaultAnnotations: - type/instance: "vault" - - # Vault Configurer Pods and Services annotations - vaultConfigurerAnnotations: - type/instance: "vaultconfigurer" - - # Vault Pods , Services and TLS Secret labels - vaultLabels: - example.com/log-format: "json" - - # Vault Configurer Pods and Services labels - vaultConfigurerLabels: - example.com/log-format: "string" - - # Support for affinity Rules, same as in PodSpec - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key : "node-role.kubernetes.io/your_role" - # operator: In - # values: ["true"] - - # Support for pod nodeSelector rules to control which nodes can be chosen to run - # the given pods - # nodeSelector: - # "node-role.kubernetes.io/your_role": "true" - - # Support for node tolerations that work together with node taints to control - # the pods that can like on a node - # tolerations: - # - effect: NoSchedule - # key: node-role.kubernetes.io/your_role - # operator: Equal - # value: "true" - - # Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running - serviceAccount: vault - - # Specify the Service's type where the Vault Service is exposed - # Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce - # forces you to expose your Service on a NodePort - serviceType: ClusterIP - - # Specify existing secret contains TLS certificate (accepted secret type: kubernetes.io/tls) - # If it is set, generating certificate will be disabled - # 
existingTlsSecretName: selfsigned-cert-tls - - # Specify threshold for renewing certificates. Valid time units are "ns", "us", "ms", "s", "m", "h". - # tlsExpiryThreshold: 168h - - ingress: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hajimari.io/appName: Vault - hajimari.io/icon: database-lock - spec: - ingressClassName: nginx - rules: - - host: &host vault.khuedoan.com - http: - paths: - - backend: - service: - name: vault - port: - number: 8200 - path: / - pathType: Prefix - tls: - - hosts: - - *host - secretName: vault-tls-certificate - - # Use local disk to store Vault file data, see config section. - volumes: - - name: vault-file - persistentVolumeClaim: - claimName: vault-file - - volumeMounts: - - name: vault-file - mountPath: /vault/file - - # Support for distributing the generated CA certificate Secret to other namespaces. - # Define a list of namespaces or use ["*"] for all namespaces. - caNamespaces: - - "vswh" - - # Describe where you would like to store the Vault unseal keys and root token. - unsealConfig: - options: - # The preFlightChecks flag enables unseal and root token storage tests - # This is true by default - preFlightChecks: true - # The storeRootToken flag enables storing of root token in chosen storage - # This is true by default - storeRootToken: true - kubernetes: - secretNamespace: {{ .Release.Namespace }} - - # A YAML representation of a final vault config file. - # See https://www.vaultproject.io/docs/configuration/ for more information. - config: - storage: - file: - path: "${ .Env.VAULT_STORAGE_FILE }" # An example how Vault config environment interpolation can be used - listener: - tcp: - address: "0.0.0.0:8200" - # TODO enable TLS? 
- tls_disable: true - # tls_cert_file: /vault/tls/server.crt - # tls_key_file: /vault/tls/server.key - telemetry: - statsd_address: localhost:9125 - ui: true - - # See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration - # The repository also contains a lot examples in the deploy/ and operator/deploy directories. - externalConfig: - policies: - - name: allow_secrets - rules: path "secret/*" { - capabilities = ["create", "read", "update", "delete", "list"] - } - - name: allow_pki - rules: path "pki/*" { - capabilities = ["create", "read", "update", "delete", "list"] - } - - groups: - - name: admin1 - policies: - - allow_secrets - metadata: - privileged: true - type: external - - name: admin2 - policies: - - allow_secrets - metadata: - privileged: true - type: external - - group-aliases: - - name: admin1 - mountpath: token - group: admin1 - - - auth: - - type: kubernetes - roles: - # Allow every pod in the default namespace to use the secret kv store - - name: default - bound_service_account_names: ["default", "vault-secrets-webhook", "vault"] - bound_service_account_namespaces: ["default", "vswh"] - policies: ["allow_secrets", "allow_pki"] - ttl: 1h - - secrets: - - path: secret - type: kv - description: General secrets. - options: - version: 2 - - - type: pki - description: Vault PKI Backend - config: - default_lease_ttl: 168h - max_lease_ttl: 720h - configuration: - config: - - name: urls - issuing_certificates: https://vault.default:8200/v1/pki/ca - crl_distribution_points: https://vault.default:8200/v1/pki/crl - root/generate: - - name: internal - common_name: vault.default - roles: - - name: default - allowed_domains: localhost,pod,svc,default - allow_subdomains: true - generate_lease: true - ttl: 1m - - # Allows writing some secrets to Vault (useful for development purposes). - # See https://www.vaultproject.io/docs/secrets/kv/index.html for more information. 
- startupSecrets: - - type: kv - path: secret/data/accounts/aws - data: - data: - AWS_ACCESS_KEY_ID: secretId - AWS_SECRET_ACCESS_KEY: s3cr3t - - type: kv - path: secret/data/dockerrepo - data: - data: - DOCKER_REPO_USER: dockerrepouser - DOCKER_REPO_PASSWORD: dockerrepopassword - - type: kv - path: secret/data/mysql - data: - data: - MYSQL_ROOT_PASSWORD: s3cr3t - MYSQL_PASSWORD: 3xtr3ms3cr3t - - vaultEnvsConfig: - - name: VAULT_LOG_LEVEL - value: debug - - name: VAULT_STORAGE_FILE - value: "/vault/file" - - # If you are using a custom certificate and are setting the hostname in a custom way - # sidecarEnvsConfig: - # - name: VAULT_ADDR - # value: https://vault.local:8200 - - # # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - # vaultPodSpec: - # hostAliases: - # - ip: "127.0.0.1" - # hostnames: - # - "vault.local" - - # It is possible to override the Vault container directly: - # vaultContainerSpec: - # lifecycle: - # postStart: - # exec: - # command: - # - setcap cap_ipc_lock=+ep /vault/plugins/orchestrate - - # Marks presence of Istio, which influences things like port namings - istioEnabled: false - ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: vault-file -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi diff --git a/platform/vault/templates/rbac.yaml b/platform/vault/templates/rbac.yaml deleted file mode 100644 index fb0f7b98..00000000 --- a/platform/vault/templates/rbac.yaml +++ /dev/null 
@@ -1,48 +0,0 @@
-kind: ServiceAccount
-apiVersion: v1
-metadata:
- name: vault
-
----
-
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: vault
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["*"]
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "update", "patch"]
----
-
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: vault
-roleRef:
- kind: Role
- name: vault
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: vault
-
----
-
-# This binding allows the deployed Vault instance to authenticate clients
-# through Kubernetes ServiceAccounts (if configured so).
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: vault-auth-delegator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
- - kind: ServiceAccount
- name: vault
- namespace: vault
diff --git a/platform/vault/values.yaml b/platform/vault/values.yaml
deleted file mode 100644
index e69de29b..00000000