mirrors/khuedoan-homelab
1
0
Fork 0
mirror of https://github.com/khuedoan/homelab.git synced 2025-07-20 20:59:32 +07:00
Code Issues Packages Projects Releases Wiki Activity

refactor!: replace Vault with in-cluster global secrets

Browse Source
This commit is contained in:
Khue Doan
2023-11-26 00:01:25 +07:00
parent 54e071e0f2
commit 37a324f71a
8 changed files with 51 additions and 341 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
platform/external-secrets/templates/clustersecretstore.yaml
View File

@ -1,25 +1,19 @@
apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore kind: ClusterSecretStore
metadata: metadata:
name: vault name: global-secrets
spec: spec:
provider: provider:
vault: kubernetes:
server: http://vault.vault:8200 # TODO move to separate namespace?
path: secret remoteNamespace: {{ .Release.Namespace }}
server:
caProvider:
type: ConfigMap
name: kube-root-ca.crt
namespace: {{ .Release.Namespace }}
key: ca.crt
auth: auth:
tokenSecretRef: serviceAccount:
name: vault-unseal-keys name: external-secrets-kubernetes-store
namespace: vault namespace: {{ .Release.Namespace }}
key: vault-root
# TODO switch to kubernetes auth
# kubernetes:
# mountPath: "kubernetes"
# role: "demo"
# serviceAccountRef:
# name: "my-sa"
# namespace: "secret-admin"
# secretRef:
# name: "my-secret"
# namespace: "secret-admin"
# key: "vault"

20
platform/external-secrets/templates/role.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: external-secrets-kubernetes-store
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- authorization.k8s.io
resources:
- selfsubjectrulesreviews
verbs:
- create

13
platform/external-secrets/templates/rolebinding.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: external-secrets-kubernetes-global-secrets
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: external-secrets-kubernetes-global-secrets
subjects:
- kind: ServiceAccount
name: external-secrets-kubernetes-global-secrets
namespace: {{ .Release.Namespace }}

5
platform/external-secrets/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-kubernetes-global-secrets
namespace: {{ .Release.Namespace }}

7
platform/vault/Chart.yaml
View File

@ -1,7 +0,0 @@
apiVersion: v2
name: vault
version: 0.0.0
dependencies:
- name: vault-operator
version: 1.15.6
repository: https://kubernetes-charts.banzaicloud.com

267
platform/vault/templates/cr.yaml
View File

@ -1,267 +0,0 @@
apiVersion: "vault.banzaicloud.com/v1alpha1"
kind: "Vault"
metadata:
name: "vault"
spec:
size: 1
image: vault:1.6.2
# specify a custom bank-vaults image with bankVaultsImage:
# bankVaultsImage: ghcr.io/banzaicloud/bank-vaults:latest
# Common annotations for all created resources
annotations:
common/annotation: "true"
# Vault Pods , Services and TLS Secret annotations
vaultAnnotations:
type/instance: "vault"
# Vault Configurer Pods and Services annotations
vaultConfigurerAnnotations:
type/instance: "vaultconfigurer"
# Vault Pods , Services and TLS Secret labels
vaultLabels:
example.com/log-format: "json"
# Vault Configurer Pods and Services labels
vaultConfigurerLabels:
example.com/log-format: "string"
# Support for affinity Rules, same as in PodSpec
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key : "node-role.kubernetes.io/your_role"
# operator: In
# values: ["true"]
# Support for pod nodeSelector rules to control which nodes can be chosen to run
# the given pods
# nodeSelector:
# "node-role.kubernetes.io/your_role": "true"
# Support for node tolerations that work together with node taints to control
# the pods that can like on a node
# tolerations:
# - effect: NoSchedule
# key: node-role.kubernetes.io/your_role
# operator: Equal
# value: "true"
# Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
serviceAccount: vault
# Specify the Service's type where the Vault Service is exposed
# Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce
# forces you to expose your Service on a NodePort
serviceType: ClusterIP
# Specify existing secret contains TLS certificate (accepted secret type: kubernetes.io/tls)
# If it is set, generating certificate will be disabled
# existingTlsSecretName: selfsigned-cert-tls
# Specify threshold for renewing certificates. Valid time units are "ns", "us", "ms", "s", "m", "h".
# tlsExpiryThreshold: 168h
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hajimari.io/appName: Vault
hajimari.io/icon: database-lock
spec:
ingressClassName: nginx
rules:
- host: &host vault.khuedoan.com
http:
paths:
- backend:
service:
name: vault
port:
number: 8200
path: /
pathType: Prefix
tls:
- hosts:
- *host
secretName: vault-tls-certificate
# Use local disk to store Vault file data, see config section.
volumes:
- name: vault-file
persistentVolumeClaim:
claimName: vault-file
volumeMounts:
- name: vault-file
mountPath: /vault/file
# Support for distributing the generated CA certificate Secret to other namespaces.
# Define a list of namespaces or use ["*"] for all namespaces.
caNamespaces:
- "vswh"
# Describe where you would like to store the Vault unseal keys and root token.
unsealConfig:
options:
# The preFlightChecks flag enables unseal and root token storage tests
# This is true by default
preFlightChecks: true
# The storeRootToken flag enables storing of root token in chosen storage
# This is true by default
storeRootToken: true
kubernetes:
secretNamespace: {{ .Release.Namespace }}
# A YAML representation of a final vault config file.
# See https://www.vaultproject.io/docs/configuration/ for more information.
config:
storage:
file:
path: "${ .Env.VAULT_STORAGE_FILE }" # An example how Vault config environment interpolation can be used
listener:
tcp:
address: "0.0.0.0:8200"
# TODO enable TLS?
tls_disable: true
# tls_cert_file: /vault/tls/server.crt
# tls_key_file: /vault/tls/server.key
telemetry:
statsd_address: localhost:9125
ui: true
# See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
# The repository also contains a lot examples in the deploy/ and operator/deploy directories.
externalConfig:
policies:
- name: allow_secrets
rules: path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
- name: allow_pki
rules: path "pki/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
groups:
- name: admin1
policies:
- allow_secrets
metadata:
privileged: true
type: external
- name: admin2
policies:
- allow_secrets
metadata:
privileged: true
type: external
group-aliases:
- name: admin1
mountpath: token
group: admin1
auth:
- type: kubernetes
roles:
# Allow every pod in the default namespace to use the secret kv store
- name: default
bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
bound_service_account_namespaces: ["default", "vswh"]
policies: ["allow_secrets", "allow_pki"]
ttl: 1h
secrets:
- path: secret
type: kv
description: General secrets.
options:
version: 2
- type: pki
description: Vault PKI Backend
config:
default_lease_ttl: 168h
max_lease_ttl: 720h
configuration:
config:
- name: urls
issuing_certificates: https://vault.default:8200/v1/pki/ca
crl_distribution_points: https://vault.default:8200/v1/pki/crl
root/generate:
- name: internal
common_name: vault.default
roles:
- name: default
allowed_domains: localhost,pod,svc,default
allow_subdomains: true
generate_lease: true
ttl: 1m
# Allows writing some secrets to Vault (useful for development purposes).
# See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
startupSecrets:
- type: kv
path: secret/data/accounts/aws
data:
data:
AWS_ACCESS_KEY_ID: secretId
AWS_SECRET_ACCESS_KEY: s3cr3t
- type: kv
path: secret/data/dockerrepo
data:
data:
DOCKER_REPO_USER: dockerrepouser
DOCKER_REPO_PASSWORD: dockerrepopassword
- type: kv
path: secret/data/mysql
data:
data:
MYSQL_ROOT_PASSWORD: s3cr3t
MYSQL_PASSWORD: 3xtr3ms3cr3t
vaultEnvsConfig:
- name: VAULT_LOG_LEVEL
value: debug
- name: VAULT_STORAGE_FILE
value: "/vault/file"
# If you are using a custom certificate and are setting the hostname in a custom way
# sidecarEnvsConfig:
# - name: VAULT_ADDR
# value: https://vault.local:8200
# # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
# vaultPodSpec:
# hostAliases:
# - ip: "127.0.0.1"
# hostnames:
# - "vault.local"
# It is possible to override the Vault container directly:
# vaultContainerSpec:
# lifecycle:
# postStart:
# exec:
# command:
# - setcap cap_ipc_lock=+ep /vault/plugins/orchestrate
# Marks presence of Istio, which influences things like port namings
istioEnabled: false
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vault-file
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

48
platform/vault/templates/rbac.yaml
View File

@ -1,48 +0,0 @@
kind: ServiceAccount
apiVersion: v1
metadata:
name: vault
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: vault
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["*"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: vault
roleRef:
kind: Role
name: vault
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: vault
---
# This binding allows the deployed Vault instance to authenticate clients
# through Kubernetes ServiceAccounts (if configured so).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vault-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault
namespace: vault

0
platform/vault/values.yaml
View File