From 5a22615744775c9a498ba2b3c336c3834d6d3885 Mon Sep 17 00:00:00 2001
From: Khue Doan
Date: Wed, 11 May 2022 21:48:25 +0700
Subject: [PATCH] refactor(vault): switch to Vault Operator

---
 platform/vault/Chart.yaml | 6 +-
 platform/vault/templates/cr.yaml | 283 +++++++++++++++++++++++++
 platform/vault/templates/init-job.yaml | 34 ---
 platform/vault/templates/rbac.yaml | 48 +++++
 platform/vault/values.yaml | 19 --
 5 files changed, 334 insertions(+), 56 deletions(-)
 create mode 100644 platform/vault/templates/cr.yaml
 delete mode 100644 platform/vault/templates/init-job.yaml
 create mode 100644 platform/vault/templates/rbac.yaml

diff --git a/platform/vault/Chart.yaml b/platform/vault/Chart.yaml
index 49f57f55..f33c82f6 100644
--- a/platform/vault/Chart.yaml
+++ b/platform/vault/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
 name: vault
 version: 0.0.0
 dependencies:
- - name: vault
- version: 0.19.0
- repository: https://helm.releases.hashicorp.com
+ - name: vault-operator
+ version: 1.15.6
+ repository: https://kubernetes-charts.banzaicloud.com
diff --git a/platform/vault/templates/cr.yaml b/platform/vault/templates/cr.yaml
new file mode 100644
index 00000000..d080f214
--- /dev/null
+++ b/platform/vault/templates/cr.yaml
@@ -0,0 +1,283 @@
+apiVersion: "vault.banzaicloud.com/v1alpha1"
+kind: "Vault"
+metadata:
+ name: "vault"
+spec:
+ size: 1
+ image: vault:1.6.2
+ # specify a custom bank-vaults image with bankVaultsImage:
+ # bankVaultsImage: ghcr.io/banzaicloud/bank-vaults:latest
+
+ # Common annotations for all created resources
+ annotations:
+ common/annotation: "true"
+
+ # Vault Pods , Services and TLS Secret annotations
+ vaultAnnotations:
+ type/instance: "vault"
+
+ # Vault Configurer Pods and Services annotations
+ vaultConfigurerAnnotations:
+ type/instance: "vaultconfigurer"
+
+ # Vault Pods , Services and TLS Secret labels
+ vaultLabels:
+ example.com/log-format: "json"
+
+ # Vault Configurer Pods and Services labels
+ vaultConfigurerLabels:
+ example.com/log-format: "string"
+
+ # Support for affinity Rules, same as in PodSpec
+ # affinity:
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key : "node-role.kubernetes.io/your_role"
+ # operator: In
+ # values: ["true"]
+
+ # Support for pod nodeSelector rules to control which nodes can be chosen to run
+ # the given pods
+ # nodeSelector:
+ # "node-role.kubernetes.io/your_role": "true"
+
+ # Support for node tolerations that work together with node taints to control
+ # the pods that can like on a node
+ # tolerations:
+ # - effect: NoSchedule
+ # key: node-role.kubernetes.io/your_role
+ # operator: Equal
+ # value: "true"
+
+ # Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
+ serviceAccount: vault
+
+ # Specify the Service's type where the Vault Service is exposed
+ # Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce
+ # forces you to expose your Service on a NodePort
+ serviceType: ClusterIP
+
+ # Specify existing secret contains TLS certificate (accepted secret type: kubernetes.io/tls)
+ # If it is set, generating certificate will be disabled
+ # existingTlsSecretName: selfsigned-cert-tls
+
+ # Specify threshold for renewing certificates. Valid time units are "ns", "us", "ms", "s", "m", "h".
+ # tlsExpiryThreshold: 168h
+
+ ingress:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hajimari.io/appName: Vault
+ hajimari.io/icon: database-lock
+ spec:
+ ingressClassName: nginx
+ rules:
+ - host: &host vault.khuedoan.com
+ http:
+ paths:
+ - backend:
+ service:
+ name: vault
+ port:
+ number: 8200
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: vault-tls-certificate
+
+ # Use local disk to store Vault file data, see config section.
+ volumes:
+ - name: vault-file
+ persistentVolumeClaim:
+ claimName: vault-file
+
+ volumeMounts:
+ - name: vault-file
+ mountPath: /vault/file
+
+ # Support for distributing the generated CA certificate Secret to other namespaces.
+ # Define a list of namespaces or use ["*"] for all namespaces.
+ caNamespaces:
+ - "vswh"
+
+ # Describe where you would like to store the Vault unseal keys and root token.
+ unsealConfig:
+ options:
+ # The preFlightChecks flag enables unseal and root token storage tests
+ # This is true by default
+ preFlightChecks: true
+ # The storeRootToken flag enables storing of root token in chosen storage
+ # This is true by default
+ storeRootToken: true
+ kubernetes:
+ secretNamespace: {{ .Release.Namespace }}
+
+ # A YAML representation of a final vault config file.
+ # See https://www.vaultproject.io/docs/configuration/ for more information.
+ config:
+ storage:
+ file:
+ path: "${ .Env.VAULT_STORAGE_FILE }" # An example how Vault config environment interpolation can be used
+ listener:
+ tcp:
+ address: "0.0.0.0:8200"
+ # Uncommenting the following line and deleting tls_cert_file and tls_key_file disables TLS
+ # tls_disable: true
+ tls_cert_file: /vault/tls/server.crt
+ tls_key_file: /vault/tls/server.key
+ telemetry:
+ statsd_address: localhost:9125
+ ui: true
+
+ # See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
+ # The repository also contains a lot examples in the deploy/ and operator/deploy directories.
+ externalConfig:
+ policies:
+ - name: allow_secrets
+ rules: path "secret/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+ }
+ - name: allow_pki
+ rules: path "pki/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+ }
+
+ groups:
+ - name: admin1
+ policies:
+ - allow_secrets
+ metadata:
+ privileged: true
+ type: external
+ - name: admin2
+ policies:
+ - allow_secrets
+ metadata:
+ privileged: true
+ type: external
+
+ group-aliases:
+ - name: admin1
+ mountpath: token
+ group: admin1
+
+
+ auth:
+ - type: kubernetes
+ roles:
+ # Allow every pod in the default namespace to use the secret kv store
+ - name: default
+ bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
+ bound_service_account_namespaces: ["default", "vswh"]
+ policies: ["allow_secrets", "allow_pki"]
+ ttl: 1h
+
+ secrets:
+ - path: secret
+ type: kv
+ description: General secrets.
+ options:
+ version: 2
+
+ - type: pki
+ description: Vault PKI Backend
+ config:
+ default_lease_ttl: 168h
+ max_lease_ttl: 720h
+ configuration:
+ config:
+ - name: urls
+ issuing_certificates: https://vault.default:8200/v1/pki/ca
+ crl_distribution_points: https://vault.default:8200/v1/pki/crl
+ root/generate:
+ - name: internal
+ common_name: vault.default
+ roles:
+ - name: default
+ allowed_domains: localhost,pod,svc,default
+ allow_subdomains: true
+ generate_lease: true
+ ttl: 1m
+
+ # Allows writing some secrets to Vault (useful for development purposes).
+ # See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
+ startupSecrets:
+ - type: kv
+ path: secret/data/accounts/aws
+ data:
+ data:
+ AWS_ACCESS_KEY_ID: secretId
+ AWS_SECRET_ACCESS_KEY: s3cr3t
+ - type: kv
+ path: secret/data/dockerrepo
+ data:
+ data:
+ DOCKER_REPO_USER: dockerrepouser
+ DOCKER_REPO_PASSWORD: dockerrepopassword
+ - type: kv
+ path: secret/data/mysql
+ data:
+ data:
+ MYSQL_ROOT_PASSWORD: s3cr3t
+ MYSQL_PASSWORD: 3xtr3ms3cr3t
+
+ vaultEnvsConfig:
+ - name: VAULT_LOG_LEVEL
+ value: debug
+ - name: VAULT_STORAGE_FILE
+ value: "/vault/file"
+
+ # If you are using a custom certificate and are setting the hostname in a custom way
+ # sidecarEnvsConfig:
+ # - name: VAULT_ADDR
+ # value: https://vault.local:8200
+
+ # # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ # vaultPodSpec:
+ # hostAliases:
+ # - ip: "127.0.0.1"
+ # hostnames:
+ # - "vault.local"
+
+ # It is possible to override the Vault container directly:
+ # vaultContainerSpec:
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command:
+ # - setcap cap_ipc_lock=+ep /vault/plugins/orchestrate
+
+ # Marks presence of Istio, which influences things like port namings
+ istioEnabled: false
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vault-file
+spec:
+ # https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
+ # storageClassName: ""
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+
+# ---
+# apiVersion: v1
+# kind: PersistentVolume
+# metadata:
+# name: vault-file
+# spec:
+# capacity:
+# storage: 1Gi
+# accessModes:
+# - ReadWriteOnce
+# persistentVolumeReclaimPolicy: Recycle
+# hostPath:
+# path: /vault/file
diff --git a/platform/vault/templates/init-job.yaml b/platform/vault/templates/init-job.yaml
deleted file mode 100644
index 92e94b3d..00000000
--- a/platform/vault/templates/init-job.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: vault-init
- namespace: {{ .Release.Namespace }}
- annotations:
- argocd.argoproj.io/sync-wave: "1" # TODO init and unseal in previous waves for production usage
- argocd.argoproj.io/hook: PostSync
- argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
-spec:
- backoffLimit: 3
- template:
- spec:
- restartPolicy: Never
- containers:
- - name: apply
- image: golang:1.18-alpine
- env:
- - name: VAULT_ADDR
- value: http://vault:8200
- workingDir: /go/src/generate-secrets
- command:
- - sh
- - -c
- args:
- - |
- echo hello
- # volumeMounts:
- # - name: source
- # mountPath: /go/src/vault-init
- # volumes:
- # - name: source
- # configMap:
- # name: vault-init-source
diff --git a/platform/vault/templates/rbac.yaml b/platform/vault/templates/rbac.yaml
new file mode 100644
index 00000000..fb0f7b98
--- /dev/null
+++ b/platform/vault/templates/rbac.yaml
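Review bot: The `startupSecrets` block in this hunk ships credential-shaped values (`AWS_SECRET_ACCESS_KEY: s3cr3t`, `DOCKER_REPO_PASSWORD: dockerrepopassword`, `MYSQL_ROOT_PASSWORD: s3cr3t`) inside a committed Helm template and has the configurer write them to `secret/data/...`, so even as placeholders they are presumably re-applied on each configurer run and would overwrite whatever an operator later stores at those paths; drop the block from the template or keep it as a commented example, as the surrounding upstream-style comments already do for other options. The `kubernetes` auth role `default` binds the `default` service account in the `default` and `vswh` namespaces to `allow_secrets` and `allow_pki`, which grant every capability on `secret/*` and `pki/*`, so any pod scheduled with the default SA gets full read/write over all application secrets and the PKI mount — narrow it to `bound_service_account_names: ["vault-secrets-webhook", "vault"]` and give consumers a read-only policy instead. Several values look lifted verbatim from the upstream example (`common/annotation: "true"`, `example.com/log-format`, groups `admin1`/`admin2`, `caNamespaces: ["vswh"]`) and `VAULT_LOG_LEVEL: debug` is set; confirm each is intended for this cluster before merging. Note also that `storeRootToken: true` together with `unsealConfig.kubernetes` persists the root token and unseal keys as a Secret in `{{ .Release.Namespace }}`, so anything with secret read access in that namespace is effectively Vault root — worth a comment at `unsealConfig` so the blast radius is explicit.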
@@ -0,0 +1,48 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: vault
+
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: vault
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "update", "patch"]
+---
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: vault
+roleRef:
+ kind: Role
+ name: vault
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: vault
+
+---
+
+# This binding allows the deployed Vault instance to authenticate clients
+# through Kubernetes ServiceAccounts (if configured so).
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: vault
+ namespace: vault
diff --git a/platform/vault/values.yaml b/platform/vault/values.yaml
index 08d23167..e69de29b 100644
--- a/platform/vault/values.yaml
+++ b/platform/vault/values.yaml
@@ -1,19 +0,0 @@
-vault:
- injector:
- enabled: false
- server:
- dataStorage:
- storageClass: longhorn
- ingress:
- enabled: true
- ingressClassName: nginx
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
- hajimari.io/appName: Vault
- hajimari.io/icon: database-lock
- hosts:
- - host: &host vault.khuedoan.com
- tls:
- - secretName: vault-tls-certificate
- hosts:
- - *host
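Review bot: The `ClusterRoleBinding` `vault-auth-delegator` at the end of the rbac.yaml hunk hardcodes `namespace: vault` for its ServiceAccount subject, while the `ServiceAccount` and `RoleBinding` in the same file leave the namespace unset and so land in the release namespace; if the chart is installed anywhere other than `vault`, the delegator binding silently points at a non-existent account and the Kubernetes-auth token reviews the comment above it describes would likely fail. Use `namespace: {{ .Release.Namespace }}`, as the deleted `init-job.yaml` did, so all three objects agree. The `Role` also grants `verbs: ["*"]` on `secrets` for the whole namespace, which is where the operator stores the unseal keys and root token; consider restricting it to the verbs the operator actually needs (presumably `get`, `list`, `create`, `update` — confirm against the bank-vaults documentation) and adding a comment stating why secret write access is required at all.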