diff --git a/services/cert-manager/deploy.sh b/services/cert-manager/deploy.sh
index cb9dbff..54ef263 100755
--- a/services/cert-manager/deploy.sh
+++ b/services/cert-manager/deploy.sh
@@ -7,4 +7,5 @@ kubectl apply -f $(dirname $0)/00-namespace.yaml
 helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager
-kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml
\ No newline at end of file
+kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml
+
diff --git a/services/trust-manager/00-namespace.yaml b/services/trust-manager/00-namespace.yaml
new file mode 100644
index 0000000..553f1ec
--- /dev/null
+++ b/services/trust-manager/00-namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: trust-manager
diff --git a/services/trust-manager/01-ca.yaml b/services/trust-manager/01-ca.yaml
new file mode 100644
index 0000000..9dc2a4b
--- /dev/null
+++ b/services/trust-manager/01-ca.yaml
@@ -0,0 +1,24 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: trust-manager-selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: trust-manager-example-ca
+ namespace: cert-manager
+spec:
+ isCA: true
+ commonName: trust-manager-ca
+ secretName: trust-manager-ca-secret
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: trust-manager-selfsigned-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
diff --git a/services/trust-manager/deploy.sh b/services/trust-manager/deploy.sh
new file mode 100755
index 0000000..682ed9c
--- /dev/null
+++ b/services/trust-manager/deploy.sh
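Review bot: The Certificate's `namespace: cert-manager` is load-bearing and undocumented: the Bundle in services/vault/03-bundle.yaml consumes `trust-manager-ca-secret` as a `secret` source, and trust-manager only reads sources from its configured trust namespace (chart value `app.trust.namespace`, which as far as I recall defaults to `cert-manager`), not from the `trust-manager` namespace the chart is installed into by deploy.sh. Add a comment on that line, e.g. `namespace: cert-manager # must be trust-manager's trust namespace (app.trust.namespace); services/vault/03-bundle.yaml reads secretName from here`. With no `duration` set the CA gets cert-manager's default lifetime and is renewed with the same key (`privateKey.rotationPolicy` is left at its default), which works for a Bundle that tracks the secret, but state it explicitly if a long-lived root is intended. Minor: `trust-manager-example-ca` reads like a placeholder name, and the file has a blank line after the `---` separator but no leading `---`, unlike 00-namespace.yaml.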
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+kubectl apply -f "$(dirname "$0")"
+
+helm repo add jetstack https://charts.jetstack.io --force-update
+
+helm upgrade --install trust-manager jetstack/trust-manager \
+ --namespace trust-manager \
+ --wait
+# --set app.webhook.tls.approverPolicy.enabled=true \
+# --set app.webhook.tls.approverPolicy.certManagerNamespace=cert-manager
diff --git a/services/vault/03-bundle.yaml b/services/vault/03-bundle.yaml
new file mode 100644
index 0000000..8be75d3
--- /dev/null
+++ b/services/vault/03-bundle.yaml
@@ -0,0 +1,13 @@
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+ name: vault-cluster-bundle # The bundle name will also be used for the target
+spec:
+ sources:
+ - useDefaultCAs: true
+ - secret:
+ name: "trust-manager-ca-secret" # This is a secret from the ca.yaml file from the trust-manager service
+ key: "tls.crt"
+ target:
+ configMap:
+ key: "trust-bundle.pem"
diff --git a/services/vault/deploy-vault-prod.sh b/services/vault/deploy-vault-prod.sh
index 096cf51..b047301 100755
--- a/services/vault/deploy-vault-prod.sh
+++ b/services/vault/deploy-vault-prod.sh
@@ -6,6 +6,7 @@ helm repo update
 kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
 kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
 kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
+kubectl apply -f "$(dirname "$0")"/03-bundle.yaml
 kubectl apply -f "$(dirname "$0")"/vault-sa.yaml
 helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml
diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml
index 00388d6..54951ac 100644
--- a/services/vault/vault-prod-values.yaml
+++ b/services/vault/vault-prod-values.yaml
@@ -3,6 +3,15 @@ server:
 dev:
 enabled: false
 logLevel: debug
+ volumes:
+ - name: tls
+ secret:
+ secretName: vault-tls
+ volumeMounts:
+ - name: vault-tls
+ mountPath: "/vault/tls"
+ readOnly: true
+
 ui:
 enabled: true
 serviceType: "ClusterIP"
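Review bot: The script has no error handling, so if `kubectl apply -f "$(dirname "$0")"` fails (01-ca.yaml needs cert-manager's ClusterIssuer and Certificate CRDs, which nothing here waits for) the helm install still runs and the script exits 0. Add `set -euo pipefail` directly after the shebang so a failed apply stops the deployment. The two commented-out `--set app.webhook.tls.approverPolicy.*` lines are dead configuration with no explanation; either remove them or add a comment saying when they are needed (presumably only when an approver policy controller is installed, which I cannot confirm from here).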
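Review bot: Combining `useDefaultCAs: true` with the private CA means every consumer of `trust-bundle.pem` trusts all public CAs plus the internal one; if the ConfigMap only needs to validate Vault-internal TLS, dropping `useDefaultCAs` narrows trust to the private CA, and either way the choice deserves a comment. No `target.namespaceSelector` is set, which as far as I recall makes trust-manager write the ConfigMap into every namespace; add a selector if that is not intended. The inline comment on the `secret` source names `ca.yaml`, but the file added in this commit is `services/trust-manager/01-ca.yaml` and the secret has to live in trust-manager's trust namespace, so I would make it `# tls.crt of the CA issued by services/trust-manager/01-ca.yaml; the secret must be in trust-manager's trust namespace`.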
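Review bot: The new `kubectl apply` of 03-bundle.yaml depends on the `Bundle` CRD (`trust.cert-manager.io/v1alpha1`) that only exists once trust-manager is installed, and nothing in this script checks or documents that ordering, so a fresh environment fails at this line with an unknown-kind error. I would add `# needs the Bundle CRD: run services/trust-manager/deploy.sh before this script` above the new line. The new line quotes `"$(dirname "$0")"` correctly, while the pre-existing `helm upgrade` line below it still uses unquoted `$(dirname $0)`; worth aligning while in here.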
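Review bot: The volume and mount names do not match: `volumes` declares `name: tls` while `volumeMounts` references `name: vault-tls`, and the API server rejects a pod template whose volumeMount names a volume that does not exist, so the vault pods will not come up after this change. Rename the volume to `- name: vault-tls` (or the mount to `tls`) so the two agree. The mount path `/vault/tls` is new and the listener configuration that should reference certificate files under it lies outside this hunk; the second hunk of this file removes commented references to `/opt/vault/tls/...`, so confirm the paths used by the server config match the mount. `readOnly: true` on the secret mount is the right default.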
@@ -29,14 +38,6 @@ ha:
 storage "raft" {
 path = "/opt/vault/raft"
-
- #retry_join {
- # leader_tls_servername = "vault"
- # leader_api_addr = "https://0.0.0.0:8200"
- # leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
- # leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
- # leader_client_key_file = "/opt/vault/tls/vault-key.pem"
- #}
 }
 raft:
 enabled: true