Secret management with Vault #58

Open
wants to merge 7 commits into
base: main
5 changes: 3 additions & 2 deletions services/cert-manager/deploy-dev.sh
Expand Up @@ -5,6 +5,7 @@ helm repo update

kubectl apply -f $(dirname $0)/00-namespace.yaml

helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager
helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --version v1.14.7 --namespace cert-manager

kubectl apply -f $(dirname $0)/01-cluster-issuer-dev.yaml

kubectl apply -f $(dirname $0)/01-cluster-issuer-dev.yaml
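Review bot: The chart version pin `--version v1.14.7` is added only to deploy-dev.sh; services/cert-manager/deploy.sh still runs `helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager` with no pin, so dev and production can drift to different cert-manager releases. Apply the same `--version` to deploy.sh, and pin the charts in services/trust-manager/deploy.sh, services/vault/deploy-vault-dev.sh and services/vault/deploy-vault-prod.sh, which are likewise unpinned. The `$(dirname $0)` expansions on these lines are unquoted, unlike the new scripts; `"$(dirname "$0")"` avoids word-splitting on paths containing spaces.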
3 changes: 2 additions & 1 deletion services/cert-manager/deploy.sh
Expand Up @@ -7,4 +7,5 @@ kubectl apply -f $(dirname $0)/00-namespace.yaml

helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager

kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml
kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml

5 changes: 5 additions & 0 deletions services/trust-manager/00-namespace.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: trust-manager
25 changes: 25 additions & 0 deletions services/trust-manager/01-ca.yaml
@@ -0,0 +1,25 @@
# This a certificate authority
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: trust-manager-selfsigned-issuer
spec:
selfSigned: {}
---

# This is the certificate for the certificate authority
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: trust-manager-example-ca
spec:
isCA: true
commonName: trust-manager-ca
secretName: trust-manager-ca-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: trust-manager-selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
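Review bot: The CA Certificate `trust-manager-example-ca` has no `metadata.namespace`, so its secret `trust-manager-ca-secret` lands in whatever namespace the kubectl context defaults to, and nothing in this PR consumes it: services/vault/01-certificates.yaml points its `issuerRef` at the self-signed `trust-manager-selfsigned-issuer`, not at a `ca` issuer backed by this secret. If the intent is for this CA to sign the cluster certificates, add a ClusterIssuer with `spec.ca.secretName: trust-manager-ca-secret` and give this Certificate the namespace cert-manager uses as its cluster-resource namespace (`cert-manager` by default), since that is where a ClusterIssuer reads its secret from. The first-line comment reads `# This a certificate authority`; `# Self-signed issuer that bootstraps the certificate authority below` describes the ClusterIssuer it sits above.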
11 changes: 11 additions & 0 deletions services/trust-manager/deploy.sh
@@ -0,0 +1,11 @@
#!/bin/bash

kubectl apply -f "$(dirname "$0")"

helm repo add jetstack https://charts.jetstack.io --force-update

helm upgrade --install trust-manager jetstack/trust-manager \
--namespace trust-manager \
--wait
# --set app.webhook.tls.approverPolicy.enabled=true \
# --set app.webhook.tls.approverPolicy.certManagerNamespace=cert-manager
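Review bot: The two commented-out `# --set app.webhook.tls.approverPolicy...` lines leave it unclear whether approver-policy is expected in this cluster; either drop them or replace them with a comment stating when they should be enabled. The chart is installed into `trust-manager`, but nothing sets the namespace trust-manager reads Bundle secret sources from (`app.trust.namespace`, which as far as I know defaults to `cert-manager`), while services/vault/03-bundle.yaml sources a secret that lives in `vault`; that setting or the secret's location needs to be aligned. `kubectl apply -f "$(dirname "$0")"` also relies on cert-manager's CRDs already being installed, because 01-ca.yaml is a ClusterIssuer plus a Certificate; a comment naming that prerequisite, e.g. `# requires cert-manager (services/cert-manager) to be deployed first`, would help.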
4 changes: 4 additions & 0 deletions services/vault/00-namespaces.yaml
@@ -0,0 +1,4 @@
kind: Namespace
apiVersion: v1
metadata:
name: vault
38 changes: 38 additions & 0 deletions services/vault/01-certificates.yaml
@@ -0,0 +1,38 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: website-cert
namespace: vault
spec:
secretName: website-cert
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: vault.niaefeup.pt
dnsNames:
- vault.niaefeup.pt
---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: vault-cluster-ca
namespace: vault
spec:
isCA: false
commonName: "*"
ipAddresses:
- 127.0.0.1
dnsNames:
- vault.vault.svc.cluster.local
- vault-0.vault-internal
- vault-1.vault-internal
- vault-2.vault-internal
secretName: vault-cluster-ca-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: trust-manager-selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
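Review bot: The `vault-cluster-ca` Certificate is issued by the self-signed ClusterIssuer with `isCA: false`, so its secret holds a leaf certificate, yet that secret is what the Vault listener config (`tls_client_ca_file`, `leader_ca_cert_file`), the operator's `caCertSecret` and the Bundle in 03-bundle.yaml all treat as the trust anchor; every cert-manager renewal then replaces the anchor itself, and the CA created in services/trust-manager/01-ca.yaml is never used. Chain it instead: add a ClusterIssuer with `spec.ca.secretName: trust-manager-ca-secret` (a constructed name such as `trust-manager-ca-issuer`) and change the issuerRef here to `name: trust-manager-ca-issuer`, so `ca.crt` in the secret becomes the stable CA and only the leaf rotates. `commonName: "*"` carries no hostname meaning, since verification uses the SANs, and is better dropped or set to `vault.vault.svc.cluster.local`; `127.0.0.1` in `ipAddresses` is only needed if something dials the listener over loopback.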
16 changes: 16 additions & 0 deletions services/vault/02-ingress-routes.yaml
@@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: vault-https
namespace: vault
spec:
entryPoints:
- websecure
routes:
- match: Host(`vault.niaefeup.pt`)
kind: Rule
services:
- name: vault-ui
port: 80
tls:
secretName: website-cert
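Review bot: `port: 80` on the `vault-ui` service does not match the chart's `ui.externalPort: 8200` set in vault-prod-values.yaml and vault-dev-values.yaml, so the route has no matching service port; use `port: 8200`. In production the listener is TLS-only (`tlsDisable: false`, `tls_disable = "false"`), so Traefik must also speak HTTPS to the backend: add `scheme: https` to the service entry and a ServersTransport that trusts the cluster CA rather than skipping verification. The Host rule and `tls.secretName: website-cert` line up with 01-certificates.yaml, which issues `website-cert` into the `vault` namespace.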
13 changes: 13 additions & 0 deletions services/vault/03-bundle.yaml
@@ -0,0 +1,13 @@
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
name: vault-cluster-bundle # The bundle name will also be used for the target
spec:
sources:
- useDefaultCAs: true
- secret:
name: "vault-cluster-ca-secret"
key: "tls.crt"
target:
configMap:
key: "trust-bundle.pem"
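Review bot: The secret source `vault-cluster-ca-secret` is created in the `vault` namespace by 01-certificates.yaml, but trust-manager only reads Secret and ConfigMap sources from its trust namespace (`cert-manager` by default, or whatever `app.trust.namespace` is set to), so this Bundle will likely report the source as missing unless the secret is issued or replicated there. The source key is `tls.crt`, i.e. the leaf certificate itself; once a real CA issuer is in place the key should be `ca.crt`. There is no `target.namespaceSelector`, which appears to mean the ConfigMap is written into every namespace; if only `vault` needs it, restrict it. The trailing comment on the name line would read better as `# the target ConfigMap takes the Bundle's name`.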
12 changes: 12 additions & 0 deletions services/vault/deploy-vault-dev.sh
@@ -0,0 +1,12 @@
#!/bin/bash

helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update

kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
kubectl apply -f "$(dirname "$0")"/vault-sa.yaml

helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-dev-values.yaml
helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault --values $(dirname $0)/vault-operator-dev-values.yaml
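Review bot: The dev script applies 01-certificates.yaml, whose `website-cert` requests from the `letsencrypt-production` ClusterIssuer, while cert-manager's dev deployment installs 01-cluster-issuer-dev.yaml instead, so in dev this Certificate is likely to stay pending unless the dev cluster also carries a production issuer; consider a dev variant of the certificates file or a dev ClusterIssuer of the same name. vault-operator-sa.yaml is applied by neither this script nor deploy-vault-prod.sh. The last two lines use the unquoted `$(dirname $0)` while the `kubectl apply` lines use the quoted form; `--values "$(dirname "$0")"/vault-dev-values.yaml` keeps them consistent.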
13 changes: 13 additions & 0 deletions services/vault/deploy-vault-prod.sh
@@ -0,0 +1,13 @@
#!/bin/bash

helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update

kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
kubectl apply -f "$(dirname "$0")"/03-bundle.yaml
kubectl apply -f "$(dirname "$0")"/vault-sa.yaml

helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml
helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault --values $(dirname $0)/vault-operator-prod-values.yaml
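Review bot: With `dev.enabled: false` and raft HA, the Vault pods come up sealed after `helm upgrade --install`, and nothing here initializes the cluster or unseals the three replicas, so the script is not a complete production bring-up; document the `vault operator init` and unseal (or auto-unseal) step that follows, and that the unseal material and root token are kept outside this repository. Ordering is implicit as well: 03-bundle.yaml needs trust-manager's CRDs, 01-certificates.yaml needs cert-manager's, and the Vault pods mount `vault-cluster-ca-secret` so they stay in ContainerCreating until it is issued; a `kubectl wait --for=condition=Ready certificate/vault-cluster-ca -n vault` before the helm install surfaces issuance failures early. The last two lines carry the same unquoted `$(dirname $0)` as the dev script.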
15 changes: 15 additions & 0 deletions services/vault/vault-dev-values.yaml
@@ -0,0 +1,15 @@
#https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
server:
dev:
enabled: true
devRootToken: "root"
logLevel: debug
# A service is not needed since we are not going to be using the vault agent injector
ui:
enabled: true
serviceType: "LoadBalancer"
targetPort: 8200
externalPort: 8200

injector:
enabled: "false"
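Review bot: `devRootToken: "root"` combined with `serviceType: "LoadBalancer"` publishes a dev-mode Vault (unsealed, in-memory, no TLS configured in this file) on port 8200 with a static, widely known root token to whatever network the load balancer faces; outside a throwaway local cluster, use `serviceType: "ClusterIP"` and let the chart generate the token, or keep the IngressRoute as the only entry point. `injector.enabled: "false"` is a quoted string rather than a boolean (same in vault-prod-values.yaml); the chart appears to tolerate it, but `enabled: false` is the documented form. The comment `# A service is not needed since we are not going to be using the vault agent injector` sits above `ui:`, which does create a service; move it above `injector:`.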
19 changes: 19 additions & 0 deletions services/vault/vault-operator-dev-values.yaml
@@ -0,0 +1,19 @@
# This is the connection used if no other VaultConnection resources are loaded into the cluster
# For more configuration options, go to https://developer.hashicorp.com/vault/docs/platform/k8s/vso/helm
defaultVaultConnection:
enabled: true
address: "https://vault.vault.svc.cluster.local:8200"
skipTLSVerify: false
controller:
manager:
clientCache:
persistenceModel: direct-encrypted # Encrypted using the Vault Transit engine
storageEncryption:
enabled: true
mount: vault-operator-auth
keyName: vso-client-cache
namespace: vault-operator
transitMount: vault-operator-transit
kubernetes:
role: vault-operator-role
serviceAccount: vault-operator
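Review bot: The Kubernetes identity the operator is told to use for transit auth, `namespace: vault-operator` / `serviceAccount: vault-operator`, is not created anywhere in this PR: the only ServiceAccounts added are `demo-operator` in `vault-secrets-operator-system` (vault-operator-sa.yaml) and `vault-sa` in `vault` (vault-sa.yaml), and the operator itself is installed into `vault` by deploy-vault-dev.sh; the same mismatch exists in vault-operator-prod-values.yaml (`namespace: vault`, `serviceAccount: vault-operator`). Pick one namespace and name for the operator's ServiceAccount and use it in both values files, the SA manifest and the Vault Kubernetes auth role. `address` points at `https://vault.vault.svc.cluster.local:8200`, but vault-dev-values.yaml runs Vault in dev mode without enabling TLS and, unlike the prod values, there is no `caCertSecret` here; either match the address scheme to the dev listener or note how TLS is expected to work in dev.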
19 changes: 19 additions & 0 deletions services/vault/vault-operator-prod-values.yaml
@@ -0,0 +1,19 @@
# https://github.com/hashicorp/vault-secrets-operator/blob/main/chart/values.yaml
defaultVaultConnection:
enabled: true
address: "https://vault.vault.svc.cluster.local:8200"
skipTLSVerify: false
caCertSecret: "vault-cluster-ca-secret"
controller:
manager:
clientCache:
persistenceModel: direct-encrypted
storageEncryption:
enabled: true
mount: demo-auth-mount
keyName: vso-client-cache
namespace: vault
transitMount: demo-transit
kubernetes:
role: auth-role-operator
serviceAccount: vault-operator
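Review bot: `mount: demo-auth-mount`, `transitMount: demo-transit` and `role: auth-role-operator` look like the placeholder names from the upstream example, and they differ from the dev file's `vault-operator-auth` / `vault-operator-transit` / `vault-operator-role`; nothing in the PR provisions either set on the Vault side (auth mount, role, transit key), so whichever names are final should be used in both files and the Vault-side setup documented next to them. The dev file's comment on `persistenceModel` (`# Encrypted using the Vault Transit engine`) is missing here; carry it over.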
6 changes: 6 additions & 0 deletions services/vault/vault-operator-sa.yaml
@@ -0,0 +1,6 @@
apiVersion: v1
kind: ServiceAccount
metadata:
# SA bound to the VSO namespace for transit engine auth
namespace: vault-secrets-operator-system
name: demo-operator
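Review bot: This ServiceAccount lives in `vault-secrets-operator-system`, a namespace no manifest in the PR creates, while the operator chart is installed into `vault` by both deploy scripts, and neither script applies this file; as written it is dead configuration. If it is meant to be the operator's identity for the transit-encrypted client cache, place it in the namespace the operator runs in and use its name in the `serviceAccount` values. The vault manifests omit the `---` document start that the trust-manager ones use; pick one convention.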
89 changes: 89 additions & 0 deletions services/vault/vault-prod-values.yaml
@@ -0,0 +1,89 @@
#https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
global:
enabled: true
tlsDisable: false
namespace: vault

server:
dev:
enabled: false
affinity: null
logLevel: debug
extraEnvironmentVars:
VAULT_CACERT: /opt/vault/tls/ca.crt
VAULT_TLSCERT: /opt/vault/tls/tls.crt
VAULT_TLSKEY: /opt/vault/tls/tls.key
volumes:
- name: tls
secret:
secretName: vault-cluster-ca-secret
volumeMounts:
- name: tls
mountPath: "/opt/vault/tls"
readOnly: true
dataStorage:
enabled: true
size: 2Gi
storageClass: longhorn-locality-retain
mountPath: "/opt/vault/raft"
accessMode: ReadWriteOnce
ha:
enabled: true
raft:
enabled: true
replicas: 3
setNodeId: true
config: |
ui = true
disable_mlock = true # avoids out of memory errors by blocking swapping of its virtual pages

listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_disable = "false"
tls_cert_file = "/opt/vault/tls/tls.crt"
tls_key_file = "/opt/vault/tls/tls.key"
tls_client_ca_file = "/opt/vault/tls/ca.crt" # certificate of the CA root
}

storage "raft" {
path = "/opt/vault/raft"

retry_join {
leader_api_addr = "https://vault-0.vault-internal:8200"
leader_ca_cert_file = "/opt/vault/tls/ca.crt"
leader_client_cert_file = "/opt/vault/tls/tls.crt"
leader_client_key_file = "/opt/vault/tls/tls.key"
}

retry_join {
leader_api_addr = "https://vault-1.vault-internal:8200"
leader_ca_cert_file = "/opt/vault/tls/ca.crt"
leader_client_cert_file = "/opt/vault/tls/tls.crt"
leader_client_key_file = "/opt/vault/tls/tls.key"
}

retry_join {
leader_api_addr = "https://vault-2.vault-internal:8200"
leader_ca_cert_file = "/opt/vault/tls/ca.crt"
leader_client_cert_file = "/opt/vault/tls/tls.crt"
leader_client_key_file = "/opt/vault/tls/tls.key"
}

autopilot {
cleanup_dead_servers = "true"
last_contact_threshold = "10s"
max_trailing_logs = 250000
min_quorum = 2
server_stabilization_time = "10s"
}
}

ui:
enabled: true
serviceType: "LoadBalancer"
targetPort: 8200
externalPort: 8200

injector:
enabled: "false"
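Review bot: `affinity: null` clears the chart's default pod anti-affinity, so the three raft replicas may be scheduled onto one node and a single node failure loses quorum (`min_quorum = 2`); keep the default or set an explicit `podAntiAffinity` on the Vault pods. `ui.serviceType: "LoadBalancer"` exposes the TLS listener directly on 8200 alongside the Traefik IngressRoute from 02-ingress-routes.yaml, giving two external entry points; `ClusterIP` suffices when Traefik fronts it. `logLevel: debug` in production is verbose for a secrets manager; `info` is the usual choice. The `# certificate of the CA root` comment on `tls_client_ca_file` is inaccurate while the secret comes from the self-signed issuer, as `ca.crt` is then the server's own certificate, and `tls_client_ca_file` alone does not require client certificates, which is worth stating: `# CA for optional client certs; client auth is not required here`.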
6 changes: 6 additions & 0 deletions services/vault/vault-sa.yaml
@@ -0,0 +1,6 @@
apiVersion: v1
kind: ServiceAccount
metadata:
# SA bound to the VSO namespace for transit engine auth
namespace: vault
name: vault-sa
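Review bot: The comment `# SA bound to the VSO namespace for transit engine auth` is copied from vault-operator-sa.yaml and does not describe this account, which sits in `vault` rather than the operator's namespace and is referenced neither by the Vault chart values (the chart creates its own server ServiceAccount by default) nor by the operator values (`serviceAccount: vault-operator`). Either rename it to the account the operator values expect or state what it is for, e.g. `# ServiceAccount for <consumer> — TODO confirm which component binds to it`. Both deploy scripts apply this file, so it is created but, as far as the PR shows, unused.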