

feat(kubernetes): install bank vaults operator
mrsimonemms committed Nov 3, 2024
1 parent 4d585cd commit 014894b
Showing 6 changed files with 341 additions and 0 deletions.
2 changes: 2 additions & 0 deletions modules/kubernetes/README.md
Expand Up @@ -30,6 +30,7 @@ No modules.
| [helm_release.hcloud_ccm](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.hcloud_csi](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.vault](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubernetes_secret_v1.hcloud](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
| [random_integer.ingress_load_balancer_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |

Expand All @@ -50,6 +51,7 @@ No modules.
| <a name="input_kubeconfig"></a> [kubeconfig](#input\_kubeconfig) | Kubeconfig for the cluster | `string` | n/a | yes |
| <a name="input_load_balancer_location"></a> [load\_balancer\_location](#input\_load\_balancer\_location) | Location to use for the load balancer | `string` | n/a | yes |
| <a name="input_load_balancer_type"></a> [load\_balancer\_type](#input\_load\_balancer\_type) | Type of load balancer to use | `string` | `"lb11"` | no |
| <a name="input_vault_operator_version"></a> [vault\_operator\_version](#input\_vault\_operator\_version) | Version of Bank Vaults to use - defaults to latest | `string` | `null` | no |

## Outputs

6 changes: 6 additions & 0 deletions modules/kubernetes/variables.tf
Expand Up @@ -86,3 +86,9 @@ variable "load_balancer_type" {
description = "Type of load balancer to use"
default = "lb11"
}

variable "vault_operator_version" {
type = string
description = "Version of Bank Vaults to use - defaults to latest"
default = null
}
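Review bot: `default = null` leaves the operator chart unpinned: the helm_release in modules/kubernetes/vault.tf passes this variable straight into `version`, so with the default a fresh apply pulls whatever the newest `vault-operator` chart in ghcr.io happens to be at that moment, and two applies of the same commit can install different operator releases. A pinned default keeps the module reproducible and turns an operator upgrade into an explicit, reviewable change, e.g. `default = "<pinned-chart-version>"` (placeholder; use the release that was tested), with the README row updated to match. If unpinned-by-default is a deliberate choice for this module, a comment on the variable saying so would stop the next reader from "fixing" it.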
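--- a/modules/kubernetes/vault.tf
+++ b/modules/kubernetes/vault.tf
@@ -0,0 +1,25 @@
+# Copyright 2024 Simon Emms <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "helm_release" "vault" {
+  chart            = "oci://ghcr.io/bank-vaults/helm-charts/vault-operator"
+  name             = "vault"
+  atomic           = true
+  cleanup_on_fail  = true
+  create_namespace = true
+  namespace        = "vault"
+  reset_values     = true
+  version          = var.vault_operator_version
+  wait             = true
+}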
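--- a/registry/clusters/dev/components/vault/rbac.yaml
+++ b/registry/clusters/dev/components/vault/rbac.yaml
@@ -0,0 +1,165 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+  namespace: vault
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: vault-sa
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/part-of: vault-operator
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault
+  namespace: vault
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: leader-election-role
+  namespace: vault
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: leader-election-role
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: role
+    app.kubernetes.io/part-of: vault-operator
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: leader-election-rolebinding
+  namespace: vault
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: leader-election-rolebinding
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/part-of: vault-operator
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: vault
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault
+  namespace: vault
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: manager-rolebinding
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/part-of: vault-operator
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vault
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: vault
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-auth-delegator
+  namespace: vault
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: manager-rolebinding
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/part-of: vault-operator
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: vault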
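Review bot: The `tokenreviews` rule in `leader-election-role` cannot take effect: TokenReview is a cluster-scoped resource and a namespaced Role only grants access to namespaced resources, so the rule is dead and the `vault-auth-delegator` ClusterRoleBinding at the end of the file is what actually provides token review. Dropping that rule (it also lists `watch`/`delete` verbs that have no meaning for TokenReview) keeps the Role to what it really does, which is configmaps, leases and events for leader election. Relatedly, `namespace: vault` under the ClusterRoleBinding's metadata is discarded for a cluster-scoped object and is worth removing so the manifest does not suggest the binding is namespaced. The `vault` Role's `verbs: ["*"]` on secrets grants list, watch and delete over every Secret in the namespace; if the unsealer only needs to read and write its own unseal and TLS secrets, narrowing to `get`, `list`, `create`, `update`, `patch` is a cheap least-privilege win, subject to confirming what the operator actually requires.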
121 changes: 121 additions & 0 deletions registry/clusters/dev/components/vault/vault.yaml
@@ -0,0 +1,121 @@
apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
name: vault
labels:
app.kubernetes.io/name: vault
vault_cr: vault
spec:
size: 3
image: hashicorp/vault:1.18.1

annotations:
common/annotation: "true"

vaultAnnotations:
type/instance: vault

vaultConfigurerAnnotations:
type/instance: vaultconfigurer

vaultLabels:
example.com/log-format: json

vaultConfigurerLabels:
example.com/log-format: string

affinity: {}

nodeSelector: {}

tolerations: []

serviceAccount: vault

serviceType: ClusterIP

ingress:
# Specify Ingress object annotations here, if TLS is enabled (which is by default)
# the operator will add NGINX, Traefik and HAProxy Ingress compatible annotations
# to support TLS backends
annotations: {}
# Override the default Ingress specification here
# This follows the same format as the standard Kubernetes Ingress
# See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#ingressspec-v1beta1-extensions
spec: {}

vaultInitContainers: []

volumeClaimTemplates: []

volumeMounts:
- name: vault-raft
mountPath: /vault/file

veleroEnabled: false

caNamespaces:
- "vswh"

unsealConfig:
options:
preFlightChecks: true
storeRootToken: true
secretShares: 5
secretThreshold: 3
kubernetes:
secretNamespace: default

config:
storage:
raft:
path: "/vault/file"
listener:
tcp:
address: "0.0.0.0:8200"
tls_cert_file: /vault/tls/server.crt
tls_key_file: /vault/tls/server.key
api_addr: https://vault.default:8200
cluster_addr: "https://${.Env.POD_NAME}:8201"
ui: true

statsdDisabled: true

serviceRegistrationEnabled: true

resources:
vault:
limits:
memory: "512Mi"
cpu: "200m"
requests:
memory: "256Mi"
cpu: "100m"

externalConfig:
policies:
- name: allow_secrets
rules: path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
auth:
- type: kubernetes
roles:
- name: default
bound_service_account_names: ["default", "vault-secrets-webhook"]
bound_service_account_namespaces: ["default", "vswh"]
policies: allow_secrets
ttl: 1h

secrets:
- path: secret
type: kv
description: General secrets.
options:
version: 2

startupSecrets: []

vaultEnvsConfig:
- name: VAULT_LOG_LEVEL
value: debug
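Review bot: The namespace references in this CR disagree with where it is deployed: the Application in registry/clusters/dev/vault.yaml syncs this directory into `vault` and the ServiceAccount in rbac.yaml lives there, yet `secretNamespace: default` under `unsealConfig.kubernetes` and `api_addr: https://vault.default:8200` both point at `default`. With `storeRootToken: true` the unseal keys and root token would be written to a namespace the `vault` Role grants no Secret access to, and the advertised API address names a Service that does not exist there; `secretNamespace: vault` and `api_addr: https://vault.vault:8200` line up with the rest of the change. Separately, every RBAC object carries `argocd.argoproj.io/sync-wave: "10"` while this CR has no wave annotation, so Argo CD applies the Vault CR before the ServiceAccount it names in `serviceAccount: vault`; giving the CR a later wave (e.g. `argocd.argoproj.io/sync-wave: "20"`) or dropping the waves altogether makes the intended ordering hold. Presumably `value: debug` for `VAULT_LOG_LEVEL` is a dev-cluster choice; a short comment saying so would keep it from being copied into other cluster registries.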
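--- a/registry/clusters/dev/vault.yaml
+++ b/registry/clusters/dev/vault.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault-components
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/mrsimonemms/infrastructure
+    path: registry/clusters/dev/components/vault
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: vault
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true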
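Review bot: `targetRevision: HEAD` together with `prune: true` and `selfHeal: true` means anything pushed to the repository's default branch is applied to the cluster immediately, and resources removed from the path are deleted, with no pinned revision to review. For a dev cluster that may be intended, but a named branch or tag, `targetRevision: <branch-or-tag>` (placeholder), makes the tracked ref explicit and lets the cluster be held at a known revision while the operator chart version in Terraform is bumped. Worth noting as well that nothing sequences this Application after the Terraform-installed operator: if the `Vault` CRD is not yet present when Argo first syncs, the CR in components/vault will fail to apply until the operator is up, which is presumably acceptable for a self-healing dev app but deserves a comment here.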

