diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 32305f9..29e3776 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -7,11 +7,7 @@
 "installTerraformDocs": true
 },
 "ghcr.io/dhoeric/features/trivy:1": {},
- "ghcr.io/devcontainers-contrib/features/argo-cd:1": {},
- "ghcr.io/devcontainers-contrib/features/gh-release:1": {
- "repo": "bank-vaults/bank-vaults",
- "binaryNames": "bank-vaults"
- }
+ "ghcr.io/devcontainers-contrib/features/argo-cd:1": {}
 },
 "customizations": {
 "vscode": {
@@ -33,14 +29,7 @@
 "initializeCommand": {
 "ensureSSHDirNix": "mkdir -p ${localEnv:HOME}${localEnv:USERPROFILE}/.ssh"
 },
- "onCreateCommand": {
- "vault": "brew tap hashicorp/tap && brew install hashicorp/tap/vault"
- },
 "postAttachCommand": {
 "ensureKubeDir": "mkdir -p /home/vscode/.kube"
- },
- "containerEnv": {
- "VAULT_ADDR": "https://127.0.0.1:8200",
- "VAULT_CACERT": "/tmp/vault-ca.crt"
 }
 }
diff --git a/registry/clusters/dev/components/vault/operator.yaml b/registry/clusters/dev/components/vault/operator.yaml
deleted file mode 100644
index ed05edb..0000000
--- a/registry/clusters/dev/components/vault/operator.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: vault-operator
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-wave: "10"
-spec:
- project: default
- source:
- chart: vault-operator
- repoURL: ghcr.io/bank-vaults/helm-charts
- targetRevision: 1.22.3
- destination:
- server: https://kubernetes.default.svc
- namespace: vault
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
diff --git a/registry/clusters/dev/components/vault/rbac.yaml b/registry/clusters/dev/components/vault/rbac.yaml
deleted file mode 100644
index c5763fc..0000000
--- a/registry/clusters/dev/components/vault/rbac.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: vault-rbac
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-wave: "20"
-spec:
- project: default
- source:
- path: deploy/rbac
- repoURL: https://github.com/bank-vaults/vault-operator
- targetRevision: HEAD
- kustomize:
- namespace: vault
- destination:
- namespace: vault
- server: https://kubernetes.default.svc
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
diff --git a/registry/clusters/dev/components/vault/vault.yaml b/registry/clusters/dev/components/vault/vault.yaml
deleted file mode 100644
index 95a283f..0000000
--- a/registry/clusters/dev/components/vault/vault.yaml
+++ /dev/null
@@ -1,171 +0,0 @@
-apiVersion: vault.banzaicloud.com/v1alpha1
-kind: Vault
-metadata:
- name: vault
- namespace: vault
- labels:
- app.kubernetes.io/name: vault
- vault_cr: vault
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "30"
-spec:
- size: 3
- image: hashicorp/vault:1.18.1
-
- annotations:
- common/annotation: "true"
-
- vaultAnnotations:
- type/instance: vault
-
- vaultConfigurerAnnotations:
- type/instance: vaultconfigurer
-
- vaultLabels:
- example.com/log-format: json
-
- vaultConfigurerLabels:
- example.com/log-format: string
-
- serviceAccount: vault
-
- serviceType: ClusterIP
-
- ingress:
- annotations:
- nginx.ingress.kubernetes.io/ssl-passthrough: "true"
- nginx.ingress.kubernetes.io/backend-protocol: HTTPS
- kubernetes.io/tls-acme: "true"
- cert-manager.io/cluster-issuer: letsencrypt-staging
- spec:
- ingressClassName: nginx
- rules:
- - host: vault.dev.simonemms.com
- http:
- paths:
- - backend:
- service:
- name: vault
- port:
- number: 8200
- path: /
- pathType: Prefix
- tls:
- - hosts:
- - vault.dev.simonemms.com
- secretName: vault-tls
-
- volumeClaimTemplates:
- - metadata:
- name: vault-raft
- spec:
- accessModes:
- - ReadWriteOnce
- volumeMode: Filesystem
- resources:
- requests:
- storage: 1Gi
-
- volumeMounts:
- - name: vault-raft
- mountPath: /vault/file
-
- # Add Velero fsfreeze sidecar container and supporting hook annotations to Vault Pods:
- # https://velero.io/docs/v1.2.0/hooks/
- veleroEnabled: true
-
- caNamespaces:
- - vswh
-
- unsealConfig:
- options:
- preFlightChecks: true
- storeRootToken: true
- secretShares: 5
- secretThreshold: 3
- kubernetes:
- secretNamespace: vault
-
- config:
- storage:
- raft:
- path: "/vault/file"
- listener:
- tcp:
- address: "0.0.0.0:8200"
- tls_cert_file: /vault/tls/server.crt
- tls_key_file: /vault/tls/server.key
- api_addr: https://vault.vault:8200
- cluster_addr: "https://${.Env.POD_NAME}:8201"
- ui: true
-
- statsdDisabled: true
-
- serviceRegistrationEnabled: true
-
- resources:
- # A YAML representation of resource ResourceRequirements for vault container
- # Detail can reference: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container
- vault:
- limits:
- memory: "512Mi"
- cpu: "200m"
- requests:
- memory: "256Mi"
- cpu: "100m"
-
- # See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
- # The repository also contains a lot examples in the test/deploy and operator/deploy directories.
- externalConfig:
- policies:
- - name: allow_secrets
- rules: path "secret/*" {
- capabilities = ["create", "read", "update", "delete", "list"]
- }
-
- groups:
- - name: admin1
- policies:
- - allow_secrets
- metadata:
- privileged: true
- type: external
- - name: admin2
- policies:
- - allow_secrets
- metadata:
- privileged: true
- type: external
-
- group-aliases:
- - name: admin1
- mountpath: token
- group: admin1
-
- auth:
- - type: kubernetes
- roles:
- - name: default
- bound_service_account_names:
- - default
- - vault-secrets-webhook
- bound_service_account_namespaces:
- - vault
- - vswh
- policies:
- - allow_secrets
- ttl: 1h
-
- secrets:
- - path: secret
- type: kv
- description: General secrets.
- options:
- version: 2
-
- startupSecrets: []
-
- vaultEnvsConfig:
- - name: VAULT_LOG_LEVEL
- value: debug
diff --git a/registry/clusters/dev/components/vault/wait.yaml b/registry/clusters/dev/components/vault/wait.yaml
deleted file mode 100644
index c49c8f1..0000000
--- a/registry/clusters/dev/components/vault/wait.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: k8s-toolkit
- namespace: vault
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: k8s-toolkit
- namespace: vault
-rules:
- - apiGroups:
- - ""
- - extensions
- - apps
- resources:
- - pods
- verbs:
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: k8s-toolkit
- namespace: vault
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: k8s-toolkit
-subjects:
- - kind: ServiceAccount
- name: k8s-toolkit
- namespace: vault
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- annotations:
- argocd.argoproj.io/sync-wave: "99"
- name: vault-wait
- namespace: vault
-spec:
- template:
- spec:
- containers:
- - args:
- - wait
- - -n
- - vault
- - -l
- - app.kubernetes.io/name=vault
- - pod
- - --for=condition=Ready
- - --timeout
- - 10m
- image: bitnami/kubectl:1.31
- imagePullPolicy: IfNotPresent
- name: wait
- restartPolicy: OnFailure
- serviceAccountName: k8s-toolkit
diff --git a/registry/clusters/dev/vault.yaml b/registry/clusters/dev/vault.yaml
deleted file mode 100644
index c9f4868..0000000
--- a/registry/clusters/dev/vault.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: vault-components
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-wave: '10'
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- project: default
- source:
- repoURL: https://github.com/mrsimonemms/infrastructure
- path: registry/clusters/dev/components/vault
- targetRevision: HEAD
- destination:
- server: https://kubernetes.default.svc
- namespace: vault
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
diff --git a/registry/clusters/prod/components/vault/operator.yaml b/registry/clusters/prod/components/vault/operator.yaml
deleted file mode 100644
index ed05edb..0000000
--- a/registry/clusters/prod/components/vault/operator.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: vault-operator
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-wave: "10"
-spec:
- project: default
- source:
- chart: vault-operator
- repoURL: ghcr.io/bank-vaults/helm-charts
- targetRevision: 1.22.3
- destination:
- server: https://kubernetes.default.svc
- namespace: vault
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
diff --git a/registry/clusters/prod/components/vault/rbac.yaml b/registry/clusters/prod/components/vault/rbac.yaml
deleted file mode 100644
index c5763fc..0000000
--- a/registry/clusters/prod/components/vault/rbac.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: vault-rbac
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-wave: "20"
-spec:
- project: default
- source:
- path: deploy/rbac
- repoURL: https://github.com/bank-vaults/vault-operator
- targetRevision: HEAD
- kustomize:
- namespace: vault
- destination:
- namespace: vault
- server: https://kubernetes.default.svc
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
diff --git a/registry/clusters/prod/components/vault/vault.yaml b/registry/clusters/prod/components/vault/vault.yaml
deleted file mode 100644
index 69f38b4..0000000
--- a/registry/clusters/prod/components/vault/vault.yaml
+++ /dev/null
@@ -1,171 +0,0 @@
-apiVersion: vault.banzaicloud.com/v1alpha1
-kind: Vault
-metadata:
- name: vault
- namespace: vault
- labels:
- app.kubernetes.io/name: vault
- vault_cr: vault
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "30"
-spec:
- size: 3
- image: hashicorp/vault:1.18.1
-
- annotations:
- common/annotation: "true"
-
- vaultAnnotations:
- type/instance: vault
-
- vaultConfigurerAnnotations:
- type/instance: vaultconfigurer
-
- vaultLabels:
- example.com/log-format: json
-
- vaultConfigurerLabels:
- example.com/log-format: string
-
- serviceAccount: vault
-
- serviceType: ClusterIP
-
- ingress:
- annotations:
- nginx.ingress.kubernetes.io/ssl-passthrough: "true"
- nginx.ingress.kubernetes.io/backend-protocol: HTTPS
- kubernetes.io/tls-acme: "true"
- cert-manager.io/cluster-issuer: letsencrypt
- spec:
- ingressClassName: nginx
- rules:
- - host: vault.simonemms.com
- http:
- paths:
- - backend:
- service:
- name: vault
- port:
- number: 8200
- path: /
- pathType: Prefix
- tls:
- - hosts:
- - vault.simonemms.com
- secretName: vault-tls
-
- volumeClaimTemplates:
- - metadata:
- name: vault-raft
- spec:
- accessModes:
- - ReadWriteOnce
- volumeMode: Filesystem
- resources:
- requests:
- storage: 1Gi
-
- volumeMounts:
- - name: vault-raft
- mountPath: /vault/file
-
- # Add Velero fsfreeze sidecar container and supporting hook annotations to Vault Pods:
- # https://velero.io/docs/v1.2.0/hooks/
- veleroEnabled: true
-
- caNamespaces:
- - vswh
-
- unsealConfig:
- options:
- preFlightChecks: true
- storeRootToken: true
- secretShares: 5
- secretThreshold: 3
- kubernetes:
- secretNamespace: vault
-
- config:
- storage:
- raft:
- path: "/vault/file"
- listener:
- tcp:
- address: "0.0.0.0:8200"
- tls_cert_file: /vault/tls/server.crt
- tls_key_file: /vault/tls/server.key
- api_addr: https://vault.vault:8200
- cluster_addr: "https://${.Env.POD_NAME}:8201"
- ui: true
-
- statsdDisabled: true
-
- serviceRegistrationEnabled: true
-
- resources:
- # A YAML representation of resource ResourceRequirements for vault container
- # Detail can reference: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container
- vault:
- limits:
- memory: "512Mi"
- cpu: "200m"
- requests:
- memory: "256Mi"
- cpu: "100m"
-
- # See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
- # The repository also contains a lot examples in the test/deploy and operator/deploy directories.
- externalConfig:
- policies:
- - name: allow_secrets
- rules: path "secret/*" {
- capabilities = ["create", "read", "update", "delete", "list"]
- }
-
- groups:
- - name: admin1
- policies:
- - allow_secrets
- metadata:
- privileged: true
- type: external
- - name: admin2
- policies:
- - allow_secrets
- metadata:
- privileged: true
- type: external
-
- group-aliases:
- - name: admin1
- mountpath: token
- group: admin1
-
- auth:
- - type: kubernetes
- roles:
- - name: default
- bound_service_account_names:
- - default
- - vault-secrets-webhook
- bound_service_account_namespaces:
- - vault
- - vswh
- policies:
- - allow_secrets
- ttl: 1h
-
- secrets:
- - path: secret
- type: kv
- description: General secrets.
- options:
- version: 2
-
- startupSecrets: []
-
- vaultEnvsConfig:
- - name: VAULT_LOG_LEVEL
- value: debug
diff --git a/registry/clusters/prod/components/vault/wait.yaml b/registry/clusters/prod/components/vault/wait.yaml
deleted file mode 100644
index c49c8f1..0000000
--- a/registry/clusters/prod/components/vault/wait.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: k8s-toolkit
- namespace: vault
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: k8s-toolkit
- namespace: vault
-rules:
- - apiGroups:
- - ""
- - extensions
- - apps
- resources:
- - pods
- verbs:
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: k8s-toolkit
- namespace: vault
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: k8s-toolkit
-subjects:
- - kind: ServiceAccount
- name: k8s-toolkit
- namespace: vault
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- annotations:
- argocd.argoproj.io/sync-wave: "99"
- name: vault-wait
- namespace: vault
-spec:
- template:
- spec:
- containers:
- - args:
- - wait
- - -n
- - vault
- - -l
- - app.kubernetes.io/name=vault
- - pod
- - --for=condition=Ready
- - --timeout
- - 10m
- image: bitnami/kubectl:1.31
- imagePullPolicy: IfNotPresent
- name: wait
- restartPolicy: OnFailure
- serviceAccountName: k8s-toolkit
diff --git a/registry/clusters/prod/vault.yaml b/registry/clusters/prod/vault.yaml
deleted file mode 100644
index 1bf6d09..0000000
--- a/registry/clusters/prod/vault.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: vault-components
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-wave: "10"
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- project: default
- source:
- repoURL: https://github.com/mrsimonemms/infrastructure
- path: registry/clusters/prod/components/vault
- targetRevision: HEAD
- destination:
- server: https://kubernetes.default.svc
- namespace: vault
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true