From 692a61660400e09ae009fdb5936c5bbf92a70f8a Mon Sep 17 00:00:00 2001 From: Simon Emms Date: Thu, 7 Nov 2024 22:16:03 +0000 Subject: [PATCH] feat: add vault to prod cluster --- registry/clusters/prod/components/vault.yaml | 22 +++ .../prod/components/vault/operator.yaml | 22 +++ .../clusters/prod/components/vault/rbac.yaml | 24 +++ .../clusters/prod/components/vault/vault.yaml | 171 ++++++++++++++++++ .../clusters/prod/components/vault/wait.yaml | 62 +++++++ 5 files changed, 301 insertions(+) create mode 100644 registry/clusters/prod/components/vault.yaml create mode 100644 registry/clusters/prod/components/vault/operator.yaml create mode 100644 registry/clusters/prod/components/vault/rbac.yaml create mode 100644 registry/clusters/prod/components/vault/vault.yaml create mode 100644 registry/clusters/prod/components/vault/wait.yaml diff --git a/registry/clusters/prod/components/vault.yaml b/registry/clusters/prod/components/vault.yaml new file mode 100644 index 0000000..8080608 --- /dev/null +++ b/registry/clusters/prod/components/vault.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault-components + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://github.com/mrsimonemms/infrastructure + path: registry/clusters/prod/components/vault + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: vault + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/registry/clusters/prod/components/vault/operator.yaml b/registry/clusters/prod/components/vault/operator.yaml new file mode 100644 index 0000000..ed05edb --- /dev/null +++ b/registry/clusters/prod/components/vault/operator.yaml 
@@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault-operator + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "10" +spec: + project: default + source: + chart: vault-operator + repoURL: ghcr.io/bank-vaults/helm-charts + targetRevision: 1.22.3 + destination: + server: https://kubernetes.default.svc + namespace: vault + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/registry/clusters/prod/components/vault/rbac.yaml b/registry/clusters/prod/components/vault/rbac.yaml new file mode 100644 index 0000000..c5763fc --- /dev/null +++ b/registry/clusters/prod/components/vault/rbac.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault-rbac + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "20" +spec: + project: default + source: + path: deploy/rbac + repoURL: https://github.com/bank-vaults/vault-operator + targetRevision: HEAD + kustomize: + namespace: vault + destination: + namespace: vault + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/registry/clusters/prod/components/vault/vault.yaml b/registry/clusters/prod/components/vault/vault.yaml new file mode 100644 index 0000000..69f38b4 --- /dev/null +++ b/registry/clusters/prod/components/vault/vault.yaml 
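Review bot: `rbac.yaml` pulls the operator's RBAC manifests from the third-party repository `https://github.com/bank-vaults/vault-operator` at `targetRevision: HEAD` with `automated.prune`/`selfHeal` enabled, so whatever lands on that repository's default branch — or whatever a compromise of it pushes — is applied to the prod cluster's Roles and bindings without anyone in this repo reviewing it. The sibling `operator.yaml` in this same commit pins the chart to `targetRevision: 1.22.3`; the RBAC source should be pinned the same way, e.g. `targetRevision: <tag-or-commit-matching-operator-1.22.3>`, and bumped together with the chart. Also worth confirming: `deploy/rbac` is applied into `namespace: vault` via `kustomize.namespace`, but if that directory contains cluster-scoped objects (ClusterRole/ClusterRoleBinding, which are not visible from here) the namespace override does not constrain them.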
@@ -0,0 +1,171 @@ +apiVersion: vault.banzaicloud.com/v1alpha1 +kind: Vault +metadata: + name: vault + namespace: vault + labels: + app.kubernetes.io/name: vault + vault_cr: vault + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "30" +spec: + size: 3 + image: hashicorp/vault:1.18.1 + + annotations: + common/annotation: "true" + + vaultAnnotations: + type/instance: vault + + vaultConfigurerAnnotations: + type/instance: vaultconfigurer + + vaultLabels: + example.com/log-format: json + + vaultConfigurerLabels: + example.com/log-format: string + + serviceAccount: vault + + serviceType: ClusterIP + + ingress: + annotations: + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt + spec: + ingressClassName: nginx + rules: + - host: vault.simonemms.com + http: + paths: + - backend: + service: + name: vault + port: + number: 8200 + path: / + pathType: Prefix + tls: + - hosts: + - vault.simonemms.com + secretName: vault-tls + + volumeClaimTemplates: + - metadata: + name: vault-raft + spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 1Gi + + volumeMounts: + - name: vault-raft + mountPath: /vault/file + + # Add Velero fsfreeze sidecar container and supporting hook annotations to Vault Pods: + # https://velero.io/docs/v1.2.0/hooks/ + veleroEnabled: true + + caNamespaces: + - vswh + + unsealConfig: + options: + preFlightChecks: true + storeRootToken: true + secretShares: 5 + secretThreshold: 3 + kubernetes: + secretNamespace: vault + + config: + storage: + raft: + path: "/vault/file" + listener: + tcp: + address: "0.0.0.0:8200" + tls_cert_file: /vault/tls/server.crt + tls_key_file: /vault/tls/server.key + api_addr: https://vault.vault:8200 + cluster_addr: "https://${.Env.POD_NAME}:8201" + ui: true + + statsdDisabled: true + + 
serviceRegistrationEnabled: true + + resources: + # A YAML representation of resource ResourceRequirements for vault container + # Detail can reference: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container + vault: + limits: + memory: "512Mi" + cpu: "200m" + requests: + memory: "256Mi" + cpu: "100m" + + # See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration + # The repository also contains a lot examples in the test/deploy and operator/deploy directories. + externalConfig: + policies: + - name: allow_secrets + rules: path "secret/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + + groups: + - name: admin1 + policies: + - allow_secrets + metadata: + privileged: true + type: external + - name: admin2 + policies: + - allow_secrets + metadata: + privileged: true + type: external + + group-aliases: + - name: admin1 + mountpath: token + group: admin1 + + auth: + - type: kubernetes + roles: + - name: default + bound_service_account_names: + - default + - vault-secrets-webhook + bound_service_account_namespaces: + - vault + - vswh + policies: + - allow_secrets + ttl: 1h + + secrets: + - path: secret + type: kv + description: General secrets. + options: + version: 2 + + startupSecrets: [] + + vaultEnvsConfig: + - name: VAULT_LOG_LEVEL + value: debug diff --git a/registry/clusters/prod/components/vault/wait.yaml b/registry/clusters/prod/components/vault/wait.yaml new file mode 100644 index 0000000..c49c8f1 --- /dev/null +++ b/registry/clusters/prod/components/vault/wait.yaml 
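Review bot: The kubernetes auth role `default` binds the `default` ServiceAccount in the `vault` and `vswh` namespaces to `allow_secrets`, which grants create/read/update/delete/list on `secret/*`, so any pod scheduled in either namespace without an explicit `serviceAccountName` obtains full read/write on every KV secret; drop `default` from `bound_service_account_names` and keep only the accounts that actually need it, e.g. `- vault-secrets-webhook`. `unsealConfig.options.storeRootToken: true` together with `kubernetes.secretNamespace: vault` appears to keep the initial root token (and the unseal shares) in a Kubernetes Secret in the `vault` namespace, so Secret read in that namespace is effectively Vault root; the configurer that applies `externalConfig` likely depends on it, so rather than disabling it, treat that Secret as the cluster's highest-value object and keep namespace RBAC on secrets as tight as the `k8s-toolkit` Role in this commit already is. `vaultEnvsConfig` sets `VAULT_LOG_LEVEL` to `debug` on a production cluster; `info` is the usual choice, and debug output makes the logs noisier to audit. The ingress combines `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` with a `tls:` block and `cert-manager.io/cluster-issuer: letsencrypt`, but with passthrough the controller forwards the raw TLS stream, so the `vault-tls` certificate is presumably never presented and external clients see whatever `/vault/tls/server.crt` holds — confirm which certificate clients are expected to trust and remove whichever half of that configuration is not in use.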
@@ -0,0 +1,62 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit + namespace: vault +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit + namespace: vault +rules: + - apiGroups: + - "" + - extensions + - apps + resources: + - pods + verbs: + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit + namespace: vault +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit +subjects: + - kind: ServiceAccount + name: k8s-toolkit + namespace: vault +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: "99" + name: vault-wait + namespace: vault +spec: + template: + spec: + containers: + - args: + - wait + - -n + - vault + - -l + - app.kubernetes.io/name=vault + - pod + - --for=condition=Ready + - --timeout + - 10m + image: bitnami/kubectl:1.31 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit
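Review bot: The `vault-wait` Job's container has no `securityContext`, and the Job sets neither `backoffLimit` nor `ttlSecondsAfterFinished`, so a cluster that is slow to bring Vault up retries the 10-minute wait up to the default six times and the finished pod lingers with its ServiceAccount token mounted. The `k8s-toolkit` Role is appropriately narrow (`list`/`watch` on `pods`), though `extensions` and `apps` do not serve `pods`, so those two `apiGroups` entries can be dropped. `image: bitnami/kubectl:1.31` is a floating tag; pin it to a digest (`bitnami/kubectl:1.31@sha256:<digest>`) so the job's contents are reproducible. Suggested hardening for the Job spec, with the rest of the manifest unchanged:

```yaml
spec:
  backoffLimit: 2
  ttlSecondsAfterFinished: 600
  template:
    spec:
      containers:
        - name: wait
          # … unchanged: args, image, imagePullPolicy …
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
      # … unchanged: restartPolicy, serviceAccountName …
```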