feat(kubernetes): install bank vaults operator

modules/kubernetes/README.md

@@ -30,6 +30,7 @@ No modules.
 | [helm_release.hcloud_ccm](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.hcloud_csi](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.vault](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_secret_v1.hcloud](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [random_integer.ingress_load_balancer_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
 
@@ -50,6 +51,7 @@ No modules.
 | <a name="input_kubeconfig"></a> [kubeconfig](#input\_kubeconfig) | Kubeconfig for the cluster | `string` | n/a | yes |
 | <a name="input_load_balancer_location"></a> [load\_balancer\_location](#input\_load\_balancer\_location) | Location to use for the load balancer | `string` | n/a | yes |
 | <a name="input_load_balancer_type"></a> [load\_balancer\_type](#input\_load\_balancer\_type) | Type of load balancer to use | `string` | `"lb11"` | no |
+| <a name="input_vault_operator_version"></a> [vault\_operator\_version](#input\_vault\_operator\_version) | Version of Bank Vaults to use - defaults to latest | `string` | `null` | no |
 
 ## Outputs
 

modules/kubernetes/variables.tf

@@ -86,3 +86,9 @@ variable "load_balancer_type" {
   description = "Type of load balancer to use"
   default     = "lb11"
 }
+
+variable "vault_operator_version" {
+  type        = string
+  description = "Version of Bank Vaults to use - defaults to latest"
+  default     = null
+}

registry/clusters/dev/components/vault/operator.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault-operator
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  project: default
+  source:
+    chart: vault-operator
+    repoURL: ghcr.io/bank-vaults/helm-charts
+    targetRevision: 1.22.3
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: vault
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

registry/clusters/dev/components/vault/pvc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vault-file
+  namespace: vault
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

registry/clusters/dev/components/vault/rbac.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault-rbac
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "11"
+spec:
+  project: default
+  source:
+    path: deploy/rbac
+    repoURL: https://github.com/bank-vaults/vault-operator
+    targetRevision: HEAD
+    kustomize:
+      namespace: vault
+  destination:
+    namespace: vault
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

registry/clusters/dev/components/vault/vault.yaml

@@ -0,0 +1,164 @@
+apiVersion: vault.banzaicloud.com/v1alpha1
+kind: Vault
+metadata:
+  name: vault
+  namespace: vault
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+spec:
+  size: 1
+  image: hashicorp/vault:1.18.1
+
+  annotations:
+    common/annotation: "true"
+
+  vaultAnnotations:
+    type/instance: "vault"
+
+  vaultConfigurerAnnotations:
+    type/instance: "vaultconfigurer"
+
+  vaultLabels:
+    example.com/log-format: "json"
+
+  vaultConfigurerLabels:
+    example.com/log-format: "string"
+
+  serviceAccount: vault
+
+  serviceType: ClusterIP
+
+  ingress:
+    annotations: {}
+    spec: {}
+
+  volumes:
+    - name: vault-file
+      persistentVolumeClaim:
+        claimName: vault-file
+
+  volumeMounts:
+    - name: vault-file
+      mountPath: /vault/file
+
+  caNamespaces:
+    - "vswh"
+
+  unsealConfig:
+    options:
+      preFlightChecks: true
+      storeRootToken: true
+      secretShares: 5
+      secretThreshold: 3
+    kubernetes:
+      secretNamespace: vault
+
+  config:
+    storage:
+      file:
+        path: "${ .Env.VAULT_STORAGE_FILE }"
+    listener:
+      tcp:
+        address: "0.0.0.0:8200"
+        # tls_disable: true
+        tls_cert_file: /vault/tls/server.crt
+        tls_key_file: /vault/tls/server.key
+    telemetry:
+      statsd_address: localhost:9125
+    ui: true
+
+  externalConfig:
+    policies:
+      - name: allow_secrets
+        rules: path "secret/*" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+          }
+      - name: allow_pki
+        rules: path "pki/*" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+          }
+
+    groups:
+      - name: admin1
+        policies:
+          - allow_secrets
+        metadata:
+          privileged: true
+        type: external
+      - name: admin2
+        policies:
+          - allow_secrets
+        metadata:
+          privileged: true
+        type: external
+
+    group-aliases:
+      - name: admin1
+        mountpath: token
+        group: admin1
+
+    auth:
+      - type: kubernetes
+        roles:
+          - name: default
+            bound_service_account_names:
+              ["default", "vault-secrets-webhook", "vault"]
+            bound_service_account_namespaces: ["vault", "vswh"]
+            policies: ["allow_secrets", "allow_pki"]
+            ttl: 1h
+
+    secrets:
+      - path: secret
+        type: kv
+        description: General secrets.
+        options:
+          version: 2
+
+      - path: pki
+        type: pki
+        description: Vault PKI Backend
+        config:
+          default_lease_ttl: 168h
+          max_lease_ttl: 720h
+        configuration:
+          config:
+            - name: urls
+              issuing_certificates: https://vault.vault:8200/v1/pki/ca
+              crl_distribution_points: https://vault.vault:8200/v1/pki/crl
+          root/generate:
+            - name: internal
+              common_name: vault.vault
+          roles:
+            - name: default
+              allowed_domains: localhost,pod,svc,default
+              allow_subdomains: true
+              generate_lease: true
+              ttl: 1m
+
+    startupSecrets:
+      - type: kv
+        path: secret/data/accounts/aws
+        data:
+          data:
+            AWS_ACCESS_KEY_ID: secretId
+            AWS_SECRET_ACCESS_KEY: s3cr3t
+      - type: kv
+        path: secret/data/dockerrepo
+        data:
+          data:
+            DOCKER_REPO_USER: dockerrepouser
+            DOCKER_REPO_PASSWORD: dockerrepopassword
+      - type: kv
+        path: secret/data/mysql
+        data:
+          data:
+            MYSQL_ROOT_PASSWORD: s3cr3t
+            MYSQL_PASSWORD: 3xtr3ms3cr3t
+
+  vaultEnvsConfig:
+    - name: VAULT_LOG_LEVEL
+      value: debug
+    - name: VAULT_STORAGE_FILE
+      value: "/vault/file"
+
+  istioEnabled: false

registry/clusters/dev/vault.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault-components
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/mrsimonemms/infrastructure
+    path: registry/clusters/dev/components/vault
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: vault
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true