From 7e2b8a013d0fcdb1b6d18b76497b0176dbc34524 Mon Sep 17 00:00:00 2001
From: Simon Emms
Date: Sun, 3 Nov 2024 20:20:17 +0000
Subject: [PATCH] feat(kubernetes): install bank vaults operator
---
 modules/kubernetes/README.md | 2 +
 modules/kubernetes/variables.tf | 6 +
 .../dev/components/vault/operator.yaml | 22 +++
 .../clusters/dev/components/vault/pvc.yaml | 13 ++
 .../clusters/dev/components/vault/rbac.yaml | 24 +++
 .../clusters/dev/components/vault/vault.yaml | 164 ++++++++++++++++++
 registry/clusters/dev/vault.yaml | 22 +++
 7 files changed, 253 insertions(+)
 create mode 100644 registry/clusters/dev/components/vault/operator.yaml
 create mode 100644 registry/clusters/dev/components/vault/pvc.yaml
 create mode 100644 registry/clusters/dev/components/vault/rbac.yaml
 create mode 100644 registry/clusters/dev/components/vault/vault.yaml
 create mode 100644 registry/clusters/dev/vault.yaml
diff --git a/modules/kubernetes/README.md b/modules/kubernetes/README.md
index 7ae8508..177a5b1 100644
--- a/modules/kubernetes/README.md
+++ b/modules/kubernetes/README.md
@@ -30,6 +30,7 @@ No modules.
 | [helm_release.hcloud_ccm](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.hcloud_csi](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.vault](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_secret_v1.hcloud](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [random_integer.ingress_load_balancer_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
 
@@ -50,6 +51,7 @@ No modules.
 | [kubeconfig](#input\_kubeconfig) | Kubeconfig for the cluster | `string` | n/a | yes |
 | [load\_balancer\_location](#input\_load\_balancer\_location) | Location to use for the load balancer | `string` | n/a | yes |
 | [load\_balancer\_type](#input\_load\_balancer\_type) | Type of load balancer to use | `string` | `"lb11"` | no |
+| [vault\_operator\_version](#input\_vault\_operator\_version) | Version of Bank Vaults to use - defaults to latest | `string` | `null` | no |
 ## Outputs
diff --git a/modules/kubernetes/variables.tf b/modules/kubernetes/variables.tf
index 2d97652..920b6da 100644
--- a/modules/kubernetes/variables.tf
+++ b/modules/kubernetes/variables.tf
@@ -86,3 +86,9 @@ variable "load_balancer_type" {
 description = "Type of load balancer to use"
 default = "lb11"
 }
+
+variable "vault_operator_version" {
+ type = string
+ description = "Version of Bank Vaults to use - defaults to latest"
+ default = null
+}
diff --git a/registry/clusters/dev/components/vault/operator.yaml b/registry/clusters/dev/components/vault/operator.yaml
new file mode 100644
index 0000000..ed05edb
--- /dev/null
+++ b/registry/clusters/dev/components/vault/operator.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vault-operator
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+spec:
+ project: default
+ source:
+ chart: vault-operator
+ repoURL: ghcr.io/bank-vaults/helm-charts
+ targetRevision: 1.22.3
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: vault
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/registry/clusters/dev/components/vault/pvc.yaml b/registry/clusters/dev/components/vault/pvc.yaml
new file mode 100644
index 0000000..b95a5d8
--- /dev/null
+++ b/registry/clusters/dev/components/vault/pvc.yaml
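Review bot: `default = null` on `vault_operator_version` (described as "defaults to latest") means the Helm release it configures follows whatever the chart repository publishes next, so the operator that handles unseal shares and root tokens is not version-pinned by default and a bad or malicious chart release is picked up on the next apply; prefer a pinned default, `default = "<pinned vault-operator chart version — placeholder>"`, and bump it deliberately. The README table in this commit lists `helm_release.vault`, but no `.tf` file defining that resource is in the diffstat, so either it pre-exists or the change is incomplete; if it does exist it competes with the Argo CD `vault-operator` Application added in the same commit, giving one release two owners. The description should also name the chart, e.g. `description = "Version of the bank-vaults vault-operator Helm chart - defaults to latest"`.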
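Review bot: `repoURL: ghcr.io/bank-vaults/helm-charts` is a bare OCI registry host; as far as I know Argo CD treats a scheme-less Helm source as OCI only when that registry is declared as a repository with `enableOCI: "true"`, otherwise the sync fails trying to fetch an HTTP chart index — confirm that repository entry exists in the argocd namespace or add it with this commit. `targetRevision: 1.22.3` pins the chart, which is the right call, but the same commit adds a Terraform `vault_operator_version` variable for the operator, so two places now claim to own its version; keep one. A comment above `targetRevision`, `# vault-operator chart version - keep in step with targetRevision in rbac.yaml`, would tie together the two manifests that must move together.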
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vault-file
+ namespace: vault
+ annotations:
+ argocd.argoproj.io/sync-wave: "12"
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/registry/clusters/dev/components/vault/rbac.yaml b/registry/clusters/dev/components/vault/rbac.yaml
new file mode 100644
index 0000000..51cfc85
--- /dev/null
+++ b/registry/clusters/dev/components/vault/rbac.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vault-rbac
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "11"
+spec:
+ project: default
+ source:
+ path: deploy/rbac
+ repoURL: https://github.com/bank-vaults/vault-operator
+ targetRevision: HEAD
+ kustomize:
+ namespace: vault
+ destination:
+ namespace: vault
+ server: https://kubernetes.default.svc
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/registry/clusters/dev/components/vault/vault.yaml b/registry/clusters/dev/components/vault/vault.yaml
new file mode 100644
index 0000000..89dfff4
--- /dev/null
+++ b/registry/clusters/dev/components/vault/vault.yaml
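Review bot: The claim sets no `storageClassName`, so it binds only if the cluster has a default StorageClass; if none is marked default the PVC stays Pending and the wave-12 Vault pod never starts. With the hcloud CSI driver the module installs (per the README table) a default class is usually present, but an explicit `storageClassName: <hcloud storage class — placeholder>` makes Vault's backing store visible in review rather than implicit. This volume is Vault's entire file storage backend, and the parent `vault-components` Application syncs with `prune: true` and a resources finalizer, so renaming or removing this manifest deletes every secret Vault holds; `argocd.argoproj.io/sync-options: Prune=false,Delete=false` in the annotations guards the data against that.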
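Review bot: `targetRevision: HEAD` pulls `deploy/rbac` from the third-party `bank-vaults/vault-operator` repository at its moving default branch, and with `automated` plus `selfHeal` any change pushed upstream to those RBAC manifests is applied to this cluster unreviewed — an external repository is now in the control path for what the operator is allowed to do. Pin it to the release that matches the chart in operator.yaml, `targetRevision: <vault-operator release tag — placeholder>`, and put a comment above it naming the chart version it pairs with so the two are bumped together. `kustomize.namespace: vault` only rewrites namespaced objects, so it is also worth checking what cluster-scoped bindings `deploy/rbac` contains at the pinned tag, since those are not visible in this patch.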
@@ -0,0 +1,164 @@
+apiVersion: vault.banzaicloud.com/v1alpha1
+kind: Vault
+metadata:
+ name: vault
+ namespace: vault
+ annotations:
+ argocd.argoproj.io/sync-wave: "12"
+spec:
+ size: 1
+ image: hashicorp/vault:1.18.1
+
+ annotations:
+ common/annotation: "true"
+
+ vaultAnnotations:
+ type/instance: "vault"
+
+ vaultConfigurerAnnotations:
+ type/instance: "vaultconfigurer"
+
+ vaultLabels:
+ example.com/log-format: "json"
+
+ vaultConfigurerLabels:
+ example.com/log-format: "string"
+
+ serviceAccount: vault
+
+ serviceType: ClusterIP
+
+ ingress:
+ annotations: {}
+ spec: {}
+
+ volumes:
+ - name: vault-file
+ persistentVolumeClaim:
+ claimName: vault-file
+
+ volumeMounts:
+ - name: vault-file
+ mountPath: /vault/file
+
+ caNamespaces:
+ - "vswh"
+
+ unsealConfig:
+ options:
+ preFlightChecks: true
+ storeRootToken: true
+ secretShares: 5
+ secretThreshold: 3
+ kubernetes:
+ secretNamespace: vault
+
+ config:
+ storage:
+ file:
+ path: "${ .Env.VAULT_STORAGE_FILE }"
+ listener:
+ tcp:
+ address: "0.0.0.0:8200"
+ # tls_disable: true
+ tls_cert_file: /vault/tls/server.crt
+ tls_key_file: /vault/tls/server.key
+ telemetry:
+ statsd_address: localhost:9125
+ ui: true
+
+ externalConfig:
+ policies:
+ - name: allow_secrets
+ rules: path "secret/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+ }
+ - name: allow_pki
+ rules: path "pki/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+ }
+
+ groups:
+ - name: admin1
+ policies:
+ - allow_secrets
+ metadata:
+ privileged: true
+ type: external
+ - name: admin2
+ policies:
+ - allow_secrets
+ metadata:
+ privileged: true
+ type: external
+
+ group-aliases:
+ - name: admin1
+ mountpath: token
+ group: admin1
+
+ auth:
+ - type: kubernetes
+ roles:
+ - name: default
+ bound_service_account_names:
+ ["default", "vault-secrets-webhook", "vault"]
+ bound_service_account_namespaces: ["vault", "vswh"]
+ policies: ["allow_secrets", "allow_pki"]
+ ttl: 1h
+
+ secrets:
+ - path: secret
type: kv
+ description: General secrets.
+ options:
+ version: 2
+
+ - path: pki
+ type: pki
+ description: Vault PKI Backend
+ config:
+ default_lease_ttl: 168h
+ max_lease_ttl: 720h
+ configuration:
+ config:
+ - name: urls
+ issuing_certificates: https://vault.vault:8200/v1/pki/ca
+ crl_distribution_points: https://vault.vault:8200/v1/pki/crl
+ root/generate:
+ - name: internal
+ common_name: vault.vault
+ roles:
+ - name: default
+ allowed_domains: localhost,pod,svc,default
+ allow_subdomains: true
+ generate_lease: true
+ ttl: 1m
+
+ startupSecrets:
+ - type: kv
+ path: secret/data/accounts/aws
+ data:
+ data:
+ AWS_ACCESS_KEY_ID: secretId
+ AWS_SECRET_ACCESS_KEY: s3cr3t
+ - type: kv
+ path: secret/data/dockerrepo
+ data:
+ data:
+ DOCKER_REPO_USER: dockerrepouser
+ DOCKER_REPO_PASSWORD: dockerrepopassword
+ - type: kv
+ path: secret/data/mysql
+ data:
+ data:
+ MYSQL_ROOT_PASSWORD: s3cr3t
+ MYSQL_PASSWORD: 3xtr3ms3cr3t
+
+ vaultEnvsConfig:
+ - name: VAULT_LOG_LEVEL
+ value: debug
+ - name: VAULT_STORAGE_FILE
+ value: "/vault/file"
+
+ istioEnabled: false
diff --git a/registry/clusters/dev/vault.yaml b/registry/clusters/dev/vault.yaml
new file mode 100644
index 0000000..572d2e0
--- /dev/null
+++ b/registry/clusters/dev/vault.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vault-components
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/mrsimonemms/infrastructure
+ path: registry/clusters/dev/components/vault
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: vault
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
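Review bot: The kubernetes auth role `default` lists `"default"` in `bound_service_account_names` for the `vault` and `vswh` namespaces with the `allow_secrets` and `allow_pki` policies, which grant create/read/update/delete/list on all of `secret/*` and `pki/*`; any pod in those namespaces that runs under the default service account can therefore read and rewrite every secret, so remove `"default"` from that list and give each consumer its own service account and role. `storeRootToken: true` under `unsealConfig` keeps the root token in a Kubernetes Secret in the `vault` namespace next to the unseal shares (`secretNamespace: vault`), and `startupSecrets` seeds literal credentials from this git-tracked manifest; together with `common/annotation`, `example.com/log-format` and `caNamespaces` pointing at `vswh` these read as copied from the upstream example, so either mark them as dev-only fixtures in a comment or strip them before this reaches anything beyond dev. `VAULT_LOG_LEVEL: debug` is also noisier than a secrets service should be by default. On style, the two `rules:` values are multi-line plain scalars whose continuation depends on indentation; `rules: |` with the HCL body beneath yields the same string and survives a reformat.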
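Review bot: The `Vault` custom resource this Application syncs from `components/vault` (wave 12) depends on the `vault.banzaicloud.com/v1alpha1` CRD, which only appears after the wave-10 `vault-operator` child Application has installed the chart; Argo CD dry-runs every manifest before the first wave runs, so the initial sync is likely to fail with an unknown-kind error until that CRD exists. Annotating the Vault CR with `argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true` avoids that, and unless a health check for `Application` resources is configured a child app reporting Synced does not mean its operator Deployment is running, so wave 12 can still race the operator. `targetRevision: HEAD` on the repo's own branch is the usual GitOps setup, but combined with `prune: true` and the resources finalizer, deleting this app cascades to the `vault-file` PVC and the data on it.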