

Merge pull request #15 from CSCfi/feature/k8s_plan
Implementing K8s plan for HPCS Server side
mmatthiesencsc authored Apr 8, 2024
2 parents 53183aa + d39d585 commit d9fdfaa
Showing 18 changed files with 729 additions and 10 deletions.
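--- a/k8s/deploy-all.yaml
+++ b/k8s/deploy-all.yaml
@@ -0,0 +1,246 @@
+- hosts: localhost
+vars:
+hpcs_server_policy: |
+path "auth/jwt/role/*" {
+capabilities = ["sudo","read","create","delete","update"]
+}
+path "sys/policies/acl/*" {
+capabilities = ["sudo","read","create","delete","update"]
+}
+tasks:
+- name: create hpcs namespace
+k8s:
+state: present
+src: hpcs-namespace.yaml
+
+- name: create spire-server account
+k8s:
+state: present
+src: spire-server-account.yaml
+
+- name: create spire-server clusterrole
+k8s:
+state: present
+src: spire-server-cluster-role.yaml
+
+- name: create spire-server configmap
+k8s:
+state: present
+src: spire-server-configmap.yaml
+
+- name: create spire-oidc configmap
+k8s:
+state: present
+src: spire-oidc-configmap.yaml
+
+- name: create spire nginx proxy configmap
+k8s:
+state: present
+src: spire-server-nginx-configmap.yaml
+
+- name: Create spire-oidc private key
+openssl_privatekey:
+path: /etc/certs/hpcs-spire-oidc/selfsigned.key
+size: 4096
+
+- name: Create spire-oidc csr
+openssl_csr:
+path: /etc/certs/hpcs-spire-oidc/selfsigned.csr
+privatekey_path: /etc/certs/hpcs-spire-oidc/selfsigned.key
+
+- name: Create spire-oidc certificate
+openssl_certificate:
+provider: selfsigned
+path: /etc/certs/hpcs-spire-oidc/selfsigned.crt
+privatekey_path: /etc/certs/hpcs-spire-oidc/selfsigned.key
+csr_path: /etc/certs/hpcs-spire-oidc/selfsigned.csr
+
+- name: create spire-server pod (spire-server, spire-oidc, hpcs-nginx)
+k8s:
+state: present
+src: spire-server-statefulset.yaml
+
+- name: create spire-server service (expose spire server port)
+k8s:
+state: present
+src: spire-server-service.yaml
+
+- name: create spire-server service (expose spire oidc port)
+k8s:
+state: present
+src: spire-oidc-service.yaml
+
+- name: Add hashicorp to helm repositories
+kubernetes.core.helm_repository:
+name: stable
+repo_url: "https://helm.releases.hashicorp.com"
+
+- name: Deploy hashicorp vault
+kubernetes.core.helm:
+release_name: vault
+chart_ref: hashicorp/vault
+release_namespace: hpcs
+chart_version: 0.27.0
+
+- name: Wait for vault to be created
+shell: "kubectl get po -n hpcs vault-0 --output=jsonpath='{.status}'"
+register: pod_ready_for_init
+until: (pod_ready_for_init.stdout | from_json)['containerStatuses'] is defined
+retries: 10
+delay: 2
+
+- name: Initialize vault
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: vault-0
+command: vault operator init -n 1 -t 1 -format json
+register: vault_init
+ignore_errors: True
+
+- name: Showing tokens
+ansible.builtin.debug:
+msg:
+- "Please note the unseal token : {{ (vault_init.stdout | from_json)['unseal_keys_b64'][0] }}"
+- "Please note the root-token : '{{ (vault_init.stdout | from_json)['root_token' ] }}'"
+when: vault_init.rc == 0
+
+- name: Unseal vault
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: vault-0
+command: vault operator unseal {{ (vault_init.stdout | from_json)['unseal_keys_b64'][0] }}
+when: vault_init.rc == 0
+ignore_errors: True
+
+- name: Enable jwt authentication in vault
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: vault-0
+command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token' ] }} ; vault auth enable jwt"
+when: vault_init.rc == 0
+
+- name: Enable kv secrets in vault
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: vault-0
+command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token' ] }} ; vault secrets enable -version=2 kv"
+when: vault_init.rc == 0
+
+- name: Create hpcs-server vault policy file
+copy:
+content: "{{ hpcs_server_policy }}"
+dest: /tmp/policy
+when: vault_init.rc == 0
+
+- name: Copy oidc cert to vault's pod
+kubernetes.core.k8s_cp:
+namespace: hpcs
+pod: vault-0
+remote_path: /tmp/cert
+local_path: /etc/certs/hpcs-spire-oidc/selfsigned.crt
+when: vault_init.rc == 0
+
+- name: Write oidc config to vault
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: vault-0
+command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token'] }} ; vault write auth/jwt/config oidc_discovery_url=https://spire-oidc oidc_discovery_ca_pem=\"$(cat /tmp/cert)\""
+when: vault_init.rc == 0
+
+- name: Copy policy file to vault's pod
+kubernetes.core.k8s_cp:
+namespace: hpcs
+pod: vault-0
+remote_path: /tmp/policy
+local_path: /tmp/policy
+when: vault_init.rc == 0
+
+- name: Write hpcs-server vault policy
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: vault-0
+command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token'] }} ; vault policy write hpcs-server /tmp/policy"
+when: vault_init.rc == 0
+
+- name: Write hpcs-server vault role
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: vault-0
+command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token'] }} ; vault write auth/jwt/role/hpcs-server role_type=jwt user_claim=sub bound_audiences=TESTING bound_subject=spiffe://hpcs/hpcs-server/workload token_ttl=24h token_policies=hpcs-server"
+when: vault_init.rc == 0
+
+- name: Check cgroups version
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: vault-0
+command: sh -c "cat /proc/filesystems | grep cgroup2"
+register: cgroups_check
+
+- name: Register node uid and nodename
+shell: "kubectl get nodes -o json"
+register: kubectl_node_info
+
+- name: Register hpcs-server identity
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: spire-server-0
+container: spire-server
+command: ./bin/spire-server entry create -parentID spiffe://hpcs/spire/agent/k8s_psat/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['name'] }}/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['uid'] }} -spiffeID spiffe://hpcs/hpcs-server/workload -selector unix:uid:0
+register: cgroups_check
+when: cgroups_check.rc == 0
+ignore_errors: True
+
+- name: Register hpcs-server identity
+kubernetes.core.k8s_exec:
+namespace: hpcs
+pod: spire-server-0
+container: spire-server
+command: ./bin/spire-server entry create -parentID spiffe://hpcs/spire/agent/k8s_psat/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['name'] }}/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['uid'] }} -spiffeID spiffe://hpcs/hpcs-server/workload -selector k8s:pod-name:hpcs-server
+register: cgroups_check
+when: cgroups_check.rc == 1
+ignore_errors: True
+
+- name: Expose vault's web port
+kubernetes.core.k8s_service:
+state: present
+name: vault-external
+type: NodePort
+namespace: hpcs
+ports:
+- port: 8200
+protocol: TCP
+selector:
+service: vault
+
+- name: Create hpcs-server account
+k8s:
+state: present
+src: hpcs-server-account.yaml
+
+- name: Create hpcs-spire account
+k8s:
+state: present
+src: hpcs-spire-account.yaml
+
+- name: Create hpcs-server configmap
+k8s:
+state: present
+src: hpcs-server-configmap.yaml
+
+- name: Create hpcs-server statefulset and pod
+k8s:
+state: present
+src: hpcs-server-statefulset.yaml
+
+- name: Expose hpcs-server's web port
+kubernetes.core.k8s_service:
+state: present
+name: hpcs-external
+type: NodePort
+namespace: hpcs
+ports:
+- port: 10080
+protocol: TCP
+selector:
+service: hpcs-server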
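Review bot: The Vault unseal key and root token are written to the play output — `Showing tokens` prints both via `debug`, and every later `kubernetes.core.k8s_exec` task expands `root_token` into its `sh -c "export VAULT_TOKEN=…"` command, which Ansible shows in verbose and failure output — so they end up in the CI logs of whoever runs this plan. Add `no_log: true` to `Initialize vault` and to each task that embeds the token, and replace the debug print with a `copy` of `vault_init.stdout` to a root-only file (`mode: "0600"`) or a secret store. Separately, both `Register hpcs-server identity` tasks use `register: cgroups_check`, so the first overwrites the variable that the second's `when: cgroups_check.rc == 1` tests — and when the first is skipped the registered result carries no `rc`, so the second condition likely errors instead of selecting the k8s selector; give them their own names such as `register: spire_entry_unix` and `register: spire_entry_k8s`. The `hpcs-external` service selects `service: hpcs-server`, but the StatefulSet in k8s/hpcs-server-statefulset.yaml labels its pods `app: hpcs-server`, so the NodePort has no endpoints; change the selector to `app: hpcs-server` and check `service: vault` against the labels the Vault chart actually sets. Finally, the JWT role is bound to `bound_audiences=TESTING` and the policy attached to it grants `sudo`/create/delete on `auth/jwt/role/*` and `sys/policies/acl/*`, which lets the workload rewrite its own role and policies — pin the audience the SPIRE OIDC provider issues and narrow the policy to the paths the server needs.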
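--- a/k8s/hpcs-namespace.yaml
+++ b/k8s/hpcs-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: hpcs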
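--- a/k8s/hpcs-server-account.yaml
+++ b/k8s/hpcs-server-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: hpcs-server
+namespace: hpcs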
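--- a/k8s/hpcs-server-configmap.yaml
+++ b/k8s/hpcs-server-configmap.yaml
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: hpcs-server
+namespace: hpcs
+data:
+hpcs-server.conf: |
+[spire-server]
+address = localhost
+port = 8081
+trust-domain = hpcs
+pre-command = ""
+spire-server-bin = spire-server
+socket-path = /var/run/sockets/server/api.sock
+[spire-agent]
+spire-agent-socket = /run/sockets/agent/agent.sock
+[vault]
+url = http://vault:8200
+server-role = hpcs-server
+agent.conf: |
+agent {
+data_dir = "./data/agent"
+log_level = "DEBUG"
+trust_domain = "hpcs"
+server_address = "spire-server"
+server_port = 8081
+socket_path = "/var/run/sockets/agent/agent.sock"
+admin_socket_path = "/var/run/sockets/admin/admin.sock"
+# Insecure bootstrap is NOT appropriate for production use but is ok for
+# simple testing/evaluation purposes.
+insecure_bootstrap = true
+}
+plugins {
+KeyManager "disk" {
+plugin_data {
+directory = "./data/agent"
+}
+}
+NodeAttestor "k8s_psat" {
+plugin_data {
+cluster = "docker-desktop"
+}
+}
+WorkloadAttestor "k8s" {
+plugin_data {
+}
+}
+WorkloadAttestor "unix" {
+plugin_data {
+discover_workload_path = true
+}
+}
+}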
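Review bot: `url = http://vault:8200` in `hpcs-server.conf` sends the server's JWT login and every secret read to Vault in clear text over the cluster network, and the companion `agent.conf` sets `insecure_bootstrap = true`, so neither the Vault nor the SPIRE leg is authenticated at the transport level (the file's own comment already limits the agent setting to testing). Once the chart is deployed with TLS the URL should become `https://vault:8200` with the CA made available to the server, and `insecure_bootstrap` should give way to a bundle supplied through `trust_bundle_path`. `cluster = "docker-desktop"` in the `k8s_psat` attestor and `log_level = "DEBUG"` also hard-code a local development setup; a comment such as `# cluster must match the name the spire-server k8s_psat NodeAttestor is configured with` would tell the next operator what to change. The rendered page seems to have dropped the file's blank lines (61 additions, 53 shown), so the line count here is not authoritative.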
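--- a/k8s/hpcs-server-service.yaml
+++ b/k8s/hpcs-server-service.yaml
@@ -0,0 +1,14 @@
+# Service definition for spire-oidc (expose the OIDC socket)
+apiVersion: v1
+kind: Service
+metadata:
+name: hpcs-server
+namespace: hpcs
+spec:
+clusterIP: None
+selector:
+app: hpcs-server
+ports:
+- name: https
+port: 10080
+targetPort: hpcs-server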
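Review bot: The header comment `# Service definition for spire-oidc (expose the OIDC socket)` is copied from another manifest; this is the headless service for the hpcs-server StatefulSet, so replace it with `# Headless service for the hpcs-server StatefulSet (serviceName; port 10080)`. The port is named `https` although the container port in hpcs-server-statefulset.yaml is named `hpcs-server` and deploy-all.yaml calls the same port the server's web port; if the server does not terminate TLS on 10080 the name is misleading, and some service meshes use port names for protocol selection, so name it after what is actually served. Note also that this headless service is not applied by deploy-all.yaml, which only creates the NodePort `hpcs-external`; the StatefulSet's `serviceName: hpcs-server` then points at a service that does not exist.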
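--- a/k8s/hpcs-server-statefulset.yaml
+++ b/k8s/hpcs-server-statefulset.yaml
@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+name: hpcs-server
+namespace: hpcs
+labels:
+app: hpcs-server
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: hpcs-server
+serviceName: hpcs-server
+template:
+metadata:
+namespace: hpcs
+labels:
+app: hpcs-server
+spec:
+serviceAccountName: hpcs-server
+shareProcessNamespace: true
+containers:
+- name: hpcs-server
+image: ghcr.io/cscfi/hpcs/server:0.1.1
+ports:
+- containerPort: 10080
+name: hpcs-server
+volumeMounts:
+- name: hpcs-server-configs
+mountPath: /tmp/
+readOnly: false
+- name: hpcs-spire-sockets
+mountPath: /var/run/sockets
+readOnly: false
+- name: hpcs-spire-agent-token
+mountPath: /var/run/secrets/tokens
+readOnly: true
+volumes:
+- name: hpcs-server-configs
+configMap:
+name: hpcs-server
+- name: hpcs-spire-sockets
+hostPath:
+path: /run/spire/sockets
+type: DirectoryOrCreate
+- name: hpcs-spire-agent-token
+projected:
+sources:
+- serviceAccountToken:
+path: spire-agent
+expirationSeconds: 7200
+audience: spire-server
+volumeClaimTemplates:
+- metadata:
+name: spire-agent-data
+namespace: hpcs
+spec:
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: 1Gi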
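Review bot: The `hpcs-server-configs` ConfigMap is mounted at `/tmp/`, which replaces the container's writable temp directory with a volume Kubernetes mounts read-only regardless of `readOnly: false`; anything in the server that writes temp files will fail, so if the image can be pointed elsewhere mount the config at a dedicated path such as `/etc/hpcs/`, and in any case set `readOnly: true` so the manifest states the real behaviour. The `spire-agent-data` volumeClaimTemplate creates a 1Gi PVC per replica that no container mounts (the only `volumeMounts` are the configs, the socket hostPath and the token), so either mount it where the agent's `data_dir` lives or drop it. There is no pod or container `securityContext`, and the entry registered in deploy-all.yaml selects `unix:uid:0`, which suggests the server runs as root with the node's `/run/spire/sockets` hostPath writable; at minimum set `allowPrivilegeEscalation: false`, and add a comment stating why root and `shareProcessNamespace: true` are required, since neither is explained here.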

