feat: secret management with vault

services/vault/00-namespaces.yaml

@@ -0,0 +1,11 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: vault
+
+---
+
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: vault-operator

services/vault/01-certificates.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: website-cert
+  namespace: vault
+spec:
+  secretName: website-cert
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: vault.niaefeup.pt
+  dnsNames:
+    - vault.niaefeup.pt

services/vault/02-ingress-routes.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: vault-https
+  namespace: vault
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`vault.niaefeup.pt`)
+      kind: Rule
+      services:
+        - name: vault-ui
+          port: 80
+  tls:
+    secretName: website-cert

services/vault/deploy-vault-dev.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo update
+
+kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
+kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
+kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
+kubectl apply -f "$(dirname "$0")"/vault-sa.yaml
+
+helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-dev-values.yaml
+helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault-operator --values $(dirname $0)/vault-operator-dev-values.yaml

services/vault/deploy-vault-prod.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo update
+
+kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
+kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
+kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
+kubectl apply -f "$(dirname "$0")"/vault-sa.yaml
+
+helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml
+helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault-operator --values $(dirname $0)/vault-operator-prod-values.yaml

services/vault/vault-dev-values.yaml

@@ -0,0 +1,23 @@
+#https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
+server:
+  dev:
+    enabled: true
+    devRootToken: "root"
+  logLevel: debug
+  # A service is not needed since we are not going to be using the vault agent injector
+ui:
+  enabled: true
+  serviceType: "LoadBalancer"
+  targetPort: 8200
+  externalPort: 8200
+
+ha:
+  enabled: true
+  raft:
+    enabled: true
+
+volumes:
+  - name: vault-secrets-volume  
+
+injector:
+  enabled: "false"

services/vault/vault-operator-dev-values.yaml

@@ -0,0 +1,19 @@
+# This is the connection used if no other VaultConnection resources are loaded into the cluster
+# For more configuration options, go to https://developer.hashicorp.com/vault/docs/platform/k8s/vso/helm
+defaultVaultConnection:
+  enabled: true
+  address: "http://vault.vault.svc.cluster.local:8200"
+  skipTLSVerify: true
+controller:
+  manager:
+    clientCache:
+      persistenceModel: direct-encrypted # Encrypted using the Vault Transit engine
+      storageEncryption:
+        enabled: true
+        mount: vault-operator-auth
+        keyName: vso-client-cache
+        namespace: vault-operator
+        transitMount: vault-operator-transit
+        kubernetes:
+          role: vault-operator-role
+          serviceAccount: vault-operator

services/vault/vault-operator-prod-values.yaml

@@ -0,0 +1,17 @@
+defaultVaultConnection:
+  enabled: true
+  address: "http://vault.vault.svc.cluster.local:8200"
+  skipTLSVerify: false
+controller:
+  manager:
+    clientCache:
+      persistenceModel: direct-encrypted
+      storageEncryption:
+        enabled: true
+        mount: demo-auth-mount
+        keyName: vso-client-cache
+        namespace: vault-operator
+        transitMount: demo-transit
+        kubernetes:
+          role: auth-role-operator
+          serviceAccount: vault-operator

services/vault/vault-operator-sa.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  # SA bound to the VSO namespace for transit engine auth
+  namespace: vault-secrets-operator-system
+  name: demo-operator

services/vault/vault-prod-values.yaml

@@ -0,0 +1,34 @@
+#https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
+# global:
+#   tlsDisable: true
+server:
+  dev:
+    enabled: false
+  logLevel: debug
+ui:
+  enabled: true
+  serviceType: "LoadBalancer"
+  externalPort: 8200
+
+ha:
+  enabled: true
+  raft:
+    enabled: true
+    config: |
+      storage "raft" {
+        path    = "./vault/raft_storage"
+      }
+
+      listener "tcp" {
+        address     = "127.0.0.1:8200"
+      }
+
+      api_addr = "http://127.0.0.1:8200"
+      cluster_addr = "https://127.0.0.1:8201"
+
+dataStorage:
+  enabled: true
+  storageClass: "longhorn-locality-retain"
+
+injector:
+  enabled: "false"

services/vault/vault-sa.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  # SA bound to the VSO namespace for transit engine auth
+  namespace: vault
+  name: vault-sa