From 5a60063b546f7d722abe298d982f0906a70bdced Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Palma?=
Date: Wed, 24 Apr 2024 14:12:14 +0100
Subject: [PATCH] feat: secret management with vault

---
 services/vault/00-namespaces.yaml | 11 ++++++
 services/vault/01-certificates.yaml | 13 +++++++
 services/vault/02-ingress-routes.yaml | 16 +++++++++
 services/vault/deploy-vault-dev.sh | 12 +++++++
 services/vault/deploy-vault-prod.sh | 12 +++++++
 services/vault/vault-dev-values.yaml | 23 +++++++++++++
 services/vault/vault-operator-dev-values.yaml | 19 +++++++++++
 .../vault/vault-operator-prod-values.yaml | 17 ++++++++++
 services/vault/vault-operator-sa.yaml | 6 ++++
 services/vault/vault-prod-values.yaml | 34 +++++++++++++++++++
 services/vault/vault-sa.yaml | 6 ++++
 11 files changed, 169 insertions(+)
 create mode 100644 services/vault/00-namespaces.yaml
 create mode 100644 services/vault/01-certificates.yaml
 create mode 100644 services/vault/02-ingress-routes.yaml
 create mode 100755 services/vault/deploy-vault-dev.sh
 create mode 100755 services/vault/deploy-vault-prod.sh
 create mode 100644 services/vault/vault-dev-values.yaml
 create mode 100644 services/vault/vault-operator-dev-values.yaml
 create mode 100644 services/vault/vault-operator-prod-values.yaml
 create mode 100644 services/vault/vault-operator-sa.yaml
 create mode 100644 services/vault/vault-prod-values.yaml
 create mode 100644 services/vault/vault-sa.yaml

diff --git a/services/vault/00-namespaces.yaml b/services/vault/00-namespaces.yaml
new file mode 100644
index 0000000..a780fca
--- /dev/null
+++ b/services/vault/00-namespaces.yaml
@@ -0,0 +1,11 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: vault
+
+---
+
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: vault-operator
diff --git a/services/vault/01-certificates.yaml b/services/vault/01-certificates.yaml
new file mode 100644
index 0000000..2230ad9
--- /dev/null
+++ b/services/vault/01-certificates.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: website-cert
+ namespace: vault
+spec:
+ secretName: website-cert
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: vault.niaefeup.pt
+ dnsNames:
+ - vault.niaefeup.pt
diff --git a/services/vault/02-ingress-routes.yaml b/services/vault/02-ingress-routes.yaml
new file mode 100644
index 0000000..0e4abcc
--- /dev/null
+++ b/services/vault/02-ingress-routes.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: vault-https
+ namespace: vault
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`vault.niaefeup.pt`)
+ kind: Rule
+ services:
+ - name: vault-ui
+ port: 80
+ tls:
+ secretName: website-cert
diff --git a/services/vault/deploy-vault-dev.sh b/services/vault/deploy-vault-dev.sh
new file mode 100755
index 0000000..0895ec2
--- /dev/null
+++ b/services/vault/deploy-vault-dev.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo update
+
+kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
+kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
+kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
+kubectl apply -f "$(dirname "$0")"/vault-sa.yaml
+
+helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-dev-values.yaml
+helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault-operator --values $(dirname $0)/vault-operator-dev-values.yaml
diff --git a/services/vault/deploy-vault-prod.sh b/services/vault/deploy-vault-prod.sh
new file mode 100755
index 0000000..096cf51
--- /dev/null
+++ b/services/vault/deploy-vault-prod.sh
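Review bot: The route sends traffic to `vault-ui` on `port: 80`, but both values files in this commit set `ui.externalPort: 8200`, which in the HashiCorp chart is the port of the UI Service, so Traefik would find no port 80 on that Service and the route would serve errors; `port: 8200` (or the Service's port name) is what the chart exposes — worth confirming against the rendered Service. TLS terminates at Traefik and the hop to the Vault Service is plain HTTP, so Vault tokens cross the cluster network in clear; that is a deliberate trade-off only if the cluster network is trusted, and a comment on the `tls:` block saying so would spare the next reader the question. The `Certificate` in the previous hunk is named `website-cert`; a Vault-specific name such as `vault-cert` would avoid confusion with any other certificate later placed in the `vault` namespace.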
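Review bot: The two `helm upgrade --install` lines pass `$(dirname $0)` unquoted while the `kubectl apply` lines above quote it, so a checkout path containing whitespace breaks only the Helm invocations; use `"$(dirname "$0")"` on all six lines. The script also has no `set -euo pipefail` after the shebang, so a failed `kubectl apply` (for example the cert-manager or Traefik CRDs not yet installed) does not stop the subsequent Helm installs from proceeding. `vault-operator-sa.yaml`, added in this commit, is applied by neither script, although the operator values reference `kubernetes.serviceAccount: vault-operator`. deploy-vault-prod.sh in the next hunk has the same three issues.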
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo update
+
+kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
+kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
+kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
+kubectl apply -f "$(dirname "$0")"/vault-sa.yaml
+
+helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml
+helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault-operator --values $(dirname $0)/vault-operator-prod-values.yaml
diff --git a/services/vault/vault-dev-values.yaml b/services/vault/vault-dev-values.yaml
new file mode 100644
index 0000000..d02c0c5
--- /dev/null
+++ b/services/vault/vault-dev-values.yaml
@@ -0,0 +1,23 @@
+#https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
+server:
+ dev:
+ enabled: true
+ devRootToken: "root"
+ logLevel: debug
+ # A service is not needed since we are not going to be using the vault agent injector
+ui:
+ enabled: true
+ serviceType: "LoadBalancer"
+ targetPort: 8200
+ externalPort: 8200
+
+ha:
+ enabled: true
+ raft:
+ enabled: true
+
+volumes:
+ - name: vault-secrets-volume
+
+injector:
+ enabled: "false"
diff --git a/services/vault/vault-operator-dev-values.yaml b/services/vault/vault-operator-dev-values.yaml
new file mode 100644
index 0000000..a82207e
--- /dev/null
+++ b/services/vault/vault-operator-dev-values.yaml
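Review bot: `server.dev.enabled: true` with `devRootToken: "root"` runs an unsealed, in-memory Vault whose root token is a well-known string, and `ui.serviceType: "LoadBalancer"` publishes that API outside the cluster on 8200 over plain HTTP; even for a dev environment this should be `serviceType: "ClusterIP"` (the IngressRoute already provides TLS access) or the token should come from a generated value rather than a literal in the repo. The `ha`/`raft` block is inert here, since as far as I recall the chart's mode helper gives `dev.enabled` precedence over `ha.enabled`, so it only misleads readers about what is running. `volumes: - name: vault-secrets-volume` declares a volume with no source and no matching `volumeMounts` entry; the Kubernetes API rejects a volume without a source, so this entry presumably needs an `emptyDir: {}` or similar, or should be dropped. `injector.enabled: "false"` is a string where every other flag is a boolean; prefer `enabled: false` so the value does not rely on the chart coercing strings.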
@@ -0,0 +1,19 @@
+# This is the connection used if no other VaultConnection resources are loaded into the cluster
+# For more configuration options, go to https://developer.hashicorp.com/vault/docs/platform/k8s/vso/helm
+defaultVaultConnection:
+ enabled: true
+ address: "http://vault.vault.svc.cluster.local:8200"
+ skipTLSVerify: true
+controller:
+ manager:
+ clientCache:
+ persistenceModel: direct-encrypted # Encrypted using the Vault Transit engine
+ storageEncryption:
+ enabled: true
+ mount: vault-operator-auth
+ keyName: vso-client-cache
+ namespace: vault-operator
+ transitMount: vault-operator-transit
+ kubernetes:
+ role: vault-operator-role
+ serviceAccount: vault-operator
diff --git a/services/vault/vault-operator-prod-values.yaml b/services/vault/vault-operator-prod-values.yaml
new file mode 100644
index 0000000..6ca3989
--- /dev/null
+++ b/services/vault/vault-operator-prod-values.yaml
@@ -0,0 +1,17 @@
+defaultVaultConnection:
+ enabled: true
+ address: "http://vault.vault.svc.cluster.local:8200"
+ skipTLSVerify: false
+controller:
+ manager:
+ clientCache:
+ persistenceModel: direct-encrypted
+ storageEncryption:
+ enabled: true
+ mount: demo-auth-mount
+ keyName: vso-client-cache
+ namespace: vault-operator
+ transitMount: demo-transit
+ kubernetes:
+ role: auth-role-operator
+ serviceAccount: vault-operator
diff --git a/services/vault/vault-operator-sa.yaml b/services/vault/vault-operator-sa.yaml
new file mode 100644
index 0000000..9c1a794
--- /dev/null
+++ b/services/vault/vault-operator-sa.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ # SA bound to the VSO namespace for transit engine auth
+ namespace: vault-secrets-operator-system
+ name: demo-operator
diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml
new file mode 100644
index 0000000..67a0460
--- /dev/null
+++ b/services/vault/vault-prod-values.yaml
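Review bot: `skipTLSVerify: true` does nothing for the `http://` address on the line above it, and if that address is later switched to https it silently disables verification of the Vault endpoint; keep it `skipTLSVerify: false` and fix the connection to use TLS instead. The `storageEncryption` block names a Kubernetes auth mount `vault-operator-auth`, a transit mount `vault-operator-transit` and a role `vault-operator-role`, none of which this commit provisions on the Vault side, so the encrypted client cache cannot initialise until those exist; a comment pointing at where they are created (or a note that it is a manual step) belongs next to `enabled: true`. If I read the VSO chart correctly, `storageEncryption.namespace` is the Vault (Enterprise) namespace of the transit mount rather than a Kubernetes namespace, so `namespace: vault-operator` is likely wrong against a non-Enterprise Vault and should be removed — please confirm against the chart's values documentation.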
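Review bot: The prod values use `mount: demo-auth-mount`, `transitMount: demo-transit` and `role: auth-role-operator`, which read as example names, while the dev file in the previous hunk uses `vault-operator-auth`, `vault-operator-transit` and `vault-operator-role`; the two environments should point at identically named Vault mounts and role unless they genuinely differ, and the `demo-` values look like leftovers from a tutorial. `address` is still plain `http://` in prod, so the operator's Vault token and every fetched secret cross the cluster network unencrypted; an `https://` address backed by TLS on Vault's listener is the expected production shape. The `storageEncryption.namespace` caveat raised on the dev file applies here as well.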
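Review bot: This ServiceAccount is `demo-operator` in namespace `vault-secrets-operator-system`, but the operator values reference `kubernetes.serviceAccount: vault-operator`, the operator is installed into `vault-operator` (00-namespaces.yaml), and neither deploy script applies this file; `vault-secrets-operator-system` is never created, so applying it would fail anyway. Either align it (`namespace: vault-operator`, `name: vault-operator`) and add it to the deploy scripts, or drop the file until the Kubernetes auth role that uses it exists. The header comment is duplicated verbatim in vault-sa.yaml, where it does not describe that account.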
@@ -0,0 +1,34 @@
+#https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
+# global:
+# tlsDisable: true
+server:
+ dev:
+ enabled: false
+ logLevel: debug
+ui:
+ enabled: true
+ serviceType: "LoadBalancer"
+ externalPort: 8200
+
+ha:
+ enabled: true
+ raft:
+ enabled: true
+ config: |
+ storage "raft" {
+ path = "./vault/raft_storage"
+ }
+
+ listener "tcp" {
+ address = "127.0.0.1:8200"
+ }
+
+ api_addr = "http://127.0.0.1:8200"
+ cluster_addr = "https://127.0.0.1:8201"
+
+dataStorage:
+ enabled: true
+ storageClass: "longhorn-locality-retain"
+
+injector:
+ enabled: "false"
diff --git a/services/vault/vault-sa.yaml b/services/vault/vault-sa.yaml
new file mode 100644
index 0000000..3b30d8c
--- /dev/null
+++ b/services/vault/vault-sa.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ # SA bound to the VSO namespace for transit engine auth
+ namespace: vault
+ name: vault-sa
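Review bot: The raft `config` binds the listener to `address = "127.0.0.1:8200"` and points `api_addr`/`cluster_addr` at loopback, so the pod is unreachable from the `vault-ui` Service and raft peers cannot address one another; the chart's default config listens on `[::]:8200` and, as far as I recall, leaves the peer addresses to the chart-injected environment, which is what an HA deployment needs. The listener also omits `tls_disable` while every address in this commit is `http://`; either enable listener TLS (and move the addresses to https) or write `tls_disable = 1` explicitly so the plaintext choice is visible to a reviewer. `path = "./vault/raft_storage"` is relative to the process working directory rather than the `dataStorage` volume, which the chart mounts at `/vault/data`, so the persistent volume would sit unused. `ui.serviceType: "LoadBalancer"` exposes the Vault API directly over plain HTTP in addition to the TLS IngressRoute — `serviceType: "ClusterIP"` removes the unencrypted external path — and `logLevel: debug` is noisy for production. Indentation is lost in this patch view; if `config` sits under `ha` rather than `ha.raft`, the chart ignores it in raft mode and the defaults apply instead, which would change which of these points actually bite.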
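Review bot: The comment `# SA bound to the VSO namespace for transit engine auth` is copied from vault-operator-sa.yaml and is wrong for this account, which lives in namespace `vault`, not the operator's. Nothing in the commit references `vault-sa`: the chart creates and uses its own ServiceAccount unless `server.serviceAccount.name` is set, and the operator values name `vault-operator`. Replace the comment with the account's actual purpose (for example which Vault auth role or token review it backs), or drop the file and its `kubectl apply` line in both deploy scripts if nothing consumes it.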