feat: started making trust manager work
tomaspalma committed Aug 13, 2024
1 parent c676fe4 commit 76fbc43
Showing 9 changed files with 102 additions and 18 deletions.
3 changes: 2 additions & 1 deletion services/cert-manager/deploy.sh
Expand Up @@ -7,4 +7,5 @@ kubectl apply -f $(dirname $0)/00-namespace.yaml

helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager

kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml
kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml

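--- a/services/trust-manager/00-namespace.yaml
+++ b/services/trust-manager/00-namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: trust-manager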
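--- a/services/trust-manager/01-ca.yaml
+++ b/services/trust-manager/01-ca.yaml
@@ -0,0 +1,25 @@
+# This a certificate authority
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: trust-manager-selfsigned-issuer
+spec:
+selfSigned: {}
+---
+
+# This is the certificate for the certificate authority
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: trust-manager-example-ca
+spec:
+isCA: true
+commonName: trust-manager-ca
+secretName: trust-manager-ca-secret
+privateKey:
+algorithm: ECDSA
+size: 256
+issuerRef:
+name: trust-manager-selfsigned-issuer
+kind: ClusterIssuer
+group: cert-manager.io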
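Review bot: The `Certificate` named `trust-manager-example-ca` has no `metadata.namespace`, so `kubectl apply` creates it, and the `trust-manager-ca-secret` it produces, in whatever namespace the current kube context defaults to rather than in `trust-manager`; add `namespace: trust-manager` under `metadata` (the `ClusterIssuer` above it is cluster-scoped and needs none). Nothing else in this commit references `trust-manager-ca-secret` and no CA-kind issuer is built from it, so as far as this diff shows the root is created but unused; if it is meant to be the cluster's private root, a `ClusterIssuer` of kind CA pointing at that secret is the missing piece. A header such as `# Self-signed root CA for trust-manager; its secret must live in the trust-manager namespace` would record that intent and the namespace constraint in the file itself.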
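--- a/services/trust-manager/deploy.sh
+++ b/services/trust-manager/deploy.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+kubectl apply -f "$(dirname "$0")"
+
+helm repo add jetstack https://charts.jetstack.io --force-update
+
+helm upgrade --install trust-manager jetstack/trust-manager \
+--namespace trust-manager \
+--wait
+# --set app.webhook.tls.approverPolicy.enabled=true \
+# --set app.webhook.tls.approverPolicy.certManagerNamespace=cert-manager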
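Review bot: The script runs `kubectl apply -f "$(dirname "$0")"` and both helm commands without `set -e`, so a failed apply (for example when the cert-manager CRDs are not installed yet) is ignored and the helm install proceeds; add `set -euo pipefail` directly after the shebang. The apply also hits every file in the directory, including `01-ca.yaml`, before trust-manager itself is installed, which works for the cert-manager resources it contains today but would fail silently for any `Bundle` later dropped into this directory — worth a comment such as `# applies namespace + cert-manager CA only; Bundle objects need trust-manager installed first`. The two commented `--set app.webhook.tls.approverPolicy.*` flags leave the reader unsure which webhook-certificate path is intended; either state it in a comment or remove them.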
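--- a/services/vault/01-certificates.yaml
+++ b/services/vault/01-certificates.yaml
@@ -11,3 +11,21 @@ spec:
 commonName: vault.niaefeup.pt
 dnsNames:
 - vault.niaefeup.pt
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: vault-cluster-ca
+namespace: vault
+spec:
+isCA: true
+commonName: "*"
+secretName: vault-cluster-ca-secret
+privateKey:
+algorithm: ECDSA
+size: 256
+issuerRef:
+name: trust-manager-selfsigned-issuer
+kind: ClusterIssuer
+group: cert-manager.io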
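Review bot: `commonName: "*"` on the new `vault-cluster-ca` root is an identity that tells an operator nothing when this certificate appears in a trust bundle or in an audit of issued certificates; a descriptive `commonName: vault-cluster-ca` matches the convention the sibling `trust-manager-example-ca` uses. Issuing the CA straight from the self-signed `ClusterIssuer` is the usual bootstrap pattern, but its secret `vault-cluster-ca-secret` is created in `vault` (`namespace: vault`), which matters for the trust-manager `Bundle` elsewhere in this commit that expects to read it. Adding `duration` and `renewBefore` would make the root's lifetime explicit instead of relying on the default, and a comment `# private root for in-cluster Vault TLS; only leaf certs issued from it should be served` would document what the CA is for.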
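--- a/services/vault/03-bundle.yaml
+++ b/services/vault/03-bundle.yaml
@@ -0,0 +1,13 @@
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+name: vault-cluster-bundle # The bundle name will also be used for the target
+spec:
+sources:
+- useDefaultCAs: true
+- secret:
+name: "vault-cluster-ca-secret"
+key: "tls.crt"
+target:
+configMap:
+key: "trust-bundle.pem"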
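Review bot: The `secret` source `name: "vault-cluster-ca-secret"` will most likely not be found: trust-manager reads source Secrets only from its configured trust namespace (set by the chart's `app.trust.namespace`, whose default is not `vault` as far as I recall), while `01-certificates.yaml` creates that secret in `vault` and `services/trust-manager/deploy.sh` installs trust-manager into `trust-manager`. Either pass `--set app.trust.namespace=vault` in that deploy script or issue the CA certificate into the trust namespace instead. Two smaller points: the target has no `namespaceSelector`, so the ConfigMap is synced into every namespace trust-manager may write to rather than just the ones that need it, and `useDefaultCAs: true` folds the whole public CA set into a bundle whose only consumer visible in this diff needs to trust the private Vault CA — dropping it keeps the trust set minimal. Extending the existing comment to `# synced as ConfigMap vault-cluster-bundle, key trust-bundle.pem` makes the consumer side greppable.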
1 change: 1 addition & 0 deletions services/vault/deploy-vault-prod.sh
Expand Up @@ -6,6 +6,7 @@ helm repo update
kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
kubectl apply -f "$(dirname "$0")"/03-bundle.yaml
kubectl apply -f "$(dirname "$0")"/vault-sa.yaml

helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml
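Review bot: The new `kubectl apply -f "$(dirname "$0")"/03-bundle.yaml` line assumes the `Bundle` CRD from trust-manager is already installed, an ordering dependency on `services/trust-manager/deploy.sh` that the script neither checks nor states; a comment above it, `# requires trust-manager (Bundle CRD) — run services/trust-manager/deploy.sh first`, or a `kubectl get crd bundles.trust.cert-manager.io` guard would make the failure mode explicit. If `set -e` is not in force (the top of the script is outside this hunk), a missing CRD here only prints an error while the `helm upgrade` on the next line still runs against a Vault that has no trust bundle.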
4 changes: 2 additions & 2 deletions services/vault/vault-operator-dev-values.yaml
Expand Up @@ -2,8 +2,8 @@
# For more configuration options, go to https://developer.hashicorp.com/vault/docs/platform/k8s/vso/helm
defaultVaultConnection:
enabled: true
address: "http://vault.vault.svc.cluster.local:8200"
skipTLSVerify: true
address: "https://vault.vault.svc.cluster.local:8200"
skipTLSVerify: false
controller:
manager:
clientCache:
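Review bot: Whichever `address`/`skipTLSVerify` pair is the new side (the rendered page drops the markers), the `https://vault.vault.svc.cluster.local:8200` with `skipTLSVerify: false` variant only works if the operator can validate Vault's certificate, and this commit's Vault CA is a self-signed root no client trusts by default; the connection needs that CA handed to it, through the chart's CA-secret setting on `defaultVaultConnection` (`caCertSecret`, if I have the key right) pointing at a Secret holding `ca.crt` in the operator's namespace, or at the trust-manager bundle once it is synced there. If Vault serves the CA certificate itself (see `vault-prod-values.yaml`, which mounts `vault-cluster-ca-secret` as the listener key pair), hostname validation against `vault.vault.svc.cluster.local` also fails, since that certificate carries `commonName: "*"` and no DNS SANs. A comment next to the address, `# TLS verified against the CA from services/vault/03-bundle.yaml`, would tie the two files together.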
40 changes: 25 additions & 15 deletions services/vault/vault-prod-values.yaml
@@ -1,42 +1,52 @@
#https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
global:
enabled: true
tlsDisable: false
namespace: vault

server:
dev:
enabled: false
logLevel: debug
volumes:
- name: tls
secret:
secretName: vault-cluster-ca-secret
volumeMounts:
- name: tls
mountPath: "/opt/vault/tls"
readOnly: true

ui:
enabled: true
serviceType: "ClusterIP"
externalPort: 80
serviceType: "LoadBalancer"
targetPort: 8200
externalPort: 8200

dataStorage:
enabled: true
size: 2Gi
storageClass: longhorn-locality-retain
mountPath: "opt/vault/raft"
mountPath: "/opt/vault/raft"
accessMode: ReadWriteOnce

ha:
enabled: true
config: |
ui = true
disable_mlock = true # avoids out of memory errors by blocking swapping of its virtual pages
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/opt/vault/tls/vault-cert.pem"
tls_key_file = "/opt/vault/tls/vault-key.pem"
tls_client_ca_file = "/opt/vault/tls/vault-ca.pem" # certificate of the CA root
cluster_address = "0.0.0.0:8201"
tls_disable = false
tls_cert_file = "/opt/vault/tls/tls.crt"
tls_key_file = "/opt/vault/tls/tls.key"
tls_client_ca_file = "/opt/vault/tls/ca.crt" # certificate of the CA root
}
storage "raft" {
path = "/opt/vault/raft"
#retry_join {
# leader_tls_servername = "vault"
# leader_api_addr = "https://0.0.0.0:8200"
# leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
# leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
# leader_client_key_file = "/opt/vault/tls/vault-key.pem"
#}
path = "/opt/vault/raft"
}
raft:
enabled: true
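Review bot: The listener is handed the CA's own key pair: `volumes` mounts `vault-cluster-ca-secret`, and `tls_cert_file`/`tls_key_file` point at its `tls.crt`/`tls.key`, which per `01-certificates.yaml` is the `isCA: true` root with `commonName: "*"` and no DNS SANs. Vault then presents a CA certificate as its server certificate, which clients cannot match to `vault.vault.svc.cluster.local` or `vault.niaefeup.pt`, and the CA private key sits on every Vault pod; mount a leaf `Certificate` issued from `vault-cluster-ca` with those `dnsNames` instead, and keep `tls_client_ca_file` on the CA (`ca.crt`) or the trust-manager bundle. Two side notes, hedged because the rendered page hides which side is new: `serviceType: "LoadBalancer"` with `externalPort: 8200` publishes the API outside the cluster where `ClusterIP` plus the `02-ingress-routes.yaml` the deploy script applies would do, and `logLevel: debug` in the prod values deserves a comment on whether it is intentional. The hunk's line count does not match its `@@ -1,42 +1,52 @@` header, so the tail of `server` may be cut off here; a comment at the top of the `ha.config` block, `# listener must use a leaf cert issued by vault-cluster-ca, never the CA key pair`, would stop the next editor from repeating this.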
