From 76fbc43441c86ffb49a4c8e754a251f66c5b4f6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Palma?= <up202108880@edu.fe.up.pt>
Date: Thu, 1 Aug 2024 21:34:23 +0100
Subject: [PATCH] feat: started making trust manager work

---
 services/cert-manager/deploy.sh               |  3 +-
 services/trust-manager/00-namespace.yaml      |  5 +++
 services/trust-manager/01-ca.yaml             | 25 ++++++++++++
 services/trust-manager/deploy.sh              | 11 +++++
 services/vault/01-certificates.yaml           | 18 +++++++++
 services/vault/03-bundle.yaml                 | 13 ++++++
 services/vault/deploy-vault-prod.sh           |  1 +
 services/vault/vault-operator-dev-values.yaml |  4 +-
 services/vault/vault-prod-values.yaml         | 40 ++++++++++++-------
 9 files changed, 102 insertions(+), 18 deletions(-)
 create mode 100644 services/trust-manager/00-namespace.yaml
 create mode 100644 services/trust-manager/01-ca.yaml
 create mode 100755 services/trust-manager/deploy.sh
 create mode 100644 services/vault/03-bundle.yaml

diff --git a/services/cert-manager/deploy.sh b/services/cert-manager/deploy.sh
index cb9dbff..54ef263 100755
--- a/services/cert-manager/deploy.sh
+++ b/services/cert-manager/deploy.sh
@@ -7,4 +7,5 @@ kubectl apply -f $(dirname $0)/00-namespace.yaml
 
 helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager
 
-kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml
\ No newline at end of file
+kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml
+
diff --git a/services/trust-manager/00-namespace.yaml b/services/trust-manager/00-namespace.yaml
new file mode 100644
index 0000000..553f1ec
--- /dev/null
+++ b/services/trust-manager/00-namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: trust-manager
diff --git a/services/trust-manager/01-ca.yaml b/services/trust-manager/01-ca.yaml
new file mode 100644
index 0000000..049394a
--- /dev/null
+++ b/services/trust-manager/01-ca.yaml
@@ -0,0 +1,25 @@
+# This a certificate authority
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: trust-manager-selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+
+# This is the certificate for the certificate authority
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: trust-manager-example-ca
+spec:
+  isCA: true
+  commonName: trust-manager-ca
+  secretName: trust-manager-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: trust-manager-selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
diff --git a/services/trust-manager/deploy.sh b/services/trust-manager/deploy.sh
new file mode 100755
index 0000000..682ed9c
--- /dev/null
+++ b/services/trust-manager/deploy.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+kubectl apply -f "$(dirname "$0")"
+
+helm repo add jetstack https://charts.jetstack.io --force-update
+
+helm upgrade --install trust-manager jetstack/trust-manager \
+	--namespace trust-manager \
+	--wait
+# --set app.webhook.tls.approverPolicy.enabled=true \
+# --set app.webhook.tls.approverPolicy.certManagerNamespace=cert-manager
diff --git a/services/vault/01-certificates.yaml b/services/vault/01-certificates.yaml
index 2230ad9..41e7b13 100644
--- a/services/vault/01-certificates.yaml
+++ b/services/vault/01-certificates.yaml
@@ -11,3 +11,21 @@ spec:
   commonName: vault.niaefeup.pt
   dnsNames:
     - vault.niaefeup.pt
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vault-cluster-ca
+  namespace: vault
+spec:
+  isCA: true
+  commonName: "*"
+  secretName: vault-cluster-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: trust-manager-selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
diff --git a/services/vault/03-bundle.yaml b/services/vault/03-bundle.yaml
new file mode 100644
index 0000000..35be017
--- /dev/null
+++ b/services/vault/03-bundle.yaml
@@ -0,0 +1,13 @@
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: vault-cluster-bundle # The bundle name will also be used for the target
+spec:
+  sources:
+  - useDefaultCAs: true
+  - secret:
+      name: "vault-cluster-ca-secret"
+      key: "tls.crt"
+  target:
+    configMap:
+      key: "trust-bundle.pem"
diff --git a/services/vault/deploy-vault-prod.sh b/services/vault/deploy-vault-prod.sh
index 096cf51..b047301 100755
--- a/services/vault/deploy-vault-prod.sh
+++ b/services/vault/deploy-vault-prod.sh
@@ -6,6 +6,7 @@ helm repo update
 kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
 kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
 kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
+kubectl apply -f "$(dirname "$0")"/03-bundle.yaml
 kubectl apply -f "$(dirname "$0")"/vault-sa.yaml
 
 helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml
diff --git a/services/vault/vault-operator-dev-values.yaml b/services/vault/vault-operator-dev-values.yaml
index a82207e..018b745 100644
--- a/services/vault/vault-operator-dev-values.yaml
+++ b/services/vault/vault-operator-dev-values.yaml
@@ -2,8 +2,8 @@
 # For more configuration options, go to https://developer.hashicorp.com/vault/docs/platform/k8s/vso/helm
 defaultVaultConnection:
   enabled: true
-  address: "http://vault.vault.svc.cluster.local:8200"
-  skipTLSVerify: true
+  address: "https://vault.vault.svc.cluster.local:8200"
+  skipTLSVerify: false
 controller:
   manager:
     clientCache:
diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml
index 00388d6..714be36 100644
--- a/services/vault/vault-prod-values.yaml
+++ b/services/vault/vault-prod-values.yaml
@@ -1,42 +1,52 @@
 #https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
+global:
+  enabled: true
+  tlsDisable: false
+  namespace: vault
+
 server:
   dev:
     enabled: false
   logLevel: debug
+  volumes:
+    - name: tls
+      secret:
+        secretName: vault-cluster-ca-secret
+  volumeMounts:
+    - name: tls
+      mountPath: "/opt/vault/tls"
+      readOnly: true
+
 ui:
   enabled: true
-  serviceType: "ClusterIP"
-  externalPort: 80
+  serviceType: "LoadBalancer"
+  targetPort: 8200
+  externalPort: 8200
 
 dataStorage:
   enabled: true
   size: 2Gi
   storageClass: longhorn-locality-retain
-  mountPath: "opt/vault/raft"
+  mountPath: "/opt/vault/raft"
   accessMode: ReadWriteOnce
 
 ha:
   enabled: true
   config: |
+    ui = true
     disable_mlock = true # avoids out of memory errors by blocking swapping of its virtual pages
     
     listener "tcp" {
       address = "0.0.0.0:8200"
-      tls_cert_file      = "/opt/vault/tls/vault-cert.pem"
-      tls_key_file       = "/opt/vault/tls/vault-key.pem"
-      tls_client_ca_file = "/opt/vault/tls/vault-ca.pem" # certificate of the CA root
+      cluster_address = "0.0.0.0:8201"
+      tls_disable = false
+      tls_cert_file      = "/opt/vault/tls/tls.crt"
+      tls_key_file       = "/opt/vault/tls/tls.key"
+      tls_client_ca_file = "/opt/vault/tls/ca.crt" # certificate of the CA root
     }
 
     storage "raft" {
-      path    = "/opt/vault/raft"
-
-      #retry_join {
-      #  leader_tls_servername   = "vault"
-      #  leader_api_addr         = "https://0.0.0.0:8200"
-      #  leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
-      #  leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
-      #   leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
-      #}
+      path = "/opt/vault/raft"
     }
   raft:
     enabled: true