increase release 1.5.0
Björn Wenzel committed Jun 24, 2020
1 parent 7453c13 commit f5eff6a
Showing 14 changed files with 398 additions and 14 deletions.
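--- a/deploy/admission-webhook.yaml
+++ b/deploy/admission-webhook.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: vault-crd
+namespace: vault-crd
+spec:
+selector:
+app: vault-crd
+ports:
+- port: 8080
+type: ClusterIP
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+labels:
+app: vault-crd
+name: vault-crd-admission
+webhooks:
+- name: validate.vault.koudingspawn.de
+admissionReviewVersions: ["v1beta1"]
+sideEffects: None
+rules:
+- apiGroups:
+- koudingspawn.de
+apiVersions:
+- v1
+operations:
+- CREATE
+- UPDATE
+resources:
+- vault
+failurePolicy: Fail
+clientConfig:
+service:
+namespace: vault-crd
+name: vault-crd
+path: /validation/vault-crd
+port: 8080
+caBundle: 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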
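Review bot: The webhook's `clientConfig` points the apiserver at the vault-crd Service on port 8080, but in `deploy/rbac.yaml` of this same commit every TLS setting for that port (the `SERVER_SSL_*` env vars, the keystore initContainer and the `scheme: HTTPS` probe) is commented out, so the container appears to serve plain HTTP there; the apiserver only calls admission webhooks over HTTPS, and with `failurePolicy: Fail` that would reject every CREATE/UPDATE of a Vault resource until TLS is enabled. Either ship the TLS block enabled or put a comment at the top of this file stating the prerequisite, e.g. `# Requires the TLS keystore/env settings in rbac.yaml to be enabled: the apiserver only calls webhooks over HTTPS, and failurePolicy: Fail blocks all Vault CRs otherwise`. On a `v1` ValidatingWebhookConfiguration, `admissionReviewVersions: ["v1beta1"]` ties the webhook to the deprecated AdmissionReview version; `admissionReviewVersions: ["v1", "v1beta1"]` keeps it working on newer clusters if the server can answer v1. The `caBundle` value is redacted here, so whether it matches the certificate in rbac.yaml cannot be checked from this page.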
50 changes: 48 additions & 2 deletions deploy/rbac.yaml
Expand Up @@ -79,8 +79,10 @@ spec:
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
path:
type: string
Expand Down Expand Up @@ -129,8 +131,10 @@ spec:
properties:
context:
type: object
x-kubernetes-preserve-unknown-fields: true
files:
type: object
x-kubernetes-preserve-unknown-fields: true
dockerCfgConfiguration:
type: object
properties:
Expand Down Expand Up @@ -164,9 +168,22 @@ spec:
app: vault-crd
spec:
serviceAccountName: vault-crd-serviceaccount
# initContainers:
# - name: convert-https
# image: shamelesscookie/openssl:1.1.1g
# command:
# - /bin/bash
# args:
# - "-c"
# - "openssl pkcs12 -export -in /opt/certificate/tls.crt -inkey /opt/certificate/tls.key -out /opt/target/keystore.p12 -passout pass:changeit -name admission-tls"
# volumeMounts:
# - mountPath: /opt/certificate
# name: pem-cert
# - mountPath: /opt/target
# name: pkcs12-cert
containers:
- name: vault-crd
image: daspawnw/vault-crd:1.4.3
image: daspawnw/vault-crd:1.5.0
env:
- name: KUBERNETES_VAULT_URL
value: "http://localhost:8080/v1/"
Expand All @@ -175,15 +192,35 @@ spec:
secretKeyRef:
name: vault-token
key: token
# - name: SERVER_SSL_KEY-STORE-TYPE
# value: PKCS12
# - name: SERVER_SSL_KEY-STORE
# value: "/opt/certificate/keystore.p12"
# - name: SERVER_SSL_KEY-STORE-PASSWORD
# value: changeit
# - name: SERVER_SSL_KEY-ALIAS
# value: "admission-tls"
ports:
- containerPort: 8080
livenessProbe:
httpGet:
port: 8080
path: "/actuator/health"
# scheme: HTTPS
initialDelaySeconds: 30
failureThreshold: 3
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
# volumeMounts:
# - mountPath: /opt/certificate
# name: pkcs12-cert
# volumes:
# - name: pem-cert
# secret:
# secretName: vault-crd-tls
# - name: pkcs12-cert
# emptyDir: {}
restartPolicy: Always
---
apiVersion: v1
Expand All @@ -192,4 +229,13 @@ metadata:
name: vault-token
namespace: vault-crd
data:
token: "ODQ4M2VjMTMtMzJiZC1hOTE0LWFmMmItYWRkNTY4ODJhMWUz"
token: "cm9vdA=="
---
#apiVersion: v1
#kind: Secret
#metadata:
# name: vault-crd-tls
# namespace: vault-crd
#data:
# tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURjakNDQWxxZ0F3SUJBZ0lVY3d6Z0hrdjRhOXpHOE5hQm1rbVFPdGxZM3hjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dqRVlNQllHQTFVRUF4TVBhMjkxWkdsdVozTndZWGR1TG1SbE1CNFhEVEl3TURZeU5ERTVNVEExTUZvWApEVEl3TURjeU5qRTVNVEV5TUZvd0hqRWNNQm9HQTFVRUF4TVRkbUYxYkhRdFkzSmtMblpoZFd4MExXTnlaRENDCkFTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTG84Z2lWMjQ5UTArazMvenFnY2xVN3oKTisyT2N1VDNERG5JbXZaYTNiOXZGYjRXNVhOaXlpT0xtbHhnMDB3RGkyV01DcEI1RldmRUQwQU5KQUpWMEdRdwowVmlFTG5TVDRJYTRUcTlxUWlvc0J0RXd5Vkx1QkZSU1RHTDJiSUV5K3dBaGlrQ3dmbEI2L2trN05VbHlXZG8rCkRtcUorbDQ4RnVkbytpdTJyYkxtR0lnMTFDTy8rUTJlRnZCaTBaTTZEUzliUVNYOUYxTmMxdFZyNndtSWNOTHQKNzRHT2JQaG5rbFBaQjMrUzRFTk8xbHhzcCtkNGw0QkZEYWJWMHdCdWVmaFdqdktMSlZNRzlOWWZkWjdBaXArZwpYWWhpYVpPQS9xTlhSTDQzWlY1OXBBS2NtNWlFdUFLMStrYVBuWUdYQUtRRFE3L29hSlJwbEVqT1VLVHRObDBDCkF3RUFBYU9CcXpDQnFEQU9CZ05WSFE4QkFmOEVCQU1DQTZnd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUIwR0ExVWREZ1FXQkJRNjFvN2cwVllHc2pZZTJ2bkVKQ29LTElvYnREQWZCZ05WSFNNRQpHREFXZ0JTUWVUMmtiWWZqTFptd1VOQlY3aHRRdUdIVDZUQTNCZ05WSFJFRU1EQXVnaE4yWVhWc2RDMWpjbVF1CmRtRjFiSFF0WTNKa2doZDJZWFZzZEMxamNtUXVkbUYxYkhRdFkzSmtMbk4yWXpBTkJna3Foa2lHOXcwQkFRc0YKQUFPQ0FRRUFSVTVud05rb24xRWdxZWVQNnRHZzZiNmY5TC94cnd5bHFndURyWVJOUmIyeGl1ZTV0UDREZFNVZAo2eXBVNXdsWGdHTmlmcHBpeVhSbFlIZUtIT09jRUtlTlByb25KYnBaa25Wb3ZpaVU2aWhJNFBLM3lRRW51N2twCjhjdldxVDh2WVVJa2VwV0dEd2NYRTRNNWlSelJ5VXVYSkxXZk4yRnJjTlJ1RUdEL3JKRFlwQ00rTDNDd0U5TFgKbmFCaDRJTG1HZjJmMHpZaVZMWTN0bTF4c1E2ZGZCQlZMMHZDZmlBVzlKYkNGbTVSOXRySWttcXdBY09lQTFGUApMdExUNjJ5OHRZbjFFK0h6ZTVneVRBdXpoRHhHbmxXRGtkRDJVSXMrbUxqcWxOVzZrcTI0NHFJOUdZZ3drVFJiCm1DOURyZ2lFRWFIQi9yN2lBZVNaWHZkUzg2ckVpZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
# tls.key: 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
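Review bot: The `vault-token` Secret at the end of this file now carries the Vault root token (`token: "cm9vdA=="` is base64 for `root`), so the controller talks to Vault with unrestricted privileges and the credential itself is committed to the repository; even for a demo, a token bound to a policy limited to the paths vault-crd reads (or Kubernetes auth) is the safer default. I would add above that Secret: `# Demo only: this is the dev Vault root token - replace with a token bound to a least-privilege policy before real use`. The commented-out TLS block hardcodes the keystore password twice (`pass:changeit` in the initContainer args and `SERVER_SSL_KEY-STORE-PASSWORD: changeit` in env); if it is enabled it should come from a `secretKeyRef`. The commented `vault-crd-tls` Secret embeds a real certificate and a `tls.key` entry (redacted on this page); a private key that has been pushed to a repository should be treated as compromised, and the sample is better left as a placeholder than as working material.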
2 changes: 1 addition & 1 deletion examples/cert.yml
Expand Up @@ -3,5 +3,5 @@ kind: Vault
metadata:
name: test-cert
spec:
path: "secret/test-url.example.com"
path: "keyvaluev1/vault.koudingspawn.de"
type: "CERT"
2 changes: 1 addition & 1 deletion examples/certjks.yml
Expand Up @@ -3,5 +3,5 @@ kind: Vault
metadata:
name: test-certjks
spec:
path: "secret/test-url.example.com"
path: "keyvaluev1/vault.koudingspawn.de"
type: "CERTJKS"
2 changes: 1 addition & 1 deletion examples/dockercfg.yml
Expand Up @@ -3,5 +3,5 @@ kind: Vault
metadata:
name: test-dockercfg
spec:
path: "secret/docker-hub"
path: "keyvaluev1/docker-hub"
type: "DOCKERCFG"
2 changes: 1 addition & 1 deletion examples/keyvalue.yml
Expand Up @@ -3,5 +3,5 @@ kind: Vault
metadata:
name: test-keyvalue
spec:
path: "secret/docker-hub"
path: "keyvaluev1/docker-hub"
type: "KEYVALUE"
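--- a/examples/keyvaluev2-version.yml
+++ b/examples/keyvaluev2-version.yml
@@ -0,0 +1,9 @@
+apiVersion: "koudingspawn.de/v1"
+kind: Vault
+metadata:
+name: test-keyvaluev2
+spec:
+path: "keyvaluev2/example"
+type: "KEYVALUEV2"
+versionConfiguration:
+version: 2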
4 changes: 1 addition & 3 deletions examples/keyvaluev2.yml
Expand Up @@ -4,6 +4,4 @@ metadata:
name: test-keyvaluev2
spec:
path: "keyvaluev2/example"
type: "KEYVALUEV2"
versionConfiguration:
version: 4
type: "KEYVALUEV2"
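--- a/examples/kind/cluster.yaml
+++ b/examples/kind/cluster.yaml
@@ -0,0 +1,7 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+extraPortMappings:
+- containerPort: 30078
+hostPort: 8200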
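Review bot: The `extraPortMappings` entry sets no `listenAddress`, and kind defaults that to `0.0.0.0`, so the dev Vault behind `hostPort: 8200` (which `run.sh` drives with the static token `root`) is reachable from every host on the developer's network rather than only from the local machine. Add `listenAddress: "127.0.0.1"` next to `hostPort: 8200` so the mapping binds to loopback only, and consider a comment saying why: `# bind to loopback: this Vault runs with a static root token`.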
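--- a/examples/kind/run.sh
+++ b/examples/kind/run.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+### setup kind cluster
+kind create cluster --config $PWD/cluster.yaml
+### it exposes at 8200 a port for vault
+
+
+### install vault with a static token
+kind get kubeconfig > ~/.kube/kind_config
+export KUBECONFIG="$HOME/.kube/kind_config"
+
+kubectl create namespace vault
+kubectl apply -f vault.yaml --namespace vault
+
+while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:8200/ui/)" != "200" ]]; do sleep 5; done
+echo "Vault is up and running"
+
+export VAULT_ADDR="http://localhost:8200"
+export VAULT_TOKEN="root"
+### end: install vault with a static token
+
+### deploy vault-crd
+kubectl apply -f ../../deploy/rbac.yaml
+kubectl apply -f ../../deploy/admission-webhook.yaml
+### end: deploy vault-crd
+
+### configure vault
+vault secrets enable -version=1 --path=keyvaluev1 kv
+
+echo "Configure vault with default values"
+vault write keyvaluev1/docker-hub url=registry.gitlab.com username=username password=VERYSECURE [email protected]
+
+vault secrets enable -path=testpki -description=testpki pki
+vault secrets tune -max-lease-ttl=8760h testpki
+vault write testpki/root/generate/internal \
+common_name=koudingspawn.de \
+ttl=8500h
+vault write testpki/roles/testrole \
+allowed_domains=koudingspawn.de \
+allow_subdomains=true \
+max_ttl=200h
+
+vault write -format=json testpki/issue/testrole common_name=vault.koudingspawn.de > data.json
+vault write keyvaluev1/vault.koudingspawn.de @data.json
+rm data.json
+
+vault secrets enable -version=2 --path=keyvaluev2 kv
+vault kv put keyvaluev2/example key=first-version value=first-version
+vault kv put keyvaluev2/example key=second-version value=second-version
+vault kv put keyvaluev2/example key=third-version value=third-version
+vault kv put keyvaluev2/example key=fourth-version value=fourth-version
+
+vault kv put keyvaluev2/database/root username=root password=really
+vault write keyvaluev1/database/host host=localhost
+### end: configure vault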
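Review bot: The script never sets `set -euo pipefail`, so if `kind create cluster`, the `kubectl apply` of the deploy manifests or a `vault secrets enable` fails, execution simply continues and the later `vault write` calls run against an unconfigured or wrong mount without any error surfacing; add `set -euo pipefail` directly after the shebang. The readiness loop on the `curl` line has no upper bound and will spin forever if Vault never answers 200, so a retry counter with a failing exit is worth the few extra lines. `$PWD/cluster.yaml` should be quoted as `"$PWD/cluster.yaml"`. The issued certificate and its private key are written in plaintext to `data.json` in the working directory before being deleted; feeding the issue output straight into the write with process substitution, `vault write keyvaluev1/vault.koudingspawn.de @<(vault write -format=json testpki/issue/testrole common_name=vault.koudingspawn.de)`, avoids leaving key material on disk at all.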