diff --git a/deploy/admission-webhook.yaml b/deploy/admission-webhook.yaml
new file mode 100644
index 0000000..9b402a4
--- /dev/null
+++ b/deploy/admission-webhook.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault-crd
+ namespace: vault-crd
+spec:
+ selector:
+ app: vault-crd
+ ports:
+ - port: 8080
+ type: ClusterIP
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ app: vault-crd
+ name: vault-crd-admission
+webhooks:
+ - name: validate.vault.koudingspawn.de
+ admissionReviewVersions: ["v1beta1"]
+ sideEffects: None
+ rules:
+ - apiGroups:
+ - koudingspawn.de
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - vault
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ namespace: vault-crd
+ name: vault-crd
+ path: /validation/vault-crd
+ port: 8080
+ caBundle: 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
\ No newline at end of file
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
index 3d7a150..1223202 100644
--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@@ -79,8 +79,10 @@ spec: storage: true schema: openAPIV3Schema: + type: object properties: spec: + type: object properties: path: type: string
@@ -129,8 +131,10 @@ spec: properties: context: type: object + x-kubernetes-preserve-unknown-fields: true files: type: object + x-kubernetes-preserve-unknown-fields: true dockerCfgConfiguration: type: object properties: 
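Review bot: `admissionReviewVersions: ["v1beta1"]` lists only the v1beta1 AdmissionReview, which the API server no longer serves from Kubernetes 1.22 on; on such clusters the call fails and, because `failurePolicy: Fail` is set, every CREATE and UPDATE of a `vault` resource is rejected. If the server in the vault-crd image accepts the v1 AdmissionReview shape, list it first: `admissionReviewVersions: ["v1", "v1beta1"]`. Separately, the API server calls webhooks over HTTPS only, while `clientConfig.service.port: 8080` points at the port the liveness probe in deploy/rbac.yaml reaches over plain HTTP with the TLS keystore settings commented out, so as shipped the handshake to this endpoint would fail unless that TLS configuration is enabled. A comment on the `clientConfig` block stating that the deployment must serve TLS on 8080 with a certificate chaining to `caBundle` would make the dependency between the two files visible.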
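Review bot: `x-kubernetes-preserve-unknown-fields: true` on `context` and `files` switches pruning off for those subtrees entirely, so nested maps or non-string values are stored without any validation. If, as the examples/properties.yml change in this commit suggests, both hold flat string-to-string maps, `additionalProperties: {type: string}` under each `type: object` keeps arbitrary keys while still validating the values and leaves pruning on. The enclosing `openAPIV3Schema` starts before this hunk, so the same question applies to any other free-form map in it.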
@@ -164,9 +168,22 @@ spec: app: vault-crd spec: serviceAccountName: vault-crd-serviceaccount +# initContainers: +# - name: convert-https +# image: shamelesscookie/openssl:1.1.1g +# command: +# - /bin/bash +# args: +# - "-c" +# - "openssl pkcs12 -export -in /opt/certificate/tls.crt -inkey /opt/certificate/tls.key -out /opt/target/keystore.p12 -passout pass:changeit -name admission-tls" +# volumeMounts: +# - mountPath: /opt/certificate +# name: pem-cert +# - mountPath: /opt/target +# name: pkcs12-cert containers: - name: vault-crd - image: daspawnw/vault-crd:1.4.3 + image: daspawnw/vault-crd:1.5.0 env: - name: KUBERNETES_VAULT_URL value: "http://localhost:8080/v1/"
@@ -175,15 +192,35 @@ spec: secretKeyRef: name: vault-token key: token +# - name: SERVER_SSL_KEY-STORE-TYPE +# value: PKCS12 +# - name: SERVER_SSL_KEY-STORE +# value: "/opt/certificate/keystore.p12" +# - name: SERVER_SSL_KEY-STORE-PASSWORD +# value: changeit +# - name: SERVER_SSL_KEY-ALIAS +# value: "admission-tls" + ports: + - containerPort: 8080 livenessProbe: httpGet: port: 8080 path: "/actuator/health" +# scheme: HTTPS initialDelaySeconds: 30 failureThreshold: 3 periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 +# volumeMounts: +# - mountPath: /opt/certificate +# name: pkcs12-cert +# volumes: +# - name: pem-cert +# secret: +# secretName: vault-crd-tls +# - name: pkcs12-cert +# emptyDir: {} restartPolicy: Always --- apiVersion: v1
@@ -192,4 +229,13 @@ metadata: name: vault-token namespace: vault-crd data: - token: "ODQ4M2VjMTMtMzJiZC1hOTE0LWFmMmItYWRkNTY4ODJhMWUz"
\ No newline at end of file
+ token: "cm9vdA=="
+---
+#apiVersion: v1
+#kind: Secret
+#metadata:
+# name: vault-crd-tls
+# namespace: vault-crd
+#data:
+# tls.crt: 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
+# tls.key: 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
\ No newline at end of file
diff --git a/examples/cert.yml b/examples/cert.yml
index 6c9acab..de0419b 100644
--- a/examples/cert.yml
+++ b/examples/cert.yml 
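Review bot: The commented-out `convert-https` initContainer carries the keystore password as a literal in its args (`-passout pass:changeit`), and the env block in the next hunk of this file repeats it as `SERVER_SSL_KEY-STORE-PASSWORD` with `value: changeit`; the moment these blocks are uncommented the password sits in the Deployment spec, readable by anyone allowed to get pods. Source it from a Secret instead — on the env entry something like `valueFrom: {secretKeyRef: {name: <keystore-secret>, key: password}}`, and in the openssl invocation `-passout env:KEYSTORE_PASSWORD` with the same Secret exposed to the initContainer — so the manifest never holds the value. `shamelesscookie/openssl:1.1.1g` is a third-party image pinned by tag only; pinning by digest, or producing the PKCS12 keystore from a base image the project already trusts, keeps that step reproducible.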
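Review bot: `token: "cm9vdA=="` is base64 for `root`, so deploy/rbac.yaml now ships a Vault root token as the operator's credential; it matches `VAULT_DEV_ROOT_TOKEN_ID: "root"` in examples/kind/vault.yaml, but this file sits under `deploy/` rather than `examples/`, and a root token grants far more than the read access vault-crd needs. Put a comment above the Secret that makes the scope explicit, e.g. `# dev placeholder matching the kind dev server; in a real cluster use a token bound to a read-only policy for the paths your Vault resources reference`, or keep the token out of this manifest and have the kind script create the Secret. The commented-out `vault-crd-tls` Secret is a placeholder for a per-cluster key pair; one line saying it has to be generated per cluster and must chain to the `caBundle` in deploy/admission-webhook.yaml would tie the two files together for readers.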
@@ -3,5 +3,5 @@ kind: Vault metadata: name: test-cert spec: - path: "secret/test-url.example.com" + path: "keyvaluev1/vault.koudingspawn.de" type: "CERT"
diff --git a/examples/certjks.yml b/examples/certjks.yml
index a5722d8..bf0005c 100644
--- a/examples/certjks.yml
+++ b/examples/certjks.yml
@@ -3,5 +3,5 @@ kind: Vault metadata: name: test-certjks spec: - path: "secret/test-url.example.com" + path: "keyvaluev1/vault.koudingspawn.de" type: "CERTJKS"
diff --git a/examples/dockercfg.yml b/examples/dockercfg.yml
index abb999a..bb30b48 100644
--- a/examples/dockercfg.yml
+++ b/examples/dockercfg.yml
@@ -3,5 +3,5 @@ kind: Vault metadata: name: test-dockercfg spec: - path: "secret/docker-hub" + path: "keyvaluev1/docker-hub" type: "DOCKERCFG"
diff --git a/examples/keyvalue.yml b/examples/keyvalue.yml
index 330cf34..95d5499 100644
--- a/examples/keyvalue.yml
+++ b/examples/keyvalue.yml
@@ -3,5 +3,5 @@ kind: Vault metadata: name: test-keyvalue spec: - path: "secret/docker-hub" + path: "keyvaluev1/docker-hub" type: "KEYVALUE"
diff --git a/examples/keyvaluev2-version.yml b/examples/keyvaluev2-version.yml
new file mode 100644
index 0000000..fde511e
--- /dev/null
+++ b/examples/keyvaluev2-version.yml
@@ -0,0 +1,9 @@
+apiVersion: "koudingspawn.de/v1"
+kind: Vault
+metadata:
+ name: test-keyvaluev2
+spec:
+ path: "keyvaluev2/example"
+ type: "KEYVALUEV2"
+ versionConfiguration:
+ version: 2
\ No newline at end of file
diff --git a/examples/keyvaluev2.yml b/examples/keyvaluev2.yml
index a7221ee..141dbb0 100644
--- a/examples/keyvaluev2.yml
+++ b/examples/keyvaluev2.yml
@@ -4,6 +4,4 @@ metadata: name: test-keyvaluev2 spec: path: "keyvaluev2/example" - type: "KEYVALUEV2" - versionConfiguration: - version: 4
\ No newline at end of file
+ type: "KEYVALUEV2"
\ No newline at end of file
diff --git a/examples/kind/cluster.yaml b/examples/kind/cluster.yaml
new file mode 100644
index 0000000..93a3f00
--- /dev/null
+++ b/examples/kind/cluster.yaml 
@@ -0,0 +1,7 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+ - role: control-plane
+ extraPortMappings:
+ - containerPort: 30078
+ hostPort: 8200
\ No newline at end of file
diff --git a/examples/kind/run.sh b/examples/kind/run.sh
new file mode 100644
index 0000000..0a407d0
--- /dev/null
+++ b/examples/kind/run.sh 
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+### setup kind cluster
+kind create cluster --config $PWD/cluster.yaml
+### it exposes at 8200 a port for vault
+
+
+### install vault with a static token
+kind get kubeconfig > ~/.kube/kind_config
+export KUBECONFIG="$HOME/.kube/kind_config"
+
+kubectl create namespace vault
+kubectl apply -f vault.yaml --namespace vault
+
+while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:8200/ui/)" != "200" ]]; do sleep 5; done
+echo "Vault is up and running"
+
+export VAULT_ADDR="http://localhost:8200"
+export VAULT_TOKEN="root"
+### end: install vault with a static token
+
+### deploy vault-crd
+kubectl apply -f ../../deploy/rbac.yaml
+kubectl apply -f ../../deploy/admission-webhook.yaml
+### end: deploy vault-crd
+
+### configure vault
+vault secrets enable -version=1 --path=keyvaluev1 kv
+
+echo "Configure vault with default values"
+vault write keyvaluev1/docker-hub url=registry.gitlab.com username=username password=VERYSECURE email=john.doe@test.com
+
+vault secrets enable -path=testpki -description=testpki pki
+vault secrets tune -max-lease-ttl=8760h testpki
+vault write testpki/root/generate/internal \
+ common_name=koudingspawn.de \
+ ttl=8500h
+vault write testpki/roles/testrole \
+ allowed_domains=koudingspawn.de \
+ allow_subdomains=true \
+ max_ttl=200h
+
+vault write -format=json testpki/issue/testrole common_name=vault.koudingspawn.de > data.json
+vault write keyvaluev1/vault.koudingspawn.de @data.json
+rm data.json
+
+vault secrets enable -version=2 --path=keyvaluev2 kv
+vault kv put keyvaluev2/example key=first-version value=first-version
+vault kv put keyvaluev2/example key=second-version value=second-version
+vault kv put keyvaluev2/example key=third-version value=third-version
+vault kv put keyvaluev2/example key=fourth-version value=fourth-version
+
+vault kv put keyvaluev2/database/root username=root password=really
+vault write keyvaluev1/database/host host=localhost
+### end: configure vault
\ No newline at end of file
diff --git a/examples/kind/vault.yaml b/examples/kind/vault.yaml
new file mode 100644
index 0000000..fd81f84
--- /dev/null
+++ b/examples/kind/vault.yaml 
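Review bot: The script sets no `set -euo pipefail`, so a failed `kind create cluster`, `kubectl apply` or `vault secrets enable` does not stop it and every later step runs against a half-built environment; add `set -euo pipefail` right after the shebang. The readiness loop `while [[ "$(curl ...)" != "200" ]]; do sleep 5; done` has no upper bound and spins forever if the Vault pod never becomes ready, and its `-w ''%{http_code}''` is two empty quoted strings around an unquoted format — `'%{http_code}'` is what was meant. `vault write -format=json testpki/issue/testrole ... > data.json` writes an issued certificate together with its private key into the working directory and removes it only on the happy path; a `mktemp` file with a `trap ... EXIT` is removed even when a step in between fails. `$PWD/cluster.yaml` should be quoted as `"$PWD/cluster.yaml"`.
```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: kind cluster creation, kubeconfig, vault install …

attempts=0
until [[ "$(curl -s -o /dev/null -w '%{http_code}' localhost:8200/ui/)" == "200" ]]; do
  (( attempts++ >= 60 )) && { echo "Vault did not become ready" >&2; exit 1; }
  sleep 5
done
echo "Vault is up and running"

# … unchanged: vault-crd deploy, kv v1 and pki setup …

issued="$(mktemp)"
trap 'rm -f "$issued"' EXIT
vault write -format=json testpki/issue/testrole common_name=vault.koudingspawn.de > "$issued"
vault write keyvaluev1/vault.koudingspawn.de @"$issued"

# … unchanged: kv v2 setup …
```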
@@ -0,0 +1,229 @@
+---
+# Source: vault/templates/server-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault
+ namespace: vault
+ labels:
+ helm.sh/chart: vault-0.6.0
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+ app.kubernetes.io/managed-by: Helm
+---
+# Source: vault/templates/server-clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-server-binding
+ labels:
+ helm.sh/chart: vault-0.6.0
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+ app.kubernetes.io/managed-by: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: vault
+ namespace: vault
+---
+# Source: vault/templates/server-headless-service.yaml
+# Service for Vault cluster
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault-internal
+ namespace: vault
+ labels:
+ helm.sh/chart: vault-0.6.0
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+
+spec:
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: "http"
+ port: 8200
+ targetPort: 8200
+ - name: https-internal
+ port: 8201
+ targetPort: 8201
+ selector:
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+ component: server
+---
+# Source: vault/templates/server-service.yaml
+# Service for Vault cluster
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault
+ namespace: vault
+ labels:
+ helm.sh/chart: vault-0.6.0
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ # This must be set in addition to publishNotReadyAddresses due
+ # to an open issue where it may not work:
+ # https://github.com/kubernetes/kubernetes/issues/58662
+ service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+
+spec:
+ type: NodePort
+ # We want the servers to become available even if they're not ready
+ # since this DNS is also used for join operations.
+ publishNotReadyAddresses: true
+ ports:
+ - name: http
+ port: 8200
+ targetPort: 8200
+ nodePort: 30078
+ - name: https-internal
+ port: 8201
+ targetPort: 8201
+ selector:
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+ component: server
+---
+# Source: vault/templates/server-statefulset.yaml
+# StatefulSet to run the actual vault server cluster.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: vault
+ namespace: vault
+ labels:
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+ app.kubernetes.io/managed-by: Helm
+spec:
+ serviceName: vault-internal
+ podManagementPolicy: Parallel
+ replicas: 1
+ updateStrategy:
+ type: OnDelete
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+ component: server
+ template:
+ metadata:
+ labels:
+ helm.sh/chart: vault-0.6.0
+ app.kubernetes.io/name: vault
+ app.kubernetes.io/instance: vault
+ component: server
+ spec:
+
+
+
+ terminationGracePeriodSeconds: 10
+ serviceAccountName: vault
+
+ securityContext:
+ runAsNonRoot: true
+ runAsGroup: 1000
+ runAsUser: 100
+ fsGroup: 1000
+ volumes:
+
+ - name: home
+ emptyDir: {}
+ containers:
+ - name: vault
+
+ image: vault:1.4.2
+ imagePullPolicy: IfNotPresent
+ command:
+ args:
+ env:
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: VAULT_K8S_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: VAULT_K8S_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: VAULT_ADDR
+ value: "http://127.0.0.1:8200"
+ - name: VAULT_API_ADDR
+ value: "http://$(POD_IP):8200"
+ - name: SKIP_CHOWN
+ value: "true"
+ - name: SKIP_SETCAP
+ value: "true"
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: VAULT_CLUSTER_ADDR
+ value: "https://$(HOSTNAME).vault-internal:8201"
+ - name: HOME
+ value: "/home/vault"
+
+ - name: VAULT_DEV_ROOT_TOKEN_ID
+ value: "root"
+
+
+
+ volumeMounts:
+
+
+
+ - name: home
+ mountPath: /home/vault
+ ports:
+ - containerPort: 8200
+ name: http
+ - containerPort: 8201
+ name: https-internal
+ - containerPort: 8202
+ name: http-rep
+ readinessProbe:
+ # Check status; unsealed vault servers return 0
+ # The exit code reflects the seal status:
+ # 0 - unsealed
+ # 1 - error
+ # 2 - sealed
+ exec:
+ command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 3
+ successThreshold: 1
+ timeoutSeconds: 5
+ lifecycle:
+ # Vault container doesn't receive SIGTERM from Kubernetes
+ # and after the grace period ends, Kube sends SIGKILL. This
+ # causes issues with graceful shutdowns such as deregistering itself
+ # from Consul (zombie services).
+ preStop:
+ exec:
+ command: [
+ "/bin/sh", "-c",
+ # Adding a sleep here to give the pod eviction a
+ # chance to propagate, so requests will not be made
+ # to this pod while it's terminating
+ "sleep 5 && kill -SIGTERM $(pidof vault)",
+ ]
diff --git a/examples/pki.yml b/examples/pki.yml
index 6f4f0b1..a04dacb 100644
--- a/examples/pki.yml
+++ b/examples/pki.yml
@@ -6,5 +6,5 @@ spec: path: "testpki/issue/testrole" type: "PKI" pkiConfiguration: - commonName: "localhost" + commonName: "vault.koudingspawn.de" ttl: "7m"
diff --git a/examples/pkijks.yml b/examples/pkijks.yml
index 6b5b163..eec51ba 100644
--- a/examples/pkijks.yml
+++ b/examples/pkijks.yml
@@ -6,5 +6,5 @@ spec: path: "testpki/issue/testrole" type: "PKIJKS" pkiConfiguration: - commonName: "localhost" + commonName: "vault.koudingspawn.de" ttl: "7m"
diff --git a/examples/properties.yml b/examples/properties.yml
index 6d92b7d..d818829 100644
--- a/examples/properties.yml
+++ b/examples/properties.yml 
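Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` on the `vault-server-binding` ClusterRoleBinding is no longer served on Kubernetes 1.22 and later, so `kubectl apply -f vault.yaml` in examples/kind/run.sh rejects that document on a current kind node image; `rbac.authorization.k8s.io/v1` accepts the same body unchanged. The StatefulSet runs Vault with `VAULT_DEV_ROOT_TOKEN_ID: "root"` and the `vault` Service publishes it as `nodePort: 30078`, which cluster.yaml maps to host port 8200 — acceptable for a throwaway kind cluster, but since this file is rendered chart output with `app.kubernetes.io/managed-by: Helm` labels it reads like something deployable; a header comment such as `# dev-mode Vault (in-memory, fixed root token) for the examples/kind cluster only` would keep it from being reused elsewhere. The bare `command:` and `args:` keys parse as null, which is harmless but a leftover of the rendering worth dropping.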
@@ -10,6 +10,6 @@ spec: files: test.properties: | test={{ contextKey }} - datasource.username={{ vault.lookupV2('database/root').get('username') }} - datasource.password={{ vault.lookupV2('database/root').get('password') }} - datasource.host={{ vault.lookup('datasource/host', 'host') }} + datasource.username={{ vault.lookupV2('keyvaluev2/database/root').get('username') }} + datasource.password={{ vault.lookupV2('keyvaluev2/database/root').get('password') }} + datasource.host={{ vault.lookup('keyvaluev1/database/host', 'host') }}