From 5a60063b546f7d722abe298d982f0906a70bdced Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Palma?=
Date: Wed, 24 Apr 2024 14:12:14 +0100
Subject: [PATCH 1/7] feat: secret management with vault
---
services/vault/00-namespaces.yaml | 11 ++++++
services/vault/01-certificates.yaml | 13 +++++++
services/vault/02-ingress-routes.yaml | 16 +++++++++
services/vault/deploy-vault-dev.sh | 12 +++++++
services/vault/deploy-vault-prod.sh | 12 +++++++
services/vault/vault-dev-values.yaml | 23 +++++++++++++
services/vault/vault-operator-dev-values.yaml | 19 +++++++++++
.../vault/vault-operator-prod-values.yaml | 17 ++++++++++
services/vault/vault-operator-sa.yaml | 6 ++++
services/vault/vault-prod-values.yaml | 34 +++++++++++++++++++
services/vault/vault-sa.yaml | 6 ++++
11 files changed, 169 insertions(+)
create mode 100644 services/vault/00-namespaces.yaml
create mode 100644 services/vault/01-certificates.yaml
create mode 100644 services/vault/02-ingress-routes.yaml
create mode 100755 services/vault/deploy-vault-dev.sh
create mode 100755 services/vault/deploy-vault-prod.sh
create mode 100644 services/vault/vault-dev-values.yaml
create mode 100644 services/vault/vault-operator-dev-values.yaml
create mode 100644 services/vault/vault-operator-prod-values.yaml
create mode 100644 services/vault/vault-operator-sa.yaml
create mode 100644 services/vault/vault-prod-values.yaml
create mode 100644 services/vault/vault-sa.yaml
diff --git a/services/vault/00-namespaces.yaml b/services/vault/00-namespaces.yaml
new file mode 100644
index 0000000..a780fca
--- /dev/null
+++ b/services/vault/00-namespaces.yaml
@@ -0,0 +1,11 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: vault
+
+---
+
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: vault-operator
diff --git a/services/vault/01-certificates.yaml b/services/vault/01-certificates.yaml
new file mode 100644
index 0000000..2230ad9
--- /dev/null
+++ b/services/vault/01-certificates.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: website-cert
+ namespace: vault
+spec:
+ secretName: website-cert
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: vault.niaefeup.pt
+ dnsNames:
+ - vault.niaefeup.pt
diff --git a/services/vault/02-ingress-routes.yaml b/services/vault/02-ingress-routes.yaml
new file mode 100644
index 0000000..0e4abcc
--- /dev/null
+++ b/services/vault/02-ingress-routes.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: vault-https
+ namespace: vault
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`vault.niaefeup.pt`)
+ kind: Rule
+ services:
+ - name: vault-ui
+ port: 80
+ tls:
+ secretName: website-cert
diff --git a/services/vault/deploy-vault-dev.sh b/services/vault/deploy-vault-dev.sh
new file mode 100755
index 0000000..0895ec2
--- /dev/null
+++ b/services/vault/deploy-vault-dev.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo update
+
+kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
+kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
+kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
+kubectl apply -f "$(dirname "$0")"/vault-sa.yaml
+
+helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-dev-values.yaml
+helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault-operator --values $(dirname $0)/vault-operator-dev-values.yaml
diff --git a/services/vault/deploy-vault-prod.sh b/services/vault/deploy-vault-prod.sh
new file mode 100755
index 0000000..096cf51
--- /dev/null
+++ b/services/vault/deploy-vault-prod.sh
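Review bot: The route's backend `port: 80` on `vault-ui` does not match the UI service defined in the same commit — vault-dev-values.yaml and vault-prod-values.yaml both set `ui.externalPort: 8200` — so Traefik would forward to a port the service does not expose. Change the route to `port: 8200` or set `ui.externalPort: 80` in both values files. Traefik terminates TLS here with `website-cert` and, by default, speaks plain HTTP to the backend; that matches the current plaintext Vault listener, but once the listener serves TLS the route also needs an HTTPS backend scheme and a serversTransport that trusts the cluster CA.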
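Review bot: The two `helm upgrade --install` lines pass `$(dirname $0)` unquoted while the `kubectl` lines above quote it, so a checkout path containing a space breaks only the Helm half of the script; quote them the same way, e.g. `--values "$(dirname "$0")"/vault-dev-values.yaml`. Neither chart install is pinned with `--version`, so every run pulls whatever the `hashicorp` repo currently publishes — pin both charts (deploy-vault-prod.sh in the next hunk has the same two issues). There is no `set -euo pipefail`, so a failed `kubectl apply` does not stop the Helm installs that follow. vault-operator-sa.yaml, added in this commit, is never applied by either script.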
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo update
+
+kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml
+kubectl apply -f "$(dirname "$0")"/01-certificates.yaml
+kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml
+kubectl apply -f "$(dirname "$0")"/vault-sa.yaml
+
+helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml
+helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault-operator --values $(dirname $0)/vault-operator-prod-values.yaml
diff --git a/services/vault/vault-dev-values.yaml b/services/vault/vault-dev-values.yaml
new file mode 100644
index 0000000..d02c0c5
--- /dev/null
+++ b/services/vault/vault-dev-values.yaml
@@ -0,0 +1,23 @@
+#https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
+server:
+ dev:
+ enabled: true
+ devRootToken: "root"
+ logLevel: debug
+ # A service is not needed since we are not going to be using the vault agent injector
+ui:
+ enabled: true
+ serviceType: "LoadBalancer"
+ targetPort: 8200
+ externalPort: 8200
+
+ha:
+ enabled: true
+ raft:
+ enabled: true
+
+volumes:
+ - name: vault-secrets-volume
+
+injector:
+ enabled: "false"
diff --git a/services/vault/vault-operator-dev-values.yaml b/services/vault/vault-operator-dev-values.yaml
new file mode 100644
index 0000000..a82207e
--- /dev/null
+++ b/services/vault/vault-operator-dev-values.yaml
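Review bot: `server.dev.enabled: true` with `devRootToken: "root"` runs an unsealed, in-memory Vault whose root token is a fixed, well-known string, and `ui.serviceType: "LoadBalancer"` publishes that instance outside the cluster on port 8200 in addition to the IngressRoute. For a dev file that may be intended, but it should be stated and the service should be `ClusterIP` unless external access is really needed; suggested comment above `dev:`: `# Dev mode: in-memory, auto-unsealed, fixed root token — must never be reachable from outside the cluster`. `ha`, `raft` and `volumes` are top-level keys rather than children of `server:` where the chart reads them (patch 4/7 of this series removes them, apparently for that reason), and dev mode ignores storage settings anyway. `injector.enabled: "false"` is a quoted string while `ui.enabled: true` is a boolean; the chart tolerates the string as far as I know, but a bare `false` is clearer.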
@@ -0,0 +1,19 @@
+# This is the connection used if no other VaultConnection resources are loaded into the cluster
+# For more configuration options, go to https://developer.hashicorp.com/vault/docs/platform/k8s/vso/helm
+defaultVaultConnection:
+ enabled: true
+ address: "http://vault.vault.svc.cluster.local:8200"
+ skipTLSVerify: true
+controller:
+ manager:
+ clientCache:
+ persistenceModel: direct-encrypted # Encrypted using the Vault Transit engine
+ storageEncryption:
+ enabled: true
+ mount: vault-operator-auth
+ keyName: vso-client-cache
+ namespace: vault-operator
+ transitMount: vault-operator-transit
+ kubernetes:
+ role: vault-operator-role
+ serviceAccount: vault-operator
diff --git a/services/vault/vault-operator-prod-values.yaml b/services/vault/vault-operator-prod-values.yaml
new file mode 100644
index 0000000..6ca3989
--- /dev/null
+++ b/services/vault/vault-operator-prod-values.yaml
@@ -0,0 +1,17 @@
+defaultVaultConnection:
+ enabled: true
+ address: "http://vault.vault.svc.cluster.local:8200"
+ skipTLSVerify: false
+controller:
+ manager:
+ clientCache:
+ persistenceModel: direct-encrypted
+ storageEncryption:
+ enabled: true
+ mount: demo-auth-mount
+ keyName: vso-client-cache
+ namespace: vault-operator
+ transitMount: demo-transit
+ kubernetes:
+ role: auth-role-operator
+ serviceAccount: vault-operator
diff --git a/services/vault/vault-operator-sa.yaml b/services/vault/vault-operator-sa.yaml
new file mode 100644
index 0000000..9c1a794
--- /dev/null
+++ b/services/vault/vault-operator-sa.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ # SA bound to the VSO namespace for transit engine auth
+ namespace: vault-secrets-operator-system
+ name: demo-operator
diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml
new file mode 100644
index 0000000..67a0460
--- /dev/null
+++ b/services/vault/vault-prod-values.yaml
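Review bot: The `storageEncryption` block names a Kubernetes auth mount (`vault-operator-auth`), a transit mount (`vault-operator-transit`), a role (`vault-operator-role`) and a service account (`vault-operator`) that nothing in this series creates — no Vault mount, policy or role setup is scripted and the only ServiceAccount manifests define `vault-sa` and `demo-operator` — so the operator's client-cache encryption presumably depends on manual Vault configuration that should be written down. Suggested comment above `storageEncryption:`: `# Requires on the Vault side: a kubernetes auth mount at <mount>, a transit mount at <transitMount> holding key <keyName>, and a role <role> bound to the <serviceAccount> SA`. `skipTLSVerify: true` next to an `http://` address is a no-op, since there is no TLS to verify; it only becomes meaningful once the address is `https://`.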
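Review bot: The production connection is `http://vault.vault.svc.cluster.local:8200`, so operator tokens and every secret it fetches cross the cluster network in cleartext, and `skipTLSVerify: false` has nothing to verify; prod should use `https://` with the Vault listener serving TLS from the start. The mount names `demo-auth-mount`, `demo-transit` and the role `auth-role-operator` look copied from sample values rather than from this deployment (the dev file uses `vault-operator-*`), and `serviceAccount: vault-operator` in `namespace: vault-operator` matches no ServiceAccount manifest in this commit (vault-operator-sa.yaml creates `demo-operator` in `vault-secrets-operator-system`). Align the two values files on one set of names and one SA manifest.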
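Review bot: This ServiceAccount targets `namespace: vault-secrets-operator-system`, which 00-namespaces.yaml never creates (it creates `vault` and `vault-operator`), so applying this file fails; neither deploy script applies it anyway, and both operator values files reference `serviceAccount: vault-operator`, not `demo-operator`. Pick one name and namespace across the SA manifest, the values files and the deploy scripts, e.g. `namespace: vault-operator` / `name: vault-operator`. The comment `# SA bound to the VSO namespace for transit engine auth` would be more useful if it named the binding, e.g. `# authenticated by role <role> on the <mount> kubernetes auth mount; used to encrypt the operator's client cache via transit`.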
@@ -0,0 +1,34 @@
+#https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration
+# global:
+# tlsDisable: true
+server:
+ dev:
+ enabled: false
+ logLevel: debug
+ui:
+ enabled: true
+ serviceType: "LoadBalancer"
+ externalPort: 8200
+
+ha:
+ enabled: true
+ raft:
+ enabled: true
+ config: |
+ storage "raft" {
+ path = "./vault/raft_storage"
+ }
+
+ listener "tcp" {
+ address = "127.0.0.1:8200"
+ }
+
+ api_addr = "http://127.0.0.1:8200"
+ cluster_addr = "https://127.0.0.1:8201"
+
+dataStorage:
+ enabled: true
+ storageClass: "longhorn-locality-retain"
+
+injector:
+ enabled: "false"
diff --git a/services/vault/vault-sa.yaml b/services/vault/vault-sa.yaml
new file mode 100644
index 0000000..3b30d8c
--- /dev/null
+++ b/services/vault/vault-sa.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ # SA bound to the VSO namespace for transit engine auth
+ namespace: vault
+ name: vault-sa
From c676fe4a67fb20250e3530de04e29b425a318f10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Palma?=
Date: Thu, 4 Jul 2024 11:41:52 +0100
Subject: [PATCH 2/7] feat: set data storage for raft and intial raft setup
---
services/cert-manager/deploy-dev.sh | 5 +-
.../vault/vault-operator-prod-values.yaml | 2 +-
services/vault/vault-prod-values.yaml | 52 ++++++++++++------
3 files changed, 36 insertions(+), 23 deletions(-)
diff --git a/services/cert-manager/deploy-dev.sh b/services/cert-manager/deploy-dev.sh
index f534bf8..7032507 100755
--- a/services/cert-manager/deploy-dev.sh
+++ b/services/cert-manager/deploy-dev.sh
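Review bot: The `listener "tcp"` block binds `127.0.0.1:8200` with no TLS settings and `api_addr` is `http://127.0.0.1:8200`, so a Vault started from this config would listen only on the pod's loopback (unreachable through the `vault-ui` service) and, where it is reachable, serve the API in cleartext; a production listener needs `address = "0.0.0.0:8200"` plus `tls_cert_file`/`tls_key_file`, and `api_addr`/`cluster_addr` should be the pod's routable address. `ha:` and `dataStorage:` sit at the top level rather than under `server:` where the chart reads them (patch 4/7 of this series moves them). `logLevel: debug` in production values is noisy and may log more request detail than prod logs should hold; `info` is the usual choice. `ui.serviceType: "LoadBalancer"` exposes the UI directly alongside the IngressRoute; `ClusterIP` keeps the ingress as the only entry point.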
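Review bot: The comment `# SA bound to the VSO namespace for transit engine auth` is copied from vault-operator-sa.yaml and does not describe this account, which lives in `namespace: vault` and is named `vault-sa`; nothing in this commit references `vault-sa` (the chart is not pointed at it via `server.serviceAccount`), so its purpose is unclear. Replace the comment with what the SA is for, e.g. `# ServiceAccount intended for the Vault server pods; set server.serviceAccount.name in the values file to use it`, or drop the manifest if the chart-managed SA is sufficient.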
@@ -5,6 +5,7 @@ helm repo update kubectl apply -f $(dirname $0)/00-namespace.yaml -helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager +helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --version v1.14.7 --namespace cert-manager + +kubectl apply -f $(dirname $0)/01-cluster-issuer-dev.yaml -kubectl apply -f $(dirname $0)/01-cluster-issuer-dev.yaml \ No newline at end of file diff --git a/services/vault/vault-operator-prod-values.yaml b/services/vault/vault-operator-prod-values.yaml index 6ca3989..2d82a51 100644 --- a/services/vault/vault-operator-prod-values.yaml +++ b/services/vault/vault-operator-prod-values.yaml @@ -1,6 +1,6 @@ defaultVaultConnection: enabled: true - address: "http://vault.vault.svc.cluster.local:8200" + address: "https://vault.vault.svc.cluster.local:8200" skipTLSVerify: false controller: manager: diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml index 67a0460..00388d6 100644 --- a/services/vault/vault-prod-values.yaml +++ b/services/vault/vault-prod-values.yaml 
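Review bot: Pinning `--version v1.14.7` is the right direction, but the production counterpart services/cert-manager/deploy.sh (touched in patch 3/7) still installs an unpinned `jetstack/cert-manager`, so dev and prod can drift to different releases; pin it the same way. The `$(dirname $0)` expansions on the `helm` and `kubectl` lines stay unquoted; `"$(dirname "$0")"`, as used in services/vault/deploy-vault-dev.sh, avoids word-splitting on paths with spaces.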
@@ -1,34 +1,46 @@ #https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration -# global: -# tlsDisable: true server: dev: enabled: false logLevel: debug ui: enabled: true - serviceType: "LoadBalancer" - externalPort: 8200 + serviceType: "ClusterIP" + externalPort: 80 -ha: +dataStorage: enabled: true - raft: - enabled: true - config: | - storage "raft" { - path = "./vault/raft_storage" - } - - listener "tcp" { - address = "127.0.0.1:8200" - } - - api_addr = "http://127.0.0.1:8200" - cluster_addr = "https://127.0.0.1:8201" + size: 2Gi + storageClass: longhorn-locality-retain + mountPath: "opt/vault/raft" + accessMode: ReadWriteOnce -dataStorage: +ha: enabled: true - storageClass: "longhorn-locality-retain" + config: | + disable_mlock = true # avoids out of memory errors by blocking swapping of its virtual pages + + listener "tcp" { + address = "0.0.0.0:8200" + tls_cert_file = "/opt/vault/tls/vault-cert.pem" + tls_key_file = "/opt/vault/tls/vault-key.pem" + tls_client_ca_file = "/opt/vault/tls/vault-ca.pem" # certificate of the CA root + } + + storage "raft" { + path = "/opt/vault/raft" + #retry_join { + # leader_tls_servername = "vault" + # leader_api_addr = "https://0.0.0.0:8200" + # leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem" + # leader_client_cert_file = "/opt/vault/tls/vault-cert.pem" + # leader_client_key_file = "/opt/vault/tls/vault-key.pem" + #} + } + raft: + enabled: true + replicas: 3 + injector: enabled: "false" From 76fbc43441c86ffb49a4c8e754a251f66c5b4f6c Mon Sep 17 00:00:00 2001 
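Review bot: The listener now references `/opt/vault/tls/vault-cert.pem`, `vault-key.pem` and `vault-ca.pem`, but nothing in this values file mounts a secret at `/opt/vault/tls` (no `volumes`/`volumeMounts`), so the server cannot bring up its listener with these paths. `dataStorage.mountPath: "opt/vault/raft"` is relative while `storage "raft"` uses `path = "/opt/vault/raft"`; it should read `mountPath: "/opt/vault/raft"`. The comment on `disable_mlock = true` states the opposite of what the setting does — mlock keeps Vault's memory from being swapped to disk, and disabling it allows swapping — so replace it with `# mlock off: Vault memory may be swapped to disk; make sure nodes run without swap` (the same comment recurs in the patch 3/7 and 4/7 hunks of this file). `dataStorage` and `ha` are still top-level keys rather than `server.dataStorage`/`server.ha`.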
From: =?UTF-8?q?Tom=C3=A1s=20Palma?= Date: Thu, 1 Aug 2024 21:34:23 +0100 Subject: [PATCH 3/7] feat: started making trust manager work --- services/cert-manager/deploy.sh | 3 +- services/trust-manager/00-namespace.yaml | 5 +++ services/trust-manager/01-ca.yaml | 25 ++++++++++++ services/trust-manager/deploy.sh | 11 +++++ services/vault/01-certificates.yaml | 18 +++++++++ services/vault/03-bundle.yaml | 13 ++++++ services/vault/deploy-vault-prod.sh | 1 + services/vault/vault-operator-dev-values.yaml | 4 +- services/vault/vault-prod-values.yaml | 40 ++++++++++++------- 9 files changed, 102 insertions(+), 18 deletions(-) create mode 100644 services/trust-manager/00-namespace.yaml create mode 100644 services/trust-manager/01-ca.yaml create mode 100755 services/trust-manager/deploy.sh create mode 100644 services/vault/03-bundle.yaml diff --git a/services/cert-manager/deploy.sh b/services/cert-manager/deploy.sh index cb9dbff..54ef263 100755 --- a/services/cert-manager/deploy.sh +++ b/services/cert-manager/deploy.sh @@ -7,4 +7,5 @@ kubectl apply -f $(dirname $0)/00-namespace.yaml helm upgrade --install -f $(dirname $0)/values.yaml cert-manager jetstack/cert-manager --namespace cert-manager -kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml \ No newline at end of file +kubectl apply -f $(dirname $0)/01-cluster-issuer.yaml + diff --git a/services/trust-manager/00-namespace.yaml b/services/trust-manager/00-namespace.yaml new file mode 100644 index 0000000..553f1ec --- /dev/null +++ b/services/trust-manager/00-namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: trust-manager diff --git a/services/trust-manager/01-ca.yaml b/services/trust-manager/01-ca.yaml new file mode 100644 index 0000000..049394a --- /dev/null +++ b/services/trust-manager/01-ca.yaml 
@@ -0,0 +1,25 @@ +# This a certificate authority +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: trust-manager-selfsigned-issuer +spec: + selfSigned: {} +--- + +# This is the certificate for the certificate authority +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: trust-manager-example-ca +spec: + isCA: true + commonName: trust-manager-ca + secretName: trust-manager-ca-secret + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: trust-manager-selfsigned-issuer + kind: ClusterIssuer + group: cert-manager.io diff --git a/services/trust-manager/deploy.sh b/services/trust-manager/deploy.sh new file mode 100755 index 0000000..682ed9c --- /dev/null +++ b/services/trust-manager/deploy.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +kubectl apply -f "$(dirname "$0")" + +helm repo add jetstack https://charts.jetstack.io --force-update + +helm upgrade --install trust-manager jetstack/trust-manager \ + --namespace trust-manager \ + --wait +# --set app.webhook.tls.approverPolicy.enabled=true \ +# --set app.webhook.tls.approverPolicy.certManagerNamespace=cert-manager diff --git a/services/vault/01-certificates.yaml b/services/vault/01-certificates.yaml index 2230ad9..41e7b13 100644 --- a/services/vault/01-certificates.yaml +++ b/services/vault/01-certificates.yaml @@ -11,3 +11,21 @@ spec: commonName: vault.niaefeup.pt dnsNames: - vault.niaefeup.pt +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: vault-cluster-ca + namespace: vault +spec: + isCA: true + commonName: "*" + secretName: vault-cluster-ca-secret + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: trust-manager-selfsigned-issuer + kind: ClusterIssuer + group: cert-manager.io diff --git a/services/vault/03-bundle.yaml b/services/vault/03-bundle.yaml new file mode 100644 index 0000000..35be017 --- /dev/null +++ b/services/vault/03-bundle.yaml 
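Review bot: The `Certificate` `trust-manager-example-ca` has no `metadata.namespace`, so with `kubectl apply -f "$(dirname "$0")"` in deploy.sh (no `-n`) it and its `trust-manager-ca-secret` land in whatever namespace the caller's kubeconfig currently selects rather than `trust-manager`; add `namespace: trust-manager`. Nothing then uses that CA: no `ClusterIssuer` of type `ca` references `trust-manager-ca-secret`, and the Vault certificate added in this same commit goes straight to the `selfSigned` `trust-manager-selfsigned-issuer`, so every certificate ends up self-signed rather than chained to this CA. If the intent is a real internal CA, add a `ca` issuer pointing at the secret and issue the serving certificates from it. The comment `# This a certificate authority` is missing a word and is attached to the issuer, not the CA; `# Self-signed issuer used only to bootstrap the CA certificate below` is more accurate.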
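Review bot: `helm upgrade --install trust-manager jetstack/trust-manager` carries no `--version`, unlike cert-manager's deploy-dev.sh which pins `v1.14.7`; pin it so reinstalls are reproducible. The two commented `--set app.webhook.tls.approverPolicy.*` lines are dead configuration — either enable them with a comment explaining why, or remove them.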
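Review bot: `vault-cluster-ca` is issued with `isCA: true` and `commonName: "*"` directly from the selfSigned issuer, and this commit's vault-prod-values.yaml mounts its secret as the server's `tls.crt`/`tls.key`, so the same self-signed key serves as both trust anchor and serving certificate. It also has no `dnsNames`, so a client verifying the name `vault.vault.svc.cluster.local` cannot match it. A clearer shape is a CA (01-ca.yaml) plus a `ca` ClusterIssuer, with this resource becoming a leaf: `isCA: false`, `commonName: vault.vault.svc.cluster.local`, and `dnsNames` listing the service and `vault-N.vault-internal` names. The name `vault-cluster-ca-secret` would then be misleading for a serving certificate; name it for what it holds, e.g. `vault-server-tls`.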
@@ -0,0 +1,13 @@ +apiVersion: trust.cert-manager.io/v1alpha1 +kind: Bundle +metadata: + name: vault-cluster-bundle # The bundle name will also be used for the target +spec: + sources: + - useDefaultCAs: true + - secret: + name: "vault-cluster-ca-secret" + key: "tls.crt" + target: + configMap: + key: "trust-bundle.pem" diff --git a/services/vault/deploy-vault-prod.sh b/services/vault/deploy-vault-prod.sh index 096cf51..b047301 100755 --- a/services/vault/deploy-vault-prod.sh +++ b/services/vault/deploy-vault-prod.sh @@ -6,6 +6,7 @@ helm repo update kubectl apply -f "$(dirname "$0")"/00-namespaces.yaml kubectl apply -f "$(dirname "$0")"/01-certificates.yaml kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml +kubectl apply -f "$(dirname "$0")"/03-bundle.yaml kubectl apply -f "$(dirname "$0")"/vault-sa.yaml helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml diff --git a/services/vault/vault-operator-dev-values.yaml b/services/vault/vault-operator-dev-values.yaml index a82207e..018b745 100644 --- a/services/vault/vault-operator-dev-values.yaml +++ b/services/vault/vault-operator-dev-values.yaml @@ -2,8 +2,8 @@ # For more configuration options, go to https://developer.hashicorp.com/vault/docs/platform/k8s/vso/helm defaultVaultConnection: enabled: true - address: "http://vault.vault.svc.cluster.local:8200" - skipTLSVerify: true + address: "https://vault.vault.svc.cluster.local:8200" + skipTLSVerify: false controller: manager: clientCache: diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml index 00388d6..714be36 100644 --- a/services/vault/vault-prod-values.yaml +++ b/services/vault/vault-prod-values.yaml 
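Review bot: The `secret` source `vault-cluster-ca-secret` is created in namespace `vault` (01-certificates.yaml), while trust-manager, as far as I know, only reads Secret/ConfigMap sources from its configured trust namespace (by default the namespace it is installed into, `trust-manager` here), so this source would not be found — verify, and if so either copy the CA into the trust namespace or set the trust namespace accordingly. `target.configMap` has no `namespaceSelector`, which I believe means the bundle is written into every namespace; restrict it to the namespaces that need it. `useDefaultCAs: true` plus an internal CA means every consumer of this bundle trusts the public roots and the Vault certificate together — acceptable, but worth stating. Nothing else in this series references the bundle, so name its consumer in a comment, e.g. `# consumed by: <consumer>`.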
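Review bot: Applying 03-bundle.yaml needs the `trust.cert-manager.io` CRDs, which services/trust-manager/deploy.sh installs, but this script neither calls it nor checks for the CRD, so on a fresh cluster it fails at this line; add a guard such as `kubectl get crd bundles.trust.cert-manager.io >/dev/null 2>&1 || { echo "install trust-manager first" >&2; exit 1; }`. deploy-vault-dev.sh does not get the same line, so dev and prod no longer apply the same manifests.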
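Review bot: Switching to `https://` with `skipTLSVerify: false` means the operator must validate the Vault certificate, but that certificate is self-signed in-cluster (01-certificates.yaml) and this file sets no `caCertSecret`, so the connection would fail verification; the prod values gain `caCertSecret: "vault-cluster-ca-secret"` in patch 5/7, this dev file never does. Add `caCertSecret: "vault-cluster-ca-secret"` here as well (VSO reads that secret from its own namespace, as far as I know, so it must exist there).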
@@ -1,42 +1,52 @@ #https://developer.hashicorp.com/vault/docs/platform/k8s/helm/configuration +global: + enabled: true + tlsDisable: false + namespace: vault + server: dev: enabled: false logLevel: debug + volumes: + - name: tls + secret: + secretName: vault-cluster-ca-secret + volumeMounts: + - name: tls + mountPath: "/opt/vault/tls" + readOnly: true + ui: enabled: true - serviceType: "ClusterIP" - externalPort: 80 + serviceType: "LoadBalancer" + targetPort: 8200 + externalPort: 8200 dataStorage: enabled: true size: 2Gi storageClass: longhorn-locality-retain - mountPath: "opt/vault/raft" + mountPath: "/opt/vault/raft" accessMode: ReadWriteOnce ha: enabled: true config: | + ui = true disable_mlock = true # avoids out of memory errors by blocking swapping of its virtual pages listener "tcp" { address = "0.0.0.0:8200" - tls_cert_file = "/opt/vault/tls/vault-cert.pem" - tls_key_file = "/opt/vault/tls/vault-key.pem" - tls_client_ca_file = "/opt/vault/tls/vault-ca.pem" # certificate of the CA root + cluster_address = "0.0.0.0:8201" + tls_disable = false + tls_cert_file = "/opt/vault/tls/tls.crt" + tls_key_file = "/opt/vault/tls/tls.key" + tls_client_ca_file = "/opt/vault/tls/ca.crt" # certificate of the CA root } storage "raft" { - path = "/opt/vault/raft" - - #retry_join { - # leader_tls_servername = "vault" - # leader_api_addr = "https://0.0.0.0:8200" - # leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem" - # leader_client_cert_file = "/opt/vault/tls/vault-cert.pem" - # leader_client_key_file = "/opt/vault/tls/vault-key.pem" - #} + path = "/opt/vault/raft" } raft: enabled: true From 784cd22b903f31903a844e3cd4aaff3b665dbdcc Mon Sep 17 00:00:00 2001 
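Review bot: With the listener now serving TLS (`tls_disable = false`), the IngressRoute in 02-ingress-routes.yaml still forwards plain HTTP to `vault-ui` on `port: 80`, while this hunk moves the UI service back to `externalPort: 8200`, so the published `vault.niaefeup.pt` route points at a port the service does not expose and would speak the wrong protocol even if it did; update the route to `port: 8200` and configure Traefik to use HTTPS to the backend, trusting the cluster CA. Reverting `serviceType` to `"LoadBalancer"` also exposes the UI a second time, bypassing the ingress and its Let's Encrypt certificate; `ClusterIP` is enough once the route works. `tls_client_ca_file` on its own does not require clients to present a certificate — Vault uses it only to verify certificates a client chooses to send — so add `tls_require_and_verify_client_cert = true` if mTLS is intended, or drop the line to avoid implying it. `ha` and `dataStorage` remain top-level keys instead of `server.ha`/`server.dataStorage`.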
From: =?UTF-8?q?Tom=C3=A1s=20Palma?= Date: Wed, 14 Aug 2024 15:43:32 +0100 Subject: [PATCH 4/7] fix: wrong vault values yaml format was not configuring right --- services/vault/vault-dev-values.yaml | 8 ---- services/vault/vault-prod-values.yaml | 55 ++++++++++++++------------- 2 files changed, 28 insertions(+), 35 deletions(-) diff --git a/services/vault/vault-dev-values.yaml b/services/vault/vault-dev-values.yaml index d02c0c5..57964c3 100644 --- a/services/vault/vault-dev-values.yaml +++ b/services/vault/vault-dev-values.yaml @@ -11,13 +11,5 @@ ui: targetPort: 8200 externalPort: 8200 -ha: - enabled: true - raft: - enabled: true - -volumes: - - name: vault-secrets-volume - injector: enabled: "false" diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml index 714be36..a0b2d62 100644 --- a/services/vault/vault-prod-values.yaml +++ b/services/vault/vault-prod-values.yaml @@ -16,6 +16,34 @@ server: - name: tls mountPath: "/opt/vault/tls" readOnly: true + dataStorage: + enabled: true + size: 2Gi + storageClass: longhorn-locality-retain + mountPath: "/opt/vault/raft" + accessMode: ReadWriteOnce + ha: + enabled: true + raft: + enabled: true + replicas: 3 + setNodeId: true + config: | + ui = true + disable_mlock = true # avoids out of memory errors by blocking swapping of its virtual pages + + listener "tcp" { + address = "0.0.0.0:8200" + cluster_address = "0.0.0.0:8201" + tls_disable = "false" + tls_cert_file = "/opt/vault/tls/tls.crt" + tls_key_file = "/opt/vault/tls/tls.key" + tls_client_ca_file = "/opt/vault/tls/ca.crt" # certificate of the CA root + } + + storage "raft" { + path = "/opt/vault/raft" + } ui: enabled: true 
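Review bot: The relocated `ha.raft` block sets `replicas: 3` and `setNodeId: true`, but the `storage "raft"` stanza has no `retry_join`, so only the first pod can be initialised and the other two would have to be joined by hand; `retry_join` entries for the `vault-N.vault-internal` peers belong here (patch 6/7 adds them together with the matching SANs). `tls_disable = "false"` is now a quoted string where the line it replaces had bare `false` and `global.tlsDisable: false` above is a real boolean — Vault accepts either, but keep one form. The enclosing `server:` mapping starts before this hunk.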
@@ -23,34 +51,7 @@ ui: targetPort: 8200 externalPort: 8200 -dataStorage: - enabled: true - size: 2Gi - storageClass: longhorn-locality-retain - mountPath: "/opt/vault/raft" - accessMode: ReadWriteOnce -ha: - enabled: true - config: | - ui = true - disable_mlock = true # avoids out of memory errors by blocking swapping of its virtual pages - - listener "tcp" { - address = "0.0.0.0:8200" - cluster_address = "0.0.0.0:8201" - tls_disable = false - tls_cert_file = "/opt/vault/tls/tls.crt" - tls_key_file = "/opt/vault/tls/tls.key" - tls_client_ca_file = "/opt/vault/tls/ca.crt" # certificate of the CA root - } - - storage "raft" { - path = "/opt/vault/raft" - } - raft: - enabled: true - replicas: 3 injector: enabled: "false" From 4094ee248362a8cd0d4ea319e9eb2a32338809cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Palma?= Date: Wed, 14 Aug 2024 18:14:46 +0100 Subject: [PATCH 5/7] feat: tls between vault and vault-operator working --- services/vault/00-namespaces.yaml | 7 ------- services/vault/01-certificates.yaml | 4 ++++ services/vault/deploy-vault-dev.sh | 2 +- services/vault/deploy-vault-prod.sh | 2 +- services/vault/vault-operator-prod-values.yaml | 2 ++ services/vault/vault-prod-values.yaml | 4 ++++ 6 files changed, 12 insertions(+), 9 deletions(-) diff --git a/services/vault/00-namespaces.yaml b/services/vault/00-namespaces.yaml index a780fca..a83bfa2 100644 --- a/services/vault/00-namespaces.yaml +++ b/services/vault/00-namespaces.yaml @@ -2,10 +2,3 @@ kind: Namespace apiVersion: v1 metadata: name: vault - ---- - -kind: Namespace -apiVersion: v1 -metadata: - name: vault-operator diff --git a/services/vault/01-certificates.yaml b/services/vault/01-certificates.yaml index 41e7b13..a38af8d 100644 --- a/services/vault/01-certificates.yaml +++ b/services/vault/01-certificates.yaml 
@@ -21,6 +21,10 @@ metadata: spec: isCA: true commonName: "*" + ipAddresses: + - 127.0.0.1 + dnsNames: + - vault.vault.svc.cluster.local secretName: vault-cluster-ca-secret privateKey: algorithm: ECDSA diff --git a/services/vault/deploy-vault-dev.sh b/services/vault/deploy-vault-dev.sh index 0895ec2..75bc18d 100755 --- a/services/vault/deploy-vault-dev.sh +++ b/services/vault/deploy-vault-dev.sh @@ -9,4 +9,4 @@ kubectl apply -f "$(dirname "$0")"/02-ingress-routes.yaml kubectl apply -f "$(dirname "$0")"/vault-sa.yaml helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-dev-values.yaml -helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault-operator --values $(dirname $0)/vault-operator-dev-values.yaml +helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault --values $(dirname $0)/vault-operator-dev-values.yaml diff --git a/services/vault/deploy-vault-prod.sh b/services/vault/deploy-vault-prod.sh index b047301..7fdf42a 100755 --- a/services/vault/deploy-vault-prod.sh +++ b/services/vault/deploy-vault-prod.sh @@ -10,4 +10,4 @@ kubectl apply -f "$(dirname "$0")"/03-bundle.yaml kubectl apply -f "$(dirname "$0")"/vault-sa.yaml helm upgrade --install vault hashicorp/vault --namespace vault --values $(dirname $0)/vault-prod-values.yaml -helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault-operator --values $(dirname $0)/vault-operator-prod-values.yaml +helm upgrade --install vault-secrets-operator hashicorp/vault-secrets-operator --namespace vault --values $(dirname $0)/vault-operator-prod-values.yaml diff --git a/services/vault/vault-operator-prod-values.yaml b/services/vault/vault-operator-prod-values.yaml index 2d82a51..3d9a03f 100644 --- a/services/vault/vault-operator-prod-values.yaml +++ b/services/vault/vault-operator-prod-values.yaml 
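Review bot: Both scripts now install the operator into `--namespace vault`, but the `vault-operator` namespace dropped from 00-namespaces.yaml in this commit is not deleted by anything, so an existing release there keeps running next to the new one until someone removes it; note this in the script, e.g. `# operator moved to the vault namespace: run 'helm uninstall vault-secrets-operator --namespace vault-operator' once on existing clusters` (deploy-vault-prod.sh in the next hunk has the same situation). The `$(dirname $0)` expansions on the Helm lines are still unquoted, unlike the `kubectl` lines above them.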
@@ -1,7 +1,9 @@ +# https://github.com/hashicorp/vault-secrets-operator/blob/main/chart/values.yaml defaultVaultConnection: enabled: true address: "https://vault.vault.svc.cluster.local:8200" skipTLSVerify: false + caCertSecret: "vault-cluster-ca-secret" controller: manager: clientCache: diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml index a0b2d62..380dddb 100644 --- a/services/vault/vault-prod-values.yaml +++ b/services/vault/vault-prod-values.yaml @@ -8,6 +8,10 @@ server: dev: enabled: false logLevel: debug + extraEnvironmentVars: + VAULT_CACERT: /opt/vault/tls/ca.crt + VAULT_TLSCERT: /opt/vault/tls/tls.crt + VAULT_TLSKEY: /opt/vault/tls/tls.key volumes: - name: tls secret: From 64c932dd93324a68e8c81a9b9548c1d9fb716f0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Palma?= Date: Thu, 29 Aug 2024 16:07:08 +0100 Subject: [PATCH 6/7] feat: retry join for vault ha raft nodes --- services/vault/01-certificates.yaml | 3 ++ .../vault/vault-operator-prod-values.yaml | 2 +- services/vault/vault-prod-values.yaml | 29 +++++++++++++++++++ 3 files changed, 33 insertions(+), 1 deletion(-) diff --git a/services/vault/01-certificates.yaml b/services/vault/01-certificates.yaml index a38af8d..d9ea46d 100644 --- a/services/vault/01-certificates.yaml +++ b/services/vault/01-certificates.yaml @@ -25,6 +25,9 @@ spec: - 127.0.0.1 dnsNames: - vault.vault.svc.cluster.local + - vault-0.vault-internal + - vault-1.vault-internal + - vault-2.vault-internal secretName: vault-cluster-ca-secret privateKey: algorithm: ECDSA diff --git a/services/vault/vault-operator-prod-values.yaml b/services/vault/vault-operator-prod-values.yaml index 3d9a03f..4c55636 100644 --- a/services/vault/vault-operator-prod-values.yaml +++ b/services/vault/vault-operator-prod-values.yaml 
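Review bot: `caCertSecret: "vault-cluster-ca-secret"` hands the operator the whole cert-manager secret, which holds `tls.key` — the Vault server's private key — alongside `ca.crt`, while the operator only needs the CA. Create a separate Secret containing only `ca.crt` and point `caCertSecret` at it, so a compromised operator does not also yield the server's key. VSO reads this secret from its own namespace, as far as I know, which works here only because the release moved into `vault` in this same commit; a comment saying so would save the next person a debugging round: `# must live in the operator's namespace`.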
@@ -12,7 +12,7 @@ controller: enabled: true mount: demo-auth-mount keyName: vso-client-cache - namespace: vault-operator + namespace: vault transitMount: demo-transit kubernetes: role: auth-role-operator diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml index 380dddb..1b1a15a 100644 --- a/services/vault/vault-prod-values.yaml +++ b/services/vault/vault-prod-values.yaml @@ -47,6 +47,35 @@ server: storage "raft" { path = "/opt/vault/raft" + + retry_join { + leader_api_addr = "https://vault-0.vault-internal:8200" + leader_ca_cert_file = "/opt/vault/tls/ca.crt" + leader_client_cert_file = "/opt/vault/tls/tls.crt" + leader_client_key_file = "/opt/vault/tls/tls.key" + } + + retry_join { + leader_api_addr = "https://vault-1.vault-internal:8200" + leader_ca_cert_file = "/opt/vault/tls/ca.crt" + leader_client_cert_file = "/opt/vault/tls/tls.crt" + leader_client_key_file = "/opt/vault/tls/tls.key" + } + + retry_join { + leader_api_addr = "https://vault-2.vault-internal:8200" + leader_ca_cert_file = "/opt/vault/tls/ca.crt" + leader_client_cert_file = "/opt/vault/tls/tls.crt" + leader_client_key_file = "/opt/vault/tls/tls.key" + } + + autopilot { + cleanup_dead_servers = "true" + last_contact_threshold = "10s" + max_trailing_logs = 250000 + min_quorum = 2 + server_stabilization_time = "10s" + } } ui: From efa507d5373c6be9d51589a02a1226a23bc48233 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Palma?= Date: Thu, 5 Sep 2024 16:25:23 +0100 Subject: [PATCH 7/7] chore: remove affinity restrictions from vault pod --- services/vault/01-certificates.yaml | 2 +- services/vault/vault-prod-values.yaml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/services/vault/01-certificates.yaml b/services/vault/01-certificates.yaml index d9ea46d..c8fdbdf 100644 --- a/services/vault/01-certificates.yaml +++ b/services/vault/01-certificates.yaml 
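Review bot: `storageEncryption.namespace` is changed to the Kubernetes namespace `vault`, but in the VSO chart this key appears to be the Vault namespace of the transit mount (a Vault Enterprise concept), not a Kubernetes namespace — if that reading is right, the value was wrong before and after this change, and on Vault OSS it should be left unset. Verify against the chart values.yaml linked at the top of this file and record the answer in a comment, e.g. `# Vault (Enterprise) namespace of the transit mount; leave empty on OSS`. The enclosing `controller:` mapping starts before this hunk.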
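Review bot: The three `retry_join` stanzas differ only in `leader_api_addr`, and `autopilot` mixes quoted and bare values (`cleanup_dead_servers = "true"`, `min_quorum = 2`) while the listener above uses a bare `disable_mlock = true`; Vault parses both, but bare booleans throughout read better. Every pod receives all three addresses including its own; as far as I know Vault skips joining itself, so this is fine but deserves a comment: `# each node lists every peer, itself included; self-joins are ignored`. With `cleanup_dead_servers = "true"` autopilot removes peers it considers dead, and `min_quorum = 2` stops it shrinking below two voters; note that a replaced pod re-joins through `retry_join` under the same node id (`setNodeId: true`, earlier in this file). The enclosing `config: |` block and `server:` mapping start before this hunk.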
@@ -19,7 +19,7 @@ metadata: name: vault-cluster-ca namespace: vault spec: - isCA: true + isCA: false commonName: "*" ipAddresses: - 127.0.0.1 diff --git a/services/vault/vault-prod-values.yaml b/services/vault/vault-prod-values.yaml index 1b1a15a..6490884 100644 --- a/services/vault/vault-prod-values.yaml +++ b/services/vault/vault-prod-values.yaml @@ -7,6 +7,7 @@ global: server: dev: enabled: false + affinity: null logLevel: debug extraEnvironmentVars: VAULT_CACERT: /opt/vault/tls/ca.crt @@ -83,8 +84,6 @@ ui: serviceType: "LoadBalancer" targetPort: 8200 externalPort: 8200 - - injector: enabled: "false"
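Review bot: With `isCA: false` the names `vault-cluster-ca` / `vault-cluster-ca-secret` no longer describe what they hold — a self-signed serving certificate — yet 03-bundle.yaml still distributes its `tls.crt` as a trust anchor and vault-operator-prod-values.yaml uses the same secret as `caCertSecret`. Go clients accept a self-signed leaf that is itself in the root pool, as far as I know, so this likely works for Vault and VSO, but TLS stacks that enforce basicConstraints on trust anchors will reject it; the robust shape is the CA from 01-ca.yaml issuing this leaf through a `ca` ClusterIssuer, with the bundle and `caCertSecret` pointing at the CA rather than the leaf. At minimum rename the resources and add `# self-signed serving cert; its tls.crt doubles as the trust anchor in 03-bundle.yaml` above `spec:`. The Certificate resource starts before this hunk.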
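Review bot: `affinity: null` removes the chart's default pod anti-affinity (a required rule on `kubernetes.io/hostname`, as far as I recall), so all three raft replicas (`replicas: 3`, earlier in this file) may land on one node and a single node failure takes the whole quorum down. If the cluster has fewer than three schedulable nodes, a soft rule is better than none: a `preferredDuringSchedulingIgnoredDuringExecution` podAntiAffinity keeps replicas apart when the scheduler can. Also add a comment on why the restriction was lifted, e.g. `# affinity relaxed: cluster currently has fewer nodes than raft replicas`. The enclosing `server:` mapping starts before and ends after this hunk.

```yaml
server:
  # … unchanged: dev, logLevel, extraEnvironmentVars, volumes …
  # soft anti-affinity: spread raft replicas across nodes when possible without blocking scheduling
  affinity: |
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchLabels:
                app.kubernetes.io/name: vault
                component: server
            topologyKey: kubernetes.io/hostname
```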