This commit is contained in:
marcel-dempers 2022-01-26 12:16:46 +11:00
parent 6f155829b5
commit 055d9e7992
3 changed files with 148 additions and 64 deletions


@ -8,7 +8,7 @@ metadata:
name: vault name: vault
namespace: vault namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@ -38,7 +38,7 @@ metadata:
name: vault name: vault
namespace: vault namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@ -50,7 +50,7 @@ metadata:
name: vault-config name: vault-config
namespace: vault namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@ -95,7 +95,6 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: vault-agent-injector-binding name: vault-agent-injector-binding
namespace: vault
labels: labels:
app.kubernetes.io/name: vault-agent-injector app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
@ -110,13 +109,12 @@ subjects:
namespace: vault namespace: vault
--- ---
# Source: vault/templates/server-clusterrolebinding.yaml # Source: vault/templates/server-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: vault-server-binding name: vault-server-binding
namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@ -136,7 +134,7 @@ metadata:
namespace: vault namespace: vault
name: vault-discovery-role name: vault-discovery-role
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@ -146,13 +144,13 @@ rules:
verbs: ["get", "watch", "list", "update", "patch"] verbs: ["get", "watch", "list", "update", "patch"]
--- ---
# Source: vault/templates/server-discovery-rolebinding.yaml # Source: vault/templates/server-discovery-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: vault-discovery-rolebinding name: vault-discovery-rolebinding
namespace: vault namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@ -175,9 +173,11 @@ metadata:
app.kubernetes.io/name: vault-agent-injector app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
spec: spec:
ports: ports:
- port: 443 - name: https
port: 443
targetPort: 8080 targetPort: 8080
selector: selector:
app.kubernetes.io/name: vault-agent-injector app.kubernetes.io/name: vault-agent-injector
@ -192,19 +192,19 @@ metadata:
name: vault-active name: vault-active
namespace: vault namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
annotations: annotations:
spec: spec:
type: ClusterIP
publishNotReadyAddresses: true publishNotReadyAddresses: true
ports: ports:
- name: http - name: https
port: 8200 port: 8200
targetPort: 8200 targetPort: 8200
- name: internal - name: https-internal
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201
selector: selector:
@ -214,26 +214,26 @@ spec:
vault-active: "true" vault-active: "true"
--- ---
# Source: vault/templates/server-ha-standby-service.yaml # Source: vault/templates/server-ha-standby-service.yaml
# Service for active Vault pod # Service for standby Vault pod
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: vault-standby name: vault-standby
namespace: vault namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
annotations: annotations:
spec: spec:
type: ClusterIP
publishNotReadyAddresses: true publishNotReadyAddresses: true
ports: ports:
- name: http - name: https
port: 8200 port: 8200
targetPort: 8200 targetPort: 8200
- name: internal - name: https-internal
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201
selector: selector:
@ -250,12 +250,12 @@ metadata:
name: vault-internal name: vault-internal
namespace: vault namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
annotations: annotations:
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec: spec:
clusterIP: None clusterIP: None
publishNotReadyAddresses: true publishNotReadyAddresses: true
@ -263,7 +263,7 @@ spec:
- name: "https" - name: "https"
port: 8200 port: 8200
targetPort: 8200 targetPort: 8200
- name: internal - name: https-internal
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201
selector: selector:
@ -279,24 +279,21 @@ metadata:
name: vault name: vault
namespace: vault namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
annotations: annotations:
# This must be set in addition to publishNotReadyAddresses due
# to an open issue where it may not work:
# https://github.com/kubernetes/kubernetes/issues/58662
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec: spec:
# We want the servers to become available even if they're not ready # We want the servers to become available even if they're not ready
# since this DNS is also used for join operations. # since this DNS is also used for join operations.
publishNotReadyAddresses: true publishNotReadyAddresses: true
ports: ports:
- name: http - name: https
port: 8200 port: 8200
targetPort: 8200 targetPort: 8200
- name: internal - name: https-internal
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201
selector: selector:
@ -305,18 +302,13 @@ spec:
component: server component: server
--- ---
# Source: vault/templates/ui-service.yaml # Source: vault/templates/ui-service.yaml
# Headless service for Vault server DNS entries. This service should only
# point to Vault servers. For access to an agent, one should assume that
# the agent is installed locally on the node and the NODE_IP should be used.
# If the node can't run a Vault agent, then this service can be used to
# communicate directly to a server agent.
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: vault-ui name: vault-ui
namespace: vault namespace: vault
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault-ui app.kubernetes.io/name: vault-ui
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@ -327,7 +319,7 @@ spec:
component: server component: server
publishNotReadyAddresses: true publishNotReadyAddresses: true
ports: ports:
- name: http - name: https
port: 8200 port: 8200
targetPort: 8200 targetPort: 8200
type: ClusterIP type: ClusterIP
@ -351,6 +343,7 @@ spec:
app.kubernetes.io/name: vault-agent-injector app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
component: webhook component: webhook
template: template:
metadata: metadata:
labels: labels:
@ -359,9 +352,20 @@ spec:
component: webhook component: webhook
spec: spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: "vault"
component: webhook
topologyKey: kubernetes.io/hostname
serviceAccountName: "vault-agent-injector" serviceAccountName: "vault-agent-injector"
hostNetwork: false
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsGroup: 1000 runAsGroup: 1000
@ -378,9 +382,11 @@ spec:
image: "hashicorp/vault-k8s:0.14.1" image: "hashicorp/vault-k8s:0.14.1"
imagePullPolicy: "IfNotPresent" imagePullPolicy: "IfNotPresent"
securityContext:
allowPrivilegeEscalation: false
env: env:
- name: AGENT_INJECT_LISTEN - name: AGENT_INJECT_LISTEN
value: ":8080" value: :8080
- name: AGENT_INJECT_LOG_LEVEL - name: AGENT_INJECT_LOG_LEVEL
value: info value: info
- name: AGENT_INJECT_VAULT_ADDR - name: AGENT_INJECT_VAULT_ADDR
@ -388,7 +394,7 @@ spec:
- name: AGENT_INJECT_VAULT_AUTH_PATH - name: AGENT_INJECT_VAULT_AUTH_PATH
value: auth/kubernetes value: auth/kubernetes
- name: AGENT_INJECT_VAULT_IMAGE - name: AGENT_INJECT_VAULT_IMAGE
value: "vault:1.4.0" value: "hashicorp/vault:1.9.2"
- name: AGENT_INJECT_TLS_AUTO - name: AGENT_INJECT_TLS_AUTO
value: vault-agent-injector-cfg value: vault-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS - name: AGENT_INJECT_TLS_AUTO_HOSTS
@ -397,7 +403,23 @@ spec:
value: standard value: standard
- name: AGENT_INJECT_REVOKE_ON_SHUTDOWN - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
value: "false" value: "false"
- name: AGENT_INJECT_CPU_REQUEST
value: "250m"
- name: AGENT_INJECT_CPU_LIMIT
value: "500m"
- name: AGENT_INJECT_MEM_REQUEST
value: "64Mi"
- name: AGENT_INJECT_MEM_LIMIT
value: "128Mi"
- name: AGENT_INJECT_DEFAULT_TEMPLATE
value: "map"
- name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
value: "true"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
args: args:
- agent-inject - agent-inject
- 2>&1 - 2>&1
@ -407,7 +429,7 @@ spec:
port: 8080 port: 8080
scheme: HTTPS scheme: HTTPS
failureThreshold: 2 failureThreshold: 2
initialDelaySeconds: 1 initialDelaySeconds: 5
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
timeoutSeconds: 5 timeoutSeconds: 5
@ -417,7 +439,7 @@ spec:
port: 8080 port: 8080
scheme: HTTPS scheme: HTTPS
failureThreshold: 2 failureThreshold: 2
initialDelaySeconds: 2 initialDelaySeconds: 5
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
timeoutSeconds: 5 timeoutSeconds: 5
@ -447,7 +469,7 @@ spec:
template: template:
metadata: metadata:
labels: labels:
helm.sh/chart: vault-0.5.0 helm.sh/chart: vault-0.19.0
app.kubernetes.io/name: vault app.kubernetes.io/name: vault
app.kubernetes.io/instance: vault app.kubernetes.io/instance: vault
component: server component: server
@ -482,9 +504,13 @@ spec:
- name: userconfig-tls-server - name: userconfig-tls-server
secret: secret:
secretName: tls-server secretName: tls-server
defaultMode: 420
- name: userconfig-tls-ca - name: userconfig-tls-ca
secret: secret:
secretName: tls-ca secretName: tls-ca
defaultMode: 420
- name: home
emptyDir: {}
containers: containers:
- name: vault - name: vault
resources: resources:
@ -495,21 +521,24 @@ spec:
cpu: 500m cpu: 500m
memory: 50Mi memory: 50Mi
securityContext: image: hashicorp/vault:1.9.2
capabilities:
add: ["IPC_LOCK"]
image: hashicorp/vault:1.9.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- "/bin/sh" - "/bin/sh"
- "-ec" - "-ec"
args: args:
- | - |
sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl; cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl; [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
[ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
securityContext:
allowPrivilegeEscalation: false
env: env:
- name: HOST_IP - name: HOST_IP
valueFrom: valueFrom:
@ -541,6 +570,8 @@ spec:
fieldPath: metadata.name fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR - name: VAULT_CLUSTER_ADDR
value: "https://$(HOSTNAME).vault-internal:8201" value: "https://$(HOSTNAME).vault-internal:8201"
- name: HOME
value: "/home/vault"
- name: "VAULT_CACERT" - name: "VAULT_CACERT"
@ -559,13 +590,15 @@ spec:
- name: userconfig-tls-ca - name: userconfig-tls-ca
readOnly: true readOnly: true
mountPath: /vault/userconfig/tls-ca mountPath: /vault/userconfig/tls-ca
- name: home
mountPath: /home/vault
ports: ports:
- containerPort: 8200 - containerPort: 8200
name: http name: https
- containerPort: 8201 - containerPort: 8201
name: internal name: https-internal
- containerPort: 8202 - containerPort: 8202
name: replication name: https-rep
readinessProbe: readinessProbe:
httpGet: httpGet:
path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
@ -573,18 +606,19 @@ spec:
scheme: HTTPS scheme: HTTPS
failureThreshold: 2 failureThreshold: 2
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 3 periodSeconds: 5
successThreshold: 1 successThreshold: 1
timeoutSeconds: 5 timeoutSeconds: 3
livenessProbe: livenessProbe:
httpGet: httpGet:
path: "/v1/sys/health?standbyok=true" path: "/v1/sys/health?standbyok=true"
port: 8200 port: 8200
scheme: HTTPS scheme: HTTPS
failureThreshold: 2
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 3 periodSeconds: 5
successThreshold: 1 successThreshold: 1
timeoutSeconds: 5 timeoutSeconds: 3
lifecycle: lifecycle:
# Vault container doesn't receive SIGTERM from Kubernetes # Vault container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This # and after the grace period ends, Kube sends SIGKILL. This
@ -599,11 +633,12 @@ spec:
# to this pod while it's terminating # to this pod while it's terminating
"sleep 5 && kill -SIGTERM $(pidof vault)", "sleep 5 && kill -SIGTERM $(pidof vault)",
] ]
volumeClaimTemplates: volumeClaimTemplates:
--- ---
# Source: vault/templates/injector-mutating-webhook.yaml # Source: vault/templates/injector-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1 apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
name: vault-agent-injector-cfg name: vault-agent-injector-cfg
@ -613,14 +648,63 @@ metadata:
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
webhooks: webhooks:
- name: vault.hashicorp.com - name: vault.hashicorp.com
sideEffects: None
admissionReviewVersions:
- "v1beta1"
- "v1"
clientConfig: clientConfig:
service: service:
name: vault-agent-injector-svc name: vault-agent-injector-svc
namespace: vault namespace: vault
path: "/mutate" path: "/mutate"
caBundle: caBundle: ""
rules: rules:
- operations: ["CREATE", "UPDATE"] - operations: ["CREATE", "UPDATE"]
apiGroups: [""] apiGroups: [""]
apiVersions: ["v1"] apiVersions: ["v1"]
resources: ["pods"] resources: ["pods"]
failurePolicy: Ignore
---
# Source: vault/templates/tests/server-test.yaml
apiVersion: v1
kind: Pod
metadata:
name: "vault-server-test"
namespace: vault
annotations:
"helm.sh/hook": test
spec:
containers:
- name: vault-server-test
image: hashicorp/vault:1.9.2
imagePullPolicy: IfNotPresent
env:
- name: VAULT_ADDR
value: https://vault.vault.svc:8200
- name: "VAULT_CACERT"
value: "/vault/userconfig/tls-ca/tls.crt"
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'vault status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
vault status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'vault status' output"
exit 1
fi
exit 0
volumeMounts:
volumes:
restartPolicy: Never
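Review bot: The new `vault-server-test` hook pod at the end of the last hunk points `VAULT_CACERT` at `/vault/userconfig/tls-ca/tls.crt` but leaves `volumeMounts:` and `volumes:` empty, so the `tls-ca` secret is never mounted and `vault status` against `https://vault.vault.svc:8200` will fail TLS verification on every attempt until the loop exits 1. The server StatefulSet obtains the same CA from its `userconfig-tls-ca` volume, so the test pod needs an equivalent `volumes: [{name: userconfig-tls-ca, secret: {secretName: tls-ca}}]` and `volumeMounts: [{name: userconfig-tls-ca, mountPath: /vault/userconfig/tls-ca, readOnly: true}]`; because this file is rendered Helm output, that presumably has to come from whichever chart value feeds the test template rather than a hand edit here. Separately, the webhook now carries `failurePolicy: Ignore`, which admits pods without injection whenever the injector is unreachable; a short comment in the values file stating that fail-open is intentional would save the next reader from guessing.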


@ -115,7 +115,7 @@ Let's find what versions of vault are available:
helm search repo hashicorp/vault --versions helm search repo hashicorp/vault --versions
``` ```
In this demo I will use the `0.18.0` chart </br> In this demo I will use the `0.19.0` chart </br>
Let's firstly create a `values` file to customize vault. Let's firstly create a `values` file to customize vault.
Let's grab the manifests: Let's grab the manifests:
@ -123,7 +123,7 @@ Let's grab the manifests:
``` ```
helm template vault hashicorp/vault \ helm template vault hashicorp/vault \
--namespace vault \ --namespace vault \
--version 0.5.0 \ --version 0.19.0 \
-f vault-values.yaml \ -f vault-values.yaml \
> ./manifests/vault.yaml > ./manifests/vault.yaml
``` ```
@ -160,7 +160,7 @@ kubectl -n vault port-forward svc/vault-ui 443:8200
``` ```
Now we can access the web UI [here]("https://localhost/") Now we can access the web UI [here]("https://localhost/")
## Enable Kubernetes Autnetication ## Enable Kubernetes Authentication
For the injector to be authorised to access vault, we need to enable K8s auth For the injector to be authorised to access vault, we need to enable K8s auth


@ -21,7 +21,7 @@ injector:
server: server:
image: image:
repository: "hashicorp/vault" repository: "hashicorp/vault"
tag: "1.9.0" tag: "1.9.2"
# These Resource Limits are in line with node requirements in the # These Resource Limits are in line with node requirements in the
# Vault Reference Architecture for a Small Cluster # Vault Reference Architecture for a Small Cluster