From 93ff675562b7c94bfe1ce1012cb3e8b9e40cc957 Mon Sep 17 00:00:00 2001
From: marcel-dempers
Date: Thu, 20 Feb 2020 16:03:28 +1100
Subject: [PATCH] get a vault server up

---
 .../server/server-clusterrolebinding.yaml | 14 ++
 .../vault/server/server-config-configmap.yaml | 18 +++
 .../vault/server/server-disruptionbudget.yaml | 22 +++
 hashicorp/vault/server/server-ingress.yaml | 44 ++++++
 hashicorp/vault/server/server-pv.yaml | 14 ++
 hashicorp/vault/server/server-pvc.yaml | 11 ++
 hashicorp/vault/server/server-service.yaml | 25 ++++
 .../vault/server/server-serviceaccount.yaml | 6 +
 .../vault/server/server-statefulset.yaml | 133 ++++++++++++++++++
 .../vault/server/server-storageclass.yaml | 6 +
 hashicorp/vault/server/ui-service.yaml | 20 +++
 11 files changed, 313 insertions(+)
 create mode 100644 hashicorp/vault/server/server-clusterrolebinding.yaml
 create mode 100644 hashicorp/vault/server/server-config-configmap.yaml
 create mode 100644 hashicorp/vault/server/server-disruptionbudget.yaml
 create mode 100644 hashicorp/vault/server/server-ingress.yaml
 create mode 100644 hashicorp/vault/server/server-pv.yaml
 create mode 100644 hashicorp/vault/server/server-pvc.yaml
 create mode 100644 hashicorp/vault/server/server-service.yaml
 create mode 100644 hashicorp/vault/server/server-serviceaccount.yaml
 create mode 100644 hashicorp/vault/server/server-statefulset.yaml
 create mode 100644 hashicorp/vault/server/server-storageclass.yaml
 create mode 100644 hashicorp/vault/server/ui-service.yaml

diff --git a/hashicorp/vault/server/server-clusterrolebinding.yaml b/hashicorp/vault/server/server-clusterrolebinding.yaml
new file mode 100644
index 0000000..66434a4
--- /dev/null
+++ b/hashicorp/vault/server/server-clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-example-server-binding
+ labels:
+ app.kubernetes.io/name: vault-example
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: vault-example
+ namespace: vault-example
diff --git a/hashicorp/vault/server/server-config-configmap.yaml b/hashicorp/vault/server/server-config-configmap.yaml
new file mode 100644
index 0000000..9abe1c3
--- /dev/null
+++ b/hashicorp/vault/server/server-config-configmap.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: vault-example-config
+ labels:
+ app.kubernetes.io/name: vault-example
+data:
+ extraconfig-from-values.hcl: |-
+ disable_mlock = true
+ ui = true
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ }
+ storage "file" {
+ path = "/vault/data"
+ }
diff --git a/hashicorp/vault/server/server-disruptionbudget.yaml b/hashicorp/vault/server/server-disruptionbudget.yaml
new file mode 100644
index 0000000..7cd2067
--- /dev/null
+++ b/hashicorp/vault/server/server-disruptionbudget.yaml
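Review bot: The subject hard-codes `namespace: vault-example`, but neither this file nor the ServiceAccount manifest in this patch sets a namespace, so applying the set without `-n vault-example` creates the SA in `default` and the binding silently points at a subject that does not exist (RBAC does not validate subjects at admission). Either add `namespace: vault-example` to the ServiceAccount metadata or state the required namespace in a comment at the top of both files. `rbac.authorization.k8s.io/v1beta1` is deprecated; `rbac.authorization.k8s.io/v1` has been available since 1.8 and is a one-word change. A why-comment on the role would also help the next reader, e.g. `# system:auth-delegator lets Vault call TokenReview/SubjectAccessReview for the kubernetes auth method; remove if that auth method is not enabled.`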
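Review bot: `tls_disable = 1` combined with `address = "[::]:8200"` makes Vault serve its API in plaintext on every interface, so the root token printed by `operator init`, every client token and every secret read cross the cluster network unencrypted, and the two Services in this patch make that listener reachable from any pod. For anything beyond a local demo, set `tls_cert_file`/`tls_key_file` to a mounted certificate (the `-tls-skip-verify` in the StatefulSet's readiness probe suggests the template this was taken from expected TLS), or at minimum add a NetworkPolicy restricting who can reach 8200. `disable_mlock = true` also contradicts the `IPC_LOCK` capability the StatefulSet grants; as far as I recall Vault only recommends disabling mlock for integrated (Raft) storage, so with `storage "file"` either remove this line and keep the capability, or keep it and drop the capability, but not the current mix. A one-line `# dev-only: plaintext listener, single-node file storage` comment above the HCL would stop this being copied into a real environment unchanged.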
@@ -0,0 +1,22 @@
+# {{ template "vault.mode" . }}
+# {{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
+# # PodDisruptionBudget to prevent degrading the server cluster through
+# # voluntary cluster changes.
+# apiVersion: policy/v1beta1
+# kind: PodDisruptionBudget
+# metadata:
+# name: {{ template "vault.fullname" . }}
+# namespace: {{ .Release.Namespace }}
+# labels:
+# helm.sh/chart: {{ include "vault.chart" . }}
+# app.kubernetes.io/name: {{ include "vault.name" . }}
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/managed-by: {{ .Release.Service }}
+# spec:
+# maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
+# selector:
+# matchLabels:
+# app.kubernetes.io/name: {{ include "vault.name" . }}
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# component: server
+# {{- end -}}
diff --git a/hashicorp/vault/server/server-ingress.yaml b/hashicorp/vault/server/server-ingress.yaml
new file mode 100644
index 0000000..5b8d7f8
--- /dev/null
+++ b/hashicorp/vault/server/server-ingress.yaml
@@ -0,0 +1,44 @@
+# {{- if .Values.server.ingress.enabled -}}
+# {{- $serviceName := include "vault.fullname" . -}}
+# {{- $servicePort := .Values.server.service.port -}}
+# apiVersion: extensions/v1beta1
+# kind: Ingress
+# metadata:
+# name: {{ template "vault.fullname" . }}
+# namespace: {{ .Release.Namespace }}
+# labels:
+# helm.sh/chart: {{ include "vault.chart" . }}
+# app.kubernetes.io/name: {{ include "vault.name" . }}
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/managed-by: {{ .Release.Service }}
+# {{- with .Values.server.ingress.labels }}
+# {{- toYaml . | nindent 4 }}
+# {{- end }}
+# {{- with .Values.server.ingress.annotations }}
+# annotations:
+# {{- toYaml . | nindent 4 }}
+# {{- end }}
+# spec:
+# {{- if .Values.server.ingress.tls }}
+# tls:
+# {{- range .Values.server.ingress.tls }}
+# - hosts:
+# {{- range .hosts }}
+# - {{ . | quote }}
+# {{- end }}
+# secretName: {{ .secretName }}
+# {{- end }}
+# {{- end }}
+# rules:
+# {{- range .Values.server.ingress.hosts }}
+# - host: {{ .host | quote }}
+# http:
+# paths:
+# {{- range .paths }}
+# - path: {{ . }}
+# backend:
+# serviceName: {{ $serviceName }}
+# servicePort: {{ $servicePort }}
+# {{- end }}
+# {{- end }}
+# {{- end }}
diff --git a/hashicorp/vault/server/server-pv.yaml b/hashicorp/vault/server/server-pv.yaml
new file mode 100644
index 0000000..b93235e
--- /dev/null
+++ b/hashicorp/vault/server/server-pv.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: vault
+ labels:
+ type: local
+spec:
+ storageClassName: manual
+ capacity:
+ storage: 1Gi
+ accessModes:
+ - ReadWriteOnce
+ hostPath:
+ path: "/mnt/data"
\ No newline at end of file
diff --git a/hashicorp/vault/server/server-pvc.yaml b/hashicorp/vault/server/server-pvc.yaml
new file mode 100644
index 0000000..14dae2c
--- /dev/null
+++ b/hashicorp/vault/server/server-pvc.yaml
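Review bot: The hostPath PersistentVolume carries no `nodeAffinity`, so on a multi-node cluster nothing ties the Vault pod to the node whose `/mnt/data` actually holds the barrier files; if the pod is rescheduled elsewhere it starts against an empty directory and reports itself uninitialized, and because the listener in this patch is plaintext and both Services publish not-ready addresses, whoever reaches 8200 first can run `operator init` and hold the root token of the instance clients then trust by DNS. Prefer a `local` volume with a `nodeAffinity` term (the commented-out `no-provisioner` StorageClass in this patch is the matching class) or a real provisioner. Any other pod allowed to mount hostPath `/mnt/data` on that node can also copy the storage files offline; the barrier keeps them encrypted, but a comment should note that the directory must be owned by uid 100 and not world-readable, since the init container only does `chown 100`.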
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vault-claim
+spec:
+ storageClassName: manual
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
\ No newline at end of file
diff --git a/hashicorp/vault/server/server-service.yaml b/hashicorp/vault/server/server-service.yaml
new file mode 100644
index 0000000..1ed6d4f
--- /dev/null
+++ b/hashicorp/vault/server/server-service.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault-example
+ labels:
+ app.kubernetes.io/name: vault-example
+ annotations:
+ # This must be set in addition to publishNotReadyAddresses due
+ # to an open issue where it may not work:
+ # https://github.com/kubernetes/kubernetes/issues/58662
+ service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+ # We want the servers to become available even if they're not ready
+ # since this DNS is also used for join operations.
+ publishNotReadyAddresses: true
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ - name: internal
+ port: 8201
+ targetPort: 8201
+ selector:
+ app.kubernetes.io/name: vault-example
+ component: server
diff --git a/hashicorp/vault/server/server-serviceaccount.yaml b/hashicorp/vault/server/server-serviceaccount.yaml
new file mode 100644
index 0000000..efdfb01
--- /dev/null
+++ b/hashicorp/vault/server/server-serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault-example
+ labels:
+ app.kubernetes.io/name: vault-example
\ No newline at end of file
diff --git a/hashicorp/vault/server/server-statefulset.yaml b/hashicorp/vault/server/server-statefulset.yaml
new file mode 100644
index 0000000..81fc2ea
--- /dev/null
+++ b/hashicorp/vault/server/server-statefulset.yaml
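Review bot: The `http` port forwards to `targetPort: 80`, but the container in this patch listens on 8200 (`containerPort: 8200`, named `http`), so `vault-example:80` will be refused; the `ui-service` in the same patch correctly targets 8200. Change it to `targetPort: http` (or `8200`) so the Service follows the container port rather than a number nothing listens on. Since this name is what clients will put in `VAULT_ADDR`, a comment should also say that `publishNotReadyAddresses: true` makes sealed and uninitialized servers routable here; that is needed for the 8201 join port, not for client traffic, and with a single `storage "file"` replica there is no join at all.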
@@ -0,0 +1,133 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: vault-example
+ labels:
+ app.kubernetes.io/name: vault-example
+spec:
+ serviceName: vault-example
+ podManagementPolicy: Parallel
+ replicas: 1
+ updateStrategy:
+ type: "OnDelete"
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: vault-example
+ component: server
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: vault-example
+ component: server
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: vault-example
+ component: server
+ topologyKey: kubernetes.io/hostname
+ terminationGracePeriodSeconds: 10
+ serviceAccountName: vault-example
+ shareProcessNamespace: true
+ securityContext:
+ fsGroup: 1000
+ volumes:
+ - name: config
+ configMap:
+ name: vault-example-config
+ - name: data
+ persistentVolumeClaim:
+ claimName: vault-claim
+ initContainers:
+ - name: setupperms
+ image: alpine:latest
+ command: ['sh', '-c', 'echo The app is running! 
&& chown 100 /vault/data && ls -l /vault/']
+ volumeMounts:
+ - name: data
+ mountPath: /vault/data
+ containers:
+ - name: vault
+ securityContext:
+ runAsNonRoot: true
+ runAsGroup: 1000
+ runAsUser: 100
+ capabilities:
+ add: ["IPC_LOCK"]
+ image: vault:1.3.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - "/bin/sh"
+ - "-ec"
+ args:
+ - |
+ sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl;
+ sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl;
+ /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
+ env:
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: VAULT_ADDR
+ value: "http://127.0.0.1:8200"
+ - name: VAULT_API_ADDR
+ value: "http://$(POD_IP):8200"
+ - name: SKIP_CHOWN
+ value: "true"
+ - name: SKIP_SETCAP
+ value: "true"
+ volumeMounts:
+ - name: config
+ mountPath: /vault/config
+ - name: data
+ mountPath: /vault/data
+ ports:
+ - containerPort: 8200
+ name: http
+ - containerPort: 8201
+ name: internal
+ - containerPort: 8202
+ name: replication
+ readinessProbe:
+ # Check status; unsealed vault servers return 0
+ # The exit code reflects the seal status:
+ # 0 - unsealed
+ # 1 - error
+ # 2 - sealed
+ exec:
+ command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 3
+ successThreshold: 1
+ timeoutSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: "/v1/sys/health?standbyok=true"
+ port: 8200
+ scheme: HTTP
+ initialDelaySeconds: 60
+ periodSeconds: 3
+ successThreshold: 1
+ timeoutSeconds: 5
+ lifecycle:
+ # Vault container doesn't receive SIGTERM from Kubernetes
+ # and after the grace period ends, Kube sends SIGKILL. This
+ # causes issues with graceful shutdowns such as deregistering itself
+ # from Consul (zombie services). 
+ preStop:
+ exec:
+ command: [
+ "/bin/sh", "-c",
+ # Adding a sleep here to give the pod eviction a
+ # chance to propagate, so requests will not be made
+ # to this pod while it's terminating
+ "sleep 5 && kill -SIGTERM $(pidof vault)",
+ ]
+ 
\ No newline at end of file
diff --git a/hashicorp/vault/server/server-storageclass.yaml b/hashicorp/vault/server/server-storageclass.yaml
new file mode 100644
index 0000000..fb12735
--- /dev/null
+++ b/hashicorp/vault/server/server-storageclass.yaml
@@ -0,0 +1,6 @@
+# kind: StorageClass
+# apiVersion: storage.k8s.io/v1
+# metadata:
+# name: local-storage
+# provisioner: kubernetes.io/no-provisioner
+# volumeBindingMode: WaitForFirstConsumer
\ No newline at end of file
diff --git a/hashicorp/vault/server/ui-service.yaml b/hashicorp/vault/server/ui-service.yaml
new file mode 100644
index 0000000..4d28847
--- /dev/null
+++ b/hashicorp/vault/server/ui-service.yaml
@@ -0,0 +1,20 @@
+# Headless service for Vault server DNS entries. This service should only
+# point to Vault servers. For access to an agent, one should assume that
+# the agent is installed locally on the node and the NODE_IP should be used.
+# If the node can't run a Vault agent, then this service can be used to
+# communicate directly to a server agent.
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault-example-ui
+ labels:
+ app.kubernetes.io/name: vault-example-ui
+spec:
+ selector:
+ app.kubernetes.io/name: vault-example
+ component: server
+ publishNotReadyAddresses: true
+ ports:
+ - name: http
+ port: 8080
+ targetPort: 8200
\ No newline at end of file
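Review bot: The liveness probe will restart the pod in a loop whenever Vault is sealed: `/v1/sys/health` returns 503 while sealed and 501 while uninitialized, and after every restart a Shamir-sealed `storage "file"` server comes back sealed, so once the 60 s initial delay passes the kubelet kills it before an operator can unseal. Either drop the liveness probe (the readiness probe already gates traffic) or make those states non-fatal with `path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"`. The container adds `IPC_LOCK` while the ConfigMap in this patch sets `disable_mlock = true` and the entrypoint is told `SKIP_SETCAP=true`, so the capability is granted but never used; drop it or enable mlock, but not this combination. The `setupperms` init container runs as root from an unpinned `alpine:latest`; pin it by digest, give it a `securityContext`, and add a comment tying `chown 100 /vault/data` to the `runAsUser: 100` below so the two are not changed independently.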
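Review bot: The header comment describes a headless service used for server DNS entries and agent fallback, but this object has a ClusterIP (no `clusterIP: None`) and fronts the UI on 8080, so the comment is carried over from the chart's internal service and misleads; replace it with something like `# ClusterIP service exposing the Vault UI/API (container port 8200) on 8080 for operators; not used for cluster join.` Whether `publishNotReadyAddresses: true` belongs here depends on intent: it keeps the UI reachable while the server is sealed, which is useful for unsealing through the UI, but it also exposes an uninitialized server over the plaintext listener from this patch, so state that intent in a comment or remove the field.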