From aebfab763c467490fab26db95f4a8db9da435ecd Mon Sep 17 00:00:00 2001
From: marcel-dempers
Date: Fri, 28 Feb 2020 21:37:02 +1100
Subject: [PATCH] updates to pvc and steps list

---
 hashicorp/vault/_helpers.tpl | 313 ------------------
 hashicorp/vault/server/server-pvc.yaml | 2 +-
 .../ssl_generate_self_signed.txt | 3 +
 3 files changed, 4 insertions(+), 314 deletions(-)
 delete mode 100644 hashicorp/vault/_helpers.tpl
 rename hashicorp/vault/{server => tls}/ssl_generate_self_signed.txt (90%)

diff --git a/hashicorp/vault/_helpers.tpl b/hashicorp/vault/_helpers.tpl
deleted file mode 100644
index 0098ab1..0000000
--- a/hashicorp/vault/_helpers.tpl
+++ /dev/null
@@ -1,313 +0,0 @@ -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to -this (by the DNS naming spec). If release name contains chart name it will -be used as a full name. -*/}} -{{- define "vault.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "vault.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Expand the name of the chart. -*/}} -{{- define "vault.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Compute the maximum number of unavailable replicas for the PodDisruptionBudget. -This defaults to (n/2)-1 where n is the number of members of the server cluster. -Add a special case for replicas=1, where it should default to 0 as well. -*/}} -{{- define "vault.pdb.maxUnavailable" -}} -{{- if eq (int .Values.server.ha.replicas) 1 -}} -{{ 0 }} -{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} -{{ .Values.server.ha.disruptionBudget.maxUnavailable -}} -{{- else -}} -{{- div (sub (div (mul (int .Values.server.ha.replicas) 10) 2) 1) 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Set the variable 'mode' to the server mode requested by the user to simplify -template logic. -*/}} -{{- define "vault.mode" -}} - {{- if eq (.Values.server.dev.enabled | toString) "true" -}} - {{- $_ := set . "mode" "dev" -}} - {{- else if eq (.Values.server.ha.enabled | toString) "true" -}} - {{- $_ := set . 
"mode" "ha" -}} - {{- else if or (eq (.Values.server.standalone.enabled | toString) "true") (eq (.Values.server.standalone.enabled | toString) "-") -}} - {{- $_ := set . "mode" "standalone" -}} - {{- else -}} - {{- $_ := set . "mode" "" -}} - {{- end -}} -{{- end -}} - -{{/* -Set's the replica count based on the different modes configured by user -*/}} -{{- define "vault.replicas" -}} - {{ if eq .mode "standalone" }} - {{- default 1 -}} - {{ else if eq .mode "ha" }} - {{- .Values.server.ha.replicas | default 3 -}} - {{ else }} - {{- default 1 -}} - {{ end }} -{{- end -}} - -{{/* -Set's up configmap mounts if this isn't a dev deployment and the user -defined a custom configuration. Additionally iterates over any -extra volumes the user may have specified (such as a secret with TLS). -*/}} -{{- define "vault.volumes" -}} - {{- if and (ne .mode "dev") (or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "")) }} - - name: config - configMap: - name: {{ template "vault.fullname" . }}-config - {{ end }} - {{- range .Values.server.extraVolumes }} - - name: userconfig-{{ .name }} - {{ .type }}: - {{- if (eq .type "configMap") }} - name: {{ .name }} - {{- else if (eq .type "secret") }} - secretName: {{ .name }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Set's a command to override the entrypoint defined in the image -so we can make the user experience nicer. This works in with -"vault.args" to specify what commands /bin/sh should run. -*/}} -{{- define "vault.command" -}} - {{ if or (eq .mode "standalone") (eq .mode "ha") }} - - "/bin/sh" - - "-ec" - {{ end }} -{{- end -}} - -{{/* -Set's the args for custom command to render the Vault configuration -file with IP addresses to make the out of box experience easier -for users looking to use this chart with Consul Helm. 
-*/}} -{{- define "vault.args" -}} - {{ if or (eq .mode "standalone") (eq .mode "ha") }} - - | - sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl; - sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} - {{ end }} -{{- end -}} - -{{/* -Set's additional environment variables based on the mode. -*/}} -{{- define "vault.envs" -}} - {{ if eq .mode "dev" }} - - name: VAULT_DEV_ROOT_TOKEN_ID - value: "root" - {{ end }} -{{- end -}} - -{{/* -Set's which additional volumes should be mounted to the container -based on the mode configured. -*/}} -{{- define "vault.mounts" -}} - {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} - - name: audit - mountPath: /vault/audit - {{ end }} - {{ if eq .mode "standalone" }} - {{ if eq (.Values.server.dataStorage.enabled | toString) "true" }} - - name: data - mountPath: /vault/data - {{ end }} - {{ end }} - {{ if and (ne .mode "dev") (or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "")) }} - - name: config - mountPath: /vault/config - {{ end }} - {{- range .Values.server.extraVolumes }} - - name: userconfig-{{ .name }} - readOnly: true - mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} - {{- end }} -{{- end -}} - -{{/* -Set's up the volumeClaimTemplates when data or audit storage is required. HA -might not use data storage since Consul is likely it's backend, however, audit -storage might be desired by the user. 
-*/}} -{{- define "vault.volumeclaims" -}} - {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} - volumeClaimTemplates: - {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (eq .mode "standalone") }} - - metadata: - name: data - spec: - accessModes: - - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.server.dataStorage.size }} - {{- if .Values.server.dataStorage.storageClass }} - storageClassName: {{ .Values.server.dataStorage.storageClass }} - {{- end }} - {{ end }} - {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} - - metadata: - name: audit - spec: - accessModes: - - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} - resources: - requests: - storage: {{ .Values.server.auditStorage.size }} - {{- if .Values.server.auditStorage.storageClass }} - storageClassName: {{ .Values.server.auditStorage.storageClass }} - {{- end }} - {{ end }} - {{ end }} -{{- end -}} - -{{/* -Set's the affinity for pod placement when running in standalone and HA modes. -*/}} -{{- define "vault.affinity" -}} - {{- if and (ne .mode "dev") .Values.server.affinity }} - affinity: - {{ tpl .Values.server.affinity . | nindent 8 | trim }} - {{ end }} -{{- end -}} - -{{/* -Set's the toleration for pod placement when running in standalone and HA modes. -*/}} -{{- define "vault.tolerations" -}} - {{- if and (ne .mode "dev") .Values.server.tolerations }} - tolerations: - {{ tpl .Values.server.tolerations . | nindent 8 | trim }} - {{- end }} -{{- end -}} - -{{/* -Set's the node selector for pod placement when running in standalone and HA modes. -*/}} -{{- define "vault.nodeselector" -}} - {{- if and (ne .mode "dev") .Values.server.nodeSelector }} - nodeSelector: - {{ tpl .Values.server.nodeSelector . 
| indent 8 | trim }} - {{- end }} -{{- end -}} - -{{/* -Sets extra pod annotations -*/}} -{{- define "vault.annotations" -}} - {{- if and (ne .mode "dev") .Values.server.annotations }} - annotations: - {{- tpl .Values.server.annotations . | nindent 8 }} - {{- end }} -{{- end -}} - -{{/* -Sets extra ui service annotations -*/}} -{{- define "vault.ui.annotations" -}} - {{- if .Values.ui.annotations }} - annotations: - {{- toYaml .Values.ui.annotations | nindent 4 }} - {{- end }} -{{- end -}} - -{{/* -Sets extra service account annotations -*/}} -{{- define "vault.serviceAccount.annotations" -}} - {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} - annotations: - {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }} - {{- end }} -{{- end -}} - -{{/* -Set's the container resources if the user has set any. -*/}} -{{- define "vault.resources" -}} - {{- if .Values.server.resources -}} - resources: -{{ toYaml .Values.server.resources | indent 12}} - {{ end }} -{{- end -}} - -{{/* -Sets the container resources if the user has set any. 
-*/}} -{{- define "injector.resources" -}} - {{- if .Values.injector.resources -}} - resources: -{{ toYaml .Values.injector.resources | indent 12}} - {{ end }} -{{- end -}} - -{{/* -Inject extra environment vars in the format key:value, if populated -*/}} -{{- define "vault.extraEnvironmentVars" -}} -{{- if .extraEnvironmentVars -}} -{{- range $key, $value := .extraEnvironmentVars }} -- name: {{ $key }} - value: {{ $value | quote }} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Inject extra environment populated by secrets, if populated -*/}} -{{- define "vault.extraSecretEnvironmentVars" -}} -{{- if .extraSecretEnvironmentVars -}} -{{- range .extraSecretEnvironmentVars }} -- name: {{ .envName }} - valueFrom: - secretKeyRef: - name: {{ .secretName }} - key: {{ .secretKey }} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* Scheme for health check and local endpoint */}} -{{- define "vault.scheme" -}} -{{- if .Values.global.tlsDisable -}} -{{ "http" }} -{{- else -}} -{{ "https" }} -{{- end -}} -{{- end -}}
diff --git a/hashicorp/vault/server/server-pvc.yaml b/hashicorp/vault/server/server-pvc.yaml
index 14dae2c..258976a 100644
--- a/hashicorp/vault/server/server-pvc.yaml
+++ b/hashicorp/vault/server/server-pvc.yaml
@@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 metadata:
 name: vault-claim
 spec:
- storageClassName: manual
+ storageClassName: hostpath
 accessModes:
 - ReadWriteOnce
 resources:
diff --git a/hashicorp/vault/server/ssl_generate_self_signed.txt b/hashicorp/vault/tls/ssl_generate_self_signed.txt
similarity index 90%
rename from hashicorp/vault/server/ssl_generate_self_signed.txt
rename to hashicorp/vault/tls/ssl_generate_self_signed.txt
index 3689f61..0e125e5 100644
--- a/hashicorp/vault/server/ssl_generate_self_signed.txt
+++ b/hashicorp/vault/tls/ssl_generate_self_signed.txt
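Review bot: `storageClassName: hostpath` in the server-pvc.yaml hunk binds the claim to a cluster-specific StorageClass name without recording which clusters provide it; `hostpath` appears to be the class bundled with Docker Desktop's Kubernetes, and a hostPath-backed volume keeps Vault's storage directory on one node's local disk, so the claim stays Pending on clusters without that class and the data has no durability beyond that node. A comment on the changed line would save the next reader a round of `kubectl describe pvc`, e.g. `storageClassName: hostpath  # local-dev class (Docker Desktop); node-local, single-node only - adjust per cluster`. The rest of the PersistentVolumeClaim (apiVersion/kind above, the storage request below) is outside the hunk.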
@@ -25,5 +25,8 @@ cat vault-example.pem | base64 | tr -d '\n' cat vault-example-key.pem | base64 | tr -d '\n' #TEST +vault operator init #grab keys +vault operator unseal #unseal 3 times + vault login vault kv put cubbyhole/hello foo=world \ No newline at end of file
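Review bot: `vault operator init #grab keys` does not say what is grabbed or that it is a one-time output: the command prints the unseal key shares and the initial root token exactly once and they cannot be recovered afterwards, so the step should tell the reader to record them somewhere outside the repository before continuing. The following `#unseal 3 times` only holds for the default split of 5 shares with a threshold of 3; if the walkthrough ever passes `-key-shares`/`-key-threshold` to init that comment goes stale, so tie the two lines together, e.g. `vault operator init   # prints 5 unseal key shares + initial root token ONCE; save them outside this repo` and `vault operator unseal # run 3 times, each with a different key share (default threshold 3 of 5)`. The `vault login` that follows presumably expects that root token; one more comment saying so would complete the steps list. The file still ends without a trailing newline (`\ No newline at end of file`), and the earlier steps are outside the hunk.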