From e454f2783b1947e66bf4be9427473d64cc107685 Mon Sep 17 00:00:00 2001 From: marcel-dempers Date: Sun, 23 Feb 2020 23:14:17 +0000 Subject: [PATCH] basic injector --- .../vault/injector/injector-clusterrole.yaml | 8 +-- .../injector/injector-clusterrolebinding.yaml | 15 ++---- .../vault/injector/injector-deployment.yaml | 54 +++++-------------- .../injector/injector-mutating-webhook.yaml | 27 +++++----- .../vault/injector/injector-service.yaml | 12 ++--- .../injector/injector-serviceaccount.yaml | 9 +--- hashicorp/vault/server/server-service.yaml | 4 +- 7 files changed, 42 insertions(+), 87 deletions(-) diff --git a/hashicorp/vault/injector/injector-clusterrole.yaml b/hashicorp/vault/injector/injector-clusterrole.yaml index 4ff25ab..1f58f4f 100644 --- a/hashicorp/vault/injector/injector-clusterrole.yaml +++ b/hashicorp/vault/injector/injector-clusterrole.yaml @@ -1,12 +1,9 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole + name: vault-example-agent-injector-clusterrole labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: vault-example-agent-injector rules: - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] @@ -15,4 +12,3 @@ rules: - "list" - "watch" - "patch" -{{ end }} diff --git a/hashicorp/vault/injector/injector-clusterrolebinding.yaml b/hashicorp/vault/injector/injector-clusterrolebinding.yaml index 9826693..4e883f1 100644 --- a/hashicorp/vault/injector/injector-clusterrolebinding.yaml +++ b/hashicorp/vault/injector/injector-clusterrolebinding.yaml 
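Review bot: The de-templated ClusterRole still grants its verbs on every MutatingWebhookConfiguration in the cluster, although the injector only has to manage its own `vault-example-agent-injector-cfg` (the object `AGENT_INJECT_TLS_AUTO` names in the deployment hunk). If the injector only reads and patches that one object, `resourceNames: ["vault-example-agent-injector-cfg"]` under the rule would pin the grant to it; `resourceNames` does not scope `list`/`watch`, so those two verbs should stay only if vault-k8s 0.1.2 actually uses them, which is worth confirming against the injector's certificate watcher. The start of the `verbs` list falls between the two hunks, so only `list`, `watch` and `patch` are visible here.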
@@ -1,19 +1,14 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "vault.fullname" . }}-agent-injector-binding - namespace: {{ .Release.Namespace }} + name: vault-example-agent-injector-binding labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: vault-example-agent-injector roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "vault.fullname" . }}-agent-injector-clusterrole + name: vault-example-agent-injector-clusterrole subjects: - kind: ServiceAccount - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} -{{ end }} + name: vault-example-agent-injector + namespace: vault-example diff --git a/hashicorp/vault/injector/injector-deployment.yaml b/hashicorp/vault/injector/injector-deployment.yaml index 86c54ff..f4c142f 100644 --- a/hashicorp/vault/injector/injector-deployment.yaml +++ b/hashicorp/vault/injector/injector-deployment.yaml 
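Review bot: The subject pins the ServiceAccount to `namespace: vault-example`, but the ServiceAccount, Deployment and Service hunks in this patch drop their `namespace:` line without replacing it, so those objects land in whatever namespace `kubectl apply -n` selects. Applied anywhere other than `vault-example`, the binding never matches the injector's ServiceAccount (so it cannot patch the webhook's caBundle) and the webhook's `clientConfig.service` (also namespace `vault-example`) points at a Service that does not exist. Either add `namespace: vault-example` to the metadata of those three manifests, or document that the directory must be applied with `-n vault-example`.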
@@ -1,59 +1,44 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} -# Deployment for the injector apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + name: vault-example-agent-injector labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: vault-example-agent-injector component: webhook spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: vault-example-agent-injector component: webhook template: metadata: labels: - app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: vault-example-agent-injector component: webhook spec: - serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + serviceAccountName: vault-example-agent-injector securityContext: runAsNonRoot: true - runAsGroup: {{ .Values.injector.gid | default 1000 }} - runAsUser: {{ .Values.injector.uid | default 100 }} + runAsGroup: 1000 + runAsUser: 100 containers: - name: sidecar-injector - {{ template "injector.resources" . }} - image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" - imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" + image: "hashicorp/vault-k8s:0.1.2" + imagePullPolicy: IfNotPresent env: - name: AGENT_INJECT_LISTEN value: ":8080" - name: AGENT_INJECT_LOG_LEVEL - value: {{ .Values.injector.logLevel | default "info" }} + value: "info" - name: AGENT_INJECT_VAULT_ADDR - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . 
}}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: http://vault-example:8200 - name: AGENT_INJECT_VAULT_IMAGE - value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" - {{- if .Values.injector.certs.secretName }} - - name: AGENT_INJECT_TLS_CERT_FILE - value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}" - - name: AGENT_INJECT_TLS_KEY_FILE - value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" - {{- else }} + value: "vault:1.3.1" - name: AGENT_INJECT_TLS_AUTO - value: {{ template "vault.fullname" . }}-agent-injector-cfg + value: vault-example-agent-injector-cfg - name: AGENT_INJECT_TLS_AUTO_HOSTS - value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc - {{- end }} + value: vault-example-agent-injector-svc,vault-example-agent-injector-svc.vault-example,vault-example-agent-injector-svc.vault-example.svc args: - agent-inject - 2>&1 @@ -77,14 +62,3 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 -{{- if .Values.injector.certs.secretName }} - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true - volumes: - - name: webhook-certs - secret: - secretName: "{{ .Values.injector.certs.secretName }}" -{{- end }} -{{ end }} diff --git a/hashicorp/vault/injector/injector-mutating-webhook.yaml b/hashicorp/vault/injector/injector-mutating-webhook.yaml index 3f0d27e..caf6ba2 100644 --- a/hashicorp/vault/injector/injector-mutating-webhook.yaml +++ b/hashicorp/vault/injector/injector-mutating-webhook.yaml 
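Review bot: `AGENT_INJECT_VAULT_ADDR` is set to `http://vault-example:8200`, so every injected Vault Agent sidecar will authenticate and fetch secrets over plaintext HTTP inside the cluster; the server's port being named `http` in the server-service hunk suggests no TLS listener exists yet. That is acceptable for a local example but should be stated next to the value, e.g. `# plaintext HTTP for the example only; switch to https:// once the server listener has TLS`. Separately, both images are pinned by tag only (`hashicorp/vault-k8s:0.1.2`, `vault:1.3.1`) under `imagePullPolicy: IfNotPresent`, so whatever cached image carries that tag is used unverified; pinning by digest (`hashicorp/vault-k8s@sha256:<digest placeholder>`) is the usual hardening for a component that mutates pods. The container spec continues outside this hunk (args, probes).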
@@ -1,27 +1,28 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: {{ template "vault.fullname" . }}-agent-injector-cfg + name: vault-example-agent-injector-cfg labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: vault-example-agent-injector webhooks: - name: vault.hashicorp.com clientConfig: service: - name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + name: vault-example-agent-injector-svc + namespace: vault-example path: "/mutate" - caBundle: {{ .Values.injector.certs.caBundle }} + caBundle: "" rules: - operations: ["CREATE", "UPDATE"] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] -{{- if .Values.injector.namespaceSelector }} namespaceSelector: -{{ toYaml .Values.injector.namespaceSelector | indent 6}} -{{ end }} -{{ end }} + matchExpressions: + - key: name + operator: In + values: + - example-app + sideEffects: None + admissionReviewVersions: + - "v1" \ No newline at end of file diff --git a/hashicorp/vault/injector/injector-service.yaml b/hashicorp/vault/injector/injector-service.yaml index 79d818f..2a4430b 100644 --- a/hashicorp/vault/injector/injector-service.yaml +++ b/hashicorp/vault/injector/injector-service.yaml 
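Review bot: `caBundle: ""` leaves the webhook with no CA until the injector patches one in via `AGENT_INJECT_TLS_AUTO`, and the config never sets `failurePolicy`; with the move to `admissionregistration.k8s.io/v1` the default is `Fail`, so pod creation in the selected namespace is blocked whenever the injector is down or has not yet populated the bundle. Fail-closed is the right choice for a webhook that injects secrets, but it should be written explicitly, `failurePolicy: Fail`, rather than inherited from an API-version default (v1beta1 defaulted to `Ignore`). The `namespaceSelector` matches the namespace label `name=example-app`, which Kubernetes does not set automatically, so the namespace must carry that label or nothing is ever injected; a comment on the selector saying so would save a confused first run. `admissionReviewVersions: ["v1"]` assumes vault-k8s 0.1.2 answers v1 AdmissionReview requests — worth confirming, and adding `"v1beta1"` to the list if it does not.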
@@ -1,19 +1,13 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} apiVersion: v1 kind: Service metadata: - name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + name: vault-example-agent-injector-svc labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: vault-example-agent-injector spec: ports: - port: 443 targetPort: 8080 selector: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: vault-example-agent-injector component: webhook -{{- end }} diff --git a/hashicorp/vault/injector/injector-serviceaccount.yaml b/hashicorp/vault/injector/injector-serviceaccount.yaml index a28d38f..fdb55b1 100644 --- a/hashicorp/vault/injector/injector-serviceaccount.yaml +++ b/hashicorp/vault/injector/injector-serviceaccount.yaml @@ -1,11 +1,6 @@ -{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + name: vault-example-agent-injector labels: - app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{ end }} + app.kubernetes.io/name: vault-example-agent-injector \ No newline at end of file diff --git a/hashicorp/vault/server/server-service.yaml b/hashicorp/vault/server/server-service.yaml index 1ed6d4f..e329d0f 100644 --- a/hashicorp/vault/server/server-service.yaml +++ b/hashicorp/vault/server/server-service.yaml 
@@ -15,8 +15,8 @@ spec: publishNotReadyAddresses: true ports: - name: http - port: 80 - targetPort: 80 + port: 8200 + targetPort: 8200 - name: internal port: 8201 targetPort: 8201