diff --git a/examples/k8s/vault/README.md b/examples/k8s/vault/README.md
new file mode 100644
index 0000000..a67c6e3
--- /dev/null
+++ b/examples/k8s/vault/README.md
@@ -0,0 +1,29 @@
+# HashiCorp Vault in kubernetes
+
+HashiCorp recomend installing vault via helm. Your author prefers
+plain old kubernetes configs.
+
+So we generated the yaml via helm's template command.
+
+ helm template incubator/vault \
+ --name-template=vault \
+ --replicaCount=1 \
+ --set vault.dev=false \
+ --set vault.config.storage.file.path=/macos/.wiki-k8s/vault \
+ | egrep -v 'heritage: "?Helm"?' \
+ > vault.html
+
+ kubectl apply -k .
+ kubectl port-forward svc/vault 8200:8200 &> /dev/null &
+
+ export VAULT_ADDR=http://127.0.0.1:8200
+ vault status
+ vault operator init
+ vault operator unseal
+ # paste key-fragment 1
+ vault operator unseal
+ # paste key-fragment 2
+ vault operator unseal
+ # paste key-fragment 3
+ vault login
+ # paste root token
diff --git a/examples/k8s/vault/deployment-volumes.yaml b/examples/k8s/vault/deployment-volumes.yaml
new file mode 100644
index 0000000..08dc134
--- /dev/null
+++ b/examples/k8s/vault/deployment-volumes.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vault
+spec:
+ template:
+ spec:
+ containers:
+ - name: vault
+ volumeMounts:
+ - name: vault-data
+ mountPath: /macos/.wiki-k8s/vault
+ volumes:
+ - name: vault-data
+ hostPath:
+ path: /macos/.wiki-k8s/vault
diff --git a/examples/k8s/vault/kustomization.yaml b/examples/k8s/vault/kustomization.yaml
new file mode 100644
index 0000000..b7146a0
--- /dev/null
+++ b/examples/k8s/vault/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: vault
+ newName: vault
+ newTag: 1.3.1
+resources:
+- vault.yaml
+patchesStrategicMerge:
+- deployment-volumes.yaml
diff --git a/examples/k8s/vault/vault.yaml b/examples/k8s/vault/vault.yaml
new file mode 100644
index 0000000..231d40e
--- /dev/null
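Review bot: The `hostPath` entry under `volumes` in deployment-volumes.yaml carries no `type:`, so the kubelet performs no check on `/macos/.wiki-k8s/vault` before mounting and, if the directory is missing, whether it is created or the pod fails to start depends on the runtime; `type: DirectoryOrCreate` makes the intent explicit. The path is coupled to `storage.file.path` in vault.yaml's ConfigMap only by string equality, which a comment on the volume should say: `# must equal storage.file.path in the vault-config ConfigMap`. Since vault.yaml sets no `runAsUser`/`runAsNonRoot`, the container presumably runs as root and writes Vault's storage directly onto the node filesystem, and `hostPath` also pins that data to whichever node the pod lands on — acceptable for a single-replica dev setup, but worth stating in the README so the patch is not copied into a multi-node cluster unchanged.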
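Review bot: `newTag: 1.3.1` in kustomization.yaml pins the image only by a mutable tag, so what `kubectl apply -k .` pulls can change without the manifest changing; kustomize `images` entries also accept a `digest:` field, so adding `digest: sha256:<DIGEST-PLACEHOLDER>` alongside the tag (and quoting it, `newTag: "1.3.1"`, so a future two-part tag is not read as a number) makes the deployed artifact reproducible. The same rule rewrites every `vault` image in vault.yaml, including the helm test pod, which is presumably intended. Separately, `resources` lists `vault.yaml` while the README's generation command redirects to `vault.html`; one of the two should be corrected so the documented procedure produces the file kustomize actually reads.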
+++ b/examples/k8s/vault/vault.yaml 
@@ -0,0 +1,181 @@
+---
+# Source: vault/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: vault
+ labels:
+ app: vault
+ release: "vault"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: vault
+ namespace: default
+---
+# Source: vault/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "vault-config"
+ labels:
+ app: "vault"
+ release: "vault"
+data:
+ config.json: |
+ {"listener":{"tcp":{"address":"[::]:8200","cluster_address":"[::]:8201","tls_disable":true}},"storage":{"file":{"path":"/macos/.wiki-k8s/vault"}}}
+---
+# Source: vault/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vault
+ labels:
+ app: vault
+ release: vault
+ annotations:
+ {}
+spec:
+ selector:
+ matchLabels:
+ app: vault
+ release: vault
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ template:
+ metadata:
+ labels:
+ app: vault
+ release: vault
+ annotations:
+ checksum/config: 6868eb00aa48ca9485c365c3523ae431e7031233a1c046817a32c61e24ea817d
+ spec:
+ containers:
+ - name: vault
+ image: "vault:1.2.3"
+ imagePullPolicy: IfNotPresent
+ command: ["vault", "server", "-config", "/vault/config/config.json"]
+ ports:
+ - containerPort: 8200
+ name: api
+ - containerPort: 8201
+ name: cluster-address
+ livenessProbe:
+ # Alive if Vault is successfully responding to requests
+ httpGet:
+ path: /v1/sys/health?standbyok=true&uninitcode=204&sealedcode=204&
+ port: 8200
+ scheme: HTTP
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ readinessProbe:
+ # Ready depends on preference
+ httpGet:
+ path: /v1/sys/health?standbycode=204&uninitcode=204&
+ port: 8200
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ securityContext:
+ readOnlyRootFilesystem: true
+ capabilities:
+ add:
+ - IPC_LOCK
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: VAULT_API_ADDR
+ value: "http://$(POD_IP):8200"
+ - name: VAULT_CLUSTER_ADDR
+ value: "https://$(POD_IP):8201"
+ - name: VAULT_LOG_LEVEL
+ value: "info"
+ resources:
+ {}
+ volumeMounts:
+ - name: vault-config
+ mountPath: /vault/config/
+ - name: vault-root
+ mountPath: /root/
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app: 'vault'
+ release: 'vault'
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ serviceAccountName: vault
+ volumes:
+ - name: vault-config
+ configMap:
+ name: "vault-config"
+ - name: vault-root
+ emptyDir: {}
+---
+# Source: vault/templates/pdb.yaml
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: vault
+spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app: vault
+ release: vault
+---
+# Source: vault/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault
+ labels:
+ app: vault
+ release: vault
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8200
+ protocol: TCP
+ targetPort: 8200
+ name: api
+ selector:
+ app: vault
+ release: vault
+---
+# Source: vault/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault
+ labels:
+ app: vault
+ release: "vault"
+---
+# Source: vault/templates/tests/test-vault-status.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "vault-vault-status-test"
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: vault-vault-status-test
+ image: "vault:1.2.3"
+ env:
+ - name: VAULT_ADDR
+ value: http://vault.default:8200
+ command: ["sh", "-c", "vault status"]
+ restartPolicy: Never