up ver vault, add bank-vavult examples

bank-vaults/README.md

@@ -0,0 +1,72 @@
+# Bank-vault (от banzai-cloud)
+
+[почитать тут](https://bank-vaults.dev/docs/mutating-webhook/)
+
+1. helm upgrade --install --create-namespace -n vault vault helm/vault
+
+**Vaults webhooks**
+
+```bash
+helm upgrade --install --create-namespace --namespace vswh --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set configMapMutation=true
+kubectl kustomize https://github.com/bank-vaults/vault-operator/deploy/rbac | kubectl apply -f -
+```
+
+2. после запуска идем в первый vault-0 и инитим его (и открываем сразу)
+
+```bash
+vault operator init -key-shares=1 -key-threshold=1
+vault operator unseal <key1>
+vault login <key1>
+```
+
+3. настроим k8s для работы с вольтом
+
+```bash
+vault auth enable kubernetes
+vault write auth/kubernetes/config \
+  token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+  kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
+  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+```
+
+4. создаем политику доступа
+
+```bash
+vault policy write vault-test - <<EOF
+path "kv/data/myenvs" {
+  capabilities = ["read"]
+}
+EOF
+```
+
+5. создаем роль
+
+```bash
+vault write auth/kubernetes/role/vault-test \
+        bound_service_account_names=vault \
+        bound_service_account_namespaces=vault-test,vswh  \
+        policies=vault-test \
+        ttl=2h
+```
+
+```bash
+vault write auth/kubernetes/role/default \
+        bound_service_account_names=* \
+        bound_service_account_namespaces=*  \
+        policies=vault-test \
+        ttl=2h
+```
+
+6. импортируем секрет и запускаем деплой
+
+создаем kv
+
+```bash
+vault secrets enable -path=kv -version=2 kv
+```
+
+создаем секрет `myenvs`, содержимое можно взять из примера keys.json
+
+```bash
+kubectl bank-vaults/vault-test.yaml
+```

bank-vaults/vault-test.yaml

@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault-test
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+  namespace: vault-test
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-key-secret
+  namespace: vault-test
+  annotations:
+    vault.security.banzaicloud.io/vault-addr: "http://vault.vault.svc:8200"
+    vault.security.banzaicloud.io/vault-skip-verify: "true"
+    vault.security.banzaicloud.io/vault-path: "kubernetes"
+stringData:
+  APPLE: vault:kv/data/myenvs#APPLE
+type: Opaque
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-key-configmap
+  namespace: vault-test
+  annotations:
+    vault.security.banzaicloud.io/vault-addr: "http://vault.vault.svc:8200"
+    vault.security.banzaicloud.io/vault-skip-verify: "true"
+    vault.security.banzaicloud.io/vault-path: "kubernetes"
+data:
+  BANANA: vault:kv/data/myenvs#BANANA
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault-test
+  namespace: vault-test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vault
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vault
+      annotations:
+        vault.security.banzaicloud.io/vault-addr: "http://vault.vault.svc:8200"
+        vault.security.banzaicloud.io/vault-role: "vault-test"
+        vault.security.banzaicloud.io/vault-skip-verify: "true"
+        vault.security.banzaicloud.io/vault-path: "kubernetes"
+        vault.security.banzaicloud.io/vault-env-from-path: "kv/data/myenvs"
+    spec:
+      serviceAccountName: vault
+      containers:
+      - name: alpine
+        image: alpine
+        command: ["sh", "-c", "echo $BLUEBERRY && echo going to sleep... && sleep 10000"]
+        env:
+        - name: BLUEBERRY
+          value: vault:kv/data/myenvs#BLUEBERRY
+        - name: CARROT
+          value: vault:kv/data/myenvs#CARROT
+        - name: CUCUMBER
+          value: vault:kv/data/myenvs#CUCUMBER