init

.gitignore

@@ -1,5 +1,6 @@
 data/file/*
 data/logs/*
 .env
+keys.json
 
 !.gitkeep

README.md

@@ -11,7 +11,9 @@
 
 ### 1. запуск vault в докере
 
-1. docker compose up -d
+1. `./start.sh`
+2. `export VAULT_ADDR=https://vault.domain.com`
+3. `vault login`
 
 ### 2. запуск heml-чарта
 
@@ -21,10 +23,11 @@
 ### 3. подключение из куба в vault
 
 1. `vault auth enable kubernetes`
-2. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)`
+2. подсмотреть имя у VAULT_HELM_SECRET_NAME=vault-token-xxxxx
-3. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)`
+3. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)`
-4. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')`
+4. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)`
-5. прописываем конфиг соединения
+5. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')`
+6. прописываем конфиг соединения
 
 ```bash
 vault write auth/kubernetes/config \
@@ -34,17 +37,17 @@ vault write auth/kubernetes/config \
      issuer="https://kubernetes.default.svc.cluster.local"
 ```
 
-6. добавляем полиси доступа
+7. добавляем полиси доступа
 
 ```bash
 vault policy write vault-test - <<EOF
-path "secret/data/vault-test/config" {
+path "kv/secret/data/vault-test/config" {
   capabilities = ["read"]
 }
 EOF
 ```
 
-7. формируем роль доступа с куба в вольт
+8. формируем роль доступа с куба в вольт
 
 ```bash
 vault write auth/kubernetes/role/vault-test \
@@ -56,7 +59,6 @@ vault write auth/kubernetes/role/vault-test \
 
 ### 4. Запуск тестового деплоя
 
-1. `vault login root`
+1. `vault kv put kv/secret/data/vault-test/config username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
-2. `vault kv put secret/vault-test/config username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
+2. `vault kv get -format=json kv/secret/data/vault-test/config | jq ".data.data"`
-3. `vault kv get -format=json secret/vault-test/config | jq ".data.data"`
+3. `k apply -f vault-test.yaml`
-4. `k apply -f vault-test.yaml`

data/helpers/admin-policy.hcl

@@ -1,56 +0,0 @@
-path "sys/health"
-{
-	capabilities = ["read", "sudo"]
-}
-path "sys/policies/acl"
-{
-	capabilities = ["list"]
-}
-path "sys/policies/acl/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "auth/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "sys/auth/*"
-{
-	capabilities = ["create", "update", "delete", "sudo"]
-}
-path "sys/auth"
-{
-	capabilities = ["read"]
-}
-path "kv/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "secret/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "identity/entity-alias"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "identity/entity-alias/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "identity/entity"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "identity/entity/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "sys/mounts/*"
-{
-	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-path "sys/mounts"
-{
-	capabilities = ["read"]
-}

data/helpers/init.sh

@@ -1,29 +1,28 @@
 apk add jq curl
+
 export VAULT_ADDR=http://localhost:8200
+
 root_token=$(cat /helpers/keys.json | jq -r '.root_token')
+
 unseal_vault() {
-export VAULT_TOKEN=$root_token
+	export VAULT_TOKEN=$root_token
-vault operator unseal -address=${VAULT_ADDR} $(cat /helpers/keys.json | jq -r '.keys[0]')
+	vault operator unseal -address=${VAULT_ADDR} $(cat /helpers/keys.json | jq -r '.keys[0]')
-vault login token=$VAULT_TOKEN
+	vault login token=$VAULT_TOKEN
 }
+
 if [[ -n "$root_token" ]]
 then
   echo "Vault already initialized"
   unseal_vault
 else
   echo "Vault not initialized"
-  curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://127.0.0.1:8200/v1/sys/init > /helpers/keys.json
+  curl -s --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://${VAULT_ADDR}/v1/sys/init > /helpers/keys.json
   root_token=$(cat /helpers/keys.json | jq -r '.root_token')
 
   unseal_vault
 
   vault secrets enable -version=2 kv
-  vault auth enable approle
+	vault auth enable kubernetes
-  vault policy write admin-policy /helpers/admin-policy.hcl
-  vault write auth/approle/role/dev-role token_policies="admin-policy"
-  vault read -format=json auth/approle/role/dev-role/role-id \
-    | jq -r '.data.role_id' > /helpers/role_id
-  vault write -format=json -f auth/approle/role/dev-role/secret-id \
-    | jq -r '.data.secret_id' > /helpers/secret_id
 fi
+
 printf "\n\nVAULT_TOKEN=%s\n\n" $VAULT_TOKEN

data/helpers/vault-agent.hcl

@@ -1,33 +0,0 @@
-pid_file = "./pidfile"
-
-vault {
-	address = "http://vault:8200"
-	retry {
-		num_retries = 5
-	}
-}
-
-auto_auth {
-	method {
-		type = "approle"
-		config = {
-			role_id_file_path = "/helpers/role_id"
-			secret_id_file_path = "/helpers/secret_id"
-			remove_secret_id_file_after_reading = false
-		}
-	}
-	sink "file" {
-		config = {
-			path = "/helpers/sink_file"
-		}
-	}
-}
-
-cache {
-	use_auto_auth_token = true
-}
-
-listener "tcp" {
-	address = "0.0.0.0:8200"
-	tls_disable = true
-}

docker-compose.yaml

@@ -1,6 +1,6 @@
 version: '3.8'
 services:
-  myvault:
+  vault:
     image: hashicorp/vault
     container_name: vault
     restart: always
@@ -29,29 +29,16 @@ services:
       retries: 12
       start_period: 10s
       timeout: 10s
-    expose:
+    # expose:
-      - 8200
+    #   - 8200
-    networks:
+    ports:
-      - vault_net
+      - "8200:8200"
-      - webproxy
-
-  vault-agent:
-    container_name: vault-agent
-    image: hashicorp/vault
-    restart: always
-    environment:
-      VAULT_ADDR: "http://vault:8200"
-    entrypoint: "vault agent -log-level debug -config=/helpers/vault-agent.hcl"
-    depends_on:
-      vault:
-        condition: service_healthy
-    volumes:
-      - ./data/helpers:/helpers
     networks:
       - vault_net
+      # - webproxy
 
 networks:
   vault_net:
     name: vault_net
-  webproxy:
+  # webproxy:
-    name: webproxy
+  #   name: webproxy

k8s/vault-test.yaml

@@ -29,10 +29,10 @@ spec:
         app: vault-test
       annotations:
         vault.hashicorp.com/agent-inject: 'true'
-        vault.hashicorp.com/role: 'devweb-app'
+        vault.hashicorp.com/role: 'vault-test'
-        vault.hashicorp.com/agent-inject-secret-credentials.txt: 'secret/data/vault-test/config'
+        vault.hashicorp.com/agent-inject-secret-credentials.txt: 'kv/secret/data/vault-test/config'
         vault.hashicorp.com/agent-inject-template-credentials.txt: |
-          {{- with secret "secret/data/vault-test/config" -}}
+          {{- with secret "kv/secret/data/vault-test/config" -}}
           postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.psqlhost }}:5432/{{ .Data.data.database }}
           {{- end -}}
     spec:

start.sh

@@ -0,0 +1,9 @@
+#!bin/bash
+
+docker compose up -d
+
+while [[ ! $(docker inspect -f {{.State.Health.Status}} vault) == "healthy" ]]; do
+		sleep 0.5;
+done
+
+docker exec vault /bin/sh -c "source /helpers/init.sh"