From c3ba7baa48c03c86cb07916bc2bfb822adc8ef49 Mon Sep 17 00:00:00 2001 From: Vassiliy Yegorov Date: Wed, 27 Jul 2022 22:37:33 +0700 Subject: [PATCH] init --- .env.example | 1 + .gitignore | 1 + README.md | 62 +++++++++++++++++++++++++++++++++++ data/helpers/admin-policy.hcl | 56 +++++++++++++++++++++++++++++++ data/helpers/init.sh | 29 ++++++++++++++++ data/helpers/vault-agent.hcl | 33 +++++++++++++++++++ deploument.yaml | 30 ----------------- docker-compose.yaml | 32 +++++++++++++++--- helm/vault/values.yaml | 16 ++++----- patch-inject-secrets.yaml | 7 ---- vault-test.yaml | 42 ++++++++++++++++++++++++ 11 files changed, 259 insertions(+), 50 deletions(-) create mode 100644 .env.example create mode 100644 README.md create mode 100644 data/helpers/admin-policy.hcl create mode 100644 data/helpers/init.sh create mode 100644 data/helpers/vault-agent.hcl delete mode 100644 deploument.yaml delete mode 100644 patch-inject-secrets.yaml create mode 100644 vault-test.yaml diff --git a/.env.example b/.env.example new file mode 100644 index 0000000..f8dcb61 --- /dev/null +++ b/.env.example @@ -0,0 +1 @@ +VAULT_HOST=vault.domain.com diff --git a/.gitignore b/.gitignore index 49a02ca..a64c032 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ data/file/* data/logs/* +.env !.gitkeep diff --git a/README.md b/README.md new file mode 100644 index 0000000..f7f0600 --- /dev/null +++ b/README.md 
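Review bot: Nothing in the `.gitignore` hunk ignores the credential files the rest of this commit generates under `data/helpers/`: init.sh writes `/helpers/keys.json` (the root token is read back from it), `/helpers/role_id` and `/helpers/secret_id`, and vault-agent.hcl sinks the auto-auth token to `/helpers/sink_file`, all inside the host-mounted `./data/helpers` directory, so they will be staged by the next `git add .`. Only `.env` is added here, which leaves the far more sensitive Vault material unprotected. Add `data/helpers/*` followed by `!data/helpers/*.hcl` and `!data/helpers/init.sh` next to `.env`, so the committed helpers stay tracked while anything init.sh or the agent produces there is excluded.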
@@ -0,0 +1,62 @@ +# Vault test + +Настраиваем получение логопаса в под из внешнего vault-сервера + +## Общий порядок действий + +1. поднять vault сервер +2. поднять heml-чарт +3. настроить подключение из куба в vault +4. добавить в vault тестовые секреты, запустить тестовый деплоймент и проверить что секреты получены + +### 1. запуск vault в докере + +1. docker compose up -d + +### 2. запуск heml-чарта + +1. прописываем в переменных адрес vault-сервера +2. запускаем чарт `helm upgrade --install --create-namespace -n vault vault helm/vault` + +### 3. подключение из куба в vault + +1. `vault auth enable kubernetes` +2. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)` +3. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)` +4. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')` +5. прописываем конфиг соединения + +```bash +vault write auth/kubernetes/config \ + token_reviewer_jwt="$TOKEN_REVIEW_JWT" \ + kubernetes_host="$KUBE_HOST" \ + kubernetes_ca_cert="$KUBE_CA_CERT" \ + issuer="https://kubernetes.default.svc.cluster.local" +``` + +6. добавляем полиси доступа + +```bash +vault policy write vault-test - < /helpers/keys.json + root_token=$(cat /helpers/keys.json | jq -r '.root_token') + + unseal_vault + + vault secrets enable -version=2 kv + vault auth enable approle + vault policy write admin-policy /helpers/admin-policy.hcl + vault write auth/approle/role/dev-role token_policies="admin-policy" + vault read -format=json auth/approle/role/dev-role/role-id \ + | jq -r '.data.role_id' > /helpers/role_id + vault write -format=json -f auth/approle/role/dev-role/secret-id \ + | jq -r '.data.secret_id' > /helpers/secret_id +fi +printf "\n\nVAULT_TOKEN=%s\n\n" $VAULT_TOKEN 
diff --git a/data/helpers/vault-agent.hcl b/data/helpers/vault-agent.hcl
new file mode 100644
index 0000000..b4a515a
--- /dev/null
+++ b/data/helpers/vault-agent.hcl
@@ -0,0 +1,33 @@
+pid_file = "./pidfile"
+
+vault {
+ address = "http://vault:8200"
+ retry {
+ num_retries = 5
+ }
+}
+
+auto_auth {
+ method {
+ type = "approle"
+ config = {
+ role_id_file_path = "/helpers/role_id"
+ secret_id_file_path = "/helpers/secret_id"
+ remove_secret_id_file_after_reading = false
+ }
+ }
+ sink "file" {
+ config = {
+ path = "/helpers/sink_file"
+ }
+ }
+}
+
+cache {
+ use_auto_auth_token = true
+}
+
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_disable = true
+}
diff --git a/deploument.yaml b/deploument.yaml
deleted file mode 100644
index 008a32a..0000000
--- a/deploument.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: orgchart
- namespace: vault
- labels:
- app: orgchart
-spec:
- selector:
- matchLabels:
- app: orgchart
- replicas: 1
- template:
- metadata:
- annotations:
- vault.hashicorp.com/agent-inject: 'true'
- vault.hashicorp.com/agent-inject-status: 'update'
- vault.hashicorp.com/role: 'internal-app'
- vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config'
- vault.hashicorp.com/agent-inject-template-database-config.txt: |
- {{- with secret "internal/data/database/config" -}}
- postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard
- {{- end -}}
- labels:
- app: orgchart
- spec:
- serviceAccountName: internal-app
- containers:
- - name: orgchart
- image: jweissig/app:0.0.1
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 4413055..6385a52 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
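Review bot: `listener "tcp"` binds the agent to `0.0.0.0:8200` with `tls_disable = true`, and `cache { use_auto_auth_token = true }` forwards any request that arrives without a Vault token using the agent's own auto-auth token, which per this commit's init.sh is a `dev-role` token carrying `admin-policy`; every container that can reach `vault-agent` on `vault_net` therefore gets admin access over plain HTTP without authenticating. Bind the listener to loopback, `address = "127.0.0.1:8200"`, or set `require_request_header = true` on it so callers have to opt in explicitly. `remove_secret_id_file_after_reading = false` also leaves `/helpers/secret_id` in the host-mounted `./data/helpers` directory indefinitely; if it is kept on purpose so the agent survives restarts, a comment such as `# kept on disk so the agent can re-login after a restart; rotate via init.sh` would stop someone from "cleaning it up" later. The `deploument.yaml` section in this span is a pure deletion and needs no review.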
@@ -1,33 +1,55 @@ version: '3.8' services: myvault: - image: vault + image: hashicorp/vault container_name: vault restart: always labels: - "traefik.enable=true" - "traefik.http.routers.vault.entrypoints=https" - - "traefik.http.routers.vault.rule=Host(`vault.bildme.ru`)" + - "traefik.http.routers.vault.rule=Host(`$VAULT_HOST`)" - "traefik.http.routers.vault.tls=true" - "traefik.http.routers.vault.tls.certresolver=letsEncrypt" - "traefik.http.services.vault-service.loadbalancer.server.port=8200" - "traefik.docker.network=webproxy" - expose: - - 8200 + entrypoint: vault server -config=/vault/config/vault.hcl environment: VAULT_API_ADDR: "http://0.0.0.0:8200" volumes: - ./data/file:/vault/file + - ./data/helpers:/helpers - ./data/config/:/vault/config/ - ./data/logs/:/vault/logs/ - ./data/plugins/:/vault/plugins/ cap_add: - IPC_LOCK - entrypoint: vault server -config=/vault/config/vault.hcl + healthcheck: + test: wget --no-verbose --tries=1 --spider http://localhost:8200 || exit 1 + interval: 10s + retries: 12 + start_period: 10s + timeout: 10s + expose: + - 8200 networks: - vault_net - webproxy + vault-agent: + container_name: vault-agent + image: hashicorp/vault + restart: always + environment: + VAULT_ADDR: "http://vault:8200" + entrypoint: "vault agent -log-level debug -config=/helpers/vault-agent.hcl" + depends_on: + vault: + condition: service_healthy + volumes: + - ./data/helpers:/helpers + networks: + - vault_net + networks: vault_net: name: vault_net diff --git a/helm/vault/values.yaml b/helm/vault/values.yaml index 859cfd1..6bc8efc 100644 --- a/helm/vault/values.yaml +++ b/helm/vault/values.yaml 
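Review bot: `depends_on:` under the new `vault-agent` service references `vault`, but no service of that name is declared in this file; the Vault service is `myvault`, and `vault` is only its `container_name`. Compose resolves `depends_on` by service name, so as written the stack should be rejected with an undefined-service error before anything starts; change it to `depends_on:` / `myvault:` / `condition: service_healthy`. `VAULT_ADDR: "http://vault:8200"` is a different matter and should keep working, since container names are resolvable on the user-defined network. The agent entrypoint also runs with `-log-level debug` under `restart: always`; given this container holds the AppRole credentials and the auto-auth token, switch to `-log-level info` once bring-up is verified so token and request details do not accumulate in the container logs.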
@@ -40,16 +40,16 @@ injector: # If true, will enable a node exporter metrics endpoint at /metrics. metrics: - enabled: false + enabled: true # External vault server address for the injector to use. Setting this will # disable deployment of a vault server along with the injector. - externalVaultAddr: "" + externalVaultAddr: "https://vault.bildme.ru" # image sets the repo and tag of the vault-k8s image to use for the injector. image: repository: "hashicorp/vault-k8s" - tag: "0.14.2" + tag: "0.16.1" pullPolicy: IfNotPresent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent @@ -57,7 +57,7 @@ injector: # required. agentImage: repository: "hashicorp/vault" - tag: "1.9.2" + tag: "1.10.5" # The default values for the injected Vault Agent containers. agentDefaults: @@ -216,7 +216,7 @@ injector: server: # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details - enabled: true + enabled: false # [Enterprise Only] This value refers to a Kubernetes secret that you have # created that contains your enterprise license. If you are not using an @@ -236,7 +236,7 @@ server: image: repository: "hashicorp/vault" - tag: "1.9.2" + tag: "1.10.5" # Overrides the default Image Pull Policy pullPolicy: IfNotPresent @@ -724,7 +724,7 @@ ui: # serviceType can be used to control the type of service created. For # example, setting this to "LoadBalancer" will create an external load # balancer (for supported K8S installations) to access the UI. - enabled: true + enabled: false publishNotReadyAddresses: true # The service should only contain selectors for active Vault pod activeVaultPodOnly: false @@ -764,7 +764,7 @@ csi: image: repository: "hashicorp/vault-csi-provider" - tag: "0.4.0" + tag: "1.1.0" pullPolicy: IfNotPresent # volumes is a list of volumes made available to all containers. These are rendered 
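Review bot: `externalVaultAddr: "https://vault.bildme.ru"` in the first hunk commits a concrete production hostname into the chart defaults, while the same commit removes that hostname from docker-compose.yaml in favour of `$VAULT_HOST` read from `.env` (`.env.example` ships `vault.domain.com`). Keep the values file environment-neutral, `externalVaultAddr: "https://vault.domain.com"` to match `.env.example`, and supply the real address at install time with `--set injector.externalVaultAddr=https://<vault-host>`, which is also what the README's "прописываем в переменных адрес" step implies. The remaining hunks in this section are image-tag bumps and enable/disable toggles and need no change.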
diff --git a/patch-inject-secrets.yaml b/patch-inject-secrets.yaml deleted file mode 100644 index 5fafcc8..0000000 --- a/patch-inject-secrets.yaml +++ /dev/null @@ -1,7 +0,0 @@ -spec: - template: - metadata: - annotations: - vault.hashicorp.com/agent-inject: 'true' - vault.hashicorp.com/role: 'internal-app' - vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config' diff --git a/vault-test.yaml b/vault-test.yaml new file mode 100644 index 0000000..74c06e9 --- /dev/null +++ b/vault-test.yaml @@ -0,0 +1,42 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: vault-test +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sa-vault + namespace: vault-test +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vault-test-deployment + namespace: vault-test + labels: + app: vault-test +spec: + replicas: 1 + selector: + matchLabels: + app: vault-test + template: + metadata: + labels: + app: vault-test + annotations: + vault.hashicorp.com/agent-inject: 'true' + vault.hashicorp.com/role: 'devweb-app' + vault.hashicorp.com/agent-inject-secret-credentials.txt: 'secret/data/vault-test/config' + vault.hashicorp.com/agent-inject-template-credentials.txt: | + {{- with secret "secret/data/vault-test/config" -}} + postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.psqlhost }}:5432/{{ .Data.data.database }} + {{- end -}} + spec: + serviceAccountName: sa-vault + containers: + - name: app + image: nginx
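Review bot: `image: nginx` in the `app` container of vault-test.yaml carries no tag, so each rollout resolves to whatever `latest` is at pull time, which makes a deployment meant to verify secret injection non-reproducible; pin it, e.g. `image: nginx:<pinned-tag>`. `vault.hashicorp.com/role: 'devweb-app'` must match a Kubernetes auth role on the Vault side, and the README in this commit (its hunk is truncated in this view) only names a `vault-test` policy, so if the role ends up created under another name the injector's init container will fail authentication; worth confirming against the role definition. The deleted `deploument.yaml` set `vault.hashicorp.com/agent-inject-status: 'update'` and this manifest drops it, which is fine if the pod is expected to be restarted on rotation rather than re-rendered; a one-line comment on the annotations block stating that intent would save the next reader the comparison. The `patch-inject-secrets.yaml` section in this span is a pure deletion and needs no review.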