This commit is contained in:
Vassiliy Yegorov
2022-07-27 22:37:33 +07:00
parent dcee510197
commit c3ba7baa48
11 changed files with 259 additions and 50 deletions

1
.env.example Normal file

@@ -0,0 +1 @@
VAULT_HOST=vault.domain.com

1
.gitignore vendored

@@ -1,4 +1,5 @@
data/file/* data/file/*
data/logs/* data/logs/*
.env
!.gitkeep !.gitkeep

62
README.md Normal file

@@ -0,0 +1,62 @@
# Vault test
Настраиваем получение логопаса в под из внешнего vault-сервера
## Общий порядок действий
1. поднять vault сервер
2. поднять heml-чарт
3. настроить подключение из куба в vault
4. добавить в vault тестовые секреты, запустить тестовый деплоймент и проверить что секреты получены
### 1. запуск vault в докере
1. docker compose up -d
### 2. запуск heml-чарта
1. прописываем в переменных адрес vault-сервера
2. запускаем чарт `helm upgrade --install --create-namespace -n vault vault helm/vault`
### 3. подключение из куба в vault
1. `vault auth enable kubernetes`
2. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)`
3. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)`
4. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')`
5. прописываем конфиг соединения
```bash
vault write auth/kubernetes/config \
token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
kubernetes_host="$KUBE_HOST" \
kubernetes_ca_cert="$KUBE_CA_CERT" \
issuer="https://kubernetes.default.svc.cluster.local"
```
6. добавляем полиси доступа
```bash
vault policy write vault-test - <<EOF
path "secret/data/vault-test/config" {
capabilities = ["read"]
}
EOF
```
7. формируем роль доступа с куба в вольт
```bash
vault write auth/kubernetes/role/vault-test \
bound_service_account_names=sa-vault \
bound_service_account_namespaces=vault-test \
policies=vault-test \
ttl=24h
```
### 4. Запуск тестового деплоя
1. `vault login root`
2. `vault kv put secret/vault-test/config username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
3. `vault kv get -format=json secret/vault-test/config | jq ".data.data"`
4. `k apply -f vault-test.yaml`


@@ -0,0 +1,56 @@
path "sys/health"
{
capabilities = ["read", "sudo"]
}
path "sys/policies/acl"
{
capabilities = ["list"]
}
path "sys/policies/acl/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}
path "sys/auth"
{
capabilities = ["read"]
}
path "kv/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts"
{
capabilities = ["read"]
}
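Review bot: This policy is root-equivalent rather than a scoped development policy: sudo on `auth/*`, `sys/auth/*` and `sys/policies/acl/*` lets any holder enable new auth methods and rewrite every ACL, so the `dev-role` that `data/helpers/init.sh` binds to it (and whose token the agent caches) can grant itself anything. The page does not show this file's name; it appears to be the `/helpers/admin-policy.hcl` that init.sh loads. The file has no header, and a short one would set expectations: `# Root-equivalent policy for the local compose stack only; scope dev-role to the paths the agent actually reads before reusing it elsewhere.`. If the agent only needs the test secret, a policy granting `read` on `secret/data/vault-test/*` would do the same job for it.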

29
data/helpers/init.sh Normal file

@@ -0,0 +1,29 @@
apk add jq curl
export VAULT_ADDR=http://localhost:8200
root_token=$(cat /helpers/keys.json | jq -r '.root_token')
unseal_vault() {
export VAULT_TOKEN=$root_token
vault operator unseal -address=${VAULT_ADDR} $(cat /helpers/keys.json | jq -r '.keys[0]')
vault login token=$VAULT_TOKEN
}
if [[ -n "$root_token" ]]
then
echo "Vault already initialized"
unseal_vault
else
echo "Vault not initialized"
curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://127.0.0.1:8200/v1/sys/init > /helpers/keys.json
root_token=$(cat /helpers/keys.json | jq -r '.root_token')
unseal_vault
vault secrets enable -version=2 kv
vault auth enable approle
vault policy write admin-policy /helpers/admin-policy.hcl
vault write auth/approle/role/dev-role token_policies="admin-policy"
vault read -format=json auth/approle/role/dev-role/role-id \
| jq -r '.data.role_id' > /helpers/role_id
vault write -format=json -f auth/approle/role/dev-role/secret-id \
| jq -r '.data.secret_id' > /helpers/secret_id
fi
printf "\n\nVAULT_TOKEN=%s\n\n" $VAULT_TOKEN
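Review bot: The initialisation path has no failure handling: without `set -eu`, a failed `curl` to `/v1/sys/init` (Vault not yet listening, or already initialised) leaves `keys.json` empty or holding an error body, `root_token` becomes empty or the literal string `null` (what `jq -r` prints for a missing key), and `unseal_vault` then runs with an empty or bogus key while the remaining `vault` commands execute unauthenticated. Add a shebang and `set -eu` at the top, and check the response before using it, e.g. `[ -n "$root_token" ] && [ "$root_token" != null ] || { echo "vault init failed"; exit 1; }`. The `[[ ... ]]` on the `if` line also assumes bash or busybox ash; with a shebang the requirement is explicit. Separately, the final `printf` writes the root token to the container's stdout, and `keys.json`, `role_id` and `secret_id` all land unencrypted in the bind-mounted `./data/helpers` directory; dropping the `printf` at least keeps the root token out of `docker logs`.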


@@ -0,0 +1,33 @@
pid_file = "./pidfile"
vault {
address = "http://vault:8200"
retry {
num_retries = 5
}
}
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "/helpers/role_id"
secret_id_file_path = "/helpers/secret_id"
remove_secret_id_file_after_reading = false
}
}
sink "file" {
config = {
path = "/helpers/sink_file"
}
}
}
cache {
use_auto_auth_token = true
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}
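Review bot: The `listener "tcp"` block binds the agent's API proxy to `0.0.0.0:8200` with `tls_disable = true`, and `cache { use_auto_auth_token = true }` means a request that arrives without a token is forwarded to Vault with the agent's own AppRole token — the admin-policy token — without the caller authenticating. The page does not show this file's name, but the compose entrypoint loads `/helpers/vault-agent.hcl`; that compose file publishes no port for the agent, yet every container on `vault_net` can reach it. Bind to loopback unless another container genuinely needs the proxy, `address = "127.0.0.1:8200"`, and set `require_request_header = true` on the listener so a client has to opt in explicitly. The `sink "file"` at `/helpers/sink_file` also writes the token in clear to the bind-mounted helpers directory, and `remove_secret_id_file_after_reading = false` keeps the secret-id there too; acceptable for a throwaway stack, but a comment on those two lines saying so would stop the file being copied as-is.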


@@ -1,30 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: orgchart
namespace: vault
labels:
app: orgchart
spec:
selector:
matchLabels:
app: orgchart
replicas: 1
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/agent-inject-status: 'update'
vault.hashicorp.com/role: 'internal-app'
vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config'
vault.hashicorp.com/agent-inject-template-database-config.txt: |
{{- with secret "internal/data/database/config" -}}
postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard
{{- end -}}
labels:
app: orgchart
spec:
serviceAccountName: internal-app
containers:
- name: orgchart
image: jweissig/app:0.0.1


@@ -1,33 +1,55 @@
version: '3.8' version: '3.8'
services: services:
myvault: myvault:
image: vault image: hashicorp/vault
container_name: vault container_name: vault
restart: always restart: always
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.vault.entrypoints=https" - "traefik.http.routers.vault.entrypoints=https"
- "traefik.http.routers.vault.rule=Host(`vault.bildme.ru`)" - "traefik.http.routers.vault.rule=Host(`$VAULT_HOST`)"
- "traefik.http.routers.vault.tls=true" - "traefik.http.routers.vault.tls=true"
- "traefik.http.routers.vault.tls.certresolver=letsEncrypt" - "traefik.http.routers.vault.tls.certresolver=letsEncrypt"
- "traefik.http.services.vault-service.loadbalancer.server.port=8200" - "traefik.http.services.vault-service.loadbalancer.server.port=8200"
- "traefik.docker.network=webproxy" - "traefik.docker.network=webproxy"
expose: entrypoint: vault server -config=/vault/config/vault.hcl
- 8200
environment: environment:
VAULT_API_ADDR: "http://0.0.0.0:8200" VAULT_API_ADDR: "http://0.0.0.0:8200"
volumes: volumes:
- ./data/file:/vault/file - ./data/file:/vault/file
- ./data/helpers:/helpers
- ./data/config/:/vault/config/ - ./data/config/:/vault/config/
- ./data/logs/:/vault/logs/ - ./data/logs/:/vault/logs/
- ./data/plugins/:/vault/plugins/ - ./data/plugins/:/vault/plugins/
cap_add: cap_add:
- IPC_LOCK - IPC_LOCK
entrypoint: vault server -config=/vault/config/vault.hcl healthcheck:
test: wget --no-verbose --tries=1 --spider http://localhost:8200 || exit 1
interval: 10s
retries: 12
start_period: 10s
timeout: 10s
expose:
- 8200
networks: networks:
- vault_net - vault_net
- webproxy - webproxy
vault-agent:
container_name: vault-agent
image: hashicorp/vault
restart: always
environment:
VAULT_ADDR: "http://vault:8200"
entrypoint: "vault agent -log-level debug -config=/helpers/vault-agent.hcl"
depends_on:
vault:
condition: service_healthy
volumes:
- ./data/helpers:/helpers
networks:
- vault_net
networks: networks:
vault_net: vault_net:
name: vault_net name: vault_net
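Review bot: The new `healthcheck` only confirms that something answers on port 8200, but `vault-agent` waits on `condition: service_healthy` and then needs an initialised, unsealed server; the `init.sh` helper that performs the init and unseal is not run by the compose file, so the agent starts against a sealed Vault and its AppRole login fails until someone runs the helper by hand. Point the check at the health endpoint, whose status code encodes seal state (200 only when initialised, unsealed and active): `test: wget --no-verbose --tries=1 --spider http://localhost:8200/v1/sys/health || exit 1`. The `./data/helpers` directory now appears to be mounted into both services, so the root token and unseal key that init.sh writes are readable from the agent container as well; if that is intended, a comment on the `myvault` volume line would save the next reader the question.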


@@ -40,16 +40,16 @@ injector:
# If true, will enable a node exporter metrics endpoint at /metrics. # If true, will enable a node exporter metrics endpoint at /metrics.
metrics: metrics:
enabled: false enabled: true
# External vault server address for the injector to use. Setting this will # External vault server address for the injector to use. Setting this will
# disable deployment of a vault server along with the injector. # disable deployment of a vault server along with the injector.
externalVaultAddr: "" externalVaultAddr: "https://vault.bildme.ru"
# image sets the repo and tag of the vault-k8s image to use for the injector. # image sets the repo and tag of the vault-k8s image to use for the injector.
image: image:
repository: "hashicorp/vault-k8s" repository: "hashicorp/vault-k8s"
tag: "0.14.2" tag: "0.16.1"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# agentImage sets the repo and tag of the Vault image to use for the Vault Agent # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -57,7 +57,7 @@ injector:
# required. # required.
agentImage: agentImage:
repository: "hashicorp/vault" repository: "hashicorp/vault"
tag: "1.9.2" tag: "1.10.5"
# The default values for the injected Vault Agent containers. # The default values for the injected Vault Agent containers.
agentDefaults: agentDefaults:
@@ -216,7 +216,7 @@ injector:
server: server:
# If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details
enabled: true enabled: false
# [Enterprise Only] This value refers to a Kubernetes secret that you have # [Enterprise Only] This value refers to a Kubernetes secret that you have
# created that contains your enterprise license. If you are not using an # created that contains your enterprise license. If you are not using an
@@ -236,7 +236,7 @@ server:
image: image:
repository: "hashicorp/vault" repository: "hashicorp/vault"
tag: "1.9.2" tag: "1.10.5"
# Overrides the default Image Pull Policy # Overrides the default Image Pull Policy
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@@ -724,7 +724,7 @@ ui:
# serviceType can be used to control the type of service created. For # serviceType can be used to control the type of service created. For
# example, setting this to "LoadBalancer" will create an external load # example, setting this to "LoadBalancer" will create an external load
# balancer (for supported K8S installations) to access the UI. # balancer (for supported K8S installations) to access the UI.
enabled: true enabled: false
publishNotReadyAddresses: true publishNotReadyAddresses: true
# The service should only contain selectors for active Vault pod # The service should only contain selectors for active Vault pod
activeVaultPodOnly: false activeVaultPodOnly: false
@@ -764,7 +764,7 @@ csi:
image: image:
repository: "hashicorp/vault-csi-provider" repository: "hashicorp/vault-csi-provider"
tag: "0.4.0" tag: "1.1.0"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# volumes is a list of volumes made available to all containers. These are rendered # volumes is a list of volumes made available to all containers. These are rendered
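Review bot: `externalVaultAddr` in the first hunk hard-codes `https://vault.bildme.ru` while the same commit moves the compose file's hostname behind `$VAULT_HOST` from `.env`, so the chart and the server drift the moment someone changes the variable. Pass it at install time and keep the committed default empty, `helm upgrade --install --create-namespace -n vault vault helm/vault --set injector.externalVaultAddr=https://$VAULT_HOST`, or at least add a comment next to the value naming the variable it must match. The `metrics.enabled: true` flip in the same hunk opens the injector's `/metrics` endpoint; nothing on the page scrapes it, so a one-line comment saying why it is on would help.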


@@ -1,7 +0,0 @@
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/role: 'internal-app'
vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config'

42
vault-test.yaml Normal file

@@ -0,0 +1,42 @@
apiVersion: v1
kind: Namespace
metadata:
name: vault-test
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-vault
namespace: vault-test
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-test-deployment
namespace: vault-test
labels:
app: vault-test
spec:
replicas: 1
selector:
matchLabels:
app: vault-test
template:
metadata:
labels:
app: vault-test
annotations:
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/role: 'devweb-app'
vault.hashicorp.com/agent-inject-secret-credentials.txt: 'secret/data/vault-test/config'
vault.hashicorp.com/agent-inject-template-credentials.txt: |
{{- with secret "secret/data/vault-test/config" -}}
postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.psqlhost }}:5432/{{ .Data.data.database }}
{{- end -}}
spec:
serviceAccountName: sa-vault
containers:
- name: app
image: nginx
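Review bot: The pod annotation `vault.hashicorp.com/role: 'devweb-app'` does not match the Kubernetes auth role the README creates in its step 7, `auth/kubernetes/role/vault-test`, which is bound to `sa-vault` in namespace `vault-test`; with this manifest the injector's login is rejected unless a `devweb-app` role also exists, which the page does not show. Change it to `vault.hashicorp.com/role: 'vault-test'` (or create the role under the name the annotation uses). The `app` container also pulls an unpinned `nginx` image; pinning a tag, e.g. `image: nginx:<pinned-tag>`, keeps the smoke test reproducible.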