init

2022-07-27 22:37:33 +07:00
parent dcee510197
commit c3ba7baa48
11 changed files with 259 additions and 50 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1 @@
+VAULT_HOST=vault.domain.com
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 data/file/*
 data/logs/*
+.env

 !.gitkeep
--- a/README.md
+++ b/README.md
@@ -0,0 +1,62 @@
+# Vault test
+
+Настраиваем получение логопаса в под из внешнего vault-сервера
+
+## Общий порядок действий
+
+1. поднять vault сервер
+2. поднять heml-чарт
+3. настроить подключение из куба в vault
+4. добавить в vault тестовые секреты, запустить тестовый деплоймент и проверить что секреты получены
+
+### 1. запуск vault в докере
+
+1. docker compose up -d
+
+### 2. запуск heml-чарта
+
+1. прописываем в переменных адрес vault-сервера
+2. запускаем чарт `helm upgrade --install --create-namespace -n vault vault helm/vault`
+
+### 3. подключение из куба в vault
+
+1. `vault auth enable kubernetes`
+2. `TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)`
+3. `KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)`
+4. `KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')`
+5. прописываем конфиг соединения
+
+```bash
+vault write auth/kubernetes/config \
+     token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
+     kubernetes_host="$KUBE_HOST" \
+     kubernetes_ca_cert="$KUBE_CA_CERT" \
+     issuer="https://kubernetes.default.svc.cluster.local"
+```
+
+6. добавляем полиси доступа
+
+```bash
+vault policy write vault-test - <<EOF
+path "secret/data/vault-test/config" {
+  capabilities = ["read"]
+}
+EOF
+```
+
+7. формируем роль доступа с куба в вольт
+
+```bash
+vault write auth/kubernetes/role/vault-test \
+     bound_service_account_names=sa-vault \
+     bound_service_account_namespaces=vault-test \
+     policies=vault-test \
+     ttl=24h
+```
+
+### 4. Запуск тестового деплоя
+
+1. `vault login root`
+2. `vault kv put secret/vault-test/config username='vassiliy' password='password' database='testdb' psqlhost='psql-service'`
+3. `vault kv get -format=json secret/vault-test/config | jq ".data.data"`
+4. `k apply -f vault-test.yaml`
--- a/data/helpers/admin-policy.hcl
+++ b/data/helpers/admin-policy.hcl
@@ -0,0 +1,56 @@
+path "sys/health"
+{
+	capabilities = ["read", "sudo"]
+}
+path "sys/policies/acl"
+{
+	capabilities = ["list"]
+}
+path "sys/policies/acl/*"
+{
+	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+path "auth/*"
+{
+	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+path "sys/auth/*"
+{
+	capabilities = ["create", "update", "delete", "sudo"]
+}
+path "sys/auth"
+{
+	capabilities = ["read"]
+}
+path "kv/*"
+{
+	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+path "secret/*"
+{
+	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+path "identity/entity-alias"
+{
+	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+path "identity/entity-alias/*"
+{
+	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+path "identity/entity"
+{
+	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+path "identity/entity/*"
+{
+	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+path "sys/mounts/*"
+{
+	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+path "sys/mounts"
+{
+	capabilities = ["read"]
+}
--- a/data/helpers/init.sh
+++ b/data/helpers/init.sh
@@ -0,0 +1,29 @@
+apk add jq curl
+export VAULT_ADDR=http://localhost:8200
+root_token=$(cat /helpers/keys.json | jq -r '.root_token')
+unseal_vault() {
+export VAULT_TOKEN=$root_token
+vault operator unseal -address=${VAULT_ADDR} $(cat /helpers/keys.json | jq -r '.keys[0]')
+vault login token=$VAULT_TOKEN
+}
+if [[ -n "$root_token" ]]
+then
+  echo "Vault already initialized"
+  unseal_vault
+else
+  echo "Vault not initialized"
+  curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://127.0.0.1:8200/v1/sys/init > /helpers/keys.json
+  root_token=$(cat /helpers/keys.json | jq -r '.root_token')
+
+  unseal_vault
+
+  vault secrets enable -version=2 kv
+  vault auth enable approle
+  vault policy write admin-policy /helpers/admin-policy.hcl
+  vault write auth/approle/role/dev-role token_policies="admin-policy"
+  vault read -format=json auth/approle/role/dev-role/role-id \
+    | jq -r '.data.role_id' > /helpers/role_id
+  vault write -format=json -f auth/approle/role/dev-role/secret-id \
+    | jq -r '.data.secret_id' > /helpers/secret_id
+fi
+printf "\n\nVAULT_TOKEN=%s\n\n" $VAULT_TOKEN
--- a/data/helpers/vault-agent.hcl
+++ b/data/helpers/vault-agent.hcl
@@ -0,0 +1,33 @@
+pid_file = "./pidfile"
+
+vault {
+	address = "http://vault:8200"
+	retry {
+		num_retries = 5
+	}
+}
+
+auto_auth {
+	method {
+		type = "approle"
+		config = {
+			role_id_file_path = "/helpers/role_id"
+			secret_id_file_path = "/helpers/secret_id"
+			remove_secret_id_file_after_reading = false
+		}
+	}
+	sink "file" {
+		config = {
+			path = "/helpers/sink_file"
+		}
+	}
+}
+
+cache {
+	use_auto_auth_token = true
+}
+
+listener "tcp" {
+	address = "0.0.0.0:8200"
+	tls_disable = true
+}
--- a/deploument.yaml
+++ b/deploument.yaml
@@ -1,30 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: orgchart
-  namespace: vault
-  labels:
-    app: orgchart
-spec:
-  selector:
-    matchLabels:
-      app: orgchart
-  replicas: 1
-  template:
-    metadata:
-      annotations:
-        vault.hashicorp.com/agent-inject: 'true'
-        vault.hashicorp.com/agent-inject-status: 'update'
-        vault.hashicorp.com/role: 'internal-app'
-        vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config'
-        vault.hashicorp.com/agent-inject-template-database-config.txt: |
-          {{- with secret "internal/data/database/config" -}}
-          postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard
-          {{- end -}}
-      labels:
-        app: orgchart
-    spec:
-      serviceAccountName: internal-app
-      containers:
-        - name: orgchart
-          image: jweissig/app:0.0.1
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,33 +1,55 @@
 version: '3.8'
 services:
  myvault:
-    image: vault
+    image: hashicorp/vault
    container_name: vault
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vault.entrypoints=https"
-      - "traefik.http.routers.vault.rule=Host(`vault.bildme.ru`)"
+      - "traefik.http.routers.vault.rule=Host(`$VAULT_HOST`)"
      - "traefik.http.routers.vault.tls=true"
      - "traefik.http.routers.vault.tls.certresolver=letsEncrypt"
      - "traefik.http.services.vault-service.loadbalancer.server.port=8200"
      - "traefik.docker.network=webproxy"
-    expose:
-      - 8200
+    entrypoint: vault server -config=/vault/config/vault.hcl
    environment:
      VAULT_API_ADDR: "http://0.0.0.0:8200"
    volumes:
      - ./data/file:/vault/file
+      - ./data/helpers:/helpers
      - ./data/config/:/vault/config/
      - ./data/logs/:/vault/logs/
      - ./data/plugins/:/vault/plugins/
    cap_add:
      - IPC_LOCK
-    entrypoint: vault server -config=/vault/config/vault.hcl
+    healthcheck:
+      test: wget --no-verbose --tries=1 --spider http://localhost:8200 || exit 1
+      interval: 10s
+      retries: 12
+      start_period: 10s
+      timeout: 10s
+    expose:
+      - 8200
    networks:
      - vault_net
      - webproxy

+  vault-agent:
+    container_name: vault-agent
+    image: hashicorp/vault
+    restart: always
+    environment:
+      VAULT_ADDR: "http://vault:8200"
+    entrypoint: "vault agent -log-level debug -config=/helpers/vault-agent.hcl"
+    depends_on:
+      vault:
+        condition: service_healthy
+    volumes:
+      - ./data/helpers:/helpers
+    networks:
+      - vault_net
+
 networks:
  vault_net:
    name: vault_net
--- a/helm/vault/values.yaml
+++ b/helm/vault/values.yaml
@@ -40,16 +40,16 @@ injector:

  # If true, will enable a node exporter metrics endpoint at /metrics.
  metrics:
-    enabled: false
+    enabled: true

  # External vault server address for the injector to use. Setting this will
  # disable deployment of a vault server along with the injector.
-  externalVaultAddr: ""
+  externalVaultAddr: "https://vault.bildme.ru"

  # image sets the repo and tag of the vault-k8s image to use for the injector.
  image:
    repository: "hashicorp/vault-k8s"
-    tag: "0.14.2"
+    tag: "0.16.1"
    pullPolicy: IfNotPresent

  # agentImage sets the repo and tag of the Vault image to use for the Vault Agent
@@ -57,7 +57,7 @@ injector:
  # required.
  agentImage:
    repository: "hashicorp/vault"
-    tag: "1.9.2"
+    tag: "1.10.5"

  # The default values for the injected Vault Agent containers.
  agentDefaults:
@@ -216,7 +216,7 @@ injector:

 server:
  # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details
-  enabled: true
+  enabled: false

  # [Enterprise Only] This value refers to a Kubernetes secret that you have
  # created that contains your enterprise license. If you are not using an
@@ -236,7 +236,7 @@ server:

  image:
    repository: "hashicorp/vault"
-    tag: "1.9.2"
+    tag: "1.10.5"
    # Overrides the default Image Pull Policy
    pullPolicy: IfNotPresent

@@ -724,7 +724,7 @@ ui:
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
-  enabled: true
+  enabled: false
  publishNotReadyAddresses: true
  # The service should only contain selectors for active Vault pod
  activeVaultPodOnly: false
@@ -764,7 +764,7 @@ csi:

  image:
    repository: "hashicorp/vault-csi-provider"
-    tag: "0.4.0"
+    tag: "1.1.0"
    pullPolicy: IfNotPresent

  # volumes is a list of volumes made available to all containers. These are rendered
--- a/patch-inject-secrets.yaml
+++ b/patch-inject-secrets.yaml
@@ -1,7 +0,0 @@
-spec:
-  template:
-    metadata:
-      annotations:
-        vault.hashicorp.com/agent-inject: 'true'
-        vault.hashicorp.com/role: 'internal-app'
-        vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config'
--- a/vault-test.yaml
+++ b/vault-test.yaml
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault-test
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sa-vault
+  namespace: vault-test
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault-test-deployment
+  namespace: vault-test
+  labels:
+    app: vault-test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: vault-test
+  template:
+    metadata:
+      labels:
+        app: vault-test
+      annotations:
+        vault.hashicorp.com/agent-inject: 'true'
+        vault.hashicorp.com/role: 'devweb-app'
+        vault.hashicorp.com/agent-inject-secret-credentials.txt: 'secret/data/vault-test/config'
+        vault.hashicorp.com/agent-inject-template-credentials.txt: |
+          {{- with secret "secret/data/vault-test/config" -}}
+          postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.psqlhost }}:5432/{{ .Data.data.database }}
+          {{- end -}}
+    spec:
+      serviceAccountName: sa-vault
+      containers:
+        - name: app
+          image: nginx