diff --git a/init/app_sample.yaml b/init/app_sample.yaml
new file mode 100644
index 0000000..f7be87b
--- /dev/null
+++ b/init/app_sample.yaml
@@ -0,0 +1,53 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: demo
+spec:
+ template:
+ metadata:
+ labels:
+ app: demo-app
+ spec:
+ #serviceAccountName: default
+ initContainers:
+ - name: vault-init
+ image: chrislevi/kube-vault-auth-init
+ imagePullPolicy: Always
+ #image: wealthwizardsengineering/kube-vault-auth-init
+ env:
+ - name: KUBERNETES_AUTH_PATH
+ value: "kubernetes"
+ - name: VAULT_ADDR
+ value: "https://dev-vault:8200"
+ - name: VAULT_SKIP_VERIFY
+ value: "true"
+ - name: VAULT_LOGIN_ROLE
+ value: "demo-role"
+ - name: SECRET_FOO
+ value: "secret/demo?foo"
+ volumeMounts:
+ - name: shared-data
+ mountPath: /env
+ containers:
+ - name: vault-renewer
+ imagePullPolicy: Always
+ image: chrislevi/kube-vault-auth-renewer
+ #image: wealthwizardsengineering/kube-vault-auth-renewer
+ env:
+ - name: RENEW_INTERVAL
+ value: "21600"
+ - name: VAULT_ADDR
+ value: "https://dev-vault:8200"
+ volumeMounts:
+ - name: shared-data
+ mountPath: /env
+ - name: my-app
+ image: alpine
+ command: ["/bin/sh", "-c", "source /env/variables; cat /env/variables"]
+ volumeMounts:
+ - name: shared-data
+ mountPath: /env
+ volumes:
+ - name: shared-data
+ emptyDir: {}
+
diff --git a/init/bind.yml b/init/bind.yml
new file mode 100644
index 0000000..4fe7dcf
--- /dev/null
+++ b/init/bind.yml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: fabric8-rbac
+subjects:
+ - kind: ServiceAccount
+ # Reference to upper's `metadata.name`
+ name: default
+ # Reference to upper's `metadata.namespace`
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
diff --git a/init/ca.crt b/init/ca.crt
new file mode 100644
index 0000000..fee2cb5
--- /dev/null
+++ b/init/ca.crt
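Review bot: The `vault-init` container sets `VAULT_SKIP_VERIFY` to `"true"` while talking to `https://dev-vault:8200`, so the init step accepts any certificate presented for the Vault endpoint; the same setting appears in `init/curl_sample.yml`. Since this commit also adds `init/ca.crt` and `init/minikube.ca.crt`, the sample could mount the CA into the container and point the standard `VAULT_CACERT` variable at it (assuming the init image honours it — worth confirming), keeping verification on. Separately, `my-app`'s command ends with `cat /env/variables`, which writes the fetched secrets to the container's stdout and therefore into pod logs; a sample that people copy as a template should use `ls /env/` (as `curl_sample.yml` does) or mark the line `# debug only — prints secrets to the pod log`. The manifest also uses `extensions/v1beta1` without a `spec.selector`, which `apps/v1` requires.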
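Review bot: `bind.yml` grants `cluster-admin` to the `default` ServiceAccount of the `default` namespace, which is the identity every pod in that namespace runs with unless it sets `serviceAccountName` — including the `demo` Deployment in this commit, whose `serviceAccountName` line is commented out — so every such workload becomes cluster-admin. The Vault Kubernetes auth flow set up in `init/kubeAuth.sh` appears to need only the token-review delegation that `init/vault-token-sa2.yaml` already grants to `vault-tokenreview` via `system:auth-delegator`, so this binding looks unnecessary for the flow shown. If it is kept for local testing, the two comments `# Reference to upper's metadata.name` / `metadata.namespace` are misleading because no ServiceAccount document precedes the binding in this file; a comment such as `# Dev-only: makes every pod using the default SA in namespace default cluster-admin` would state the actual effect.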
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIMFT+6TEZgXghgaYhaMA0GCSqGSIb3DQEBCwUAMBUxEzAR
+BgNVBAMTCmt1YmVybmV0ZXMwHhcNMTgwNzA3MTQ0MDM1WhcNMjgwNzA2MTQ0MDM1
+WjAVMRMwEQYDVQQDEwprdWJlcm5ldGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAnsRDq96vCApwnF+C1vATVTpG//0djlpF3g/Nx+GGK4QuUi8TI1wT
+nTw5VBuJ7Qyvg87hIacgDmJf77IX11J1Ey/RdXLOJM7SLNV2Qvk8R/cDEQwG3lHd
+gPBVX/7o0Ueedc/L7YbNSULbe0g9vsIbVZEuNIA4DTMFv1NjjVe0eTGNkPo26SAy
++gQOfd8SrYFcZWw414rgS5A/MAwgD8jPNLUB4i0bvoHX7kzrU6fisQnDlCwDGO9d
+0cOxlLJdmbEE86zjhwcGTMhTIOjBdhBqy5JfRKshJI95whAtIZAUCayHlZLQUrHX
+YMWvxLXlMXEEoQr+fhQ1pUvJLInbvDZG7QIDAQABoyMwITAOBgNVHQ8BAf8EBAMC
+AQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAiZ+f9F4BffV+
+Eo3E0y9cZo38cs5gnhoxHKeXPXlGI7/el3IknXRTL5YxN6pnlr0tWAGfRGJkvq4L
+2TwmQu2AiMo+aIxDCenxiC0TAvKjQ4XlNd0Bqufuoc7h9rsnv/iMwNynk3EBb45B
+pR6vfhNCS3MdaeCNVVuQY+HfGzSt+PS4mqRoIBkJEEYwi4n7LDsRiRFJClapB7nU
+puzgRg1C5aglc0cMI92d1xu7AJDbdBe9O0Z1zsMsWBaVr3ENuGoE5wAYoy3WDBh9
+93tUeJ14hY+0miMQgutQfWkqJvmVLqRZTTUiTR+oun/o26F3yytXvP6aHc9PBW1e
+Sx3VUnVQGQ==
+-----END CERTIFICATE-----
diff --git a/init/curl_sample.yml b/init/curl_sample.yml
new file mode 100644
index 0000000..d3b2a67
--- /dev/null
+++ b/init/curl_sample.yml
@@ -0,0 +1,55 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: demo
+spec:
+ template:
+ metadata:
+ labels:
+ app: demo-app
+ spec:
+ #serviceAccountName: default
+ initContainers:
+ - name: vault-init
+ image: chrislevi/kube-vault-auth-init
+ imagePullPolicy: Always
+ #image: wealthwizardsengineering/kube-vault-auth-init
+ env:
+ - name: KUBERNETES_AUTH_PATH
+ value: "kubernetes"
+ - name: VAULT_ADDR
+ value: "https://dev-vault:8200"
+ - name: VAULT_SKIP_VERIFY
+ value: "true"
+ - name: VAULT_LOGIN_ROLE
+ value: "demo-role"
+ - name: SECRET_FOO
+ value: "secret/demo?foo"
+ - name: SECRET_REDIS_SERVICE_PASSWORD
+ value: "secret/demo?REDIS_SERVICE_PASSWORD"
+ volumeMounts:
+ - name: shared-data
+ mountPath: /env
+ containers:
+ - name: vault-renewer
+ imagePullPolicy: Always
+ image: chrislevi/kube-vault-auth-renewer
+ #image: wealthwizardsengineering/kube-vault-auth-renewer
+ env:
+ - name: RENEW_INTERVAL
+ value: "21600"
+ - name: VAULT_ADDR
+ value: "https://dev-vault:8200"
+ volumeMounts:
+ - name: shared-data
+ mountPath: /env
+ - name: my-app
+ image: alpine
+ command: ["/bin/sh", "-c", "source /env/variables; ls /env/"]
+ volumeMounts:
+ - name: shared-data
+ mountPath: /env
+ volumes:
+ - name: shared-data
+ emptyDir: {}
+
diff --git a/init/deploy.sh b/init/deploy.sh
new file mode 100755
index 0000000..8086fb1
--- /dev/null
+++ b/init/deploy.sh
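Review bot: `curl_sample.yml` defines a `Deployment` named `demo` with the same `app: demo-app` label as `init/app_sample.yaml`, so applying one file into the same namespace replaces the other's pod template instead of running both samples side by side. Giving the two Deployments distinct `metadata.name` values (for example `demo` and `demo-curl`) and distinct `app` labels would avoid the silent overwrite. Apart from the extra `SECRET_REDIS_SERVICE_PASSWORD` entry and the `ls /env/` command the file duplicates `app_sample.yaml` line for line, so a one-line comment at the top saying what this variant demonstrates would help readers pick the right one.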
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+#set -x
+REL=${1-"dev"}
+NAMESPACE=${2-"default"}
+DEPLOY_DIR=$(pwd)
+
+echo "----------------------------- Purging ----------------------------"
+helm del --purge ${REL} || /usr/bin/true
+kubectl delete configmap,job ${REL}-vault-consul-preinstall ${REL}-vault-vault-preinstall || /usr/bin/true
+
+echo "----------------------------- Installing -------------------------"
+helm install --name ${REL} --namespace ${NAMESPACE} ../helm_charts/vault
+RC=$?
+helm list | grep ${REL}
+
+if [ $RC -eq 0 ]
+then
+ echo -n " "
+ i=1
+ sp="/-\|"
+ echo -n ' '
+ RUNNING=0
+ while [ ${RUNNING} -lt 3 ];
+ do
+ sleep 1
+ printf "\b${sp:i++%${#sp}:1}"
+ done
+else
+ exit
+fi
+
+# TODO FIXME smarter way to wait_for vault
+echo "----------------------------- Initializing -----------------------"
+sleep 10
+exec ${DEPLOY_DIR}/vault-init.sh ${REL} ${NAMESPACE}
+
+#echo "----------------------------- Unsealing --------------------------"
+sleep 5
+exec ${DEPLOY_DIR}/vault-unseal.sh ${REL} ${NAMESPACE}
diff --git a/init/env b/init/env
new file mode 100644
index 0000000..29bcb5a
--- /dev/null
+++ b/init/env
@@ -0,0 +1 @@
+export FOO=bar
diff --git a/init/kubeAuth.sh b/init/kubeAuth.sh
new file mode 100755
index 0000000..ad933c2
--- /dev/null
+++ b/init/kubeAuth.sh
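Review bot: The spinner loop `while [ ${RUNNING} -lt 3 ]` never assigns `RUNNING` after `RUNNING=0`, so once `helm install` succeeds the script spins forever and the initialization section below it is unreachable; the body needs to poll something (presumably the number of running vault pods via `kubectl get po`, as the `# TODO FIXME smarter way to wait_for vault` line hints) and store it in `RUNNING`, or the loop should go and the `sleep 10` do the waiting. Even after that, `exec ${DEPLOY_DIR}/vault-init.sh ${REL} ${NAMESPACE}` replaces the shell, so the `sleep 5` and the `vault-unseal.sh` call after it would never run; invoke it as `"${DEPLOY_DIR}/vault-init.sh" "${REL}" "${NAMESPACE}"` and likewise for the unseal script. Note also that `DEPLOY_DIR=$(pwd)` and the chart path `../helm_charts/vault` both depend on the caller's working directory; `DEPLOY_DIR=$(cd "$(dirname "$0")" && pwd)` pins them to the script's location.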
@@ -0,0 +1,53 @@
+#!/bin/sh
+set -x
+
+export VAULT_ADDR=https://127.0.0.1:8200
+export VAULT_SKIP_VERIFY=true
+export VAULT_TOKEN=0371f985-9c07-260a-f044-10f9113abbde
+export SERVICE_ACC="vault-tokenreview"
+
+kubectl create serviceaccount ${SERVICE_ACC}
+export SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACC} -o jsonpath='{.secrets[0].name}')
+export TR_ACCOUNT_TOKEN=$(kubectl get secret ${SECRET_NAME} -o jsonpath='{.data.token}' | base64 --decode)
+
+#export KUBE_API=$(kubectl cluster-info | head -1 | awk -F" " '{print $6}')
+#export KUBE_API="https://api.ac.fuze.tikal.io"
+export KUBE_API="https://192.168.99.105:8443"
+kubectl apply -f vault-token-sa2.yaml
+
+vault status
+vault auth enable approle
+vault auth enable kubernetes
+
+vault write auth/kubernetes/config \
+ token_reviewer_jwt="${TR_ACCOUNT_TOKEN}" \
+ kubernetes_host=${KUBE_API} \
+ kubernetes_ca_cert=@minikube.ca.crt
+
+vault write sys/policy/demo-policy policy=@policy.hcl
+vault write auth/kubernetes/role/demo-role \
+ bound_service_account_names=default \
+ bound_service_account_namespaces=default \
+ policies=demo-policy \
+ ttl=8h
+
+vault write auth/approle/role/demo-role \
+ secret_id_ttl=1h \
+ secret_id_num_uses=10 \
+ period=24h \
+ bind_secret_id="true" \
+ policies="demo-policy"
+ token_num_uses=10
+ token_ttl=1h
+
+#vault write auth/approle/role/demo \
+# secret_id_ttl=1h \
+# token_num_uses=4 \
+# token_ttl=1h \
+# token_max_ttl=1h \
+# secret_id_num_uses=40
+
+export ROLE_ID=$(vault read -format=json auth/approle/role/demo-role/role-id | jq -r '.data.role_id')
+export SECRET_ID=$(vault write -format=json -f auth/approle/role/demo-role/secret-id | jq -r '.data.secret_id')
+
+
diff --git a/init/minikube.ca.crt b/init/minikube.ca.crt
new file mode 100644
index 0000000..af8dc46
--- /dev/null
+++ b/init/minikube.ca.crt
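Review bot: `export VAULT_TOKEN=0371f985-…` commits a Vault token to the repository, and `set -x` on the second line echoes it (and the `TR_ACCOUNT_TOKEN` JWT read from the ServiceAccount secret) into whatever captures the script's output; take it from the environment instead, e.g. `: "${VAULT_TOKEN:?set VAULT_TOKEN to a token allowed to write sys/policy and auth/*}"`, and treat the committed value as disclosed and rotate it. In the `vault write auth/approle/role/demo-role` invocation the line `policies="demo-policy"` has no trailing `\`, so `token_num_uses=10` and `token_ttl=1h` run as separate shell commands (command not found) rather than being applied to the role; append `\` to that line. `VAULT_SKIP_VERIFY=true` is also exported even though `minikube.ca.crt` is already read by this script for `kubernetes_ca_cert`, so the Vault CA could likewise be supplied via `VAULT_CACERT` instead of disabling verification.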
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
+a3ViZUNBMB4XDTE4MDMyODEzNDQwNVoXDTI4MDMyNTEzNDQwNVowFTETMBEGA1UE
+AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALB4
+nM3CuTpY5rB/TDBhpfUWC5lna28oU1OlyyLWNefxPq6cnSPZq9z098XCS/CiM9M+
+P5scuLiILsqFEtnCjEAF11zizhKpnS5XB0BCzFnyrh87mX8qpqYCVcNTfNMrzxdZ
+NxI/xus1rrZRvFguTQEMTVzANfGnODTAHvO3LObpUqKhrrpbFli3aUmJL5z5X1T/
+pzFgxCNcrymXYSU+pApq+CI8mymWfaFWVvhGr8HYL0n0z/n8hO2KrYBDwzZZBc0T
+dqp1b+q0VkXUpzGrvAZmflgohv+kGO0UreQCtbubNgkdQkBdSGyrNiH7gk0bJu5T
+cnmWpGp+3zZCP10soAsCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
+MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQB8joEjn87TrS1cs6+BYGpchcJIeBH+bcdCz8w1+eE1j0EIK/px
+ZCiJuV0aNKZclSEeiekpQSYXFa15FezfXtaiuFrMshX7NdRVONM6Pv87NQzkZ5YE
+r0dJtd2CcnQt1kE+mZ8lmKwWwKQY/6mEmMQs4f0yTKpRwFeV8OfKILVD0fD3XhNp
+mThcfsF0JZtNjignFDuw9sND737AgBoKhTx2+c3bOK0GExIORh2D89do1kMpsTWA
+RSc3VUgr7T3ZuGvChDDO9SF8DX2+Mial2IgyXQ0FwxThfgIMXXtOVJ9oaY3+JXwN
+90K4cWbLjGsq1Ak8VqeIG7GhgE63/tAsF29z
+-----END CERTIFICATE-----
diff --git a/init/policy-approle.hcl b/init/policy-approle.hcl
new file mode 100644
index 0000000..af2edc9
--- /dev/null
+++ b/init/policy-approle.hcl
@@ -0,0 +1,7 @@
+path "auth/approle/role/my-app-role/role-id" {
+ capabilities = ["read"]
+}
+
+path "auth/approle/role/my-app-role/secret-id" {
+ capabilities = ["update"]
+}
diff --git a/init/policy-kube.hcl b/init/policy-kube.hcl
new file mode 100644
index 0000000..2c91865
--- /dev/null
+++ b/init/policy-kube.hcl
@@ -0,0 +1,3 @@
+path "secret/demo" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
diff --git a/init/policy.hcl b/init/policy.hcl
new file mode 100644
index 0000000..797765c
--- /dev/null
+++ b/init/policy.hcl
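Review bot: `policy-approle.hcl` grants access under `auth/approle/role/my-app-role/`, but the only AppRole this commit creates (in `init/kubeAuth.sh`) is `demo-role`, and that script loads `policy.hcl`, not this file, so the policy is both unreferenced and points at a role that nothing provisions. Either drop it together with `policy-kube.hcl` (also unreferenced; its content is the first stanza of `policy.hcl`) or rename the path to `demo-role` and add a header comment naming the script that is expected to load it, e.g. `# Loaded by: <provisioning script> — lets an app fetch its own AppRole credentials`.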
@@ -0,0 +1,11 @@
+path "secret/demo" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "auth/approle/role/demo-role/role-id" {
+ capabilities = ["read"]
+}
+
+path "auth/approle/role/demo-role/secret-id" {
+ capabilities = ["update"]
+}
diff --git a/init/redeploy.sh b/init/redeploy.sh
new file mode 100755
index 0000000..9fc289e
--- /dev/null
+++ b/init/redeploy.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -x
+export REL=${1-"secret"}
+export NAMESPACE=${2-"vault"}
+
+helm del --purge ${REL} || /usr/bin/true
+kubectl delete configmap,job ${REL}-vault-consul-preinstall ${REL}-vault-vault-preinstall || /usr/bin/true
+helm install --name ${REL} --namespace ${NAMESPACE} helm_charts/vault
+helm list | grep ${REL}
diff --git a/init/vault-init.sh b/init/vault-init.sh
index 0d419eb..a1834b9 100755
--- a/init/vault-init.sh
+++ b/init/vault-init.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+#set -x
 if [ $# -lt 2 ]
 then
@@ -11,16 +12,16 @@ RELEASE=$1
 NAMESPACE=$2
 CHART_NAME="vault"
 COMPONENT="${RELEASE}-vault"
-ADD_SECRET=${3-"false"}
+ADD_SECRET=${3-"true"}
 SECRET_NAME="$RELEASE-vault-keys"
 LABELS=$(kubectl get secret -l release=$RELEASE -n $NAMESPACE --show-labels | sed -n 2p | awk '{print $5}' | sed 's/\,/ /g')
 FIRST_VAULT_POD=$(kubectl get po -l component=$COMPONENT,release=$RELEASE -n $NAMESPACE | awk '{if(NR==2)print $1}')
-INIT_MESSAGE=$(kubectl exec -n $NAMESPACE -c $RELEASE $FIRST_VAULT_POD -- sh -c "vault operator init --tls-skip-verify" 2>&1)
+INIT_MESSAGE=$(kubectl exec -n $NAMESPACE -c $COMPONENT $FIRST_VAULT_POD -- sh -c "vault operator init --tls-skip-verify" 2>&1)
 echo "$INIT_MESSAGE"
-if [[ ${INIT_MESSAGE} != *"Error initializing Vault"* && "${ADD_SECRET}" == "true" ]]; then
+if [[ ${INIT_MESSAGE} != *"Error initializing"* && "${ADD_SECRET}" == "true" ]]; then
 echo
 echo
 echo "Deleting existing Vault key secret"
diff --git a/init/vault-token-sa.yaml b/init/vault-token-sa.yaml
new file mode 100644
index 0000000..99b865d
--- /dev/null
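Review bot: `policy.hcl` is the policy `init/kubeAuth.sh` attaches to both the Kubernetes auth role and the AppRole (`policies=demo-policy`), yet the consumers in this commit only read from `secret/demo` (`SECRET_FOO: secret/demo?foo` in the sample manifests), so `create`, `update`, `delete` and `list` on that path exceed what the pods need; `capabilities = ["read"]` would suffice for the workload stanza. The two `auth/approle/role/demo-role/*` stanzas let any holder of this policy mint further secret-ids for the same role, which is a bootstrap privilege rather than a workload one; moving them into a separate policy attached only to the identity that provisions AppRole credentials keeps the pod-facing policy minimal. A one-line comment above each stanza saying which identity is meant to use it would make the split obvious to the next reader.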
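Review bot: `helm install ... helm_charts/vault` in `redeploy.sh` uses a path relative to the caller's working directory, while `deploy.sh` uses `../helm_charts/vault`, so the script only works from one specific directory and the two scripts disagree about where the chart lives; resolving the chart from the script's own location, e.g. `CHART="$(cd "$(dirname "$0")/.." && pwd)/helm_charts/vault"`, fixes both. The defaults `REL=${1-"secret"}` / `NAMESPACE=${2-"vault"}` also differ from `deploy.sh`'s `dev` / `default`; if that is intentional a comment such as `# defaults match the "secret" release used by vault-token-sa.yaml` would record why.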
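Review bot: `ADD_SECRET=${3-"true"}` turns storing the `vault operator init` output in the `$RELEASE-vault-keys` Secret into the default rather than an explicit opt-in, while the unchanged `echo "$INIT_MESSAGE"` still prints that output — which `vault operator init` emits together with the unseal keys and the initial root token — to stdout, so any log that captures `deploy.sh` now holds them by default. If the new default is intended for the local dev flow, say so on that line, e.g. `# default "true": persist unseal keys + root token as a k8s Secret (dev only)`, and limit the echo to the failure case: `[[ ${INIT_MESSAGE} == *"Error initializing"* ]] && echo "$INIT_MESSAGE"`. The loosened pattern `*"Error initializing"*` still lets other `kubectl exec` failures (no pod matched, wrong container name) through the `if`, since those messages do not contain that text; checking the exit status of the `kubectl exec` call alongside the pattern would close that gap. The script continues beyond this hunk, so the branch body is not visible here.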
+++ b/init/vault-token-sa.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault-token-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-token-sa-binding
+ namespace: secret
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: vault-token-sa
+ namespace: secret
diff --git a/init/vault-token-sa2.yaml b/init/vault-token-sa2.yaml
new file mode 100644
index 0000000..b655500
--- /dev/null
+++ b/init/vault-token-sa2.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-tokenreview-binding
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: vault-tokenreview
+ namespace: default
diff --git a/init/vault-unseal.sh b/init/vault-unseal.sh
index d518aa7..5c578b8 100755
--- a/init/vault-unseal.sh
+++ b/init/vault-unseal.sh
@@ -1,3 +1,6 @@
+#!/bin/bash
+#set -x
+
 if [ $# -lt 2 ]
 then
 echo "Invalid arguments provided"
@@ -20,5 +23,5 @@ do
 KEY=$(echo "$UNSEAL_KEYS" | sed "${i}q;d" | base64 --decode)
 kubectl get po -l component=$COMPONENT,release=$RELEASE -n $NAMESPACE \
 | awk '{if(NR>1)print $1}' \
- | xargs -I % kubectl exec -n $NAMESPACE -c $RELEASE % -- sh -c "vault operator unseal --tls-skip-verify $KEY";
+ | xargs -I % kubectl exec -n $NAMESPACE -c $COMPONENT % -- sh -c "vault operator unseal --tls-skip-verify $KEY";
 done
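Review bot: The `ClusterRoleBinding` carries `metadata.namespace: secret`, but ClusterRoleBindings are cluster-scoped, so that field is ignored (or rejected under strict validation) and conveys nothing; the same field appears on the binding in `init/vault-token-sa2.yaml` as `namespace: default`. The `ServiceAccount` document in this file has no `metadata.namespace`, so it is created in whatever namespace `kubectl` is currently pointed at, while the binding's subject refers to `vault-token-sa` in `secret`; adding `namespace: secret` under the ServiceAccount's `metadata` (and dropping it from the binding's `metadata`) makes the file self-consistent. Note that `init/kubeAuth.sh` applies `vault-token-sa2.yaml` and creates its ServiceAccount imperatively, so this file appears unused by the scripted flow and would benefit from a comment saying when it is meant to be applied.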
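Review bot: The unseal key is interpolated into the command line, `sh -c "vault operator unseal --tls-skip-verify $KEY"`, so it is visible in the exec'd process's argv inside every Vault container and in any record of `kubectl exec` arguments; `vault operator unseal` prompts for the key when none is given, so feeding it on stdin — `kubectl exec -i ... -- vault operator unseal --tls-skip-verify` with `$KEY` piped in — keeps it out of argv (worth confirming the non-interactive read works with the image in use). The xargs line is also indented by a single space after collapsing, so the continuation structure (`\` on the two lines above) should be re-checked once the file is viewed with its original whitespace. The loop this hunk belongs to starts before the hunk (`do` is only the context trailer), so the iteration bound on `$i` is not visible here.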