Fix/init scripts

init/app_sample.yaml

@@ -0,0 +1,53 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: demo
+spec:
+  template:
+    metadata:
+      labels:
+        app: demo-app
+    spec:
+        #serviceAccountName: default
+      initContainers:
+      - name: vault-init
+        image: chrislevi/kube-vault-auth-init
+        imagePullPolicy: Always
+        #image: wealthwizardsengineering/kube-vault-auth-init
+        env:
+        - name: KUBERNETES_AUTH_PATH
+          value: "kubernetes"
+        - name: VAULT_ADDR
+          value: "https://dev-vault:8200"
+        - name: VAULT_SKIP_VERIFY
+          value: "true"
+        - name: VAULT_LOGIN_ROLE
+          value: "demo-role"
+        - name: SECRET_FOO
+          value: "secret/demo?foo"
+        volumeMounts:
+        - name: shared-data
+          mountPath: /env
+      containers:
+      - name: vault-renewer
+        imagePullPolicy: Always
+        image: chrislevi/kube-vault-auth-renewer
+        #image: wealthwizardsengineering/kube-vault-auth-renewer
+        env:
+        - name: RENEW_INTERVAL
+          value: "21600"
+        - name: VAULT_ADDR
+          value: "https://dev-vault:8200"
+        volumeMounts:
+        - name: shared-data
+          mountPath: /env
+      - name: my-app
+        image: alpine
+        command: ["/bin/sh", "-c", "source /env/variables; cat /env/variables"]
+        volumeMounts:
+        - name: shared-data
+          mountPath: /env
+      volumes:
+        - name: shared-data
+          emptyDir: {}
+

init/bind.yml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: fabric8-rbac
+subjects:
+  - kind: ServiceAccount
+    # Reference to upper's `metadata.name`
+    name: default
+    # Reference to upper's `metadata.namespace`
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

init/ca.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIMFT+6TEZgXghgaYhaMA0GCSqGSIb3DQEBCwUAMBUxEzAR
+BgNVBAMTCmt1YmVybmV0ZXMwHhcNMTgwNzA3MTQ0MDM1WhcNMjgwNzA2MTQ0MDM1
+WjAVMRMwEQYDVQQDEwprdWJlcm5ldGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAnsRDq96vCApwnF+C1vATVTpG//0djlpF3g/Nx+GGK4QuUi8TI1wT
+nTw5VBuJ7Qyvg87hIacgDmJf77IX11J1Ey/RdXLOJM7SLNV2Qvk8R/cDEQwG3lHd
+gPBVX/7o0Ueedc/L7YbNSULbe0g9vsIbVZEuNIA4DTMFv1NjjVe0eTGNkPo26SAy
++gQOfd8SrYFcZWw414rgS5A/MAwgD8jPNLUB4i0bvoHX7kzrU6fisQnDlCwDGO9d
+0cOxlLJdmbEE86zjhwcGTMhTIOjBdhBqy5JfRKshJI95whAtIZAUCayHlZLQUrHX
+YMWvxLXlMXEEoQr+fhQ1pUvJLInbvDZG7QIDAQABoyMwITAOBgNVHQ8BAf8EBAMC
+AQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAiZ+f9F4BffV+
+Eo3E0y9cZo38cs5gnhoxHKeXPXlGI7/el3IknXRTL5YxN6pnlr0tWAGfRGJkvq4L
+2TwmQu2AiMo+aIxDCenxiC0TAvKjQ4XlNd0Bqufuoc7h9rsnv/iMwNynk3EBb45B
+pR6vfhNCS3MdaeCNVVuQY+HfGzSt+PS4mqRoIBkJEEYwi4n7LDsRiRFJClapB7nU
+puzgRg1C5aglc0cMI92d1xu7AJDbdBe9O0Z1zsMsWBaVr3ENuGoE5wAYoy3WDBh9
+93tUeJ14hY+0miMQgutQfWkqJvmVLqRZTTUiTR+oun/o26F3yytXvP6aHc9PBW1e
+Sx3VUnVQGQ==
+-----END CERTIFICATE-----

init/curl_sample.yml

@@ -0,0 +1,55 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: demo
+spec:
+  template:
+    metadata:
+      labels:
+        app: demo-app
+    spec:
+        #serviceAccountName: default
+      initContainers:
+      - name: vault-init
+        image: chrislevi/kube-vault-auth-init
+        imagePullPolicy: Always
+        #image: wealthwizardsengineering/kube-vault-auth-init
+        env:
+        - name: KUBERNETES_AUTH_PATH
+          value: "kubernetes"
+        - name: VAULT_ADDR
+          value: "https://dev-vault:8200"
+        - name: VAULT_SKIP_VERIFY
+          value: "true"
+        - name: VAULT_LOGIN_ROLE
+          value: "demo-role"
+        - name: SECRET_FOO
+          value: "secret/demo?foo"
+        - name: SECRET_REDIS_SERVICE_PASSWORD
+          value: "secret/demo?REDIS_SERVICE_PASSWORD"
+        volumeMounts:
+        - name: shared-data
+          mountPath: /env
+      containers:
+      - name: vault-renewer
+        imagePullPolicy: Always
+        image: chrislevi/kube-vault-auth-renewer
+        #image: wealthwizardsengineering/kube-vault-auth-renewer
+        env:
+        - name: RENEW_INTERVAL
+          value: "21600"
+        - name: VAULT_ADDR
+          value: "https://dev-vault:8200"
+        volumeMounts:
+        - name: shared-data
+          mountPath: /env
+      - name: my-app
+        image: alpine
+        command: ["/bin/sh", "-c", "source /env/variables; ls /env/"]
+        volumeMounts:
+        - name: shared-data
+          mountPath: /env
+      volumes:
+        - name: shared-data
+          emptyDir: {}
+

init/deploy.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+#set -x
+REL=${1-"dev"}
+NAMESPACE=${2-"default"}
+DEPLOY_DIR=$(pwd)
+
+echo "----------------------------- Purging ----------------------------"
+helm del --purge ${REL} || /usr/bin/true
+kubectl delete configmap,job ${REL}-vault-consul-preinstall ${REL}-vault-vault-preinstall || /usr/bin/true
+
+echo "----------------------------- Installing -------------------------"
+helm install --name ${REL} --namespace ${NAMESPACE} ../helm_charts/vault
+RC=$?
+helm list | grep ${REL}
+
+if [ $RC -eq 0 ]
+then
+  echo -n " "
+  i=1
+  sp="/-\|"
+  echo -n ' '
+  RUNNING=0
+  while [ ${RUNNING} -lt 3 ];
+  do
+      sleep 1
+      printf "\b${sp:i++%${#sp}:1}"
+  done
+else
+    exit
+fi
+
+# TODO FIXME smarter way to wait_for vault
+echo "----------------------------- Initializing -----------------------"
+sleep 10
+exec ${DEPLOY_DIR}/vault-init.sh ${REL} ${NAMESPACE}
+
+#echo "----------------------------- Unsealing --------------------------"
+sleep 5
+exec ${DEPLOY_DIR}/vault-unseal.sh ${REL} ${NAMESPACE}

init/env

@@ -0,0 +1 @@
+export FOO=bar

init/kubeAuth.sh

@@ -0,0 +1,53 @@
+#!/bin/sh
+set -x
+
+export VAULT_ADDR=https://127.0.0.1:8200
+export VAULT_SKIP_VERIFY=true
+export VAULT_TOKEN=0371f985-9c07-260a-f044-10f9113abbde
+export SERVICE_ACC="vault-tokenreview"
+
+kubectl create serviceaccount ${SERVICE_ACC} 
+export SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACC} -o jsonpath='{.secrets[0].name}')
+export TR_ACCOUNT_TOKEN=$(kubectl get secret ${SECRET_NAME} -o jsonpath='{.data.token}' | base64 --decode)
+
+#export KUBE_API=$(kubectl cluster-info | head -1 | awk -F" " '{print $6}')
+#export KUBE_API="https://api.ac.fuze.tikal.io"
+export KUBE_API="https://192.168.99.105:8443"
+kubectl apply -f vault-token-sa2.yaml
+
+vault status
+vault auth enable approle
+vault auth enable kubernetes
+
+vault write auth/kubernetes/config \
+    token_reviewer_jwt="${TR_ACCOUNT_TOKEN}" \
+    kubernetes_host=${KUBE_API} \
+    [email protected]
+
+vault write sys/policy/demo-policy [email protected]
+vault write auth/kubernetes/role/demo-role \
+    bound_service_account_names=default \
+    bound_service_account_namespaces=default \
+    policies=demo-policy \
+    ttl=8h
+
+vault write auth/approle/role/demo-role \
+    secret_id_ttl=1h \
+    secret_id_num_uses=10 \
+    period=24h \
+    bind_secret_id="true" \
+    policies="demo-policy"
+    token_num_uses=10
+    token_ttl=1h
+
+#vault write auth/approle/role/demo \
+#    secret_id_ttl=1h \
+#    token_num_uses=4 \
+#    token_ttl=1h \
+#    token_max_ttl=1h \
+#    secret_id_num_uses=40
+
+export ROLE_ID=$(vault read -format=json auth/approle/role/demo-role/role-id | jq -r '.data.role_id')
+export SECRET_ID=$(vault write -format=json -f auth/approle/role/demo-role/secret-id | jq -r '.data.secret_id')
+
+

init/minikube.ca.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
+a3ViZUNBMB4XDTE4MDMyODEzNDQwNVoXDTI4MDMyNTEzNDQwNVowFTETMBEGA1UE
+AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALB4
+nM3CuTpY5rB/TDBhpfUWC5lna28oU1OlyyLWNefxPq6cnSPZq9z098XCS/CiM9M+
+P5scuLiILsqFEtnCjEAF11zizhKpnS5XB0BCzFnyrh87mX8qpqYCVcNTfNMrzxdZ
+NxI/xus1rrZRvFguTQEMTVzANfGnODTAHvO3LObpUqKhrrpbFli3aUmJL5z5X1T/
+pzFgxCNcrymXYSU+pApq+CI8mymWfaFWVvhGr8HYL0n0z/n8hO2KrYBDwzZZBc0T
+dqp1b+q0VkXUpzGrvAZmflgohv+kGO0UreQCtbubNgkdQkBdSGyrNiH7gk0bJu5T
+cnmWpGp+3zZCP10soAsCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
+MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQB8joEjn87TrS1cs6+BYGpchcJIeBH+bcdCz8w1+eE1j0EIK/px
+ZCiJuV0aNKZclSEeiekpQSYXFa15FezfXtaiuFrMshX7NdRVONM6Pv87NQzkZ5YE
+r0dJtd2CcnQt1kE+mZ8lmKwWwKQY/6mEmMQs4f0yTKpRwFeV8OfKILVD0fD3XhNp
+mThcfsF0JZtNjignFDuw9sND737AgBoKhTx2+c3bOK0GExIORh2D89do1kMpsTWA
+RSc3VUgr7T3ZuGvChDDO9SF8DX2+Mial2IgyXQ0FwxThfgIMXXtOVJ9oaY3+JXwN
+90K4cWbLjGsq1Ak8VqeIG7GhgE63/tAsF29z
+-----END CERTIFICATE-----

init/policy-approle.hcl

@@ -0,0 +1,7 @@
+path "auth/approle/role/my-app-role/role-id" {
+  capabilities = ["read"]
+}
+
+path "auth/approle/role/my-app-role/secret-id" {
+  capabilities = ["update"]
+}

init/policy-kube.hcl

@@ -0,0 +1,3 @@
+path "secret/demo" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}

init/policy.hcl

@@ -0,0 +1,11 @@
+path "secret/demo" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "auth/approle/role/demo-role/role-id" {
+  capabilities = ["read"]
+}
+
+path "auth/approle/role/demo-role/secret-id" {
+  capabilities = ["update"]
+}

init/redeploy.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -x
+export REL=${1-"secret"}
+export NAMESPACE=${2-"vault"}
+
+helm del --purge ${REL} || /usr/bin/true
+kubectl delete configmap,job ${REL}-vault-consul-preinstall ${REL}-vault-vault-preinstall || /usr/bin/true
+helm install --name ${REL} --namespace ${NAMESPACE} helm_charts/vault
+helm list | grep ${REL}

init/vault-init.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+#set -x
 
 if [ $# -lt 2 ]
   then
@@ -11,16 +12,16 @@ RELEASE=$1
 NAMESPACE=$2
 CHART_NAME="vault"
 COMPONENT="${RELEASE}-vault"
-ADD_SECRET=${3-"false"}
+ADD_SECRET=${3-"true"}
 
 SECRET_NAME="$RELEASE-vault-keys"
 
 LABELS=$(kubectl get secret -l release=$RELEASE -n $NAMESPACE --show-labels | sed -n 2p | awk '{print $5}' | sed 's/\,/ /g')
 FIRST_VAULT_POD=$(kubectl get po -l component=$COMPONENT,release=$RELEASE -n $NAMESPACE | awk '{if(NR==2)print $1}')
-INIT_MESSAGE=$(kubectl exec -n $NAMESPACE -c $RELEASE $FIRST_VAULT_POD -- sh -c "vault operator init --tls-skip-verify" 2>&1)
+INIT_MESSAGE=$(kubectl exec -n $NAMESPACE -c $COMPONENT $FIRST_VAULT_POD -- sh -c "vault operator init --tls-skip-verify" 2>&1)
 
 echo "$INIT_MESSAGE"
-if [[ ${INIT_MESSAGE} != *"Error initializing Vault"* && "${ADD_SECRET}" == "true"  ]]; then
+if [[ ${INIT_MESSAGE} != *"Error initializing"* && "${ADD_SECRET}" == "true"  ]]; then
   echo
   echo
   echo "Deleting existing Vault key secret"

init/vault-token-sa.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-token-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-token-sa-binding
+  namespace: secret
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: vault-token-sa
+  namespace: secret

init/vault-token-sa2.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-tokenreview-binding
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: vault-tokenreview
+  namespace: default

init/vault-unseal.sh

@@ -1,3 +1,6 @@
+#!/bin/bash
+#set -x
+
 if [ $# -lt 2 ]
   then
     echo "Invalid arguments provided"
@@ -20,5 +23,5 @@ do
   KEY=$(echo "$UNSEAL_KEYS"  | sed "${i}q;d" | base64 --decode)
   kubectl get po -l component=$COMPONENT,release=$RELEASE -n $NAMESPACE \
       | awk '{if(NR>1)print $1}' \
-      | xargs -I % kubectl exec -n $NAMESPACE -c $RELEASE % -- sh -c "vault operator unseal --tls-skip-verify $KEY";
+      | xargs -I % kubectl exec -n $NAMESPACE -c $COMPONENT % -- sh -c "vault operator unseal --tls-skip-verify $KEY";
 done