diff --git a/clusters/cl01tl-standby/platform/vault/templates/external-secret.yaml b/clusters/cl01tl-standby/platform/vault/templates/external-secret.yaml deleted file mode 100644 index 465a3d6e0..000000000 --- a/clusters/cl01tl-standby/platform/vault/templates/external-secret.yaml +++ /dev/null 
@@ -1,390 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-snapshot-agent-token - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-snapshot-agent-token - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: snapshot - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: VAULT_APPROLE_ROLE_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/snapshot - metadataPolicy: None - property: VAULT_APPROLE_ROLE_ID - - secretKey: VAULT_APPROLE_SECRET_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/snapshot - metadataPolicy: None - property: VAULT_APPROLE_SECRET_ID - ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-snapshot-s3 - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-snapshot-s3 - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: snapshot - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/vault-backup - metadataPolicy: None - property: AWS_ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/vault-backup - metadataPolicy: None - property: AWS_SECRET_ACCESS_KEY - ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-s3cmd-config - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-snapshot-s3 - app.kubernetes.io/instance: {{ 
.Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: snapshot - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: .s3cfg - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/snapshot - metadataPolicy: None - property: s3cfg - ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-1 - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-unseal-key-1 - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: unseal - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ENVIRONMENT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: ENVIRONMENT - - secretKey: CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: CHECK_INTERVAL - - secretKey: MAX_CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: MAX_CHECK_INTERVAL - - secretKey: NODES - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: NODES - - secretKey: TLS_SKIP_VERIFY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: TLS_SKIP_VERIFY - - secretKey: TOKENS - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: TOKENS - - secretKey: EMAIL_ENABLED - remoteRef: - 
conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: EMAIL_ENABLED - - secretKey: NOTIFY_MAX_ELAPSED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: NOTIFY_MAX_ELAPSED - - secretKey: NOTIFY_QUEUE_DELAY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-1 - metadataPolicy: None - property: NOTIFY_QUEUE_DELAY - ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-2 - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-unseal-key-2 - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: unseal - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ENVIRONMENT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: ENVIRONMENT - - secretKey: CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: CHECK_INTERVAL - - secretKey: MAX_CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: MAX_CHECK_INTERVAL - - secretKey: NODES - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: NODES - - secretKey: TLS_SKIP_VERIFY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: TLS_SKIP_VERIFY - - secretKey: TOKENS - remoteRef: - conversionStrategy: Default - decodingStrategy: None - 
key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: TOKENS - - secretKey: EMAIL_ENABLED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: EMAIL_ENABLED - - secretKey: NOTIFY_MAX_ELAPSED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: NOTIFY_MAX_ELAPSED - - secretKey: NOTIFY_QUEUE_DELAY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-2 - metadataPolicy: None - property: NOTIFY_QUEUE_DELAY - ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-unseal-config-3 - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-unseal-config-3 - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: unseal - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ENVIRONMENT - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: ENVIRONMENT - - secretKey: CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: CHECK_INTERVAL - - secretKey: MAX_CHECK_INTERVAL - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: MAX_CHECK_INTERVAL - - secretKey: NODES - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: NODES - - secretKey: TLS_SKIP_VERIFY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None 
- property: TLS_SKIP_VERIFY - - secretKey: TOKENS - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: TOKENS - - secretKey: EMAIL_ENABLED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: EMAIL_ENABLED - - secretKey: NOTIFY_MAX_ELAPSED - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: NOTIFY_MAX_ELAPSED - - secretKey: NOTIFY_QUEUE_DELAY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/unseal/config-3 - metadataPolicy: None - property: NOTIFY_QUEUE_DELAY - ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-token - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-token - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: token - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: token - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: token - - secretKey: unseal_key_1 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: unseal_key_1 - - secretKey: unseal_key_2 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: unseal_key_2 - - secretKey: unseal_key_3 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: unseal_key_3 - - secretKey: unseal_key_4 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: 
/cl01tl/vault/token - metadataPolicy: None - property: unseal_key_4 - - secretKey: unseal_key_5 - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /cl01tl/vault/token - metadataPolicy: None - property: unseal_key_5 diff --git a/clusters/cl01tl-standby/platform/vault/templates/ingress.yaml b/clusters/cl01tl-standby/platform/vault/templates/ingress.yaml deleted file mode 100644 index 14f0c8c3b..000000000 --- a/clusters/cl01tl-standby/platform/vault/templates/ingress.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: vault-tailscale - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-tailscale - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - app.kubernetes.io/component: web - app.kubernetes.io/part-of: {{ .Release.Name }} - labels: - tailscale.com/proxy-class: no-metrics - annotations: - tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" -spec: - ingressClassName: tailscale - tls: - - hosts: - - vault-cl01tl - secretName: vault-cl01tl - rules: - - host: vault-cl01tl - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: vault-active - port: - number: 8200 diff --git a/clusters/cl01tl-standby/platform/vault/values.yaml b/clusters/cl01tl-standby/platform/vault/values.yaml deleted file mode 100644 index 9850de24f..000000000 --- a/clusters/cl01tl-standby/platform/vault/values.yaml +++ /dev/null 
@@ -1,313 +0,0 @@ -vault: - global: - enabled: true - tlsDisable: true - psp: - enable: false - serverTelemetry: - prometheusOperator: true - injector: - enabled: false - server: - enabled: true - image: - repository: hashicorp/vault - tag: 1.18.5 - updateStrategyType: "RollingUpdate" - logLevel: debug - logFormat: standard - resources: - requests: - cpu: 50m - memory: 512Mi - ingress: - enabled: true - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.tls: "true" - cert-manager.io/cluster-issuer: letsencrypt-issuer - ingressClassName: traefik - pathType: Prefix - activeService: true - hosts: - - host: vault.alexlebens.net - paths: - - / - tls: - - secretName: vault-tls-secret - hosts: - - vault.alexlebens.net - route: - enabled: false - authDelegator: - enabled: false - readinessProbe: - enabled: true - port: 8200 - livenessProbe: - enabled: false - volumes: - - name: vault-nfs-storage-backup - persistentVolumeClaim: - claimName: vault-nfs-storage-backup - volumeMounts: - - mountPath: /opt/backups/ - name: vault-nfs-storage-backup - readOnly: false - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: {{ template "vault.name" . 
}} - app.kubernetes.io/instance: "{{ .Release.Name }}" - component: server - topologyKey: kubernetes.io/hostname - networkPolicy: - enabled: false - service: - enabled: true - active: - enabled: true - standby: - enabled: false - type: ClusterIP - port: 8200 - targetPort: 8200 - dataStorage: - enabled: true - size: 1Gi - mountPath: "/vault/data" - accessMode: ReadWriteOnce - auditStorage: - enabled: false - size: 5Gi - mountPath: "/vault/audit" - accessMode: ReadWriteOnce - dev: - enabled: false - standalone: - enabled: false - ha: - enabled: true - replicas: 3 - raft: - enabled: true - config: | - ui = true - - listener "tcp" { - tls_disable = 1 - address = "[::]:8200" - cluster_address = "[::]:8201" - telemetry { - unauthenticated_metrics_access = "true" - } - } - - storage "raft" { - path = "/vault/data" - retry_join { - leader_api_addr = "http://vault-0.vault-internal:8200" - } - retry_join { - leader_api_addr = "http://vault-1.vault-internal:8200" - } - retry_join { - leader_api_addr = "http://vault-2.vault-internal:8200" - } - } - - service_registration "kubernetes" {} - - telemetry { - prometheus_retention_time = "30s" - disable_hostname = true - } - - disruptionBudget: - enabled: true - maxUnavailable: null - serviceAccount: - create: true - serviceDiscovery: - enabled: true - hostNetwork: false - ui: - enabled: true - publishNotReadyAddresses: true - activeVaultPodOnly: false - serviceType: "ClusterIP" - serviceNodePort: null - externalPort: 8200 - targetPort: 8200 - csi: - enabled: false - serverTelemetry: - serviceMonitor: - enabled: true - interval: 30s - scrapeTimeout: 10s - prometheusRules: - enabled: true - rules: - - alert: vault-HighResponseTime - annotations: - message: The response time of Vault is over 500ms on average over the last 5 minutes. 
- expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 - for: 5m - labels: - severity: warning - - alert: vault-HighResponseTime - annotations: - message: The response time of Vault is over 1s on average over the last 5 minutes. - expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 - for: 5m - labels: - severity: critical -snapshot: - global: - fullnameOverride: vault-snapshot - controllers: - snapshot: - type: cronjob - cronjob: - suspend: false - concurrencyPolicy: Forbid - timeZone: US/Central - schedule: 0 4 * * * - startingDeadlineSeconds: 90 - successfulJobsHistory: 3 - failedJobsHistory: 3 - backoffLimit: 3 - parallelism: 1 - initContainers: - snapshot: - image: - repository: hashicorp/vault - tag: 1.18.5 - pullPolicy: IfNotPresent - command: - - /bin/ash - args: - - -ec - - | - apk add --no-cache jq; - export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); - vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; - cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; - cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; - envFrom: - - secretRef: - name: vault-snapshot-agent-token - env: - - name: VAULT_ADDR - value: http://vault-active.vault.svc.cluster.local:8200 - resources: - requests: - cpu: 10m - memory: 64Mi - containers: - backup: - image: - repository: d3fk/s3cmd - tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9 - pullPolicy: IfNotPresent - command: - - /bin/sh - args: - - -ec - - | - s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; - rm -f /opt/backup/vault-snapshot-s3.snap; - envFrom: - - secretRef: - name: 
vault-snapshot-s3 - resources: - requests: - cpu: 10m - memory: 64Mi - serviceAccount: - create: true - persistence: - config: - existingClaim: vault-nfs-storage-backup - advancedMounts: - snapshot: - snapshot: - - path: /opt/backup - readOnly: false - backup: - - path: /opt/backup - readOnly: false - s3cmd-config: - enabled: true - type: secret - name: vault-s3cmd-config - advancedMounts: - snapshot: - backup: - - path: /root/.s3cfg - readOnly: true - mountPropagation: None - subPath: .s3cfg -unseal: - global: - fullnameOverride: vault-unseal - controllers: - unseal-1: - type: deployment - replicas: 1 - strategy: Recreate - revisionHistoryLimit: 3 - containers: - main: - image: - repository: ghcr.io/lrstanley/vault-unseal - tag: 0.7.0 - pullPolicy: IfNotPresent - envFrom: - - secretRef: - name: vault-unseal-config-1 - resources: - requests: - cpu: 10m - memory: 24Mi - unseal-2: - type: deployment - replicas: 1 - strategy: Recreate - revisionHistoryLimit: 3 - containers: - main: - image: - repository: ghcr.io/lrstanley/vault-unseal - tag: 0.7.0 - pullPolicy: IfNotPresent - envFrom: - - secretRef: - name: vault-unseal-config-2 - resources: - requests: - cpu: 10m - memory: 24Mi - unseal-3: - type: deployment - replicas: 1 - strategy: Recreate - revisionHistoryLimit: 3 - containers: - main: - image: - repository: ghcr.io/lrstanley/vault-unseal - tag: 0.7.0 - pullPolicy: IfNotPresent - envFrom: - - secretRef: - name: vault-unseal-config-3 - resources: - requests: - cpu: 10m - memory: 24Mi - serviceAccount: - create: true diff --git a/clusters/cl01tl-standby/platform/external-secrets/Chart.yaml b/clusters/cl01tl/platform/external-secrets/Chart.yaml similarity index 100% rename from clusters/cl01tl-standby/platform/external-secrets/Chart.yaml rename to clusters/cl01tl/platform/external-secrets/Chart.yaml 
diff --git a/clusters/cl01tl-standby/platform/external-secrets/templates/cluster-secret-store.yaml b/clusters/cl01tl/platform/external-secrets/templates/cluster-secret-store.yaml similarity index 100% rename from clusters/cl01tl-standby/platform/external-secrets/templates/cluster-secret-store.yaml rename to clusters/cl01tl/platform/external-secrets/templates/cluster-secret-store.yaml diff --git a/clusters/cl01tl-standby/platform/vault/Chart.yaml b/clusters/cl01tl/platform/vault/Chart.yaml similarity index 100% rename from clusters/cl01tl-standby/platform/vault/Chart.yaml rename to clusters/cl01tl/platform/vault/Chart.yaml diff --git a/clusters/cl01tl/platform/vault/templates/external-secret.yaml b/clusters/cl01tl/platform/vault/templates/external-secret.yaml new file mode 100644 index 000000000..6a407174f --- /dev/null +++ b/clusters/cl01tl/platform/vault/templates/external-secret.yaml 
@@ -0,0 +1,390 @@ +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: vault-snapshot-agent-token +# namespace: {{ .Release.Namespace }} +# labels: +# app.kubernetes.io/name: vault-snapshot-agent-token +# app.kubernetes.io/instance: {{ .Release.Name }} +# app.kubernetes.io/version: {{ .Chart.AppVersion }} +# app.kubernetes.io/component: snapshot +# app.kubernetes.io/part-of: {{ .Release.Name }} +# spec: +# secretStoreRef: +# kind: ClusterSecretStore +# name: vault +# data: +# - secretKey: VAULT_APPROLE_ROLE_ID +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/snapshot +# metadataPolicy: None +# property: VAULT_APPROLE_ROLE_ID +# - secretKey: VAULT_APPROLE_SECRET_ID +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/snapshot +# metadataPolicy: None +# property: VAULT_APPROLE_SECRET_ID + +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: vault-snapshot-s3 +# namespace: {{ .Release.Namespace }} +# labels: +# app.kubernetes.io/name: vault-snapshot-s3 +# app.kubernetes.io/instance: {{ .Release.Name }} +# app.kubernetes.io/version: {{ .Chart.AppVersion }} +# app.kubernetes.io/component: snapshot +# app.kubernetes.io/part-of: {{ .Release.Name }} +# spec: +# secretStoreRef: +# kind: ClusterSecretStore +# name: vault +# data: +# - secretKey: AWS_ACCESS_KEY_ID +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /digital-ocean/home-infra/vault-backup +# metadataPolicy: None +# property: AWS_ACCESS_KEY_ID +# - secretKey: AWS_SECRET_ACCESS_KEY +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /digital-ocean/home-infra/vault-backup +# metadataPolicy: None +# property: AWS_SECRET_ACCESS_KEY + +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: vault-s3cmd-config +# namespace: {{ .Release.Namespace }} +# labels: +# 
app.kubernetes.io/name: vault-snapshot-s3 +# app.kubernetes.io/instance: {{ .Release.Name }} +# app.kubernetes.io/version: {{ .Chart.AppVersion }} +# app.kubernetes.io/component: snapshot +# app.kubernetes.io/part-of: {{ .Release.Name }} +# spec: +# secretStoreRef: +# kind: ClusterSecretStore +# name: vault +# data: +# - secretKey: .s3cfg +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/snapshot +# metadataPolicy: None +# property: s3cfg + +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: vault-unseal-config-1 +# namespace: {{ .Release.Namespace }} +# labels: +# app.kubernetes.io/name: vault-unseal-key-1 +# app.kubernetes.io/instance: {{ .Release.Name }} +# app.kubernetes.io/version: {{ .Chart.AppVersion }} +# app.kubernetes.io/component: unseal +# app.kubernetes.io/part-of: {{ .Release.Name }} +# spec: +# secretStoreRef: +# kind: ClusterSecretStore +# name: vault +# data: +# - secretKey: ENVIRONMENT +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-1 +# metadataPolicy: None +# property: ENVIRONMENT +# - secretKey: CHECK_INTERVAL +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-1 +# metadataPolicy: None +# property: CHECK_INTERVAL +# - secretKey: MAX_CHECK_INTERVAL +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-1 +# metadataPolicy: None +# property: MAX_CHECK_INTERVAL +# - secretKey: NODES +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-1 +# metadataPolicy: None +# property: NODES +# - secretKey: TLS_SKIP_VERIFY +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-1 +# metadataPolicy: None +# property: TLS_SKIP_VERIFY +# - secretKey: TOKENS +# remoteRef: +# conversionStrategy: Default +# 
decodingStrategy: None +# key: /cl01tl/vault/unseal/config-1 +# metadataPolicy: None +# property: TOKENS +# - secretKey: EMAIL_ENABLED +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-1 +# metadataPolicy: None +# property: EMAIL_ENABLED +# - secretKey: NOTIFY_MAX_ELAPSED +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-1 +# metadataPolicy: None +# property: NOTIFY_MAX_ELAPSED +# - secretKey: NOTIFY_QUEUE_DELAY +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-1 +# metadataPolicy: None +# property: NOTIFY_QUEUE_DELAY + +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: vault-unseal-config-2 +# namespace: {{ .Release.Namespace }} +# labels: +# app.kubernetes.io/name: vault-unseal-key-2 +# app.kubernetes.io/instance: {{ .Release.Name }} +# app.kubernetes.io/version: {{ .Chart.AppVersion }} +# app.kubernetes.io/component: unseal +# app.kubernetes.io/part-of: {{ .Release.Name }} +# spec: +# secretStoreRef: +# kind: ClusterSecretStore +# name: vault +# data: +# - secretKey: ENVIRONMENT +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-2 +# metadataPolicy: None +# property: ENVIRONMENT +# - secretKey: CHECK_INTERVAL +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-2 +# metadataPolicy: None +# property: CHECK_INTERVAL +# - secretKey: MAX_CHECK_INTERVAL +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-2 +# metadataPolicy: None +# property: MAX_CHECK_INTERVAL +# - secretKey: NODES +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-2 +# metadataPolicy: None +# property: NODES +# - secretKey: TLS_SKIP_VERIFY +# remoteRef: +# 
conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-2 +# metadataPolicy: None +# property: TLS_SKIP_VERIFY +# - secretKey: TOKENS +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-2 +# metadataPolicy: None +# property: TOKENS +# - secretKey: EMAIL_ENABLED +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-2 +# metadataPolicy: None +# property: EMAIL_ENABLED +# - secretKey: NOTIFY_MAX_ELAPSED +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-2 +# metadataPolicy: None +# property: NOTIFY_MAX_ELAPSED +# - secretKey: NOTIFY_QUEUE_DELAY +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-2 +# metadataPolicy: None +# property: NOTIFY_QUEUE_DELAY + +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: vault-unseal-config-3 +# namespace: {{ .Release.Namespace }} +# labels: +# app.kubernetes.io/name: vault-unseal-config-3 +# app.kubernetes.io/instance: {{ .Release.Name }} +# app.kubernetes.io/version: {{ .Chart.AppVersion }} +# app.kubernetes.io/component: unseal +# app.kubernetes.io/part-of: {{ .Release.Name }} +# spec: +# secretStoreRef: +# kind: ClusterSecretStore +# name: vault +# data: +# - secretKey: ENVIRONMENT +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-3 +# metadataPolicy: None +# property: ENVIRONMENT +# - secretKey: CHECK_INTERVAL +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-3 +# metadataPolicy: None +# property: CHECK_INTERVAL +# - secretKey: MAX_CHECK_INTERVAL +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-3 +# metadataPolicy: None +# property: MAX_CHECK_INTERVAL +# - secretKey: 
NODES +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-3 +# metadataPolicy: None +# property: NODES +# - secretKey: TLS_SKIP_VERIFY +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-3 +# metadataPolicy: None +# property: TLS_SKIP_VERIFY +# - secretKey: TOKENS +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-3 +# metadataPolicy: None +# property: TOKENS +# - secretKey: EMAIL_ENABLED +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-3 +# metadataPolicy: None +# property: EMAIL_ENABLED +# - secretKey: NOTIFY_MAX_ELAPSED +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-3 +# metadataPolicy: None +# property: NOTIFY_MAX_ELAPSED +# - secretKey: NOTIFY_QUEUE_DELAY +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/unseal/config-3 +# metadataPolicy: None +# property: NOTIFY_QUEUE_DELAY + +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: vault-token +# namespace: {{ .Release.Namespace }} +# labels: +# app.kubernetes.io/name: vault-token +# app.kubernetes.io/instance: {{ .Release.Name }} +# app.kubernetes.io/version: {{ .Chart.AppVersion }} +# app.kubernetes.io/component: token +# app.kubernetes.io/part-of: {{ .Release.Name }} +# spec: +# secretStoreRef: +# kind: ClusterSecretStore +# name: vault +# data: +# - secretKey: token +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/token +# metadataPolicy: None +# property: token +# - secretKey: unseal_key_1 +# remoteRef: +# conversionStrategy: Default +# decodingStrategy: None +# key: /cl01tl/vault/token +# metadataPolicy: None +# property: unseal_key_1 +# - secretKey: unseal_key_2 +# remoteRef: +# conversionStrategy: 
Default
+# decodingStrategy: None
+# key: /cl01tl/vault/token
+# metadataPolicy: None
+# property: unseal_key_2
+# - secretKey: unseal_key_3
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/vault/token
+# metadataPolicy: None
+# property: unseal_key_3
+# - secretKey: unseal_key_4
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/vault/token
+# metadataPolicy: None
+# property: unseal_key_4
+# - secretKey: unseal_key_5
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/vault/token
+# metadataPolicy: None
+# property: unseal_key_5
diff --git a/clusters/cl01tl/platform/vault/templates/http-route.yaml b/clusters/cl01tl/platform/vault/templates/http-route.yaml
new file mode 100644
index 000000000..d9eeeec42
--- /dev/null
+++ b/clusters/cl01tl/platform/vault/templates/http-route.yaml
@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-route-vault
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: http-route-vault
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+ hostnames:
+ - vault.alexlebens.net
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - group: ''
+ kind: Service
+ name: vault-active
+ port: 8200
+ weight: 100
diff --git a/clusters/cl01tl/platform/vault/templates/ingress.yaml b/clusters/cl01tl/platform/vault/templates/ingress.yaml
new file mode 100644
index 000000000..a579cb5ac
--- /dev/null
+++ b/clusters/cl01tl/platform/vault/templates/ingress.yaml
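Review bot: Every line of the new templates/external-secret.yaml is commented out, so this hunk renders no resources at all; the same is true of the new templates/ingress.yaml below. If the snapshot, unseal and `vault-token` ExternalSecrets are intentionally disabled for cl01tl, deleting the file is clearer than carrying 390 commented lines (the identical content is preserved in the removed cl01tl-standby copy above), because uncommenting it later re-creates a Secret holding `token` and `unseal_key_1`..`unseal_key_5` without a fresh review. If the file has to stay, a one-line header such as `# Disabled on cl01tl: <reason>` at the top would at least record why it is inert.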
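Review bot: The `parentRefs` entry for `traefik-gateway` has no `sectionName`, so the route attaches to every listener on that Gateway that permits it, and whether `vault.alexlebens.net` is served only over TLS now depends on a Gateway definition in the `traefik` namespace that this diff does not show. The Ingress this replaces (in the removed values.yaml above) pinned `traefik.ingress.kubernetes.io/router.entrypoints: websecure` and `router.tls: "true"`; the HTTPRoute drops that constraint. Adding `sectionName: <name of the HTTPS listener on traefik-gateway>` under the parentRef restores the equivalent and keeps Vault tokens, which travel in request headers, off any plaintext listener the shared Gateway may expose. With `tls_disable = 1` in the chart values the hop from Traefik to `vault-active:8200` is cleartext regardless, so this only covers the client-facing side.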
@@ -0,0 +1,32 @@
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+# name: vault-tailscale
+# namespace: {{ .Release.Namespace }}
+# labels:
+# app.kubernetes.io/name: vault-tailscale
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/version: {{ .Chart.AppVersion }}
+# app.kubernetes.io/component: web
+# app.kubernetes.io/part-of: {{ .Release.Name }}
+# labels:
+# tailscale.com/proxy-class: no-metrics
+# annotations:
+# tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
+# spec:
+# ingressClassName: tailscale
+# tls:
+# - hosts:
+# - vault-cl01tl
+# secretName: vault-cl01tl
+# rules:
+# - host: vault-cl01tl
+# http:
+# paths:
+# - path: /
+# pathType: Prefix
+# backend:
+# service:
+# name: vault-active
+# port:
+# number: 8200
diff --git a/clusters/cl01tl-standby/platform/vault/templates/persistent-volume-claim.yaml b/clusters/cl01tl/platform/vault/templates/persistent-volume-claim.yaml
similarity index 100%
rename from clusters/cl01tl-standby/platform/vault/templates/persistent-volume-claim.yaml
rename to clusters/cl01tl/platform/vault/templates/persistent-volume-claim.yaml
diff --git a/clusters/cl01tl/platform/vault/values.yaml b/clusters/cl01tl/platform/vault/values.yaml
new file mode 100644
index 000000000..2ef1fd801
--- /dev/null
+++ b/clusters/cl01tl/platform/vault/values.yaml
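Review bot: The commented-out Ingress has `labels:` twice under `metadata` (once with the `app.kubernetes.io/*` set, once with `tailscale.com/proxy-class: no-metrics`), which is a duplicate mapping key; if this block is ever uncommented, a last-wins YAML parser silently drops the first set of labels and a strict loader rejects the document. The two should be one mapping: move `tailscale.com/proxy-class: no-metrics` into the first `labels:` block and delete the second `labels:` line. The same duplicate existed in the removed cl01tl-standby copy, so it is carried over here rather than introduced.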
@@ -0,0 +1,298 @@
+vault:
+ global:
+ enabled: true
+ tlsDisable: true
+ psp:
+ enable: false
+ serverTelemetry:
+ prometheusOperator: true
+ injector:
+ enabled: false
+ server:
+ enabled: true
+ image:
+ repository: hashicorp/vault
+ tag: 1.18.5
+ updateStrategyType: "RollingUpdate"
+ logLevel: debug
+ logFormat: standard
+ resources:
+ requests:
+ cpu: 50m
+ memory: 512Mi
+ ingress:
+ enabled: false
+ route:
+ enabled: false
+ authDelegator:
+ enabled: false
+ readinessProbe:
+ enabled: true
+ port: 8200
+ livenessProbe:
+ enabled: false
+ volumes:
+ - name: vault-nfs-storage-backup
+ persistentVolumeClaim:
+ claimName: vault-nfs-storage-backup
+ volumeMounts:
+ - mountPath: /opt/backups/
+ name: vault-nfs-storage-backup
+ readOnly: false
+ affinity: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "vault.name" . }}
+ app.kubernetes.io/instance: "{{ .Release.Name }}"
+ component: server
+ topologyKey: kubernetes.io/hostname
+ networkPolicy:
+ enabled: false
+ service:
+ enabled: true
+ active:
+ enabled: true
+ standby:
+ enabled: false
+ type: ClusterIP
+ port: 8200
+ targetPort: 8200
+ dataStorage:
+ enabled: true
+ size: 1Gi
+ mountPath: "/vault/data"
+ accessMode: ReadWriteOnce
+ auditStorage:
+ enabled: false
+ size: 5Gi
+ mountPath: "/vault/audit"
+ accessMode: ReadWriteOnce
+ dev:
+ enabled: false
+ standalone:
+ enabled: false
+ ha:
+ enabled: true
+ replicas: 3
+ raft:
+ enabled: true
+ config: |
+ ui = true
+
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ telemetry {
+ unauthenticated_metrics_access = "true"
+ }
+ }
+
+ storage "raft" {
+ path = "/vault/data"
+ retry_join {
+ leader_api_addr = "http://vault-0.vault-internal:8200"
+ }
+ retry_join {
+ leader_api_addr = "http://vault-1.vault-internal:8200"
+ }
+ retry_join {
+ leader_api_addr = "http://vault-2.vault-internal:8200"
+ }
+ }
+
+ service_registration "kubernetes" {}
+
+ telemetry {
+ prometheus_retention_time = "30s"
+ disable_hostname = true
+ }
+
+ disruptionBudget:
+ enabled: true
+ maxUnavailable: null
+ serviceAccount:
+ create: true
+ serviceDiscovery:
+ enabled: true
+ hostNetwork: false
+ ui:
+ enabled: true
+ publishNotReadyAddresses: true
+ activeVaultPodOnly: false
+ serviceType: "ClusterIP"
+ serviceNodePort: null
+ externalPort: 8200
+ targetPort: 8200
+ csi:
+ enabled: false
+ serverTelemetry:
+ serviceMonitor:
+ enabled: true
+ interval: 30s
+ scrapeTimeout: 10s
+ prometheusRules:
+ enabled: true
+ rules:
+ - alert: vault-HighResponseTime
+ annotations:
+ message: The response time of Vault is over 500ms on average over the last 5 minutes.
+ expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
+ for: 5m
+ labels:
+ severity: warning
+ - alert: vault-HighResponseTime
+ annotations:
+ message: The response time of Vault is over 1s on average over the last 5 minutes.
+ expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
+ for: 5m
+ labels:
+ severity: critical
+# snapshot:
+# global:
+# fullnameOverride: vault-snapshot
+# controllers:
+# snapshot:
+# type: cronjob
+# cronjob:
+# suspend: false
+# concurrencyPolicy: Forbid
+# timeZone: US/Central
+# schedule: 0 4 * * *
+# startingDeadlineSeconds: 90
+# successfulJobsHistory: 3
+# failedJobsHistory: 3
+# backoffLimit: 3
+# parallelism: 1
+# initContainers:
+# snapshot:
+# image:
+# repository: hashicorp/vault
+# tag: 1.18.5
+# pullPolicy: IfNotPresent
+# command:
+# - /bin/ash
+# args:
+# - -ec
+# - |
+# apk add --no-cache jq;
+# export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
+# vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
+# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
+# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
+# envFrom:
+# - secretRef:
+# name: vault-snapshot-agent-token
+# env:
+# - name: VAULT_ADDR
+# value: http://vault-active.vault.svc.cluster.local:8200
+# resources:
+# requests:
+# cpu: 10m
+# memory: 64Mi
+# containers:
+# backup:
+# image:
+# repository: d3fk/s3cmd
+# tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9
+# pullPolicy: IfNotPresent
+# command:
+# - /bin/sh
+# args:
+# - -ec
+# - |
+# s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
+# rm -f /opt/backup/vault-snapshot-s3.snap;
+# envFrom:
+# - secretRef:
+# name: vault-snapshot-s3
+# resources:
+# requests:
+# cpu: 10m
+# memory: 64Mi
+# serviceAccount:
+# create: true
+# persistence:
+# config:
+# existingClaim: vault-nfs-storage-backup
+# advancedMounts:
+# snapshot:
+# snapshot:
+# - path: /opt/backup
+# readOnly: false
+# backup:
+# - path: /opt/backup
+# readOnly: false
+# s3cmd-config:
+# enabled: true
+# type: secret
+# name: vault-s3cmd-config
+# advancedMounts:
+# snapshot:
+# backup:
+# - path: /root/.s3cfg
+# readOnly: true
+# mountPropagation: None
+# subPath: .s3cfg
+# unseal:
+# global:
+# fullnameOverride: vault-unseal
+# controllers:
+# unseal-1:
+# type: deployment
+# replicas: 1
+# strategy: Recreate
+# revisionHistoryLimit: 3
+# containers:
+# main:
+# image:
+# repository: ghcr.io/lrstanley/vault-unseal
+# tag: 0.7.0
+# pullPolicy: IfNotPresent
+# envFrom:
+# - secretRef:
+# name: vault-unseal-config-1
+# resources:
+# requests:
+# cpu: 10m
+# memory: 24Mi
+# unseal-2:
+# type: deployment
+# replicas: 1
+# strategy: Recreate
+# revisionHistoryLimit: 3
+# containers:
+# main:
+# image:
+# repository: ghcr.io/lrstanley/vault-unseal
+# tag: 0.7.0
+# pullPolicy: IfNotPresent
+# envFrom:
+# - secretRef:
+# name: vault-unseal-config-2
+# resources:
+# requests:
+# cpu: 10m
+# memory: 24Mi
+# unseal-3:
+# type: deployment
+# replicas: 1
+# strategy: Recreate
+# revisionHistoryLimit: 3
+# containers:
+# main:
+# image:
+# repository: ghcr.io/lrstanley/vault-unseal
+# tag: 0.7.0
+# pullPolicy: IfNotPresent
+# envFrom:
+# - secretRef:
+# name: vault-unseal-config-3
+# resources:
+# requests:
+# cpu: 10m
+# memory: 24Mi
+# serviceAccount:
+# create: true
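Review bot: Both `prometheusRules.rules` entries keep the chart example's `namespace="mynamespace"` selector in `expr`, so neither alert can ever match a real series; the selector should name the namespace Vault runs in (the commented `VAULT_ADDR` suggests `vault`), e.g. `expr: vault_core_handle_request{quantile="0.5", namespace="vault"} > 500`, and giving the 1s rule a distinct name such as `vault-HighResponseTimeCritical` avoids two alerts sharing `vault-HighResponseTime`. Separately, the listener block sets `tls_disable = 1` together with `unauthenticated_metrics_access = "true"` while `networkPolicy.enabled: false`, so `/v1/sys/metrics` is readable without a token by anything that can reach port 8200, including through the new HTTPRoute in this commit, which forwards `/` for the whole API. If the ServiceMonitor is the only intended consumer, enabling the chart's network policy or excluding the metrics path at the gateway keeps that scrape path cluster-internal. `logLevel: debug` is also unusual for a persistent HA deployment and is better left at `info` unless actively troubleshooting.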