create helm charts for snapshot and unseal jobs

2024-07-01 19:31:00 -05:00
parent 534ee414ff
commit 835005d221
4 changed files with 403 additions and 65 deletions


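--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,64 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-name: vault-snapshot-cronjob
-namespace: {{ .Release.Namespace }}
-labels:
-app.kubernetes.io/name: vault-snapshot-cronjob
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/version: {{ .Chart.AppVersion }}
-app.kubernetes.io/component: storage
-app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-schedule: "@every 24h"
-successfulJobsHistoryLimit: 3
-failedJobsHistoryLimit: 3
-jobTemplate:
-spec:
-template:
-spec:
-restartPolicy: OnFailure
-containers:
-- name: snapshot
-image: hashicorp/vault:1.16.2
-imagePullPolicy: IfNotPresent
-command:
-- /bin/ash
-args:
-- -ec
-- |
-apk add --no-cache jq;
-export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
-vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
-cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
-cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
-envFrom:
-- secretRef:
-name: vault-snapshot-agent-token
-env:
-- name: VAULT_ADDR
-value: http://vault-active.vault.svc.cluster.local:8200
-volumeMounts:
-- mountPath: /opt/backup
-name: backup
-- name: upload
-image: amazon/aws-cli:2.15.42
-imagePullPolicy: IfNotPresent
-command:
-- /bin/sh
-args:
-- -ec
-- |
-until [ -f /opt/backup/vault-snapshot-s3.snap ]; do sleep 5; done;
-aws s3 cp /opt/backup/vault-snapshot-s3.snap s3://cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
-rm /opt/backup/vault-snapshot-s3.snap;
-envFrom:
-- secretRef:
-name: vault-snapshot-s3
-volumeMounts:
-- mountPath: /opt/backup
-name: backup
-volumes:
-- name: backup
-persistentVolumeClaim:
-claimName: vault-nfs-storage-backup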


@@ -0,0 +1,243 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-snapshot-agent-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-agent-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: VAULT_APPROLE_ROLE_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot/approle
metadataPolicy: None
property: role-id
- secretKey: VAULT_APPROLE_SECRET_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot/approle
metadataPolicy: None
property: secret-id
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-snapshot-s3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/approle/job
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/approle/job
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ENDPOINT_URL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/approle/job
metadataPolicy: None
property: AWS_ENDPOINT_URL
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/approle/job
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-agent-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-agent-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: VAULT_APPROLE_ROLE_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/approle
metadataPolicy: None
property: role-id
- secretKey: VAULT_APPROLE_SECRET_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/approle
metadataPolicy: None
property: secret-id
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-1
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-key-1
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: vault-unseal.yaml
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config
metadataPolicy: None
property: vault-unseal.yaml-1
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-2
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-key-2
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: vault-unseal.yaml
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config
metadataPolicy: None
property: vault-unseal.yaml-2
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-config-3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: vault-unseal.yaml
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config
metadataPolicy: None
property: vault-unseal.yaml-3
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: token
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: token
- secretKey: unseal_key_1
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_1
- secretKey: unseal_key_2
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_2
- secretKey: unseal_key_3
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_3
- secretKey: unseal_key_4
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_4
- secretKey: unseal_key_5
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_5