add vault

2025-02-17 13:09:28 -06:00
parent 0df95e32fa
commit ebb507d0ff
7 changed files with 4 additions and 4 deletions


@@ -0,0 +1,18 @@
apiVersion: v2
name: external-secrets
version: 1.0.0
description: External Secrets
keywords:
- external-secrets
- secrets
- vault
home: https://wiki.alexlebens.dev/doc/external-secrets-E68EWwvR0a
sources:
- https://github.com/external-secrets/external-secrets
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies:
- name: external-secrets
version: 0.14.1
repository: https://charts.external-secrets.io
icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
appVersion: 0.14.1


@@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
provider:
vault:
server: http://vault-internal.vault:8200
path: secret
auth:
tokenSecretRef:
namespace: vault
name: vault-token
key: token
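Review bot: The ClusterSecretStore authenticates to Vault with a single static token (`tokenSecretRef`, lines 51-54) over plain HTTP (`server: http://vault-internal.vault:8200`), so the token and every fetched secret cross the cluster network unencrypted, and because the store is cluster-scoped with no `spec.conditions`, an ExternalSecret in any namespace can read whatever that token's policy allows. Consider limiting consumers with `conditions:` / `- namespaces: [...]` and, longer term, switching to `auth.kubernetes` with a scoped role so no long-lived token has to sit in a Secret. `version` is not set under `vault:`, which I believe makes ESO assume KV v2; stating `version: v2` explicitly documents that `path: secret` must match the engine version. `metadata.namespace` is ignored for a cluster-scoped kind and can be dropped. The `app.kubernetes.io/name` label is `{{ .Release.Name }}` here while the other templates in this commit use the resource name; pick one convention.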


@@ -0,0 +1,28 @@
apiVersion: v2
name: vault
version: 1.0.0
description: Vault
keywords:
- vault
- secrets
home: https://wiki.alexlebens.dev/doc/vault-TJ1ocQp9WB
sources:
- https://github.com/hashicorp/vault
- https://hub.docker.com/r/hashicorp/vault
- https://github.com/hashicorp/vault-helm
maintainers:
- name: alexlebens
dependencies:
- name: vault
version: 0.29.1
repository: https://helm.releases.hashicorp.com
# - name: app-template
# alias: snapshot
# repository: https://bjw-s.github.io/helm-charts/
# version: 3.6.1
# - name: app-template
# alias: unseal
# repository: https://bjw-s.github.io/helm-charts/
# version: 3.6.1
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/vault.png
appVersion: 1.18.4
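Review bot: The `app-template` dependencies for the `snapshot` and `unseal` aliases are commented out (lines 77-84), yet values.yaml in this commit carries full `snapshot:` and `unseal:` stanzas keyed on those aliases, so that configuration is dead until the dependencies are restored. When they are, the secrets those pods consume (`vault-snapshot-agent-token`, `vault-snapshot-s3`, `vault-unseal-config-*`) come only from the ExternalSecret template that is also commented out in this commit, so both need enabling together or the pods will fail on missing `envFrom` secrets. A comment above the commented dependencies such as `# disabled until the matching ExternalSecret template and values stanzas are enabled together` would prevent a half-enabled deploy.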


@@ -0,0 +1,379 @@
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-snapshot-agent-token
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-agent-token
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: VAULT_APPROLE_ROLE_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot/approle
# metadataPolicy: None
# property: role-id
# - secretKey: VAULT_APPROLE_SECRET_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot/approle
# metadataPolicy: None
# property: secret-id
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-snapshot-s3
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-s3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: AWS_ACCESS_KEY_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_ACCESS_KEY_ID
# - secretKey: AWS_DEFAULT_REGION
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_DEFAULT_REGION
# - secretKey: AWS_ENDPOINT_URL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_ENDPOINT_URL
# - secretKey: AWS_SECRET_ACCESS_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_SECRET_ACCESS_KEY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-1
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-key-1
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-2
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-key-2
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-3
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-config-3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-token
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-token
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: token
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: token
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: token
# - secretKey: unseal_key_1
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_1
# - secretKey: unseal_key_2
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_2
# - secretKey: unseal_key_3
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_3
# - secretKey: unseal_key_4
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_4
# - secretKey: unseal_key_5
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_5
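Review bot: The `vault-token` ExternalSecret (lines 407-464) would be fetched through the `vault` ClusterSecretStore, but that store authenticates with the `vault-token` Secret in namespace `vault` (the ClusterSecretStore added in this commit), so as written the store presumably depends on a Secret that only the store can produce — a bootstrap loop that has to be broken by seeding `vault-token` by hand before this template is enabled, which deserves a comment at the top of the file. The same Secret would carry the token together with unseal keys 1-5 (lines 423-464), so anyone able to read it holds both the data-plane credential and the means to unseal the cluster; keeping the unseal keys in a separate Secret with tighter RBAC would shrink that blast radius. Two label mismatches: `vault-unseal-config-1` and `-2` carry `app.kubernetes.io/name: vault-unseal-key-1`/`-2` (lines 173, 253) while `-3` uses `vault-unseal-config-3`. Everything in this file is commented out, so none of it is live yet; the hunk header counts 379 lines and 374 are shown, presumably blank lines dropped by the renderer.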


@@ -0,0 +1,32 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vault-local
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-local
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
spec:
ingressClassName: traefik
tls:
- hosts:
- vault.alexlebens.net
secretName: vault-tls-secret
rules:
- host: vault.alexlebens.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vault-active
port:
number: 8200
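Review bot: The Ingress publishes Vault's API and UI on `vault.alexlebens.net` with a Let's Encrypt certificate and no access restriction, and the backend hop to `vault-active:8200` is plaintext because this commit's values disable TLS on the Vault listener (`tlsDisable: true`, `tls_disable = 1`), so the TLS the ingress advertises ends at Traefik. If that host is publicly resolvable, consider gating the router with an allow-list middleware, e.g. `traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<middleware-name>@kubernetescrd`, or keeping Vault on the Tailscale ingress already configured in values.yaml and dropping this one. A comment stating who this endpoint is for (LAN-only vs internet) would make the intent reviewable.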


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vault-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-nfs-storage-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
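Review bot: `accessModes: [ReadWriteOnce]` does not match how the claim is used in this commit: values.yaml mounts it into the three HA `vault` server replicas, which the pod anti-affinity spreads across hosts, and into the snapshot cronjob's containers. The nfs-client provisioner typically does not enforce RWO, so this may work by accident, but the declaration should be `- ReadWriteMany` so the scheduler and any future storage class behave as intended. Separately, 1Gi is small for a volume the snapshot job writes a new dated `.snap` to every night without ever pruning; either prune in the job or size the claim for the retention you want.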


@@ -0,0 +1,300 @@
vault:
global:
enabled: true
tlsDisable: true
psp:
enable: false
serverTelemetry:
prometheusOperator: true
injector:
enabled: false
server:
enabled: true
image:
repository: hashicorp/vault
tag: 1.18.4
updateStrategyType: "RollingUpdate"
logLevel: debug
logFormat: standard
resources:
requests:
cpu: 50m
memory: 512Mi
ingress:
enabled: true
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
ingressClassName: tailscale
pathType: Prefix
activeService: true
hosts:
- host: vault-cl01tl
paths:
- /
tls:
- secretName: vault-cl01tl
hosts:
- vault-cl01tl
route:
enabled: false
authDelegator:
enabled: false
readinessProbe:
enabled: true
port: 8200
livenessProbe:
enabled: false
volumes:
- name: vault-nfs-storage-backup
persistentVolumeClaim:
claimName: vault-nfs-storage-backup
volumeMounts:
- mountPath: /opt/backups/
name: vault-nfs-storage-backup
readOnly: false
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
networkPolicy:
enabled: false
service:
enabled: true
active:
enabled: true
standby:
enabled: false
type: ClusterIP
port: 8200
targetPort: 8200
dataStorage:
enabled: true
size: 1Gi
mountPath: "/vault/data"
accessMode: ReadWriteOnce
auditStorage:
enabled: false
size: 5Gi
mountPath: "/vault/audit"
accessMode: ReadWriteOnce
dev:
enabled: false
standalone:
enabled: false
ha:
enabled: true
replicas: 3
raft:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
telemetry {
unauthenticated_metrics_access = "true"
}
}
storage "raft" {
path = "/vault/data"
retry_join {
leader_api_addr = "http://vault-0.vault-internal:8200"
}
retry_join {
leader_api_addr = "http://vault-1.vault-internal:8200"
}
retry_join {
leader_api_addr = "http://vault-2.vault-internal:8200"
}
}
service_registration "kubernetes" {}
telemetry {
prometheus_retention_time = "30s"
disable_hostname = true
}
disruptionBudget:
enabled: true
maxUnavailable: null
serviceAccount:
create: true
serviceDiscovery:
enabled: true
hostNetwork: false
ui:
enabled: true
publishNotReadyAddresses: true
activeVaultPodOnly: false
serviceType: "ClusterIP"
serviceNodePort: null
externalPort: 8200
targetPort: 8200
csi:
enabled: false
serverTelemetry:
serviceMonitor:
enabled: true
interval: 30s
scrapeTimeout: 10s
prometheusRules:
enabled: true
rules:
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 500ms on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
for: 5m
labels:
severity: warning
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 1s on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
for: 5m
labels:
severity: critical
snapshot:
global:
fullnameOverride: vault-snapshot
controllers:
snapshot:
type: cronjob
cronjob:
suspend: false
concurrencyPolicy: Forbid
timeZone: US/Central
schedule: 0 4 * * *
startingDeadlineSeconds: 90
successfulJobsHistory: 3
failedJobsHistory: 3
backoffLimit: 3
parallelism: 1
containers:
snapshot:
image:
repository: hashicorp/vault
tag: 1.18.4
pullPolicy: IfNotPresent
command:
- /bin/ash
args:
- -ec
- |
apk add --no-cache jq;
export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
envFrom:
- secretRef:
name: vault-snapshot-agent-token
env:
- name: VAULT_ADDR
value: http://vault-active.vault.svc.cluster.local:8200
resources:
requests:
cpu: 10m
memory: 64Mi
backup:
image:
repository: amazon/aws-cli
tag: 2.24.0
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- |
until [ -f /opt/backup/vault-snapshot-s3.snap ]; do sleep 5; done;
aws s3 cp /opt/backup/vault-snapshot-s3.snap s3://cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
rm /opt/backup/vault-snapshot-s3.snap;
envFrom:
- secretRef:
name: vault-snapshot-s3
resources:
requests:
cpu: 10m
memory: 64Mi
serviceAccount:
create: true
persistence:
config:
existingClaim: vault-nfs-storage-backup
advancedMounts:
snapshot:
snapshot:
- path: /opt/backup
readOnly: false
backup:
- path: /opt/backup
readOnly: false
unseal:
global:
fullnameOverride: vault-unseal
controllers:
unseal-1:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.0
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-1
resources:
requests:
cpu: 10m
memory: 24Mi
unseal-2:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.0
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-2
resources:
requests:
cpu: 10m
memory: 24Mi
unseal-3:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.0
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-3
resources:
requests:
cpu: 10m
memory: 24Mi
serviceAccount:
create: true
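Review bot: Both `prometheusRules` alerts keep the upstream placeholder `namespace="mynamespace"` in `expr` (lines 677, 684), so they will never match this deployment's metrics, and both are named `vault-HighResponseTime`, so the warning and critical rules collide — use the release namespace in the selector and give the second rule a distinct name such as `vault-VeryHighResponseTime`. In the snapshot job the `backup` container starts uploading as soon as `/opt/backup/vault-snapshot-s3.snap` exists (line 740), but the snapshot container creates that file with a non-atomic `cp` (line 719), so a partially written snapshot can reach S3; copy to a temp name and rename, `cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap.tmp && mv /opt/backup/vault-snapshot-s3.snap.tmp /opt/backup/vault-snapshot-s3.snap`, and bound the wait loop so a failed snapshot does not leave the job hanging forever. `unauthenticated_metrics_access = "true"` (line 628) exposes `/v1/sys/metrics` without a token, which is acceptable only if port 8200 is reachable solely by the in-cluster ServiceMonitor, and nothing enforces that here since `networkPolicy.enabled` is false — a comment recording that decision would help. `logLevel: debug` (line 544) is unusually verbose for a long-running secrets server and is worth reverting to `info` once bring-up is done.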