Created
July 17, 2020 05:58
-
-
Save away168/88721cdfb06d3c05b991a28fedd69d8a to your computer and use it in GitHub Desktop.
Local K8s Vault Install
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# Source: vault/templates/injector-serviceaccount.yaml | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
name: spinnaker-vault-agent-injector | |
namespace: vault | |
labels: | |
app.kubernetes.io/name: vault-agent-injector | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
--- | |
# Source: vault/templates/server-serviceaccount.yaml | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
name: spinnaker-vault | |
namespace: vault | |
labels: | |
helm.sh/chart: vault-0.4.0 | |
app.kubernetes.io/name: vault | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
--- | |
# Source: vault/templates/server-config-configmap.yaml | |
apiVersion: v1 | |
kind: ConfigMap | |
metadata: | |
name: spinnaker-vault-config | |
namespace: vault | |
labels: | |
helm.sh/chart: vault-0.4.0 | |
app.kubernetes.io/name: vault | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
data: | |
extraconfig-from-values.hcl: |- | |
disable_mlock = true | |
ui = true | |
# original listener | |
#listener "tcp" { | |
# tls_disable = 1 | |
# address = "[::]:8200" | |
# cluster_address = "[::]:8201" | |
#} | |
# listener with TLS enabled | |
listener "tcp" { | |
address = "[::]:8200" | |
cluster_address = "[::]:8201" | |
tls_cert_file = "/vault/certs/tls.crt" | |
tls_key_file = "/vault/certs/tls.key" | |
} | |
storage "file" { | |
path = "/vault/data" | |
} | |
# Example configuration for using auto-unseal, using Google Cloud KMS. The | |
# GKMS keys must already exist, and the cluster must have a service account | |
# that is authorized to access GCP KMS. | |
#seal "gcpckms" { | |
# project = "vault-helm-dev" | |
# region = "global" | |
# key_ring = "vault-helm-unseal-kr" | |
# crypto_key = "vault-helm-unseal-key" | |
#} | |
--- | |
# Source: vault/templates/injector-clusterrole.yaml | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRole | |
metadata: | |
name: spinnaker-vault-agent-injector-clusterrole | |
labels: | |
app.kubernetes.io/name: vault-agent-injector | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
rules: | |
- apiGroups: ["admissionregistration.k8s.io"] | |
resources: ["mutatingwebhookconfigurations"] | |
verbs: | |
- "get" | |
- "list" | |
- "watch" | |
- "patch" | |
--- | |
# Source: vault/templates/injector-clusterrolebinding.yaml | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRoleBinding | |
metadata: | |
name: spinnaker-vault-agent-injector-binding | |
namespace: vault | |
labels: | |
app.kubernetes.io/name: vault-agent-injector | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: spinnaker-vault-agent-injector-clusterrole | |
subjects: | |
- kind: ServiceAccount | |
name: spinnaker-vault-agent-injector | |
namespace: vault | |
--- | |
# Source: vault/templates/server-clusterrolebinding.yaml | |
apiVersion: rbac.authorization.k8s.io/v1beta1 | |
kind: ClusterRoleBinding | |
metadata: | |
name: spinnaker-vault-server-binding | |
namespace: vault | |
labels: | |
helm.sh/chart: vault-0.4.0 | |
app.kubernetes.io/name: vault | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: system:auth-delegator | |
subjects: | |
- kind: ServiceAccount | |
name: spinnaker-vault | |
namespace: vault | |
--- | |
# Source: vault/templates/injector-service.yaml | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
name: spinnaker-vault-agent-injector-svc | |
namespace: vault | |
labels: | |
app.kubernetes.io/name: vault-agent-injector | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
spec: | |
ports: | |
- port: 443 | |
targetPort: 8080 | |
selector: | |
app.kubernetes.io/name: vault-agent-injector | |
app.kubernetes.io/instance: spinnaker | |
component: webhook | |
--- | |
# Source: vault/templates/server-service.yaml | |
# Service for Vault cluster | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
name: spinnaker-vault | |
namespace: vault | |
labels: | |
helm.sh/chart: vault-0.4.0 | |
app.kubernetes.io/name: vault | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
annotations: | |
# This must be set in addition to publishNotReadyAddresses due | |
# to an open issue where it may not work: | |
# https://github.com/kubernetes/kubernetes/issues/58662 | |
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" | |
spec: | |
# We want the servers to become available even if they're not ready | |
# since this DNS is also used for join operations. | |
publishNotReadyAddresses: true | |
ports: | |
- name: http | |
port: 8200 | |
targetPort: 8200 | |
- name: internal | |
port: 8201 | |
targetPort: 8201 | |
selector: | |
app.kubernetes.io/name: vault | |
app.kubernetes.io/instance: spinnaker | |
component: server | |
--- | |
# Source: vault/templates/injector-deployment.yaml | |
# Deployment for the injector | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
name: spinnaker-vault-agent-injector | |
namespace: vault | |
labels: | |
app.kubernetes.io/name: vault-agent-injector | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
component: webhook | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
app.kubernetes.io/name: vault-agent-injector | |
app.kubernetes.io/instance: spinnaker | |
component: webhook | |
template: | |
metadata: | |
labels: | |
app.kubernetes.io/name: vault-agent-injector | |
app.kubernetes.io/instance: spinnaker | |
component: webhook | |
spec: | |
serviceAccountName: "spinnaker-vault-agent-injector" | |
securityContext: | |
runAsNonRoot: true | |
runAsGroup: 1000 | |
runAsUser: 100 | |
containers: | |
- name: sidecar-injector | |
image: "hashicorp/vault-k8s:0.2.0" | |
imagePullPolicy: "IfNotPresent" | |
env: | |
- name: AGENT_INJECT_LISTEN | |
value: ":8080" | |
- name: AGENT_INJECT_LOG_LEVEL | |
value: info | |
- name: AGENT_INJECT_VAULT_ADDR | |
value: https://spinnaker-vault.vault.svc:8200 | |
- name: AGENT_INJECT_VAULT_IMAGE | |
value: "vault:1.3.2" | |
- name: AGENT_INJECT_TLS_AUTO | |
value: spinnaker-vault-agent-injector-cfg | |
- name: AGENT_INJECT_TLS_AUTO_HOSTS | |
value: spinnaker-vault-agent-injector-svc,spinnaker-vault-agent-injector-svc.vault,spinnaker-vault-agent-injector-svc.vault.svc | |
args: | |
- agent-inject | |
- 2>&1 | |
livenessProbe: | |
httpGet: | |
path: /health/ready | |
port: 8080 | |
scheme: HTTPS | |
failureThreshold: 2 | |
initialDelaySeconds: 1 | |
periodSeconds: 2 | |
successThreshold: 1 | |
timeoutSeconds: 5 | |
readinessProbe: | |
httpGet: | |
path: /health/ready | |
port: 8080 | |
scheme: HTTPS | |
failureThreshold: 2 | |
initialDelaySeconds: 2 | |
periodSeconds: 2 | |
successThreshold: 1 | |
timeoutSeconds: 5 | |
--- | |
# Source: vault/templates/server-statefulset.yaml | |
# StatefulSet to run the actual vault server cluster. | |
apiVersion: apps/v1 | |
kind: StatefulSet | |
metadata: | |
name: spinnaker-vault | |
namespace: vault | |
labels: | |
app.kubernetes.io/name: vault | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
spec: | |
serviceName: spinnaker-vault | |
podManagementPolicy: Parallel | |
replicas: 1 | |
updateStrategy: | |
type: OnDelete | |
selector: | |
matchLabels: | |
app.kubernetes.io/name: vault | |
app.kubernetes.io/instance: spinnaker | |
component: server | |
template: | |
metadata: | |
labels: | |
helm.sh/chart: vault-0.4.0 | |
app.kubernetes.io/name: vault | |
app.kubernetes.io/instance: spinnaker | |
component: server | |
spec: | |
affinity: | |
podAntiAffinity: | |
requiredDuringSchedulingIgnoredDuringExecution: | |
- labelSelector: | |
matchLabels: | |
app.kubernetes.io/name: vault | |
app.kubernetes.io/instance: "spinnaker" | |
component: server | |
topologyKey: kubernetes.io/hostname | |
terminationGracePeriodSeconds: 10 | |
serviceAccountName: spinnaker-vault | |
securityContext: | |
runAsNonRoot: true | |
runAsGroup: 1000 | |
runAsUser: 100 | |
fsGroup: 1000 | |
volumes: | |
- name: config | |
configMap: | |
name: spinnaker-vault-config | |
# for vault cert / tls | |
- name: certs | |
secret: | |
secretName: vault-tls | |
containers: | |
- name: vault | |
securityContext: | |
capabilities: | |
add: ["IPC_LOCK"] | |
image: vault:1.3.2 | |
imagePullPolicy: IfNotPresent | |
command: | |
- "/bin/sh" | |
- "-ec" | |
args: | |
- | | |
sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl; | |
sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl; | |
/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl | |
env: | |
- name: HOST_IP | |
valueFrom: | |
fieldRef: | |
fieldPath: status.hostIP | |
- name: POD_IP | |
valueFrom: | |
fieldRef: | |
fieldPath: status.podIP | |
- name: VAULT_ADDR | |
value: "https://spinnaker-vault.vault.svc.cluster.local:8200" | |
- name: VAULT_API_ADDR | |
value: "https://$(POD_IP):8200" | |
- name: SKIP_CHOWN | |
value: "true" | |
- name: SKIP_SETCAP | |
value: "true" | |
- name: VAULT_CACERT | |
value: "/vault/certs/tls.crt" | |
volumeMounts: | |
- name: data | |
mountPath: /vault/data | |
- name: config | |
mountPath: /vault/config | |
- name: certs | |
mountPath: /vault/certs | |
ports: | |
- containerPort: 8200 | |
name: http | |
- containerPort: 8201 | |
name: internal | |
- containerPort: 8202 | |
name: replication | |
readinessProbe: | |
# Check status; unsealed vault servers return 0 | |
# The exit code reflects the seal status: | |
# 0 - unsealed | |
# 1 - error | |
# 2 - sealed | |
exec: | |
command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] | |
failureThreshold: 2 | |
initialDelaySeconds: 5 | |
periodSeconds: 3 | |
successThreshold: 1 | |
timeoutSeconds: 5 | |
lifecycle: | |
# Vault container doesn't receive SIGTERM from Kubernetes | |
# and after the grace period ends, Kube sends SIGKILL. This | |
# causes issues with graceful shutdowns such as deregistering itself | |
# from Consul (zombie services). | |
preStop: | |
exec: | |
command: [ | |
"/bin/sh", "-c", | |
# Adding a sleep here to give the pod eviction a | |
# chance to propagate, so requests will not be made | |
# to this pod while it's terminating | |
"sleep 5 && kill -SIGTERM $(pidof vault)", | |
] | |
volumeClaimTemplates: | |
- metadata: | |
name: data | |
spec: | |
accessModes: | |
- ReadWriteOnce | |
resources: | |
requests: | |
storage: 100Mi | |
--- | |
# Source: vault/templates/injector-mutating-webhook.yaml | |
apiVersion: admissionregistration.k8s.io/v1beta1 | |
kind: MutatingWebhookConfiguration | |
metadata: | |
name: spinnaker-vault-agent-injector-cfg | |
labels: | |
app.kubernetes.io/name: vault-agent-injector | |
app.kubernetes.io/instance: spinnaker | |
app.kubernetes.io/managed-by: Helm | |
webhooks: | |
- name: vault.hashicorp.com | |
clientConfig: | |
service: | |
name: spinnaker-vault-agent-injector-svc | |
namespace: vault | |
path: "/mutate" | |
caBundle: | |
rules: | |
- operations: ["CREATE", "UPDATE"] | |
apiGroups: [""] | |
apiVersions: ["v1"] | |
resources: ["pods"] | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment