Last active
October 19, 2023 10:08
-
-
Save k4kratik/8a18b1d0a4b40debe06fc0614efa3508 to your computer and use it in GitHub Desktop.
Vault Deployment for Vault Operator with External Secrets for Kubernetes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: "vault.banzaicloud.com/v1alpha1" | |
kind: "Vault" | |
metadata: | |
name: "vault" | |
labels: | |
app.kubernetes.io/name: vault | |
namespace: vault-operator | |
spec: | |
size: 3 | |
image: vault:1.13.3 | |
# Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running | |
serviceAccount: vault | |
# Specify the Service's type where the Vault Service is exposed | |
# Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce | |
# forces you to expose your Service on a NodePort | |
serviceType: NodePort | |
# Request an Ingress controller with the default configuration | |
ingress: | |
# Specify Ingress object annotations here, if TLS is enabled (which is by default) | |
# the operator will add NGINX, Traefik and HAProxy Ingress compatible annotations | |
# to support TLS backends | |
annotations: {} | |
# Override the default Ingress specification here | |
# This follows the same format as the standard Kubernetes Ingress | |
# See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#ingressspec-v1beta1-extensions | |
spec: {} | |
# Use local disk to store Vault raft data, see config section. | |
volumeClaimTemplates: | |
- metadata: | |
name: vault-raft | |
spec: | |
accessModes: | |
- ReadWriteOnce | |
volumeMode: Filesystem | |
resources: | |
requests: | |
storage: 1Gi | |
volumeMounts: | |
- name: vault-raft | |
mountPath: /vault/file | |
# Add Velero fsfreeze sidecar container and supporting hook annotations to Vault Pods: | |
# https://velero.io/docs/v1.2.0/hooks/ | |
veleroEnabled: true | |
# Support for distributing the generated CA certificate Secret to other namespaces. | |
# Define a list of namespaces or use ["*"] for all namespaces. | |
caNamespaces: | |
- "vswh" | |
# Describe where you would like to store the Vault unseal keys and root token. | |
unsealConfig: | |
options: | |
# The preFlightChecks flag enables unseal and root token storage tests | |
# This is true by default | |
preFlightChecks: true | |
# The storeRootToken flag enables storing of root token in chosen storage | |
# This is true by default | |
storeRootToken: true | |
kubernetes: | |
secretNamespace: vault-operator | |
# A YAML representation of a final vault config file. | |
# See https://www.vaultproject.io/docs/configuration/ for more information. | |
config: | |
storage: | |
raft: | |
path: "/vault/file" | |
listener: | |
tcp: | |
address: "0.0.0.0:8200" | |
tls_cert_file: /vault/tls/server.crt | |
tls_key_file: /vault/tls/server.key | |
telemetry: | |
unauthenticated_metrics_access: true | |
api_addr: https://vault.vault-operator.svc:8200/ | |
telemetry: | |
prometheus_retention_time: 30s | |
disable_hostname: true | |
# statsd_address: localhost:9125 | |
cluster_addr: "https://${.Env.POD_NAME}:8201" | |
ui: true | |
statsdDisabled: false | |
serviceRegistrationEnabled: true | |
resources: | |
# A YAML representation of resource ResourceRequirements for vault container | |
# Detail can reference: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container | |
vault: | |
limits: | |
memory: "512Mi" | |
cpu: "200m" | |
requests: | |
memory: "256Mi" | |
cpu: "100m" | |
# See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration | |
# The repository also contains a lot examples in the deploy/ and operator/deploy directories. | |
externalConfig: | |
policies: | |
- name: ro_access_policy # creating this policy for external secrets, as it only need read access | |
rules: path "secret/data/*" { | |
capabilities = ["read"] | |
} | |
- name: rw_access_policy | |
rules: path "secret/*" { | |
capabilities = ["read", "list", "update"] | |
} | |
- name: vault_admin # https://developer.hashicorp.com/vault/tutorials/policies/policies#write-a-policy | |
rules: | | |
# Read system health check | |
path "sys/health" {capabilities = ["read", "sudo"]} | |
# Create and manage ACL policies broadly across Vault | |
# List existing policies | |
path "sys/policies/acl" {capabilities = ["list"]} | |
# Create and manage ACL policies | |
path "sys/policies/acl/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]} | |
# Enable and manage authentication methods broadly across Vault | |
# Manage auth methods broadly across Vault | |
path "auth/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]} | |
# Create, update, and delete auth methods | |
path "sys/auth/*" {capabilities = ["create", "update", "delete", "sudo"]} | |
# List auth methods | |
path "sys/auth" {capabilities = ["read"]} | |
# Enable and manage the key/value secrets engine at `secret/` path | |
# List, create, update, and delete key/value secrets | |
path "secret/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]} | |
# Manage secrets engines | |
path "sys/mounts/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]} | |
# List existing secrets engines. | |
path "sys/mounts" {capabilities = ["read"]} | |
auth: | |
- type: kubernetes | |
path: k8s-one # you can use single vault for multiple k8s clusters | |
config: | |
token_reviewer_jwt: TOKEN_REVIEWER_JWT_TOKEN_HERE | |
kubernetes_ca_cert: | | |
-----BEGIN CERTIFICATE----- | |
CERTIFICATE BODY | |
-----END CERTIFICATE----- | |
kubernetes_host: https://kubernetes.default.svc:443 | |
disable_issuer_verification: true | |
roles: | |
# Allow External Secrets pods to fetch secrets to create secret store | |
- name: k8s-one-external-secrets-role | |
bound_service_account_names: ["external-secrets"] | |
bound_service_account_namespaces: ["external-secrets"] | |
token_policies: ro_access_policy | |
token_max_ttl: 1h | |
# https://www.vaultproject.io/api-docs/auth/github | |
- type: github | |
path: github | |
config: | |
organization: GITHUB_ORGANIZATION_NAME_HERE | |
token_ttl: 1h | |
map: | |
teams: | |
# GITHUB_TEAM_NAME_HERE: POLICY_NAME_HERE | |
DEV_RO: ro_access_policy | |
DEV_RW: rw_access_policy | |
users: | |
# GITHUB_USERNAME_NAME_HERE: POLICY_NAME_HERE | |
k4kratik: vault_admin | |
secrets: | |
- path: secret | |
type: kv | |
description: General secrets. | |
options: | |
version: 2 | |
# Allows writing some secrets to Vault (useful for development purposes). | |
# See https://www.vaultproject.io/docs/secrets/kv/index.html for more information. | |
startupSecrets: | |
- type: kv | |
path: secret/data/TEST_PROJECT_ONE/test | |
data: | |
data: | |
Hello: World | |
audit: | |
- type: file | |
path: file | |
description: "File based audit logging device" | |
options: | |
file_path: stdout | |
hmac_accessor: "false" | |
vaultEnvsConfig: | |
- name: VAULT_LOG_LEVEL | |
value: info |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment