k4kratik/vault-deploy.yml

## vault-deploy.yml
apiVersion: "vault.banzaicloud.com/v1alpha1"
kind: "Vault"
metadata:
  name: "vault"
  labels:
    app.kubernetes.io/name: vault
  namespace: vault-operator
spec:
  size: 3
  image: vault:1.13.3

  # Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
  serviceAccount: vault

  # Specify the Service's type where the Vault Service is exposed
  # Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce
  # forces you to expose your Service on a NodePort
  serviceType: NodePort

  # Request an Ingress controller with the default configuration
  ingress:
    # Specify Ingress object annotations here, if TLS is enabled (which is by default)
    # the operator will add NGINX, Traefik and HAProxy Ingress compatible annotations
    # to support TLS backends
    annotations: {}
    # Override the default Ingress specification here
    # This follows the same format as the standard Kubernetes Ingress
    # See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#ingressspec-v1beta1-extensions
    spec: {}

  # Use local disk to store Vault raft data, see config section.
  volumeClaimTemplates:
    - metadata:
        name: vault-raft
      spec:
        accessModes:
          - ReadWriteOnce
        volumeMode: Filesystem
        resources:
          requests:
            storage: 1Gi

  volumeMounts:
    - name: vault-raft
      mountPath: /vault/file

  # Add Velero fsfreeze sidecar container and supporting hook annotations to Vault Pods:
  # https://velero.io/docs/v1.2.0/hooks/
  veleroEnabled: true

  # Support for distributing the generated CA certificate Secret to other namespaces.
  # Define a list of namespaces or use ["*"] for all namespaces.
  caNamespaces:
    - "vswh"

  # Describe where you would like to store the Vault unseal keys and root token.
  unsealConfig:
    options:
      # The preFlightChecks flag enables unseal and root token storage tests
      # This is true by default
      preFlightChecks: true
      # The storeRootToken flag enables storing of root token in chosen storage
      # This is true by default
      storeRootToken: true
    kubernetes:
      secretNamespace: vault-operator

  # A YAML representation of a final vault config file.
  # See https://www.vaultproject.io/docs/configuration/ for more information.
  config:
    storage:
      raft:
        path: "/vault/file"
    listener:
      tcp:
        address: "0.0.0.0:8200"
        tls_cert_file: /vault/tls/server.crt
        tls_key_file: /vault/tls/server.key
        telemetry:
          unauthenticated_metrics_access: true
    api_addr: https://vault.vault-operator.svc:8200/
    telemetry:
      prometheus_retention_time: 30s
      disable_hostname: true
      # statsd_address: localhost:9125
    cluster_addr: "https://${.Env.POD_NAME}:8201"
    ui: true

  statsdDisabled: false

  serviceRegistrationEnabled: true

  resources:
    # A YAML representation of resource ResourceRequirements for vault container
    # Detail can reference: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container
    vault:
      limits:
        memory: "512Mi"
        cpu: "200m"
      requests:
        memory: "256Mi"
        cpu: "100m"

  # See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
  # The repository also contains a lot examples in the deploy/ and operator/deploy directories.
  externalConfig:
    policies:
      - name: ro_access_policy # creating this policy for external secrets, as it only need read access
        rules: path "secret/data/*" {
          capabilities = ["read"]
          }

      - name: rw_access_policy
        rules: path "secret/*" {
          capabilities = ["read", "list", "update"]
          }
      - name: vault_admin # https://developer.hashicorp.com/vault/tutorials/policies/policies#write-a-policy
        rules: |
          # Read system health check
          path "sys/health" {capabilities = ["read", "sudo"]}

          # Create and manage ACL policies broadly across Vault

          # List existing policies
          path "sys/policies/acl" {capabilities = ["list"]}

          # Create and manage ACL policies
          path "sys/policies/acl/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

          # Enable and manage authentication methods broadly across Vault

          # Manage auth methods broadly across Vault
          path "auth/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

          # Create, update, and delete auth methods
          path "sys/auth/*" {capabilities = ["create", "update", "delete", "sudo"]}

          # List auth methods
          path "sys/auth" {capabilities = ["read"]}

          # Enable and manage the key/value secrets engine at `secret/` path
          # List, create, update, and delete key/value secrets
          path "secret/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

          # Manage secrets engines
          path "sys/mounts/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

          # List existing secrets engines.
          path "sys/mounts" {capabilities = ["read"]}

    auth:
      - type: kubernetes
        path: k8s-one # you can use single vault for multiple k8s clusters
        config:
          token_reviewer_jwt: TOKEN_REVIEWER_JWT_TOKEN_HERE
          kubernetes_ca_cert: |
            -----BEGIN CERTIFICATE-----
            CERTIFICATE BODY
            -----END CERTIFICATE-----
          kubernetes_host: https://kubernetes.default.svc:443
          disable_issuer_verification: true
        roles:
          # Allow External Secrets pods to fetch secrets to create secret store
          - name: k8s-one-external-secrets-role
            bound_service_account_names: ["external-secrets"]
            bound_service_account_namespaces: ["external-secrets"]
            token_policies: ro_access_policy
            token_max_ttl: 1h

      # https://www.vaultproject.io/api-docs/auth/github
      - type: github
        path: github
        config:
          organization: GITHUB_ORGANIZATION_NAME_HERE
          token_ttl: 1h
        map:
          teams:
            # GITHUB_TEAM_NAME_HERE: POLICY_NAME_HERE
            DEV_RO: ro_access_policy
            DEV_RW: rw_access_policy
          users:
            # GITHUB_USERNAME_NAME_HERE: POLICY_NAME_HERE
            k4kratik: vault_admin

    secrets:
      - path: secret
        type: kv
        description: General secrets.
        options:
          version: 2

    # Allows writing some secrets to Vault (useful for development purposes).
    # See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
    startupSecrets:
      - type: kv
        path: secret/data/TEST_PROJECT_ONE/test
        data:
          data:
            Hello: World

    audit:
      - type: file
        path: file
        description: "File based audit logging device"
        options:
          file_path: stdout
          hmac_accessor: "false"

  vaultEnvsConfig:
    - name: VAULT_LOG_LEVEL
      value: info
	apiVersion: "vault.banzaicloud.com/v1alpha1"
	kind: "Vault"
	metadata:
	name: "vault"
	labels:
	app.kubernetes.io/name: vault
	namespace: vault-operator
	spec:
	size: 3
	image: vault:1.13.3

	# Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
	serviceAccount: vault

	# Specify the Service's type where the Vault Service is exposed
	# Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce
	# forces you to expose your Service on a NodePort
	serviceType: NodePort

	# Request an Ingress controller with the default configuration
	ingress:
	# Specify Ingress object annotations here, if TLS is enabled (which is by default)
	# the operator will add NGINX, Traefik and HAProxy Ingress compatible annotations
	# to support TLS backends
	annotations: {}
	# Override the default Ingress specification here
	# This follows the same format as the standard Kubernetes Ingress
	# See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#ingressspec-v1beta1-extensions
	spec: {}

	# Use local disk to store Vault raft data, see config section.
	volumeClaimTemplates:
	- metadata:
	name: vault-raft
	spec:
	accessModes:
	- ReadWriteOnce
	volumeMode: Filesystem
	resources:
	requests:
	storage: 1Gi

	volumeMounts:
	- name: vault-raft
	mountPath: /vault/file

	# Add Velero fsfreeze sidecar container and supporting hook annotations to Vault Pods:
	# https://velero.io/docs/v1.2.0/hooks/
	veleroEnabled: true

	# Support for distributing the generated CA certificate Secret to other namespaces.
	# Define a list of namespaces or use ["*"] for all namespaces.
	caNamespaces:
	- "vswh"

	# Describe where you would like to store the Vault unseal keys and root token.
	unsealConfig:
	options:
	# The preFlightChecks flag enables unseal and root token storage tests
	# This is true by default
	preFlightChecks: true
	# The storeRootToken flag enables storing of root token in chosen storage
	# This is true by default
	storeRootToken: true
	kubernetes:
	secretNamespace: vault-operator

	# A YAML representation of a final vault config file.
	# See https://www.vaultproject.io/docs/configuration/ for more information.
	config:
	storage:
	raft:
	path: "/vault/file"
	listener:
	tcp:
	address: "0.0.0.0:8200"
	tls_cert_file: /vault/tls/server.crt
	tls_key_file: /vault/tls/server.key
	telemetry:
	unauthenticated_metrics_access: true
	api_addr: https://vault.vault-operator.svc:8200/
	telemetry:
	prometheus_retention_time: 30s
	disable_hostname: true
	# statsd_address: localhost:9125
	cluster_addr: "https://${.Env.POD_NAME}:8201"
	ui: true

	statsdDisabled: false

	serviceRegistrationEnabled: true

	resources:
	# A YAML representation of resource ResourceRequirements for vault container
	# Detail can reference: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container
	vault:
	limits:
	memory: "512Mi"
	cpu: "200m"
	requests:
	memory: "256Mi"
	cpu: "100m"

	# See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
	# The repository also contains a lot examples in the deploy/ and operator/deploy directories.
	externalConfig:
	policies:
	- name: ro_access_policy # creating this policy for external secrets, as it only need read access
	rules: path "secret/data/*" {
	capabilities = ["read"]
	}

	- name: rw_access_policy
	rules: path "secret/*" {
	capabilities = ["read", "list", "update"]
	}
	- name: vault_admin # https://developer.hashicorp.com/vault/tutorials/policies/policies#write-a-policy
	rules: \|
	# Read system health check
	path "sys/health" {capabilities = ["read", "sudo"]}

	# Create and manage ACL policies broadly across Vault

	# List existing policies
	path "sys/policies/acl" {capabilities = ["list"]}

	# Create and manage ACL policies
	path "sys/policies/acl/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

	# Enable and manage authentication methods broadly across Vault

	# Manage auth methods broadly across Vault
	path "auth/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

	# Create, update, and delete auth methods
	path "sys/auth/*" {capabilities = ["create", "update", "delete", "sudo"]}

	# List auth methods
	path "sys/auth" {capabilities = ["read"]}

	# Enable and manage the key/value secrets engine at `secret/` path
	# List, create, update, and delete key/value secrets
	path "secret/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

	# Manage secrets engines
	path "sys/mounts/*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

	# List existing secrets engines.
	path "sys/mounts" {capabilities = ["read"]}

	auth:
	- type: kubernetes
	path: k8s-one # you can use single vault for multiple k8s clusters
	config:
	token_reviewer_jwt: TOKEN_REVIEWER_JWT_TOKEN_HERE
	kubernetes_ca_cert: \|
	-----BEGIN CERTIFICATE-----
	CERTIFICATE BODY
	-----END CERTIFICATE-----
	kubernetes_host: https://kubernetes.default.svc:443
	disable_issuer_verification: true
	roles:
	# Allow External Secrets pods to fetch secrets to create secret store
	- name: k8s-one-external-secrets-role
	bound_service_account_names: ["external-secrets"]
	bound_service_account_namespaces: ["external-secrets"]
	token_policies: ro_access_policy
	token_max_ttl: 1h

	# https://www.vaultproject.io/api-docs/auth/github
	- type: github
	path: github
	config:
	organization: GITHUB_ORGANIZATION_NAME_HERE
	token_ttl: 1h
	map:
	teams:
	# GITHUB_TEAM_NAME_HERE: POLICY_NAME_HERE
	DEV_RO: ro_access_policy
	DEV_RW: rw_access_policy
	users:
	# GITHUB_USERNAME_NAME_HERE: POLICY_NAME_HERE
	k4kratik: vault_admin

	secrets:
	- path: secret
	type: kv
	description: General secrets.
	options:
	version: 2

	# Allows writing some secrets to Vault (useful for development purposes).
	# See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
	startupSecrets:
	- type: kv
	path: secret/data/TEST_PROJECT_ONE/test
	data:
	data:
	Hello: World

	audit:
	- type: file
	path: file
	description: "File based audit logging device"
	options:
	file_path: stdout
	hmac_accessor: "false"

	vaultEnvsConfig:
	- name: VAULT_LOG_LEVEL
	value: info