Conjur running using k8s secrets
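#!/usr/bin/env bash
#
# Load a Conjur follower's TLS material and data key into Kubernetes secrets.
#
# Reads tmp/follower-seed.tar (relative to this script), extracts the CA cert,
# the follower cert/key pair and the CONJUR_DATA_KEY from it, then creates the
# conjur-ca-cert, conjur-data-key and conjur-follower-cert secrets in the
# current kubectl context.
#
# Usage: <script> [extra kubectl args...]
#   Any arguments are appended to every `kubectl create secret` invocation
#   (for example a --namespace flag).
#
# Requires: tar with --strip-components, kubectl, and a ./remove_cert_secrets
# helper in the working directory.
#
# Shell options live in `set` rather than the shebang so they also apply when
# the script is started as `bash <script>`.
set -euo pipefail

# Every file this script writes is key material; make new files owner-only.
umask 077

readonly CURRENT_DIR=$(dirname "$0")
readonly SEED_FILES_DIR="$CURRENT_DIR/tmp"
readonly FOLLOWER_SEED_FILE="$SEED_FILES_DIR/follower-seed.tar"
readonly TEMP_CERT_DIR="$CURRENT_DIR/tmp"

# TODO: Figure out what conjur.pem/key links point to first instead of hardcoding
# conjur-follower prefix
readonly REQUIRED_SSL_CERTS=( "ca.pem"
                              "conjur-follower.pem"
                              "conjur-follower.key" )

# Path of the data key inside the seed archive. The file holds a
# `CONJUR_DATA_KEY=<value>` line; only <value> goes into the secret.
readonly CONJUR_DATA_KEY_FILE="/opt/conjur/etc/possum.key"

# Print an error to stderr and abort.
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

if [[ ! -f "$FOLLOWER_SEED_FILE" ]]; then
  die "You haven't pulled the seed file from master into $SEED_FILES_DIR"
fi

echo "Extracting relevant certs..."
for cert_file in "${REQUIRED_SSL_CERTS[@]}"; do
  target_file="$TEMP_CERT_DIR/$cert_file"
  echo "Extracting $FOLLOWER_SEED_FILE:$cert_file into $target_file..."
  rm -f -- "$target_file"
  # The strip-components flag is to avoid extraction into the nested directories
  # matching the archive
  tar -xf "$FOLLOWER_SEED_FILE" \
      --strip-components=5 \
      -C "$SEED_FILES_DIR" \
      "/opt/conjur/etc/ssl/$cert_file"
  # --strip-components is hardcoded to the archive layout; fail here rather
  # than later inside `kubectl create secret` if the file landed elsewhere.
  [[ -f "$target_file" ]] || die "$cert_file was not extracted to $target_file"
done

target_file="$TEMP_CERT_DIR/possum.key"
echo "Extracting $FOLLOWER_SEED_FILE:$CONJUR_DATA_KEY_FILE into $target_file..."
rm -f -- "$target_file"
# The strip-components flag is to avoid extraction into the nested directories
# matching the archive
tar -xf "$FOLLOWER_SEED_FILE" \
    --strip-components=4 \
    -C "$SEED_FILES_DIR" \
    "$CONJUR_DATA_KEY_FILE"
[[ -f "$target_file" ]] || die "data key was not extracted to $target_file"

# Strip the `CONJUR_DATA_KEY=` prefix so the secret holds the bare key. The
# input path is anchored on SEED_FILES_DIR so the script works from any cwd.
# $(...) drops trailing newlines and printf re-adds exactly one.
readonly DATA_KEY_FILE="$SEED_FILES_DIR/conjur_data_key.txt"
printf '%s\n' "$(sed 's/CONJUR_DATA_KEY=//g' "$target_file")" > "$DATA_KEY_FILE"

CONTEXT=$(kubectl config current-context)

# --save-config=false: we may want to save the config for kubectl apply later.
# Extra CLI args are kept as array elements so values with spaces survive.
KUBECTL_ARGS=(--save-config=false "$@")

echo "Using context: $CONTEXT"

echo "Deleting old secrets (if present)..."
# Best-effort: a failure here (e.g. no secrets exist yet) must not abort the
# run. NOTE: resolved relative to the working directory, not to this script.
./remove_cert_secrets || true

echo "Creating CA cert secret..."
kubectl create secret generic conjur-ca-cert "${KUBECTL_ARGS[@]}" \
  --from-file="$SEED_FILES_DIR/ca.pem"

echo "Creating CONJUR_DATA_KEY secret..."
kubectl create secret generic conjur-data-key "${KUBECTL_ARGS[@]}" \
  --from-file="$DATA_KEY_FILE"

echo "Creating conjur follower cert/key secret..."
kubectl create secret tls conjur-follower-cert "${KUBECTL_ARGS[@]}" \
  --cert="$SEED_FILES_DIR/conjur-follower.pem" \
  --key="$SEED_FILES_DIR/conjur-follower.key"

# NOTE: the extracted certs, possum.key and conjur_data_key.txt remain in
# SEED_FILES_DIR after this script finishes; remove them once the secrets
# are confirmed in place.
echo
kubectl get secrets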
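# Conjur follower on Kubernetes: one pod running postgres (conjur-pg), nginx
# (conjur-nginx) and the Conjur app (conjur-possum). TLS material and the
# data key are mounted from the conjur-ca-cert, conjur-follower-cert and
# conjur-data-key secrets created by the setup script.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: conjur-follower
spec:
  replicas: 1
  selector:
    matchLabels:
      app: conjur-follower
  strategy:
    # Recreate: the existing pod is removed before the replacement starts.
    type: Recreate
  template:
    metadata:
      labels:
        app: conjur-follower
    spec:
      containers:
        - name: conjur-pg
          env:
            - name: DEBUG_CONTAINER
              value: "false"
          image: conjur-pg
          # Never: the image must already be present on the node (local build).
          imagePullPolicy: Never
          livenessProbe:
            tcpSocket:
              port: 5432
            initialDelaySeconds: 1
            periodSeconds: 1
            timeoutSeconds: 5
            # 1 seconds * 180 = 3 minutes
            failureThreshold: 180
          readinessProbe:
            tcpSocket:
              port: 5432
            initialDelaySeconds: 1
            periodSeconds: 1
            timeoutSeconds: 5
            # 1 seconds * 180 = 3 minutes
            failureThreshold: 180
          volumeMounts:
            - name: conjur-ca-cert-volume
              mountPath: /opt/conjur/etc/ssl/ca
              readOnly: true
            - name: conjur-follower-cert-volume
              mountPath: /opt/conjur/etc/ssl/follower
              readOnly: true
            # Backed by an emptyDir (see volumes): the database is discarded
            # when the pod is deleted and has to be re-seeded.
            - name: conjur-pg-main-db
              mountPath: /var/lib/postgresql/9.4
        - name: conjur-nginx
          image: conjur-nginx
          imagePullPolicy: Never
          livenessProbe:
            httpGet:
              path: /status
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 1
            periodSeconds: 1
            timeoutSeconds: 2
            # 1 seconds * 180 = 3 minutes
            failureThreshold: 180
          ports:
            - containerPort: 9000
            - containerPort: 9443
          readinessProbe:
            httpGet:
              path: /
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 20
            # 5 seconds * 36 = 3 minutes
            failureThreshold: 36
          volumeMounts:
            - name: conjur-ca-cert-volume
              mountPath: /opt/conjur/etc/ssl/ca
              readOnly: true
            - name: conjur-follower-cert-volume
              mountPath: /opt/conjur/etc/ssl/follower
              readOnly: true
        - name: conjur-possum
          env:
            - name: DEBUG_CONTAINER
              value: "false"
            # Containers in one pod share a network namespace, so postgres is
            # reached on localhost. The URL carries no password; access control
            # is whatever the conjur-pg image configures (not shown here).
            - name: DATABASE_URL
              value: "postgresql://conjur@localhost:5432"
          image: conjur-possum
          imagePullPolicy: Never
          livenessProbe:
            httpGet:
              path: /
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 20
            # 5 seconds * 36 = 3 minutes
            failureThreshold: 36
          readinessProbe:
            httpGet:
              path: /
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 20
            # 5 seconds * 36 = 3 minutes
            failureThreshold: 36
          volumeMounts:
            - name: conjur-data-key-volume
              mountPath: /opt/conjur/etc/conjur_data_key
              readOnly: true
      volumes:
        - name: conjur-ca-cert-volume
          secret:
            secretName: conjur-ca-cert
            # Permission == 0400. JSON spec doesn't support octal notation.
            defaultMode: 256
        - name: conjur-data-key-volume
          secret:
            secretName: conjur-data-key
            # Permission == 0400. JSON spec doesn't support octal notation.
            defaultMode: 256
        - name: conjur-follower-cert-volume
          secret:
            secretName: conjur-follower-cert
            # Permission == 0400. JSON spec doesn't support octal notation.
            defaultMode: 256
        - name: conjur-pg-main-db
          emptyDir: {}
---
# In-cluster entry point: TLS on 443, forwarded to nginx on 9443.
apiVersion: v1
kind: Service
metadata:
  name: conjur-follower
spec:
  ports:
    - name: "https"
      port: 443
      targetPort: 9443
  selector:
    app: conjur-follower
---
# Node-level entry point for access from outside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: conjur-follower-external
spec:
  type: NodePort
  ports:
    - name: nginx-https
      nodePort: 31001
      port: 443
      protocol: TCP
      targetPort: 9443
    # The plain-HTTP node ports (nginx 9000, possum 3000) are commented out,
    # so only TLS on 9443 is reachable from outside the cluster.
    # - name: nginx-http
    #   nodePort: 31002
    #   port: 80
    #   protocol: TCP
    #   targetPort: 9000
    # - name: possum-http
    #   nodePort: 31003
    #   port: 8080
    #   protocol: TCP
    #   targetPort: 3000
  selector:
    app: conjur-follower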