# Three Argo CD "Application" objects, applied with the kubectl provider
# (server-side apply), that bootstrap the bank-vaults stack into the "vault"
# namespace of the same cluster: the operator, the secrets-injecting webhook
# and one Vault instance described as a bank-vaults "Vault" custom resource.
#
# References resolved elsewhere in this module (not visible here):
#   helm_release.argocd  - the Argo CD release whose namespace receives the Applications
#   local.common_labels  - labels stamped on every Application
#   local.sync_policy    - the shared Argo CD syncPolicy
#   var.cluster_domain   - DNS suffix used for the Vault ingress host

# bank-vaults operator: reconciles "Vault" custom resources (see the third
# resource below) into running Vault pods.
resource "kubectl_manifest" "vault_operator" {
  server_side_apply = true
  yaml_body = yamlencode({
    apiVersion = "argoproj.io/v1alpha1"
    kind       = "Application"
    metadata = {
      name       = "vault-operator"
      namespace  = helm_release.argocd.namespace
      # Argo CD deletes the deployed resources when the Application is removed.
      finalizers = ["resources-finalizer.argocd.argoproj.io"]
      labels     = local.common_labels
    }
    spec = {
      project = "default"
      destination = {
        name      = "in-cluster"
        namespace = "vault"
      }
      syncPolicy = local.sync_policy
      source = {
        # OCI chart reference: registry host in repoURL, full path in chart.
        # NOTE(review): presumably "ghcr.io" is registered in Argo CD as an
        # OCI Helm repository; verify, otherwise the sync fails at fetch time.
        repoURL        = "ghcr.io"
        chart          = "bank-vaults/helm-charts/vault-operator"
        targetRevision = "1.23.0"
      }
    }
  })
}

# bank-vaults mutating webhook: injects secrets from Vault into workloads.
resource "kubectl_manifest" "vault_secrets_webhook" {
  server_side_apply = true
  yaml_body = yamlencode({
    apiVersion = "argoproj.io/v1alpha1"
    kind       = "Application"
    metadata = {
      name       = "vault-secrets-webhook"
      namespace  = helm_release.argocd.namespace
      finalizers = ["resources-finalizer.argocd.argoproj.io"]
      labels     = local.common_labels
    }
    spec = {
      project = "default"
      destination = {
        name      = "in-cluster"
        namespace = "vault"
      }
      syncPolicy = local.sync_policy
      source = {
        repoURL        = "ghcr.io"
        chart          = "bank-vaults/helm-charts/vault-secrets-webhook"
        targetRevision = "1.22.0"
        helm = {
          valuesObject = {
            env = {
              # In-cluster Service of the Vault instance below, over plain HTTP:
              # the Vault listener is configured with tls_disable = true, so
              # webhook <-> Vault traffic (including tokens and fetched secrets)
              # is unencrypted on the pod network. TLS is only terminated at the
              # public ingress. NOTE(review): acceptable only if the cluster
              # network is trusted or a mesh encrypts it - confirm.
              VAULT_ADDR = "http://vault-cluster.vault.svc.cluster.local:8200"
            }
          }
        }
      }
    }
  })
}

# The Vault instance itself, rendered through the bjw-s "app-template" chart so
# that the bank-vaults "Vault" CR, its ServiceAccount, RBAC and PVC all come out
# of one chart release.
resource "kubectl_manifest" "vault" {
  server_side_apply = true
  yaml_body = yamlencode({
    apiVersion = "argoproj.io/v1alpha1"
    kind       = "Application"
    metadata = {
      name       = "vault"
      namespace  = helm_release.argocd.namespace
      finalizers = ["resources-finalizer.argocd.argoproj.io"]
      labels     = local.common_labels
    }
    spec = {
      project = "default"
      destination = {
        name      = "in-cluster"
        namespace = "vault"
      }
      syncPolicy = local.sync_policy
      source = {
        repoURL        = "https://bjw-s-labs.github.io/helm-charts"
        chart          = "app-template"
        targetRevision = "3.7.3"
        helm = {
          valuesObject = {
            # Arbitrary manifests emitted verbatim by app-template.
            rawResources = {
              cluster = {
                apiVersion = "vault.banzaicloud.com/v1alpha1"
                kind       = "Vault"
                spec = {
                  spec = {
                    # Single replica on a local file backend: no HA, and the
                    # PVC below is the only copy of the data.
                    size           = 1
                    image          = "docker.io/hashicorp/vault:1.20.2"
                    serviceAccount = "vault"
                    # Vault server configuration (vault.hcl equivalent).
                    config = {
                      storage = {
                        file = {
                          path = "/vault/data"
                        }
                      }
                      listener = {
                        tcp = {
                          address = "0.0.0.0:8200"
                          # Plain HTTP listener; see the VAULT_ADDR note on the
                          # webhook and the ingress TLS block further down.
                          tls_disable = true
                        }
                      }
                      # Web UI enabled - it is reachable on the public ingress
                      # host below with only Vault's own login in front of it.
                      ui = true
                    }
                    # Operator-managed auto-unseal backed by a Kubernetes Secret.
                    # NOTE(review): with this mode the operator keeps the unseal
                    # keys (and initial root token) in a Secret in the release
                    # namespace, so "read secrets" in that namespace is
                    # effectively full control of Vault - confirm and restrict
                    # who can read Secrets there.
                    unsealConfig = {
                      kubernetes = {
                        # Rendered by Helm when the chart is templated.
                        secretNamespace = "{{ .Release.Namespace }}"
                      }
                    }
                    # Declarative Vault configuration applied by the operator
                    # after unseal: secret engines, policies and auth methods.
                    externalConfig = {
                      secrets = [
                        {
                          # KV v2 engine mounted at "secret/".
                          path = "secret"
                          type = "kv"
                          options = {
                            version = 2
                          }
                        }
                      ]
                      policies = [
                        {
                          name = "allow_secrets"
                          # TODO make it less ugly
                          # Policy body lives beside this module; its contents
                          # (and therefore what "allow_secrets" really grants)
                          # are not visible here.
                          rules = file("${path.module}/vault-policies/allow_secrets.hcl")
                        }
                      ]
                      auth = [
                        {
                          type = "kubernetes"
                          roles = [
                            {
                              # TODO optimize this
                              # NOTE(review): "*" for both service account names
                              # and namespaces means any pod in the cluster can
                              # log in and receive allow_secrets for 1h. Scope
                              # these to the namespaces / service accounts that
                              # actually consume secrets (e.g. the ones the
                              # webhook injects into).
                              name                             = "default"
                              bound_service_account_names      = ["*"]
                              bound_service_account_namespaces = ["*"]
                              policies                         = ["allow_secrets"]
                              ttl                              = "1h"
                            }
                          ]
                        }
                      ]
                    }
                    # Data directory backed by the PVC created by the
                    # "persistence" values below (claimName matches its key).
                    volumes = [{
                      name = "vault-data"
                      persistentVolumeClaim = {
                        claimName = "vault-data"
                      }
                    }]
                    volumeMounts = [{
                      name      = "vault-data"
                      mountPath = "/vault/data"
                    }]
                    # Public exposure of the API/UI; TLS certificate issued by
                    # cert-manager via the "letsencrypt-prod" ClusterIssuer.
                    ingress = {
                      annotations = {
                        "cert-manager.io/cluster-issuer" = "letsencrypt-prod"
                      }
                      spec = {
                        ingressClassName = "nginx"
                        rules = [{
                          host = "vault.${var.cluster_domain}"
                          http = {
                            paths = [{
                              backend = {
                                service = {
                                  # Service name matches the VAULT_ADDR used by
                                  # the webhook above.
                                  name = "vault-cluster"
                                  port = {
                                    "number" = 8200
                                  }
                                }
                              }
                              path     = "/"
                              pathType = "Prefix"
                            }]
                          }
                        }]
                        tls = [{
                          hosts      = ["vault.${var.cluster_domain}"]
                          secretName = "vault-tls-certificate"
                        }]
                      }
                    }
                  }
                }
              }
            }
            # ServiceAccount "vault" referenced by the CR and the bindings below.
            serviceAccount = {
              create = true
            }
            rbac = {
              roles = {
                vault = {
                  # Namespace-scoped. Full access to Secrets is what lets the
                  # operator/Vault store unseal material in this namespace;
                  # pod get/update/patch is needed for the operator to manage
                  # the Vault pods. NOTE(review): "*" on secrets includes
                  # list/watch/delete - check whether the operator needs more
                  # than get/create/update here.
                  type = "Role"
                  rules = [{
                    apiGroups = [""]
                    resources = ["secrets"]
                    verbs     = ["*"]
                  }, {
                    apiGroups = [""]
                    resources = ["pods"]
                    verbs     = ["get", "update", "patch"]
                  }]
                }
              }
              bindings = {
                namespace = {
                  # forceRename keeps the object name "vault" instead of the
                  # chart's generated name.
                  forceRename = "vault"
                  type        = "RoleBinding"
                  roleRef = {
                    apiGroup = "rbac.authorization.k8s.io"
                    kind     = "Role"
                    name     = "vault"
                  }
                  subjects = [{
                    kind      = "ServiceAccount"
                    namespace = "{{ .Release.Namespace }}"
                    name      = "vault"
                  }]
                }
                cluster = {
                  # Cluster-wide binding to the built-in auth-delegator role,
                  # presumably so Vault's kubernetes auth method can call
                  # TokenReview to validate service account tokens - verify.
                  forceRename = "vault"
                  type        = "ClusterRoleBinding"
                  roleRef = {
                    apiGroup = "rbac.authorization.k8s.io"
                    kind     = "ClusterRole"
                    name     = "system:auth-delegator"
                  }
                  subjects = [{
                    kind      = "ServiceAccount"
                    namespace = "{{ .Release.Namespace }}"
                    name      = "vault"
                  }]
                }
              }
            }
            # PVC "vault-data" mounted at /vault/data above.
            persistence = {
              data = {
                accessMode = "ReadWriteOnce"
                size       = "2Gi"
              }
            }
          }
        }
      }
    }
  })
}