1
0

feat (molgenis-vault): Use vault-operator chart and etcd-operator chart to deploy a vault with backup secret.

This commit is contained in:
Fleur Kelpin 2018-09-07 15:13:00 +02:00
parent 4683bd6649
commit 7df68882b6
11 changed files with 104 additions and 137 deletions

View File

@ -1,5 +1,5 @@
apiVersion: v1 apiVersion: v1
appVersion: "1.0" appVersion: "1.0"
description: Vault for secrets description: MOLGENIS vault
name: molgenis-vault name: molgenis-vault
version: 0.1.0 version: 0.1.0

25
molgenis-vault/README.md Normal file
View File

@ -0,0 +1,25 @@
# MOLGENIS Vault helm chart
This chart creates a vault operator, but NO vault.
The vault operator defines a new custom resource named `vault` that you can use to create vaults.
After launching the operator, create the molgenis vault manually:
`kubectl create -f resources/vault.yaml`
That creates a new vault with two vault pods.
See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
The UI will be exposed on the host name you specify.
## Parameters
### Azure cloud credentials
Define credentials for backup to the Azure Blob Store.
See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
| Parameter | Description | Default |
| --------------- | ----------------------------- | ------------------ |
| `abs.account` | name of storage account | `fdlkops` |
| `abs.accessKey` | access key of storage account | `xxxx` |
| `abs.cloud` | name of cloud environment | `AzurePublicCloud` |

View File

@ -0,0 +1,12 @@
apiVersion: "etcd.database.coreos.com/v1beta2"
kind: "EtcdBackup"
metadata:
name: backup
namespace: "vault-operator"
spec:
etcdEndpoints: ["https://vault-etcd-client:2379"]
storageType: ABS
clientTLSSecret: vault-etcd-client-tls
abs:
path: vault/backup
absSecret: abs

View File

@ -0,0 +1,14 @@
apiVersion: "etcd.database.coreos.com/v1beta2"
kind: "EtcdRestore"
metadata:
# The restore CR name must be the same as spec.etcdCluster.name
name: vault-etcd
namespace: vault-operator
spec:
etcdCluster:
# The namespace is the same as this EtcdRestore CR
name: vault-etcd
backupStorageType: ABS
abs:
path: vault/backup
absSecret: abs

View File

@ -0,0 +1,8 @@
apiVersion: "vault.security.coreos.com/v1alpha1"
kind: "VaultService"
metadata:
name: "vault"
namespace: "vault-operator"
spec:
nodes: 2
version: "0.9.1-0"

View File

@ -1,19 +1 @@
1. Get the application URL by running these commands: Good luck!
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "molgenis-vault.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "molgenis-vault.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "molgenis-vault.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "molgenis-vault.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80
{{- end }}

View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: abs
type: Opaque
stringData:
storage-account: {{ .Values.abs.account }}
storage-key: {{ .Values.abs.accessKey }}
cloud: {{ .Values.abs.cloud }}

View File

@ -1,51 +0,0 @@
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: {{ template "molgenis-vault.fullname" . }}
labels:
app: {{ template "molgenis-vault.name" . }}
chart: {{ template "molgenis-vault.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "molgenis-vault.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "molgenis-vault.name" . }}
release: {{ .Release.Name }}
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}

View File

@ -1,19 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "molgenis-vault.fullname" . }}
labels:
app: {{ template "molgenis-vault.name" . }}
chart: {{ template "molgenis-vault.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app: {{ template "molgenis-vault.name" . }}
release: {{ .Release.Name }}

View File

@ -2,16 +2,41 @@
# This is a YAML-formatted file. # This is a YAML-formatted file.
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
replicaCount: 1 #abs details of the credentials to reach the azure backup storage
abs:
# account is the name of the Storage account
account: fdlkops
# access key for the Storage account
accessKey: xxxx
# default cloud
cloud: AzurePublicCloud
###
# All of the config variables related to setting up the etcd-operator
# If you want more information about the variables exposed, please visit:
# https://github.com/kubernetes/charts/tree/master/stable/etcd-operator#configuration
###
etcd-operator:
deployments:
etcdOperator: true
backupOperator: true
restoreOperator: true
serviceAccount:
etcdOperatorServiceAccount:
create: true
backupOperatorServiceAccount:
create: true
restoreOperatorServiceAccount:
create: true
etcdOperator:
image: image:
repository: nginx tag: v0.9.2
tag: stable backupOperator:
pullPolicy: IfNotPresent image:
tag: v0.9.2
service: restoreOperator:
type: ClusterIP image:
port: 80 tag: v0.9.2
ingress: ingress:
enabled: false enabled: false
@ -22,24 +47,4 @@ ingress:
hosts: hosts:
- chart-example.local - chart-example.local
tls: [] tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}

View File

@ -1,18 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system