feat (molgenis-vault): Use vault-operator chart and etcd-operator chart to deploy a vault with backup secret.
This commit is contained in:
parent
4683bd6649
commit
7df68882b6
@ -1,5 +1,5 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: "1.0"
|
appVersion: "1.0"
|
||||||
description: Vault for secrets
|
description: MOLGENIS vault
|
||||||
name: molgenis-vault
|
name: molgenis-vault
|
||||||
version: 0.1.0
|
version: 0.1.0
|
||||||
|
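--- a/molgenis-vault/README.md
+++ b/molgenis-vault/README.md
@@ -0,0 +1,25 @@
+# MOLGENIS Vault helm chart
+
+This chart creates a vault operator, but NO vault.
+The vault operator defines a new custom resource named `vault` that you can use to create vaults.
+
+After launching the operator, create the molgenis vault manually:
+`kubectl create -f resources/vault.yaml`
+
+That creates a new vault with two vault pods.
+
+See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
+
+The UI will be exposed on the host name you specify.
+
+## Parameters
+
+### Azure cloud credentials
+Define credentials for backup to the Azure Blob Store.
+See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
+
+| Parameter | Description | Default |
+| --------------- | ----------------------------- | ------------------ |
+| `abs.account` | name of storage account | `fdlkops` |
+| `abs.accessKey` | access key of storage account | `xxxx` |
+| `abs.cloud` | name of cloud environment | `AzurePublicCloud` |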
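--- a/molgenis-vault/resources/backup.yaml
+++ b/molgenis-vault/resources/backup.yaml
@@ -0,0 +1,12 @@
+apiVersion: "etcd.database.coreos.com/v1beta2"
+kind: "EtcdBackup"
+metadata:
+  name: backup
+  namespace: "vault-operator"
+spec:
+  etcdEndpoints: ["https://vault-etcd-client:2379"]
+  storageType: ABS
+  clientTLSSecret: vault-etcd-client-tls
+  abs:
+    path: vault/backup
+    absSecret: abs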
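Review bot: `absSecret: abs` on the last line refers to the Secret rendered from templates/abs-secret.yaml, but that template sets no namespace, so the Secret is created in whatever namespace the Helm release is installed into, while this EtcdBackup is pinned to `namespace: "vault-operator"`; unless the release lands in that same namespace the backup operator will not find the credentials. The same hardcoded namespace appears in resources/restore.yaml and resources/vault.yaml, and the README step `kubectl create -f resources/vault.yaml` never says the chart must be installed with `--namespace vault-operator`. Either add `namespace: vault-operator` to the Secret template's metadata or state the required release namespace in the README, and put a comment above `metadata:` here such as `# must match the namespace the molgenis-vault release (etcd-operator, vault-operator) was installed into`. A comment above `clientTLSSecret` naming where `vault-etcd-client-tls` comes from would also help (presumably issued by vault-operator for the vault-etcd cluster — confirm).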
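--- a/molgenis-vault/resources/restore.yaml
+++ b/molgenis-vault/resources/restore.yaml
@@ -0,0 +1,14 @@
+apiVersion: "etcd.database.coreos.com/v1beta2"
+kind: "EtcdRestore"
+metadata:
+  # The restore CR name must be the same as spec.etcdCluster.name
+  name: vault-etcd
+  namespace: vault-operator
+spec:
+  etcdCluster:
+    # The namespace is the same as this EtcdRestore CR
+    name: vault-etcd
+  backupStorageType: ABS
+  abs:
+    path: vault/backup
+    absSecret: abs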
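Review bot: Nothing in this file or in the README says when this resource is meant to be applied: an EtcdRestore named after the live cluster (`name: vault-etcd`) asks the restore operator to replace that cluster with the snapshot at `vault/backup` (per the etcd-operator restore docs, the existing cluster of that name is deleted and recreated — confirm against the version pinned in values.yaml), so applying it against a healthy vault discards the current data. Add a header comment such as `# Disaster recovery only: recreates the vault-etcd cluster from the ABS snapshot; do not apply while the cluster is healthy` and a matching sentence in the README next to the backup instructions. As a point of style, `namespace: vault-operator` is unquoted here while backup.yaml writes `namespace: "vault-operator"`; use one form for the sibling resources.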
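--- a/molgenis-vault/resources/vault.yaml
+++ b/molgenis-vault/resources/vault.yaml
@@ -0,0 +1,8 @@
+apiVersion: "vault.security.coreos.com/v1alpha1"
+kind: "VaultService"
+metadata:
+  name: "vault"
+  namespace: "vault-operator"
+spec:
+  nodes: 2
+  version: "0.9.1-0"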
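Review bot: The README says "The UI will be exposed on the host name you specify", but this VaultService carries no host or ingress field and values.yaml keeps `ingress.enabled: false`, so as far as this commit shows there is nothing to specify a host name in; either the README sentence is stale or it relies on an ingress template outside this commit, and it should say which. A short comment above `nodes: 2` tying it to the README's "two vault pods" (`# two vault pods, see README`) would keep the two in sync when the count changes. `version: "0.9.1-0"` is correctly quoted so it is not read as a float.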
@ -1,19 +1 @@
|
|||||||
1. Get the application URL by running these commands:
|
Good luck!
|
||||||
{{- if .Values.ingress.enabled }}
|
|
||||||
{{- range .Values.ingress.hosts }}
|
|
||||||
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if contains "NodePort" .Values.service.type }}
|
|
||||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "molgenis-vault.fullname" . }})
|
|
||||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
|
||||||
echo http://$NODE_IP:$NODE_PORT
|
|
||||||
{{- else if contains "LoadBalancer" .Values.service.type }}
|
|
||||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
|
||||||
You can watch the status of by running 'kubectl get svc -w {{ template "molgenis-vault.fullname" . }}'
|
|
||||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "molgenis-vault.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
|
|
||||||
echo http://$SERVICE_IP:{{ .Values.service.port }}
|
|
||||||
{{- else if contains "ClusterIP" .Values.service.type }}
|
|
||||||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "molgenis-vault.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
|
|
||||||
echo "Visit http://127.0.0.1:8080 to use your application"
|
|
||||||
kubectl port-forward $POD_NAME 8080:80
|
|
||||||
{{- end }}
|
|
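--- a/molgenis-vault/templates/abs-secret.yaml
+++ b/molgenis-vault/templates/abs-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: abs
+type: Opaque
+stringData:
+  storage-account: {{ .Values.abs.account }}
+  storage-key: {{ .Values.abs.accessKey }}
+  cloud: {{ .Values.abs.cloud }}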
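Review bot: The three `stringData` values are emitted as bare template output, so an access key that is all digits, starts with a YAML indicator such as `*`, `{` or `=`, or is left empty renders as an int, a parse error, or `null` instead of the intended string; pipe each through `quote`: `storage-account: {{ .Values.abs.account | quote }}`, `storage-key: {{ .Values.abs.accessKey | quote }}`, `cloud: {{ .Values.abs.cloud | quote }}`. Because `abs.accessKey` is a real credential, wrapping it as `{{ required "abs.accessKey must be set" .Values.abs.accessKey | quote }}` makes an install that forgot to override the placeholder default fail at render time instead of producing a Secret that only breaks when the first backup runs. The fixed `name: abs` is not release-scoped, which is fine for one install per namespace, but a comment should say that resources/backup.yaml and resources/restore.yaml reference the Secret by exactly this name.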
@ -1,51 +0,0 @@
|
|||||||
apiVersion: apps/v1beta2
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ template "molgenis-vault.fullname" . }}
|
|
||||||
labels:
|
|
||||||
app: {{ template "molgenis-vault.name" . }}
|
|
||||||
chart: {{ template "molgenis-vault.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.replicaCount }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: {{ template "molgenis-vault.name" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: {{ template "molgenis-vault.name" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: {{ .Chart.Name }}
|
|
||||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
containerPort: 80
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /
|
|
||||||
port: http
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /
|
|
||||||
port: http
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.resources | indent 12 }}
|
|
||||||
{{- with .Values.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
@ -1,19 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: {{ template "molgenis-vault.fullname" . }}
|
|
||||||
labels:
|
|
||||||
app: {{ template "molgenis-vault.name" . }}
|
|
||||||
chart: {{ template "molgenis-vault.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
spec:
|
|
||||||
type: {{ .Values.service.type }}
|
|
||||||
ports:
|
|
||||||
- port: {{ .Values.service.port }}
|
|
||||||
targetPort: http
|
|
||||||
protocol: TCP
|
|
||||||
name: http
|
|
||||||
selector:
|
|
||||||
app: {{ template "molgenis-vault.name" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
@ -2,16 +2,41 @@
|
|||||||
# This is a YAML-formatted file.
|
# This is a YAML-formatted file.
|
||||||
# Declare variables to be passed into your templates.
|
# Declare variables to be passed into your templates.
|
||||||
|
|
||||||
replicaCount: 1
|
#abs details of the credentials to reach the azure backup storage
|
||||||
|
abs:
|
||||||
|
# account is the name of the Storage account
|
||||||
|
account: fdlkops
|
||||||
|
# access key for the Storage account
|
||||||
|
accessKey: xxxx
|
||||||
|
# default cloud
|
||||||
|
cloud: AzurePublicCloud
|
||||||
|
|
||||||
|
###
|
||||||
|
# All of the config variables related to setting up the etcd-operator
|
||||||
|
# If you want more information about the variables exposed, please visit:
|
||||||
|
# https://github.com/kubernetes/charts/tree/master/stable/etcd-operator#configuration
|
||||||
|
###
|
||||||
|
etcd-operator:
|
||||||
|
deployments:
|
||||||
|
etcdOperator: true
|
||||||
|
backupOperator: true
|
||||||
|
restoreOperator: true
|
||||||
|
serviceAccount:
|
||||||
|
etcdOperatorServiceAccount:
|
||||||
|
create: true
|
||||||
|
backupOperatorServiceAccount:
|
||||||
|
create: true
|
||||||
|
restoreOperatorServiceAccount:
|
||||||
|
create: true
|
||||||
|
etcdOperator:
|
||||||
image:
|
image:
|
||||||
repository: nginx
|
tag: v0.9.2
|
||||||
tag: stable
|
backupOperator:
|
||||||
pullPolicy: IfNotPresent
|
image:
|
||||||
|
tag: v0.9.2
|
||||||
service:
|
restoreOperator:
|
||||||
type: ClusterIP
|
image:
|
||||||
port: 80
|
tag: v0.9.2
|
||||||
|
|
||||||
ingress:
|
ingress:
|
||||||
enabled: false
|
enabled: false
|
||||||
@ -22,24 +47,4 @@ ingress:
|
|||||||
hosts:
|
hosts:
|
||||||
- chart-example.local
|
- chart-example.local
|
||||||
tls: []
|
tls: []
|
||||||
# - secretName: chart-example-tls
|
|
||||||
# hosts:
|
|
||||||
# - chart-example.local
|
|
||||||
|
|
||||||
resources: {}
|
|
||||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
||||||
# choice for the user. This also increases chances charts run on environments with little
|
|
||||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
||||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
||||||
# limits:
|
|
||||||
# cpu: 100m
|
|
||||||
# memory: 128Mi
|
|
||||||
# requests:
|
|
||||||
# cpu: 100m
|
|
||||||
# memory: 128Mi
|
|
||||||
|
|
||||||
nodeSelector: {}
|
|
||||||
|
|
||||||
tolerations: []
|
|
||||||
|
|
||||||
affinity: {}
|
|
||||||
|
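Review bot: `accessKey: xxxx` ships a placeholder credential as a working-looking default, and `account: fdlkops` reads like a real storage account rather than an example, so an install that forgets `--set abs.accessKey=...` renders a Secret containing `xxxx` and backups fail only at run time; default both to the empty string (`account: ""`, `accessKey: ""`) and let the Secret template reject empty values. Real Azure keys should not be committed in this values file; pass them through a separate, untracked values file or `--set`, and the README parameter table could say so. As a point of style, `#abs details of the credentials to reach the azure backup storage` lacks the space after `#` that every other comment in the file uses. The etcd-operator sub-chart pinning to `tag: v0.9.2` for all three operators is good; a one-line comment above `etcd-operator:` stating that the three tags are meant to move together would keep them that way.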
@ -1,18 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: tiller
|
|
||||||
namespace: kube-system
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: tiller
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cluster-admin
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: tiller
|
|
||||||
namespace: kube-system
|
|