feat (molgenis-vault): Use vault-operator chart and etcd-operator chart to deploy a vault with backup secret.
This commit is contained in:
parent
4683bd6649
commit
7df68882b6
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
appVersion: "1.0"
|
||||
description: Vault for secrets
|
||||
description: MOLGENIS vault
|
||||
name: molgenis-vault
|
||||
version: 0.1.0
|
||||
|
25
molgenis-vault/README.md
Normal file
25
molgenis-vault/README.md
Normal file
@ -0,0 +1,25 @@
|
||||
# MOLGENIS Vault helm chart
|
||||
|
||||
This chart creates a vault operator, but NO vault.
|
||||
The vault operator defines a new custom resource named `vault` that you can use to create vaults.
|
||||
|
||||
After launching the operator, create the molgenis vault manually:
|
||||
`kubectl create -f resources/vault.yaml`
|
||||
|
||||
That creates a new vault with two vault pods.
|
||||
|
||||
See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
|
||||
|
||||
The UI will be exposed on the host name you specify.
|
||||
|
||||
## Parameters
|
||||
|
||||
### Azure cloud credentials
|
||||
Define credentials for backup to the Azure Blob Store.
|
||||
See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| --------------- | ----------------------------- | ------------------ |
|
||||
| `abs.account` | name of storage account | `fdlkops` |
|
||||
| `abs.accessKey` | access key of storage account | `xxxx` |
|
||||
| `abs.cloud` | name of cloud environment | `AzurePublicCloud` |
|
12
molgenis-vault/resources/backup.yaml
Normal file
12
molgenis-vault/resources/backup.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
apiVersion: "etcd.database.coreos.com/v1beta2"
|
||||
kind: "EtcdBackup"
|
||||
metadata:
|
||||
name: backup
|
||||
namespace: "vault-operator"
|
||||
spec:
|
||||
etcdEndpoints: ["https://vault-etcd-client:2379"]
|
||||
storageType: ABS
|
||||
clientTLSSecret: vault-etcd-client-tls
|
||||
abs:
|
||||
path: vault/backup
|
||||
absSecret: abs
|
14
molgenis-vault/resources/restore.yaml
Normal file
14
molgenis-vault/resources/restore.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
apiVersion: "etcd.database.coreos.com/v1beta2"
|
||||
kind: "EtcdRestore"
|
||||
metadata:
|
||||
# The restore CR name must be the same as spec.etcdCluster.name
|
||||
name: vault-etcd
|
||||
namespace: vault-operator
|
||||
spec:
|
||||
etcdCluster:
|
||||
# The namespace is the same as this EtcdRestore CR
|
||||
name: vault-etcd
|
||||
backupStorageType: ABS
|
||||
abs:
|
||||
path: vault/backup
|
||||
absSecret: abs
|
8
molgenis-vault/resources/vault.yaml
Normal file
8
molgenis-vault/resources/vault.yaml
Normal file
@ -0,0 +1,8 @@
|
||||
apiVersion: "vault.security.coreos.com/v1alpha1"
|
||||
kind: "VaultService"
|
||||
metadata:
|
||||
name: "vault"
|
||||
namespace: "vault-operator"
|
||||
spec:
|
||||
nodes: 2
|
||||
version: "0.9.1-0"
|
@ -1,19 +1 @@
|
||||
1. Get the application URL by running these commands:
|
||||
{{- if .Values.ingress.enabled }}
|
||||
{{- range .Values.ingress.hosts }}
|
||||
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
|
||||
{{- end }}
|
||||
{{- else if contains "NodePort" .Values.service.type }}
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "molgenis-vault.fullname" . }})
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
echo http://$NODE_IP:$NODE_PORT
|
||||
{{- else if contains "LoadBalancer" .Values.service.type }}
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
You can watch the status of by running 'kubectl get svc -w {{ template "molgenis-vault.fullname" . }}'
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "molgenis-vault.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
|
||||
echo http://$SERVICE_IP:{{ .Values.service.port }}
|
||||
{{- else if contains "ClusterIP" .Values.service.type }}
|
||||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "molgenis-vault.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
|
||||
echo "Visit http://127.0.0.1:8080 to use your application"
|
||||
kubectl port-forward $POD_NAME 8080:80
|
||||
{{- end }}
|
||||
Good luck!
|
9
molgenis-vault/templates/abs-secret.yaml
Normal file
9
molgenis-vault/templates/abs-secret.yaml
Normal file
@ -0,0 +1,9 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: abs
|
||||
type: Opaque
|
||||
stringData:
|
||||
storage-account: {{ .Values.abs.account }}
|
||||
storage-key: {{ .Values.abs.accessKey }}
|
||||
cloud: {{ .Values.abs.cloud }}
|
@ -1,51 +0,0 @@
|
||||
apiVersion: apps/v1beta2
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "molgenis-vault.fullname" . }}
|
||||
labels:
|
||||
app: {{ template "molgenis-vault.name" . }}
|
||||
chart: {{ template "molgenis-vault.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: {{ template "molgenis-vault.name" . }}
|
||||
release: {{ .Release.Name }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: {{ template "molgenis-vault.name" . }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 80
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
||||
resources:
|
||||
{{ toYaml .Values.resources | indent 12 }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
@ -1,19 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "molgenis-vault.fullname" . }}
|
||||
labels:
|
||||
app: {{ template "molgenis-vault.name" . }}
|
||||
chart: {{ template "molgenis-vault.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
type: {{ .Values.service.type }}
|
||||
ports:
|
||||
- port: {{ .Values.service.port }}
|
||||
targetPort: http
|
||||
protocol: TCP
|
||||
name: http
|
||||
selector:
|
||||
app: {{ template "molgenis-vault.name" . }}
|
||||
release: {{ .Release.Name }}
|
@ -2,16 +2,41 @@
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
|
||||
replicaCount: 1
|
||||
#abs details of the credentials to reach the azure backup storage
|
||||
abs:
|
||||
# account is the name of the Storage account
|
||||
account: fdlkops
|
||||
# access key for the Storage account
|
||||
accessKey: xxxx
|
||||
# default cloud
|
||||
cloud: AzurePublicCloud
|
||||
|
||||
###
|
||||
# All of the config variables related to setting up the etcd-operator
|
||||
# If you want more information about the variables exposed, please visit:
|
||||
# https://github.com/kubernetes/charts/tree/master/stable/etcd-operator#configuration
|
||||
###
|
||||
etcd-operator:
|
||||
deployments:
|
||||
etcdOperator: true
|
||||
backupOperator: true
|
||||
restoreOperator: true
|
||||
serviceAccount:
|
||||
etcdOperatorServiceAccount:
|
||||
create: true
|
||||
backupOperatorServiceAccount:
|
||||
create: true
|
||||
restoreOperatorServiceAccount:
|
||||
create: true
|
||||
etcdOperator:
|
||||
image:
|
||||
repository: nginx
|
||||
tag: stable
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
tag: v0.9.2
|
||||
backupOperator:
|
||||
image:
|
||||
tag: v0.9.2
|
||||
restoreOperator:
|
||||
image:
|
||||
tag: v0.9.2
|
||||
|
||||
ingress:
|
||||
enabled: false
|
||||
@ -22,24 +47,4 @@ ingress:
|
||||
hosts:
|
||||
- chart-example.local
|
||||
tls: []
|
||||
# - secretName: chart-example-tls
|
||||
# hosts:
|
||||
# - chart-example.local
|
||||
|
||||
resources: {}
|
||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
# choice for the user. This also increases chances charts run on environments with little
|
||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
# requests:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
nodeSelector: {}
|
||||
|
||||
tolerations: []
|
||||
|
||||
affinity: {}
|
||||
|
@ -1,18 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: tiller
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: tiller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: tiller
|
||||
namespace: kube-system
|
Loading…
Reference in New Issue
Block a user