From fdc0499d219d1c5b42cfeee3970f13adb33da724 Mon Sep 17 00:00:00 2001
From: Fleur Kelpin
Date: Fri, 7 Sep 2018 15:13:00 +0200
Subject: [PATCH] feat: Use vault-operator chart and etcd-operator chart to deploy a vault with backup secret.

---
 molgenis-vault/Chart.yaml | 2 +-
 molgenis-vault/README.md | 25 ++++++++++
 molgenis-vault/resources/backup.yaml | 12 +++++
 molgenis-vault/resources/restore.yaml | 14 ++++++
 molgenis-vault/resources/vault.yaml | 8 +++
 molgenis-vault/templates/NOTES.txt | 20 +-------
 molgenis-vault/templates/abs-secret.yaml | 9 ++++
 molgenis-vault/templates/deployment.yaml | 51 -------------------
 molgenis-vault/templates/service.yaml | 19 -------
 molgenis-vault/values.yaml | 63 +++++++++++++-----------
 rbac-config.yml | 18 -------
 11 files changed, 104 insertions(+), 137 deletions(-)
 create mode 100644 molgenis-vault/README.md
 create mode 100644 molgenis-vault/resources/backup.yaml
 create mode 100644 molgenis-vault/resources/restore.yaml
 create mode 100644 molgenis-vault/resources/vault.yaml
 create mode 100644 molgenis-vault/templates/abs-secret.yaml
 delete mode 100644 molgenis-vault/templates/deployment.yaml
 delete mode 100644 molgenis-vault/templates/service.yaml
 delete mode 100644 rbac-config.yml

diff --git a/molgenis-vault/Chart.yaml b/molgenis-vault/Chart.yaml
index fb0fa84..cc807f6 100644
--- a/molgenis-vault/Chart.yaml
+++ b/molgenis-vault/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
 appVersion: "1.0"
-description: Vault for secrets
+description: MOLGENIS vault
 name: molgenis-vault
 version: 0.1.0
diff --git a/molgenis-vault/README.md b/molgenis-vault/README.md
new file mode 100644
index 0000000..3f9255b
--- /dev/null
+++ b/molgenis-vault/README.md
@@ -0,0 +1,25 @@
+# MOLGENIS Vault helm chart
+
+This chart creates a vault operator, but NO vault.
+The vault operator defines a new custom resource named `vault` that you can use to create vaults.
+
+After launching the operator, create the molgenis vault manually:
+`kubectl create -f resources/vault.yaml`
+
+That creates a new vault with two vault pods.
+
+See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
+
+The UI will be exposed on the host name you specify.
+
+## Parameters
+
+### Azure cloud credentials
+Define credentials for backup to the Azure Blob Store.
+See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
+
+| Parameter | Description | Default |
+| --------------- | ----------------------------- | ------------------ |
+| `abs.account` | name of storage account | `fdlkops` |
+| `abs.accessKey` | access key of storage account | `xxxx` |
+| `abs.cloud` | name of cloud environment | `AzurePublicCloud` |
\ No newline at end of file
diff --git a/molgenis-vault/resources/backup.yaml b/molgenis-vault/resources/backup.yaml
new file mode 100644
index 0000000..3945a00
--- /dev/null
+++ b/molgenis-vault/resources/backup.yaml
@@ -0,0 +1,12 @@
+apiVersion: "etcd.database.coreos.com/v1beta2"
+kind: "EtcdBackup"
+metadata:
+  name: backup
+  namespace: "vault-operator"
+spec:
+  etcdEndpoints: ["https://vault-etcd-client:2379"]
+  storageType: ABS
+  clientTLSSecret: vault-etcd-client-tls
+  abs:
+    path: vault/backup
+    absSecret: abs
\ No newline at end of file
diff --git a/molgenis-vault/resources/restore.yaml b/molgenis-vault/resources/restore.yaml
new file mode 100644
index 0000000..a819724
--- /dev/null
+++ b/molgenis-vault/resources/restore.yaml
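Review bot: backup.yaml hardcodes `namespace: "vault-operator"` and refers to `absSecret: abs`, while the `abs` Secret rendered by templates/abs-secret.yaml carries no namespace and therefore lands in whatever namespace the release is installed into, so the EtcdBackup only finds its credentials if that namespace happens to be `vault-operator`. restore.yaml and vault.yaml on the following lines pin the same namespace. Either state in the README that the chart must be installed with `--namespace vault-operator`, or generate these resources from the chart so the namespace comes from one place. `clientTLSSecret: vault-etcd-client-tls` is presumably a secret created by the vault operator for the `vault` VaultService rather than by this chart; a comment such as `# created by vault-operator for the VaultService named "vault"` would save the next reader the search.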
@@ -0,0 +1,14 @@
+apiVersion: "etcd.database.coreos.com/v1beta2"
+kind: "EtcdRestore"
+metadata:
+  # The restore CR name must be the same as spec.etcdCluster.name
+  name: vault-etcd
+  namespace: vault-operator
+spec:
+  etcdCluster:
+    # The namespace is the same as this EtcdRestore CR
+    name: vault-etcd
+  backupStorageType: ABS
+  abs:
+    path: vault/backup
+    absSecret: abs
\ No newline at end of file
diff --git a/molgenis-vault/resources/vault.yaml b/molgenis-vault/resources/vault.yaml
new file mode 100644
index 0000000..a4158b8
--- /dev/null
+++ b/molgenis-vault/resources/vault.yaml
@@ -0,0 +1,8 @@
+apiVersion: "vault.security.coreos.com/v1alpha1"
+kind: "VaultService"
+metadata:
+  name: "vault"
+  namespace: "vault-operator"
+spec:
+  nodes: 2
+  version: "0.9.1-0"
\ No newline at end of file
diff --git a/molgenis-vault/templates/NOTES.txt b/molgenis-vault/templates/NOTES.txt
index bab1cc7..ae4cce7 100644
--- a/molgenis-vault/templates/NOTES.txt
+++ b/molgenis-vault/templates/NOTES.txt
@@ -1,19 +1 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "molgenis-vault.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get svc -w {{ template "molgenis-vault.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "molgenis-vault.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "molgenis-vault.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl port-forward $POD_NAME 8080:80
-{{- end }}
+Good luck!
\ No newline at end of file
diff --git a/molgenis-vault/templates/abs-secret.yaml b/molgenis-vault/templates/abs-secret.yaml
new file mode 100644
index 0000000..519c814
--- /dev/null
+++ b/molgenis-vault/templates/abs-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: abs
+type: Opaque
+stringData:
+  storage-account: {{ .Values.abs.account }}
+  storage-key: {{ .Values.abs.accessKey }}
+  cloud: {{ .Values.abs.cloud }}
\ No newline at end of file
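Review bot: The three `stringData` entries in abs-secret.yaml interpolate the values unquoted, so the rendered text is re-parsed as YAML: an unset `abs.accessKey` renders as `storage-key:` (null), and a key or account name that starts with a YAML indicator or looks numeric is retyped or fails to parse, while `stringData` must hold strings. Quote them: `storage-account: {{ .Values.abs.account | quote }}`, `storage-key: {{ .Values.abs.accessKey | quote }}`, `cloud: {{ .Values.abs.cloud | quote }}`. Because values.yaml (further down in this patch) ships `accessKey: xxxx` as a default, a user who forgets to override it gets a Secret with a dummy key and a backup that fails only at run time; `{{ required "abs.accessKey must be set" .Values.abs.accessKey | quote }}` fails the install instead, which is the better place to notice. The Secret also has no labels or namespace, unlike the chart's other templates did; consider at least the standard `app`/`release` labels so it is attributable to the release.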
diff --git a/molgenis-vault/templates/deployment.yaml b/molgenis-vault/templates/deployment.yaml
deleted file mode 100644
index e201f30..0000000
--- a/molgenis-vault/templates/deployment.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: {{ template "molgenis-vault.fullname" . }}
-  labels:
-    app: {{ template "molgenis-vault.name" . }}
-    chart: {{ template "molgenis-vault.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app: {{ template "molgenis-vault.name" . }}
-      release: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app: {{ template "molgenis-vault.name" . }}
-        release: {{ .Release.Name }}
-    spec:
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}
diff --git a/molgenis-vault/templates/service.yaml b/molgenis-vault/templates/service.yaml
deleted file mode 100644
index 09aaaed..0000000
--- a/molgenis-vault/templates/service.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "molgenis-vault.fullname" . }}
-  labels:
-    app: {{ template "molgenis-vault.name" . }}
-    chart: {{ template "molgenis-vault.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    app: {{ template "molgenis-vault.name" . }}
-    release: {{ .Release.Name }}
diff --git a/molgenis-vault/values.yaml b/molgenis-vault/values.yaml
index ce610a8..5d47683 100644
--- a/molgenis-vault/values.yaml
+++ b/molgenis-vault/values.yaml
@@ -2,16 +2,41 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-replicaCount: 1
+#abs details of the credentials to reach the azure backup storage
+abs:
+  # account is the name of the Storage account
+  account: fdlkops
+  # access key for the Storage account
+  accessKey: xxxx
+  # default cloud
+  cloud: AzurePublicCloud
 
-image:
-  repository: nginx
-  tag: stable
-  pullPolicy: IfNotPresent
-
-service:
-  type: ClusterIP
-  port: 80
+###
+# All of the config variables related to setting up the etcd-operator
+# If you want more information about the variables exposed, please visit:
+# https://github.com/kubernetes/charts/tree/master/stable/etcd-operator#configuration
+###
+etcd-operator:
+  deployments:
+    etcdOperator: true
+    backupOperator: true
+    restoreOperator: true
+  serviceAccount:
+    etcdOperatorServiceAccount:
+      create: true
+    backupOperatorServiceAccount:
+      create: true
+    restoreOperatorServiceAccount:
+      create: true
+  etcdOperator:
+    image:
+      tag: v0.9.2
+  backupOperator:
+    image:
+      tag: v0.9.2
+  restoreOperator:
+    image:
+      tag: v0.9.2
 
 ingress:
   enabled: false
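Review bot: The new `etcd-operator:` stanza configures a subchart, but nothing in this patch declares that dependency (no requirements.yaml in the diffstat), and the vault-operator chart named in the subject does not appear either; unless they are added in a separate commit, Helm installs this chart without either operator and silently ignores these values. The `ingress:` block kept as trailing context still describes the scaffold ingress, whose backend was the service this commit deletes in templates/service.yaml; if templates/ingress.yaml is still in the chart, enabling the ingress routes to a service that no longer exists. `account: fdlkops` reads like a real storage account name shipped as a chart default; an empty default plus an override at install time is the usual shape. Minor style: `#abs details of the credentials to reach the azure backup storage` is the only comment in the file without a space after `#`; `# abs: credentials for the Azure Blob Store used for etcd backups`.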
@@ -22,24 +47,4 @@ ingress:
   hosts:
     - chart-example.local
   tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
 
diff --git a/rbac-config.yml b/rbac-config.yml
deleted file mode 100644
index c5ae63a..0000000
--- a/rbac-config.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tiller
-  namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: tiller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: tiller
-    namespace: kube-system