doc: Clean up vault documentation

Needs to run under service account created by the etcd-operator subchart so there's some template magic needed to figure out what it's called.

README.md

@@ -104,7 +104,8 @@ This repository is serves also as a catalogue for Rancher. We have serveral apps
 - [Jenkins](molgenis-jenkins/README.md)
 - [NEXUS](molgenis-nexus/README.md)
 - [HTTPD](molgenis-httpd/README.md)
-- [MOLNIGES preview](molgenis-preview/README.md)
+- [MOLGENIS preview](molgenis-preview/README.md)
+- [MOLGENIS vault](molgenis-vault/README.md)
 
 ### Useful commands
 You can you need to know to easily develop and deploy helm-charts

molgenis-jenkins/values.yaml

@@ -606,10 +606,9 @@ PipelineSecrets:
             <username>admin</username>
             <password>xxxx</password>
           </server>
-          <!-- to authenticate against GOGS for MAVEN release -->
           <server>
-            <id>gogs</id>
-            <username>xxxx</username>
+            <id>registry.hub.docker.com</id>
+            <username>molgenisci</username>
             <password>xxxx</password>
           </server>
         </servers>

molgenis-preview/questions.yml

@@ -9,6 +9,23 @@ questions:
   required: true
   group: "Services and Load Balancing"
   label: Hostname
+- variable: molgenis.image.repository
+  default: "registry.hub.docker.com"
+  description: "Select a registry to pull from"
+  type: enum
+  options:
+  - "registry.hub.docker.com"
+  - "registry.molgenis.org"
+  required: true
+  group: "MOLGENIS - Version"
+  label: Registry
+- variable: molgenis.image.tag
+  default: "stable"
+  description: "Select a MOLGENIS version (check the registry.molgenis.org or hub.docker.com for other tags)"
+  type: string
+  required: true
+  group: "MOLGENIS - Version"
+  label: Version
 - variable: molgenis.resources.limits.cpu
   default: 1
   description: "CPU limit for this MOLGENIS instance"

molgenis-preview/templates/deployment.yaml

@@ -26,7 +26,7 @@ spec:
       containers:
         - name: molgenis
         {{- with .Values.molgenis }}
-          image: "{{ .image.repository }}:{{ .image.tag }}"
+          image: "{{ .image.repository }}/{{ .image.name }}:{{ .image.tag }}"
           imagePullPolicy: {{ .image.pullPolicy }}
           env:
             - name: molgenis.home

molgenis-preview/values.yaml

@@ -17,7 +17,8 @@ ingress:
 
 molgenis:
   image:
-    repository: registry.molgenis.org/molgenis/molgenis-app
+    repository: registry.molgenis.org
+    name: molgenis/molgenis-app
     tag: 7.0.0-SNAPSHOT
     pullPolicy: Always
   adminPassword: admin

molgenis-vault/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

molgenis-vault/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: MOLGENIS vault
+name: molgenis-vault
+version: 0.1.1

molgenis-vault/README.md

@@ -0,0 +1,31 @@
+# MOLGENIS Vault helm chart
+
+This chart creates a vault operator, but NO vault.
+The vault operator defines a new custom resource named `vault` that you can use to create vaults.
+
+After launching the operator, create the molgenis vault manually:
+`kubectl create -f resources/vault.yaml`
+
+That creates a new vault with two vault pods.
+
+See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
+
+## Parameters
+
+### Azure cloud credentials
+Define credentials for backup to the Azure Blob Store.
+See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
+
+| Parameter       | Description                   | Default            |
+| --------------- | ----------------------------- | ------------------ |
+| `abs.account`   | name of storage account       | `fdlkops`          |
+| `abs.accessKey` | access key of storage account | `xxxx`             |
+| `abs.cloud`     | name of cloud environment     | `AzurePublicCloud` |
+
+### Backup job
+Define the schedule of the backup job
+
+| Parameter            | Description                  | Default            |
+| -------------------- | ---------------------------- | ------------------ |
+| `backupJob.enable`   | Enable backup cronjob        | `true`             |
+| `backupJob.schedule` | cron schedule for the backup | `0 0 0 ? * MON *`  |

molgenis-vault/requirements.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: vault-operator
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 0.1.1
+- name: etcd-operator
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 0.8.0
+digest: sha256:47aa645df7dfce9760905800321599de05995ae50090735d45310936dbaa46de
+generated: 2018-09-06T18:59:39.861922543+02:00

molgenis-vault/requirements.yaml

@@ -0,0 +1,7 @@
+dependencies:
+  - name: vault-operator
+    version: ^0.1.1
+    repository: https://kubernetes-charts.storage.googleapis.com/
+  - name: etcd-operator
+    version: ^0.8.0
+    repository: https://kubernetes-charts.storage.googleapis.com/

molgenis-vault/resources/restore.yaml

@@ -0,0 +1,15 @@
+# Use kubectl create -f restore.yaml to manually execute a restore of the vault
+apiVersion: "etcd.database.coreos.com/v1beta2"
+kind: "EtcdRestore"
+metadata:
+  # The restore CR name must be the same as spec.etcdCluster.name
+  name: vault-etcd
+  namespace: vault-operator
+spec:
+  etcdCluster:
+    # The namespace is the same as this EtcdRestore CR
+    name: vault-etcd
+  backupStorageType: ABS
+  abs:
+    path: vault/backup-<specify the backup name>
+    absSecret: abs

molgenis-vault/resources/vault.yaml

@@ -0,0 +1,9 @@
+# Use kubectl create -f vault.yaml to manually create a vault
+apiVersion: "vault.security.coreos.com/v1alpha1"
+kind: "VaultService"
+metadata:
+  name: "vault"
+  namespace: "vault-operator"
+spec:
+  nodes: 2
+  version: "0.9.1-0"

molgenis-vault/templates/NOTES.txt

@@ -0,0 +1,13 @@
+Vault operator created
+
+Next steps:
+
+* Manually create a vault using resources/vault.yaml
+* Manually restore a backup using resources/backup.yaml
+* Unseal the vault pods
+
+{{ if .Values.backupJob.enable }}
+!! Make sure to check if the backups succeed !!
+{{ else }}
+!!!!!! NO BACKUPS CONFIGURED !!!!!!
+{{ end }}

molgenis-vault/templates/_helpers.tpl

@@ -0,0 +1,40 @@
+{{/* See https://github.com/helm/helm/issues/4535 */}}
+{{- define "call-nested" }}
+{{- $dot := index . 0 }}
+{{- $subchart := index . 1 }}
+{{- $template := index . 2 }}
+{{- include $template (dict "Chart" (dict "Name" $subchart) "Values" (index $dot.Values $subchart) "Release" $dot.Release "Capabilities" $dot.Capabilities) }}
+{{- end }}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "molgenis-vault.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "molgenis-vault.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "molgenis-vault.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

molgenis-vault/templates/abs-secret.yaml

@@ -0,0 +1,10 @@
+# Secret to access microsoft azure blob store
+apiVersion: v1
+kind: Secret
+metadata:
+  name: abs
+type: Opaque
+stringData:
+  storage-account: {{ .Values.abs.account }}
+  storage-key: {{ .Values.abs.accessKey }}
+  cloud: {{ .Values.abs.cloud }}

molgenis-vault/templates/backup-configmap.yaml

@@ -0,0 +1,18 @@
+# configmap to use as a template by the backup cronjob to create etcdbackup instances
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: backup-config
+data:
+  backup_cr.yaml: |
+    apiVersion: "etcd.database.coreos.com/v1beta2"
+    kind: "EtcdBackup"
+    metadata:
+      generateName: vault-backup-
+    spec:
+      etcdEndpoints: ["https://vault-etcd-client:2379"]
+      storageType: ABS
+      clientTLSSecret: vault-etcd-client-tls
+      abs:
+        path: vault/backup.<NOW>
+        absSecret: abs

molgenis-vault/templates/backup-cronjob.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.backupJob.enable }}
+# cronjob that creates etcdbackups using the etcd backup serviceaccount
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: etcd-backup
+spec:
+  schedule: {{ .Values.backupJob.schedule | quote }}
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: {{ include "call-nested" (list . "etcd-operator" "etcd-operator.serviceAccountName") }}
+          containers:
+          - name: etcd-backup
+            image: lachlanevenson/k8s-kubectl
+            command:
+            - /bin/sh
+            - "-ec"
+            - |
+              sed -e "s|<NOW>|$(date '+%Y-%m-%d_%H:%M:%S')|g" /var/etcd_backup/backup_cr.yaml | kubectl create -f -
+            volumeMounts:
+            - name: backup-config
+              mountPath: /var/etcd_backup
+          restartPolicy: OnFailure
+          volumes:
+          - name: backup-config
+            configMap:
+              name: backup-config
+{{- end }}

molgenis-vault/values.yaml

@@ -0,0 +1,47 @@
+# Default values for molgenis-vault.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# abs gives details of the credentials to reach the azure backup storage
+abs:
+  # account is the name of the Storage account
+  account: fdlkops
+  # access key for the Storage account
+  accessKey: xxxx
+  # default cloud
+  cloud: AzurePublicCloud
+
+# backupjob describes the backup cronjob
+backupJob:
+  # enable enables the backup job
+  enable: true
+  # schedule gives the cron schedule for the backup job
+  schedule: "0 0 0 ? * MON *"
+
+###
+# All of the config variables related to setting up the etcd-operator
+# If you want more information about the variables exposed, please visit:
+#   https://github.com/kubernetes/charts/tree/master/stable/etcd-operator#configuration
+###
+etcd-operator:
+  deployments:
+    etcdOperator: true
+    backupOperator: true
+    restoreOperator: true
+  serviceAccount:
+    etcdOperatorServiceAccount:
+      create: true
+    backupOperatorServiceAccount:
+      create: true
+    restoreOperatorServiceAccount:
+      create: true
+  etcdOperator:
+    image:
+      tag: v0.9.2
+  backupOperator:
+    image:
+      tag: v0.9.2
+  restoreOperator:
+    image:
+      tag: v0.9.2
+

rbac-config.yml

@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tiller
-  namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: tiller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: tiller
-    namespace: kube-system