f34b0dc85f
...
e9629feb9b
Author | SHA1 | Date |
---|---|---|
|
e9629feb9b |
|
@ -1,5 +1,5 @@
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: "1.0"
|
appVersion: "1.0"
|
||||||
description: MOLGENIS vault
|
description: Vault for secrets
|
||||||
name: molgenis-vault
|
name: molgenis-vault
|
||||||
version: 0.1.1
|
version: 0.1.0
|
||||||
|
|
|
@ -1,33 +0,0 @@
|
||||||
# MOLGENIS Vault helm chart
|
|
||||||
|
|
||||||
This chart creates a vault operator, but NO vault.
|
|
||||||
The vault operator defines a new custom resource named `vault` that you can use to create vaults.
|
|
||||||
|
|
||||||
After launching the operator, create the molgenis vault manually:
|
|
||||||
`kubectl create -f resources/vault.yaml`
|
|
||||||
|
|
||||||
That creates a new vault with two vault pods.
|
|
||||||
|
|
||||||
See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
|
|
||||||
|
|
||||||
The UI will be exposed on the host name you specify.
|
|
||||||
|
|
||||||
## Parameters
|
|
||||||
|
|
||||||
### Azure cloud credentials
|
|
||||||
Define credentials for backup to the Azure Blob Store.
|
|
||||||
See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
|
|
||||||
|
|
||||||
| Parameter | Description | Default |
|
|
||||||
| --------------- | ----------------------------- | ------------------ |
|
|
||||||
| `abs.account` | name of storage account | `fdlkops` |
|
|
||||||
| `abs.accessKey` | access key of storage account | `xxxx` |
|
|
||||||
| `abs.cloud` | name of cloud environment | `AzurePublicCloud` |
|
|
||||||
|
|
||||||
### Backup job
|
|
||||||
Define the schedule of the backup job
|
|
||||||
|
|
||||||
| Parameter | Description | Default |
|
|
||||||
| -------------------- | ---------------------------- | ------------------ |
|
|
||||||
| `backupJob.enable` | Enable backup cronjob | `true` |
|
|
||||||
| `backupJob.schedule` | cron schedule for the backup | `0 0 0 ? * MON *` |
|
|
Binary file not shown.
|
@ -2,8 +2,5 @@ dependencies:
|
||||||
- name: vault-operator
|
- name: vault-operator
|
||||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||||
version: 0.1.1
|
version: 0.1.1
|
||||||
- name: etcd-operator
|
digest: sha256:8cd19cf0df06025e88d0f3b027ade85da299a43f9ef773c41c044f006da8677a
|
||||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
generated: 2018-09-06T16:57:56.959434943+02:00
|
||||||
version: 0.8.0
|
|
||||||
digest: sha256:47aa645df7dfce9760905800321599de05995ae50090735d45310936dbaa46de
|
|
||||||
generated: 2018-09-06T18:59:39.861922543+02:00
|
|
||||||
|
|
|
@ -2,6 +2,3 @@ dependencies:
|
||||||
- name: vault-operator
|
- name: vault-operator
|
||||||
version: ^0.1.1
|
version: ^0.1.1
|
||||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||||
- name: etcd-operator
|
|
||||||
version: ^0.8.0
|
|
||||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
|
|
@ -1,12 +0,0 @@
|
||||||
apiVersion: "etcd.database.coreos.com/v1beta2"
|
|
||||||
kind: "EtcdBackup"
|
|
||||||
metadata:
|
|
||||||
name: backup
|
|
||||||
namespace: "vault-operator"
|
|
||||||
spec:
|
|
||||||
etcdEndpoints: ["https://vault-etcd-client:2379"]
|
|
||||||
storageType: ABS
|
|
||||||
clientTLSSecret: vault-etcd-client-tls
|
|
||||||
abs:
|
|
||||||
path: vault/backup
|
|
||||||
absSecret: abs
|
|
|
@ -1,14 +0,0 @@
|
||||||
apiVersion: "etcd.database.coreos.com/v1beta2"
|
|
||||||
kind: "EtcdRestore"
|
|
||||||
metadata:
|
|
||||||
# The restore CR name must be the same as spec.etcdCluster.name
|
|
||||||
name: vault-etcd
|
|
||||||
namespace: vault-operator
|
|
||||||
spec:
|
|
||||||
etcdCluster:
|
|
||||||
# The namespace is the same as this EtcdRestore CR
|
|
||||||
name: vault-etcd
|
|
||||||
backupStorageType: ABS
|
|
||||||
abs:
|
|
||||||
path: vault/backup
|
|
||||||
absSecret: abs
|
|
|
@ -1,8 +0,0 @@
|
||||||
apiVersion: "vault.security.coreos.com/v1alpha1"
|
|
||||||
kind: "VaultService"
|
|
||||||
metadata:
|
|
||||||
name: "vault"
|
|
||||||
namespace: "vault-operator"
|
|
||||||
spec:
|
|
||||||
nodes: 2
|
|
||||||
version: "0.9.1-0"
|
|
|
@ -1 +1,19 @@
|
||||||
Good luck!
|
1. Get the application URL by running these commands:
|
||||||
|
{{- if .Values.ingress.enabled }}
|
||||||
|
{{- range .Values.ingress.hosts }}
|
||||||
|
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
|
||||||
|
{{- end }}
|
||||||
|
{{- else if contains "NodePort" .Values.service.type }}
|
||||||
|
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "molgenis-vault.fullname" . }})
|
||||||
|
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||||
|
echo http://$NODE_IP:$NODE_PORT
|
||||||
|
{{- else if contains "LoadBalancer" .Values.service.type }}
|
||||||
|
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||||
|
You can watch the status of by running 'kubectl get svc -w {{ template "molgenis-vault.fullname" . }}'
|
||||||
|
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "molgenis-vault.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
|
||||||
|
echo http://$SERVICE_IP:{{ .Values.service.port }}
|
||||||
|
{{- else if contains "ClusterIP" .Values.service.type }}
|
||||||
|
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "molgenis-vault.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
|
||||||
|
echo "Visit http://127.0.0.1:8080 to use your application"
|
||||||
|
kubectl port-forward $POD_NAME 8080:80
|
||||||
|
{{- end }}
|
||||||
|
|
|
@ -1,11 +1,3 @@
|
||||||
{{/* See https://github.com/helm/helm/issues/4535 */}}
|
|
||||||
{{- define "call-nested" }}
|
|
||||||
{{- $dot := index . 0 }}
|
|
||||||
{{- $subchart := index . 1 }}
|
|
||||||
{{- $template := index . 2 }}
|
|
||||||
{{- include $template (dict "Chart" (dict "Name" $subchart) "Values" (index $dot.Values $subchart) "Release" $dot.Release "Capabilities" $dot.Capabilities) }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/* vim: set filetype=mustache: */}}
|
{{/* vim: set filetype=mustache: */}}
|
||||||
{{/*
|
{{/*
|
||||||
Expand the name of the chart.
|
Expand the name of the chart.
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: abs
|
|
||||||
type: Opaque
|
|
||||||
stringData:
|
|
||||||
storage-account: {{ .Values.abs.account }}
|
|
||||||
storage-key: {{ .Values.abs.accessKey }}
|
|
||||||
cloud: {{ .Values.abs.cloud }}
|
|
|
@ -1,17 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: backup-config
|
|
||||||
data:
|
|
||||||
backup_cr.yaml: |
|
|
||||||
apiVersion: "etcd.database.coreos.com/v1beta2"
|
|
||||||
kind: "EtcdBackup"
|
|
||||||
metadata:
|
|
||||||
generateName: vault-backup-
|
|
||||||
spec:
|
|
||||||
etcdEndpoints: ["https://vault-etcd-client:2379"]
|
|
||||||
storageType: ABS
|
|
||||||
clientTLSSecret: vault-etcd-client-tls
|
|
||||||
abs:
|
|
||||||
path: vault/backup.<NOW>
|
|
||||||
absSecret: abs
|
|
|
@ -1,29 +0,0 @@
|
||||||
{{- if .Values.backupJob.enable }}
|
|
||||||
apiVersion: batch/v1beta1
|
|
||||||
kind: CronJob
|
|
||||||
metadata:
|
|
||||||
name: etcd-backup
|
|
||||||
spec:
|
|
||||||
schedule: {{ .Values.backupJob.schedule | quote }}
|
|
||||||
jobTemplate:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
serviceAccountName: {{ include "call-nested" (list . "etcd-operator" "etcd-operator.serviceAccountName") }}
|
|
||||||
containers:
|
|
||||||
- name: etcd-backup
|
|
||||||
image: lachlanevenson/k8s-kubectl
|
|
||||||
command:
|
|
||||||
- /bin/sh
|
|
||||||
- "-ec"
|
|
||||||
- |
|
|
||||||
sed -e "s|<NOW>|$(date '+%Y-%m-%d_%H:%M:%S')|g" /var/etcd_backup/backup_cr.yaml | kubectl create -f -
|
|
||||||
volumeMounts:
|
|
||||||
- name: backup-config
|
|
||||||
mountPath: /var/etcd_backup
|
|
||||||
restartPolicy: OnFailure
|
|
||||||
volumes:
|
|
||||||
- name: backup-config
|
|
||||||
configMap:
|
|
||||||
name: backup-config
|
|
||||||
{{- end }}
|
|
|
@ -0,0 +1,51 @@
|
||||||
|
apiVersion: apps/v1beta2
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ template "molgenis-vault.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ template "molgenis-vault.name" . }}
|
||||||
|
chart: {{ template "molgenis-vault.chart" . }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.replicaCount }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: {{ template "molgenis-vault.name" . }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: {{ template "molgenis-vault.name" . }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: {{ .Chart.Name }}
|
||||||
|
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||||
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
containerPort: 80
|
||||||
|
protocol: TCP
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /
|
||||||
|
port: http
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /
|
||||||
|
port: http
|
||||||
|
resources:
|
||||||
|
{{ toYaml .Values.resources | indent 12 }}
|
||||||
|
{{- with .Values.nodeSelector }}
|
||||||
|
nodeSelector:
|
||||||
|
{{ toYaml . | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{ toYaml . | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml . | indent 8 }}
|
||||||
|
{{- end }}
|
|
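Review bot: The new Deployment sets no pod or container `securityContext` and ships with `resources: {}` by default, so the container runs with the image's default user and capabilities and without CPU/memory limits; for a chart described as a vault for secrets that is worth tightening before the placeholder image is swapped for the real workload. A values-driven block next to `resources:` keeps the template generic: `securityContext:` followed by `{{ toYaml .Values.securityContext | indent 12 }}`, with a matching `securityContext: {}` default in values.yaml (the key name is a suggestion, not something the chart defines yet). Separately, `apiVersion: apps/v1beta2` is a deprecated group version; `apps/v1` is served by clusters from 1.9 onward and is the one to target going forward. The liveness and readiness probes both hit `/` on the fixed container port 80, which matches the nginx placeholder but will need revisiting together with the image.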
@ -0,0 +1,19 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ template "molgenis-vault.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ template "molgenis-vault.name" . }}
|
||||||
|
chart: {{ template "molgenis-vault.chart" . }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
spec:
|
||||||
|
type: {{ .Values.service.type }}
|
||||||
|
ports:
|
||||||
|
- port: {{ .Values.service.port }}
|
||||||
|
targetPort: http
|
||||||
|
protocol: TCP
|
||||||
|
name: http
|
||||||
|
selector:
|
||||||
|
app: {{ template "molgenis-vault.name" . }}
|
||||||
|
release: {{ .Release.Name }}
|
|
@ -2,48 +2,16 @@
|
||||||
# This is a YAML-formatted file.
|
# This is a YAML-formatted file.
|
||||||
# Declare variables to be passed into your templates.
|
# Declare variables to be passed into your templates.
|
||||||
|
|
||||||
# abs gives details of the credentials to reach the azure backup storage
|
replicaCount: 1
|
||||||
abs:
|
|
||||||
# account is the name of the Storage account
|
|
||||||
account: fdlkops
|
|
||||||
# access key for the Storage account
|
|
||||||
accessKey: xxxx
|
|
||||||
# default cloud
|
|
||||||
cloud: AzurePublicCloud
|
|
||||||
|
|
||||||
# backupjob describes the backup cronjob
|
image:
|
||||||
backupJob:
|
repository: nginx
|
||||||
# enable enables the backup job
|
tag: stable
|
||||||
enable: true
|
pullPolicy: IfNotPresent
|
||||||
# schedule gives the cron schedule for the backup job
|
|
||||||
schedule: "0 0 0 ? * MON *"
|
|
||||||
|
|
||||||
###
|
service:
|
||||||
# All of the config variables related to setting up the etcd-operator
|
type: ClusterIP
|
||||||
# If you want more information about the variables exposed, please visit:
|
port: 80
|
||||||
# https://github.com/kubernetes/charts/tree/master/stable/etcd-operator#configuration
|
|
||||||
###
|
|
||||||
etcd-operator:
|
|
||||||
deployments:
|
|
||||||
etcdOperator: true
|
|
||||||
backupOperator: true
|
|
||||||
restoreOperator: true
|
|
||||||
serviceAccount:
|
|
||||||
etcdOperatorServiceAccount:
|
|
||||||
create: true
|
|
||||||
backupOperatorServiceAccount:
|
|
||||||
create: true
|
|
||||||
restoreOperatorServiceAccount:
|
|
||||||
create: true
|
|
||||||
etcdOperator:
|
|
||||||
image:
|
|
||||||
tag: v0.9.2
|
|
||||||
backupOperator:
|
|
||||||
image:
|
|
||||||
tag: v0.9.2
|
|
||||||
restoreOperator:
|
|
||||||
image:
|
|
||||||
tag: v0.9.2
|
|
||||||
|
|
||||||
ingress:
|
ingress:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
@ -54,4 +22,24 @@ ingress:
|
||||||
hosts:
|
hosts:
|
||||||
- chart-example.local
|
- chart-example.local
|
||||||
tls: []
|
tls: []
|
||||||
|
# - secretName: chart-example-tls
|
||||||
|
# hosts:
|
||||||
|
# - chart-example.local
|
||||||
|
|
||||||
|
resources: {}
|
||||||
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||||
|
# choice for the user. This also increases chances charts run on environments with little
|
||||||
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||||
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||||
|
# limits:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 128Mi
|
||||||
|
# requests:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 128Mi
|
||||||
|
|
||||||
|
nodeSelector: {}
|
||||||
|
|
||||||
|
tolerations: []
|
||||||
|
|
||||||
|
affinity: {}
|
||||||
|
|
|
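Review bot: The new defaults `repository: nginx`, `tag: stable` and `pullPolicy: IfNotPresent` point a chart named molgenis-vault and described as "Vault for secrets" at a stock nginx image, so anyone installing it gets a web-server placeholder rather than a vault; if this is intentional scaffolding, a comment above `image:` saying so would prevent surprise. `stable` is a mutable tag, and combined with `IfNotPresent` each node keeps whatever `nginx:stable` it already has cached, so rollouts are not reproducible across nodes; pin an immutable tag or digest, e.g. `tag: "<pinned-version>"` (placeholder value). The second hunk of this file is the unchanged ingress/resources/nodeSelector scaffold and raises nothing further.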
@ -0,0 +1,18 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: tiller
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: tiller
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cluster-admin
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: tiller
|
||||||
|
namespace: kube-system
|