vault consul on kubernetes

vault-consul-kubernetes/README.md

@@ -0,0 +1,12 @@
+# Vault Consul on Kubernetes 
+
+Deploy Vault and Consul on kubernetes with below steps
+
+```
+kubectl apply -f vault-consul-kubernetes/
+```
+
+Now Execute below script to initialize the vault
+```
+bash vaultinit.sh
+```

vault-consul-kubernetes/consul-statefulset.yaml

@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: consul
+spec:
+  serviceName: consul
+  replicas: 3
+  selector:
+    matchLabels:
+      app: consul
+  template:
+    metadata:
+      labels:
+        app: consul
+    spec:
+      securityContext:
+        fsGroup: 1000
+      containers:
+        - name: consul
+          image: "consul:1.9.1"
+          env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: GOSSIP_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: consul
+                  key: gossip-encryption-key
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          args:
+            - "agent"
+            - "-advertise=$(POD_IP)"
+            - "-node=$(POD_NAME)"
+            - "-bind=0.0.0.0"
+            - "-bootstrap-expect=3"
+            - "-retry-join=consul-0.consul.$(NAMESPACE).svc.cluster.local"
+            - "-retry-join=consul-1.consul.$(NAMESPACE).svc.cluster.local"
+            - "-retry-join=consul-2.consul.$(NAMESPACE).svc.cluster.local"
+            - "-client=0.0.0.0"
+            - "-datacenter=dc1"
+            - "-data-dir=/consul/data"
+            - "-domain=cluster.local"
+            - "-server"
+            - "-ui"
+            - "-disable-host-node-id"
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - /bin/sh
+                - -c
+                - consul leave
+          ports:
+            - containerPort: 8500
+              name: ui-port
+            - containerPort: 8400
+              name: alt-port
+            - containerPort: 53
+              name: udp-port
+            - containerPort: 8443
+              name: https-port
+            - containerPort: 8080
+              name: http-port
+            - containerPort: 8301
+              name: serflan
+            - containerPort: 8302
+              name: serfwan
+            - containerPort: 8600
+              name: consuldns
+            - containerPort: 8300
+              name: server
+      volumes:
+        - name: config
+          configMap:
+            name: consul

vault-consul-kubernetes/consul-svc.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: consul
+  labels:
+    name: consul
+spec:
+  type: NodePort
+  ports:
+    - name: http
+      port: 8500
+      targetPort: 8500
+    - name: https
+      port: 8443
+      targetPort: 8443
+    - name: rpc
+      port: 8400
+      targetPort: 8400
+    - name: serflan-tcp
+      protocol: "TCP"
+      port: 8301
+      targetPort: 8301
+    - name: serflan-udp
+      protocol: "UDP"
+      port: 8301
+      targetPort: 8301
+    - name: serfwan-tcp
+      protocol: "TCP"
+      port: 8302
+      targetPort: 8302
+    - name: serfwan-udp
+      protocol: "UDP"
+      port: 8302
+      targetPort: 8302
+    - name: server
+      port: 8300
+      targetPort: 8300
+    - name: consuldns
+      port: 8600
+      targetPort: 8600
+  selector:
+    app: consul

vault-consul-kubernetes/create.json

@@ -0,0 +1,8 @@
+{
+  "type": "kv",
+  "path": "kv",
+  "option": {
+	  "version": "2"
+  },
+  "generate_signing_key" : "true"
+}

vault-consul-kubernetes/secret.json

@@ -0,0 +1,4 @@
+{
+  "foo": "bar",
+  "zip": "zap"
+}

vault-consul-kubernetes/vault-configmap.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vault-conf
+data:
+  vault.hcl: |
+
+    ui = "true"
+    cluster_name = "dc1"
+
+    storage "consul" {
+      address = "consul:8500"
+      path    = "vault/"
+      ha_enabled = "true"
+    }
+
+    listener "tcp" {
+      address     = "0.0.0.0:8200"
+      tls_disable = "true"
+    }

vault-consul-kubernetes/vault-deployment.yaml

@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault
+  labels:
+    app: vault
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: vault
+  template:
+    metadata:
+      labels:
+        app: vault
+    spec:
+      containers:
+      - name: vault
+        command: ["vault", "server", "-config", "/vault/config/vault.hcl"]
+        image: "vault:1.6.1"
+        imagePullPolicy: IfNotPresent
+        env:
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          - name: NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: VAULT_CLUSTER_ADDR
+            value: "http://$(POD_IP):8201"
+          - name: VAULT_API_ADDR
+            value: "http://$(POD_IP):8200"
+        ports:
+          - containerPort: 8200
+            name: vault
+          - containerPort: 8201
+            name: vault1
+        securityContext:
+          capabilities:
+            add:
+              - IPC_LOCK
+        volumeMounts:
+          - name: configurations
+            mountPath: /vault/config/vault.hcl
+            subPath: vault.hcl
+      - name: consul-vault-agent
+        image: "consul:1.9.1"
+        env:
+          - name: NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+        args:
+          - "agent"
+          - "-retry-join=consul-0.consul.$(NAMESPACE).svc.cluster.local"
+          - "-retry-join=consul-1.consul.$(NAMESPACE).svc.cluster.local"
+          - "-retry-join=consul-2.consul.$(NAMESPACE).svc.cluster.local"
+          - "-domain=cluster.local"
+          - "-datacenter=dc1"
+          - "-disable-host-node-id"
+          - "-node=$(NAME)"
+      volumes:
+        - name: configurations
+          configMap:
+            name: vault-conf

vault-consul-kubernetes/vault-svc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault
+  labels:
+    app: vault
+spec:
+  type: NodePort
+  ports:
+    - port: 8200
+      targetPort: 8200
+      protocol: TCP
+      name: vault
+  selector:
+    app: vault

vault-consul-kubernetes/vaultinit.sh

@@ -0,0 +1,9 @@
+curl --request PUT -d '{"secret_shares": 1,"secret_threshold": 1}' -vs http://$(kubectl get svc | grep vault | awk '{print $3}'):8200/v1/sys/init | jq -r '.' > ./init.json
+
+for ip in `kubectl get pods -o wide  | grep vault | awk '{print $6}'`
+do	
+item=$(cat ./init.json | jq -r '.keys_base64[]')
+curl --request PUT --data '{"key":"'$item'"}' -vs http://$ip:8200/v1/sys/unseal
+done
+root=$(cat ./init.json | jq -r '.root_token')
+curl --header "X-Vault-Token:$root" --request POST --data ../@create.json http://$(kubectl get svc | grep vault | awk '{print $3}'):8200/v1/sys/mounts/my-mount