From 25aa9afa0d8b87e6217b1a238a13df0e3f56769b Mon Sep 17 00:00:00 2001
From: Anurag Guda
Date: Mon, 1 Mar 2021 01:27:35 +0000
Subject: [PATCH] vault consul on kubernetes
---
 vault-consul-kubernetes/README.md | 12 +++
 .../consul-statefulset.yaml | 84 +++++++++++++++++++
 vault-consul-kubernetes/consul-svc.yaml | 42 ++++++++++
 vault-consul-kubernetes/create.json | 8 ++
 vault-consul-kubernetes/secret.json | 4 +
 vault-consul-kubernetes/vault-configmap.yaml | 20 +++++
 vault-consul-kubernetes/vault-deployment.yaml | 71 ++++++++++++++++
 vault-consul-kubernetes/vault-svc.yaml | 15 ++++
 vault-consul-kubernetes/vaultinit.sh | 9 ++
 9 files changed, 265 insertions(+)
 create mode 100644 vault-consul-kubernetes/README.md
 create mode 100644 vault-consul-kubernetes/consul-statefulset.yaml
 create mode 100644 vault-consul-kubernetes/consul-svc.yaml
 create mode 100644 vault-consul-kubernetes/create.json
 create mode 100644 vault-consul-kubernetes/secret.json
 create mode 100644 vault-consul-kubernetes/vault-configmap.yaml
 create mode 100644 vault-consul-kubernetes/vault-deployment.yaml
 create mode 100644 vault-consul-kubernetes/vault-svc.yaml
 create mode 100644 vault-consul-kubernetes/vaultinit.sh
diff --git a/vault-consul-kubernetes/README.md b/vault-consul-kubernetes/README.md
new file mode 100644
index 0000000..3e44bb0
--- /dev/null
+++ b/vault-consul-kubernetes/README.md
@@ -0,0 +1,12 @@
+# Vault Consul on Kubernetes
+
+Deploy Vault and Consul on kubernetes with below steps
+
+```
+kubectl apply -f vault-consul-kubernetes/
+```
+
+Now Execute below script to initialize the vault
+```
+bash vaultinit.sh
+```
diff --git a/vault-consul-kubernetes/consul-statefulset.yaml b/vault-consul-kubernetes/consul-statefulset.yaml
new file mode 100644
index 0000000..dee102b
--- /dev/null
+++ b/vault-consul-kubernetes/consul-statefulset.yaml
@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: consul
+spec:
+ serviceName: consul
+ replicas: 3
+ selector:
+ matchLabels:
+ app: consul
+ template:
+ metadata:
+ labels:
+ app: consul
+ spec:
+ securityContext:
+ fsGroup: 1000
+ containers:
+ - name: consul
+ image: "consul:1.9.1"
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: GOSSIP_ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: consul
+ key: gossip-encryption-key
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ args:
+ - "agent"
+ - "-advertise=$(POD_IP)"
+ - "-node=$(POD_NAME)"
+ - "-bind=0.0.0.0"
+ - "-bootstrap-expect=3"
+ - "-retry-join=consul-0.consul.$(NAMESPACE).svc.cluster.local"
+ - "-retry-join=consul-1.consul.$(NAMESPACE).svc.cluster.local"
+ - "-retry-join=consul-2.consul.$(NAMESPACE).svc.cluster.local"
+ - "-client=0.0.0.0"
+ - "-datacenter=dc1"
+ - "-data-dir=/consul/data"
+ - "-domain=cluster.local"
+ - "-server"
+ - "-ui"
+ - "-disable-host-node-id"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - consul leave
+ ports:
+ - containerPort: 8500
+ name: ui-port
+ - containerPort: 8400
+ name: alt-port
+ - containerPort: 53
+ name: udp-port
+ - containerPort: 8443
+ name: https-port
+ - containerPort: 8080
+ name: http-port
+ - containerPort: 8301
+ name: serflan
+ - containerPort: 8302
+ name: serfwan
+ - containerPort: 8600
+ name: consuldns
+ - containerPort: 8300
+ name: server
+ volumes:
+ - name: config
+ configMap:
+ name: consul
diff --git a/vault-consul-kubernetes/consul-svc.yaml b/vault-consul-kubernetes/consul-svc.yaml
new file mode 100644
index 0000000..0643365
--- /dev/null
+++ b/vault-consul-kubernetes/consul-svc.yaml
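Review bot: GOSSIP_ENCRYPTION_KEY is pulled from the `consul` Secret into the environment but never handed to the agent, so the `args` list starts Consul with gossip encryption off; add `- "-encrypt=$(GOSSIP_ENCRYPTION_KEY)"` to `args`, and the `consul-vault-agent` sidecar in vault-deployment.yaml needs the same env entry and flag or it cannot join an encrypted cluster. Neither the `consul` Secret nor the `consul` ConfigMap referenced by the `config` volume is created in this commit, so presumably the pods cannot start until both exist out of band, and the `config` volume is declared but never mounted. `-data-dir=/consul/data` has no matching `volumeClaimTemplates` entry, so Raft state lives on the container filesystem and is lost on every pod restart. `consul leave` in `preStop` makes each server leave the cluster permanently during a rolling update, which with `-bootstrap-expect=3` can cost quorum; consider removing it and letting the agent's graceful shutdown handle the restart.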
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: consul
+ labels:
+ name: consul
+spec:
+ type: NodePort
+ ports:
+ - name: http
+ port: 8500
+ targetPort: 8500
+ - name: https
+ port: 8443
+ targetPort: 8443
+ - name: rpc
+ port: 8400
+ targetPort: 8400
+ - name: serflan-tcp
+ protocol: "TCP"
+ port: 8301
+ targetPort: 8301
+ - name: serflan-udp
+ protocol: "UDP"
+ port: 8301
+ targetPort: 8301
+ - name: serfwan-tcp
+ protocol: "TCP"
+ port: 8302
+ targetPort: 8302
+ - name: serfwan-udp
+ protocol: "UDP"
+ port: 8302
+ targetPort: 8302
+ - name: server
+ port: 8300
+ targetPort: 8300
+ - name: consuldns
+ port: 8600
+ targetPort: 8600
+ selector:
+ app: consul
diff --git a/vault-consul-kubernetes/create.json b/vault-consul-kubernetes/create.json
new file mode 100644
index 0000000..fcd6b1b
--- /dev/null
+++ b/vault-consul-kubernetes/create.json
@@ -0,0 +1,8 @@
+{
+ "type": "kv",
+ "path": "kv",
+ "option": {
+ "version": "2"
+ },
+ "generate_signing_key" : "true"
+}
diff --git a/vault-consul-kubernetes/secret.json b/vault-consul-kubernetes/secret.json
new file mode 100644
index 0000000..2772369
--- /dev/null
+++ b/vault-consul-kubernetes/secret.json
@@ -0,0 +1,4 @@
+{
+ "foo": "bar",
+ "zip": "zap"
+}
diff --git a/vault-consul-kubernetes/vault-configmap.yaml b/vault-consul-kubernetes/vault-configmap.yaml
new file mode 100644
index 0000000..5d322fa
--- /dev/null
+++ b/vault-consul-kubernetes/vault-configmap.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: vault-conf
+data:
+ vault.hcl: |
+
+ ui = "true"
+ cluster_name = "dc1"
+
+ storage "consul" {
+ address = "consul:8500"
+ path = "vault/"
+ ha_enabled = "true"
+ }
+
+ listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_disable = "true"
+ }
diff --git a/vault-consul-kubernetes/vault-deployment.yaml b/vault-consul-kubernetes/vault-deployment.yaml
new file mode 100644
index 0000000..da2d467
--- /dev/null
+++ b/vault-consul-kubernetes/vault-deployment.yaml
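Review bot: `type: NodePort` publishes the Consul HTTP API, UI, DNS and server ports on every node of the cluster, and the StatefulSet behind it runs with `-client=0.0.0.0` and `-ui` and no ACLs or TLS, so anyone who can reach a node gets unauthenticated read/write access to the KV store that Vault stores its (encrypted) barrier data in; nothing in this commit needs external reach, so `type: ClusterIP` is the safer default, and vault-svc.yaml has the same exposure for Vault's TLS-disabled listener. Separately, the StatefulSet's `-retry-join=consul-0.consul.$(NAMESPACE).svc.cluster.local` seeds depend on per-pod DNS records, which the Kubernetes DNS spec only guarantees for a headless Service; this Service has a cluster IP, so the seeds may never resolve. The usual layout is a second Service with `clusterIP: None` and the same selector, named in the StatefulSet's `serviceName`, with this one kept for client traffic.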
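Review bot: The keys `option` and `generate_signing_key` in this mount request do not match what Vault's `sys/mounts` endpoint reads; to my knowledge the KV version is taken from an `options` map, so this body mounts KV version 1 rather than the intended version 2, and `generate_signing_key` is not a mount parameter. `"path": "kv"` is likewise ignored, because vaultinit.sh supplies the mount path in the URL (`/v1/sys/mounts/my-mount`). Suggested body: `{"type": "kv", "options": {"version": "2"}}`.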
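Review bot: `tls_disable = "true"` on the only listener means every request to Vault — the `sys/init` response carrying the unseal key and root token, every unseal key submitted, and every `X-Vault-Token` header — crosses the network in clear text, and vault-svc.yaml exposes that listener on a NodePort. Terminate TLS on the listener with `tls_cert_file` / `tls_key_file` pointing at a mounted Secret (or at least keep the Service cluster-internal), and change the `http://` value of VAULT_API_ADDR in vault-deployment.yaml to match. The `storage "consul"` stanza carries no `token`, which is consistent with Consul ACLs being off in this commit; a comment above the stanza such as `# no ACL token: Consul ACLs are not enabled in consul-statefulset.yaml` would make that dependency explicit for whoever enables ACLs later.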
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vault
+ labels:
+ app: vault
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: vault
+ template:
+ metadata:
+ labels:
+ app: vault
+ spec:
+ containers:
+ - name: vault
+ command: ["vault", "server", "-config", "/vault/config/vault.hcl"]
+ image: "vault:1.6.1"
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: VAULT_CLUSTER_ADDR
+ value: "http://$(POD_IP):8201"
+ - name: VAULT_API_ADDR
+ value: "http://$(POD_IP):8200"
+ ports:
+ - containerPort: 8200
+ name: vault
+ - containerPort: 8201
+ name: vault1
+ securityContext:
+ capabilities:
+ add:
+ - IPC_LOCK
+ volumeMounts:
+ - name: configurations
+ mountPath: /vault/config/vault.hcl
+ subPath: vault.hcl
+ - name: consul-vault-agent
+ image: "consul:1.9.1"
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ args:
+ - "agent"
+ - "-retry-join=consul-0.consul.$(NAMESPACE).svc.cluster.local"
+ - "-retry-join=consul-1.consul.$(NAMESPACE).svc.cluster.local"
+ - "-retry-join=consul-2.consul.$(NAMESPACE).svc.cluster.local"
+ - "-domain=cluster.local"
+ - "-datacenter=dc1"
+ - "-disable-host-node-id"
+ - "-node=$(NAME)"
+ volumes:
+ - name: configurations
+ configMap:
+ name: vault-conf
diff --git a/vault-consul-kubernetes/vault-svc.yaml b/vault-consul-kubernetes/vault-svc.yaml
new file mode 100644
index 0000000..4e51ba7
--- /dev/null
+++ b/vault-consul-kubernetes/vault-svc.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault
+ labels:
+ app: vault
+spec:
+ type: NodePort
+ ports:
+ - port: 8200
+ targetPort: 8200
+ protocol: TCP
+ name: vault
+ selector:
+ app: vault
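Review bot: The `consul-vault-agent` sidecar is never on Vault's path to Consul: vault-configmap.yaml points storage at `address = "consul:8500"`, the Service, so the sidecar only consumes resources and a gossip slot; either set that address to `127.0.0.1:8500` so Vault talks to the pod-local agent (the containers share the pod network namespace), or drop the container. The sidecar also has no GOSSIP_ENCRYPTION_KEY entry or `-encrypt` flag, so if encryption is turned on in consul-statefulset.yaml it will be unable to join. Neither container declares `resources`, and the `vault` container's `securityContext` only adds `IPC_LOCK`; consider `runAsNonRoot: true` and `readOnlyRootFilesystem: true` at the container level plus requests/limits, since a three-replica Vault with no limits can be scheduled onto nodes that cannot actually hold its mlocked memory. The pair of `NAME` env entries deserve a comment on the sidecar's `-node=$(NAME)`, e.g. `# node name = Vault pod name, so each replica registers as a distinct client agent`.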
diff --git a/vault-consul-kubernetes/vaultinit.sh b/vault-consul-kubernetes/vaultinit.sh
new file mode 100644
index 0000000..d7cab1f
--- /dev/null
+++ b/vault-consul-kubernetes/vaultinit.sh
@@ -0,0 +1,9 @@
+curl --request PUT -d '{"secret_shares": 1,"secret_threshold": 1}' -vs http://$(kubectl get svc | grep vault | awk '{print $3}'):8200/v1/sys/init | jq -r '.' > ./init.json
+
+for ip in `kubectl get pods -o wide | grep vault | awk '{print $6}'`
+do
+item=$(cat ./init.json | jq -r '.keys_base64[]')
+curl --request PUT --data '{"key":"'$item'"}' -vs http://$ip:8200/v1/sys/unseal
+done
+root=$(cat ./init.json | jq -r '.root_token')
+curl --header "X-Vault-Token:$root" --request POST --data ../@create.json http://$(kubectl get svc | grep vault | awk '{print $3}'):8200/v1/sys/mounts/my-mount
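Review bot: `--data ../@create.json` on the last line sends the literal string `../@create.json` as the request body, because curl only reads a file when `@` is the first character of the argument, so the mount request is malformed; use `--data @create.json` or `--data @../create.json`, whichever matches the working directory the README intends. The unseal key and root token are written to `./init.json` under the default umask, and `-vs` prints request headers — including `X-Vault-Token:$root` — to stderr, so add `umask 077` before the first curl and drop `-v` from all three calls. `kubectl get svc | grep vault | awk '{print $3}'` yields the Service's cluster IP, which is reachable only from inside the cluster, and `item=$(cat ./init.json | jq -r '.keys_base64[]')` is loop-invariant and belongs above `for`, as `item=$(jq -r '.keys_base64[]' ./init.json)`. There is no shebang and no `set -euo pipefail`, so a failed `sys/init` silently continues into unseal and mount calls with empty values.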