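---
apiVersion: "vault.banzaicloud.com/v1alpha1"
kind: "Vault"
metadata:
  name: "vault"
spec:
  # Single, non-HA instance on file storage: suitable for a dev/test cluster,
  # not for production (no replication, no failover).
  size: 1

  # Custom Vault image that ships the NATS secrets plugin.
  # NOTE(review): a mutable tag can be re-pushed; pin by digest
  # (image@sha256:...) once the tested build is known.
  image: ghcr.io/edgefarm/vault-plugin-secrets-nats/vault-with-nats-secrets:1.5.0

  # Common annotations for all created resources
  annotations:
    common/annotation: "true"

  # Vault Pods, Services and TLS Secret annotations
  vaultAnnotations:
    type/instance: "vault"

  # Vault Configurer Pods and Services annotations
  vaultConfigurerAnnotations:
    type/instance: "vaultconfigurer"

  # Vault Pods, Services and TLS Secret labels
  vaultLabels:
    example.com/log-format: "json"

  # Vault Configurer Pods and Services labels
  vaultConfigurerLabels:
    example.com/log-format: "string"

  # Support for affinity rules, same as in PodSpec
  # affinity:
  #   nodeAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       nodeSelectorTerms:
  #         - matchExpressions:
  #             - key: "node-role.kubernetes.io/your_role"
  #               operator: In
  #               values: ["true"]

  # Support for pod nodeSelector rules to control which nodes can be chosen to run
  # the given pods
  # nodeSelector:
  #   "node-role.kubernetes.io/your_role": "true"

  # Support for node tolerations that work together with node taints to control
  # the pods that can run on a node
  # tolerations:
  #   - effect: NoSchedule
  #     key: node-role.kubernetes.io/your_role
  #     operator: Equal
  #     value: "true"

  # Existing Secret (type kubernetes.io/tls) holding the server certificate;
  # when set, the operator does not generate its own certificate.
  # The certificate must cover every name Vault is dialed by, including
  # "vault.local" used by the sidecars below — TODO confirm SANs.
  existingTlsSecretName: vault-server-tls
  # Threshold for renewing certificates. Valid time units: "ns", "us", "ms", "s", "m", "h".
  # tlsExpiryThreshold: 168h

  # ServiceAccount the Vault Pod and the Bank-Vaults configurer/unsealer run as
  serviceAccount: vault

  # Service type the Vault Service is exposed with. Some Ingress controllers
  # (e.g. https://github.com/kubernetes/ingress-gce) require a NodePort.
  serviceType: ClusterIP

  # Request an Ingress with the default configuration.
  # NOTE(review): an ingress stanza most likely makes the operator publish
  # Vault outside the cluster; remove it unless external access is intended
  # — TODO confirm.
  ingress:
    # Ingress annotations; with TLS enabled (the default) the operator adds
    # NGINX, Traefik and HAProxy compatible annotations for TLS backends
    annotations: {}
    # Override of the default Ingress spec (standard Kubernetes IngressSpec)
    spec: {}

  # Local disk for Vault file storage, see config.storage below.
  volumes:
    - name: vault-file
      persistentVolumeClaim:
        claimName: vault-file
  volumeMounts:
    - name: vault-file
      mountPath: /vault/file

  # Namespaces that receive a copy of the generated CA certificate Secret
  # (use ["*"] for all namespaces).
  caNamespaces:
    - "cert-manager"
    - "vswh"

  # Where the unseal keys and the root token are stored.
  unsealConfig:
    options:
      # Run unseal and root token storage tests first (default true)
      preFlightChecks: true
      # Persist the root token in the chosen storage (default true).
      # NOTE(review): the Secret below then holds the unseal keys AND the root
      # token; restrict RBAC on it and enable encryption at rest for Secrets.
      storeRootToken: true
    kubernetes:
      secretNamespace: vault
      secretName: bank-vaults

  # YAML representation of the final Vault config file,
  # see https://www.vaultproject.io/docs/configuration/
  config:
    # NOTE(review): with file storage Vault recommends keeping mlock enabled
    # (needs IPC_LOCK); keep this true only if swap is off or encrypted on
    # the nodes.
    disable_mlock: true
    plugin_directory: "/etc/vault/vault_plugins"
    storage:
      file:
        # Example of environment interpolation in the Vault config
        path: "${ .Env.VAULT_STORAGE_FILE }"
    listener:
      tcp:
        address: "0.0.0.0:8200"
        tls_cert_file: /vault/tls/server.crt
        tls_key_file: /vault/tls/server.key
    telemetry:
      statsd_address: localhost:9125
    ui: true
    # NOTE(review): api_addr is the address advertised to clients/peers for
    # redirects and must be reachable; 0.0.0.0 is not. Harmless with size 1,
    # set it to the Service address before scaling out.
    api_addr: "https://0.0.0.0:8200"

  externalConfig:
    plugins:
      - plugin_name: vault-plugin-secrets-nats
        # NOTE(review): --tls-skip-verify disables server certificate
        # verification for the plugin's client to Vault although --ca-cert is
        # also supplied. Drop it if the server cert covers the address the
        # plugin dials — TODO confirm.
        command: vault-plugin-secrets-nats --tls-skip-verify --ca-cert=/vault/tls/ca.crt
        # Checksum Vault verifies before registering the plugin binary; it
        # must match the binary shipped in the image above.
        sha256: 5639d8581b6d6680a19771ba854befb9b897a99c4325aea5c5d77ca3c7fc488e
        type: secret
    policies:
      - name: allow_nats_secrets
        # Full CRUD on the NATS secrets mount. The path must match the mount
        # path under `secrets` below (nats-secrets); the earlier
        # "nats_secrets/*" did not match it.
        rules: |
          path "nats-secrets/*" {
            capabilities = ["create", "read", "update", "delete", "list"]
          }
    groups:
      - name: nats-secret-admin
        policies:
          - allow_nats_secrets
        metadata:
          # Group metadata values are strings; keep it quoted so the literal
          # "true" is stored rather than a converted boolean — TODO confirm
          privileged: "true"
        type: external
    group-aliases:
      - name: nats-secret-admin
        mountpath: token
        group: nats-secret-admin
    auth:
      - type: kubernetes
        roles:
          # Allow the NATS provider pods in crossplane-system to use the
          # nats-secrets backend.
          # NOTE(review): confirm the installed kubernetes auth method treats
          # "provider-nats-*" as a glob; otherwise only that literal name matches.
          - name: provider-nats
            bound_service_account_names: ["provider-nats-*"]
            bound_service_account_namespaces: ["crossplane-system"]
            policies: ["allow_nats_secrets"]
            ttl: 1h
    secrets:
      - path: nats-secrets
        type: plugin
        plugin_name: vault-plugin-secrets-nats
        description: NATS secrets backend

  vaultEnvsConfig:
    # NOTE(review): trace logging is very verbose and may expose request
    # details; use "info" outside development.
    - name: VAULT_LOG_LEVEL
      value: trace
    - name: VAULT_STORAGE_FILE
      value: "/vault/file"

  # Address the sidecars use to reach Vault; "vault.local" is pinned to
  # loopback via hostAliases below, so the custom certificate must name it.
  sidecarEnvsConfig:
    - name: VAULT_ADDR
      value: https://vault.local:8200

  # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  vaultPodSpec:
    hostAliases:
      - ip: "127.0.0.1"
        hostnames:
          - "vault.local"

  resources:
    vault:
      limits:
        cpu: 2
        memory: 1024Mi
      requests:
        cpu: 1
        memory: 1024Mi

  # Marks presence of Istio, which influences things like port namings
  istioEnabled: false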
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vault-file
spec:
  # Leave storageClassName unset to use the cluster default class; set it to
  # "" to bind only to a pre-provisioned PV
  # (https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1).
  # storageClassName: ""
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi

# Optional hostPath-backed PersistentVolume for single-node test clusters.
# The data then lives on that one node's disk (gone with the node) and the
# Recycle reclaim policy is deprecated; prefer a dynamically provisioned
# volume anywhere else.
# ---
# apiVersion: v1
# kind: PersistentVolume
# metadata:
#   name: vault-file
# spec:
#   capacity:
#     storage: 1Gi
#   accessModes:
#     - ReadWriteOnce
#   persistentVolumeReclaimPolicy: Recycle
#   hostPath:
#     path: /vault/file