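#!/usr/bin/env bash
# Installs an HA (raft) Vault via Helm, initialises and unseals it, and wires the
# kubernetes auth method for ESO and the Vault injector. The ingress hostname
# vault.kind.cluster suggests this targets a local kind cluster.
# Requires kubectl, helm, jq and vault on PATH. The unseal key and root token
# are written to ./cluster-keys.json in the current directory.
# -u catches unset variables, pipefail makes the `cat <<EOF | kubectl apply`
# pipelines fail when either side fails.
set -euo pipefail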
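#######################################
# Print a message framed by two rule lines.
# Arguments: $1 - message text (printed verbatim, whitespace preserved)
# Outputs:   three lines on stdout
#######################################
log() {
  local -r rule='---------------------------------------------------------------------------------------'
  # printf '%s' instead of an unquoted echo: keeps internal spacing and does not
  # misinterpret a message beginning with '-' as an echo option.
  printf '%s\n' "$rule" "$1" "$rule"
}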
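#######################################
# Block until the selected resources report condition=ready in any namespace.
# Not called anywhere in this script; kept as a helper. Vault pods are normally
# not Ready while sealed, so this cannot replace the post-install wait before
# `vault operator init` — verify against the chart's readinessProbe.
# Arguments: $1 - resource kind (default: pods)
#            $2 - kubectl wait timeout (default: 5m)
#            $3 - a single selector argument (default: --all)
# Returns:   kubectl wait's exit status
#######################################
wait_ready() {
  local kind=${1:-pods}
  local timeout=${2:-5m}
  local selector=${3:---all}
  log "WAIT $kind ($timeout) ..."
  # Every expansion is quoted; the selector is passed as one argument.
  kubectl wait -A --timeout="$timeout" --for=condition=ready "$kind" "$selector"
}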
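#######################################
# Wait for all pods that have not already completed (phase != Succeeded).
# Not called anywhere in this script.
# Arguments: $1 - kubectl wait timeout (default: 5m)
# Returns:   wait_ready's exit status
#######################################
wait_pods_ready() {
  local timeout=${1:-5m}
  wait_ready pods "$timeout" --field-selector=status.phase!=Succeeded
}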
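#######################################
# Retry a command every 5s until it exits with an accepted status or the
# deadline passes. Replaces the fixed `sleep 30` waits.
# Arguments: $1 - space-separated accepted exit statuses, e.g. "0 2"
#            $2 - deadline in seconds
#            $@ - (remaining) the command and its arguments
# Returns:   0 once an accepted status is seen, 1 on timeout
#######################################
retry_until() {
  local ok_codes=" $1 "
  local deadline=$(( SECONDS + $2 ))
  shift 2
  local rc
  while :; do
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    [[ "$ok_codes" == *" $rc "* ]] && return 0
    if (( SECONDS >= deadline )); then
      printf 'timeout waiting for: %s\n' "$*" >&2
      return 1
    fi
    sleep 5
  done
}

log "Vault ..."
# HA raft cluster exposed through the nginx ingress at vault.kind.cluster.
# The YAML is indented as the chart expects (server.ha.raft, server.ingress.hosts).
helm upgrade --install --wait --timeout 35m --atomic --namespace vault --create-namespace \
  --repo https://helm.releases.hashicorp.com vault vault --values - <<'EOF'
server:
  ha:
    enabled: true
    raft:
      enabled: true
  ingress:
    enabled: true
    ingressClassName: nginx
    hosts:
      - host: vault.kind.cluster
        paths:
          - /
EOF

# Wait until vault-0 answers the API. `vault status` exits 0 when unsealed and
# 2 when sealed/uninitialised; 1 means the server is not reachable yet.
retry_until "0 2" 300 kubectl exec vault-0 -n vault -- vault status

# Initialise with a single share/threshold — only appropriate for a throwaway
# dev cluster. The unseal key and root token land in cluster-keys.json, so
# create it with owner-only permissions (umask in a subshell keeps the rest of
# the script unaffected) and do not echo its contents to the log.
(
  umask 077
  kubectl exec vault-0 -n vault -- vault operator init \
    -key-shares=1 \
    -key-threshold=1 \
    -format=json > cluster-keys.json
)
log "Vault initialised; unseal key and root token saved to cluster-keys.json"
# A single share was requested above, so there is exactly one key.
VAULT_UNSEAL_KEY=$(jq -r '.unseal_keys_b64[0]' cluster-keys.json)
VAULT_ROOT_TOKEN=$(jq -r '.root_token' cluster-keys.json)

# Unseal the leader, join the followers to the raft cluster, then unseal them.
# No -t/-i: this script is not attached to a terminal and sends no stdin.
kubectl exec vault-0 -n vault -- vault operator unseal "$VAULT_UNSEAL_KEY"
for pod in vault-1 vault-2; do
  kubectl exec "$pod" -n vault -- vault operator raft join http://vault-0.vault-internal:8200
done
for pod in vault-1 vault-2; do
  kubectl exec "$pod" -n vault -- vault operator unseal "$VAULT_UNSEAL_KEY"
done

export VAULT_ADDR=http://vault.kind.cluster
# Through the ingress, wait for an unsealed node (exit 0) instead of a fixed sleep.
retry_until "0" 300 vault status
# The root token is passed on argv here, where other local users can see it via
# ps; acceptable for a dev cluster only.
vault login "$VAULT_ROOT_TOKEN"

# Enable kv version 2 and store a sample (non-sensitive) secret
vault secrets enable -path=secret kv-v2
vault kv put -mount=secret config username="static-user" password="static-password"
vault kv get -mount=secret config

# Enable and configure the kubernetes auth method
vault auth enable kubernetes
vault write auth/kubernetes/config \
  kubernetes_host="https://kubernetes.default.svc:443"

# Policy allowing reads under secret/ and self-renewal of the token
vault policy write eso - <<'EOF'
path "secret/*" {
  capabilities = ["read", "list"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
EOF

# Role binding the read policy to the vault-auth service account used by ESO
vault write auth/kubernetes/role/eso \
  bound_service_account_names=vault-auth \
  bound_service_account_namespaces=vault \
  policies=eso \
  ttl=24h

# Create the service account idempotently (plain `create` fails on re-runs).
kubectl create serviceaccount vault-auth -n vault --dry-run=client -o yaml | kubectl apply -f -

# Long-lived token secret for vault-auth (since Kubernetes 1.24 service
# accounts are created without tokens)
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  namespace: vault
  name: vault-auth
  annotations:
    kubernetes.io/service-account.name: "vault-auth"
type: kubernetes.io/service-account-token
EOF

# Long-lived token secret for the vault server service account
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  namespace: vault
  name: vault
  annotations:
    kubernetes.io/service-account.name: "vault"
type: kubernetes.io/service-account-token
EOF

# Allow the vault service account to use the TokenReview API.
# ClusterRoleBinding is cluster-scoped, so metadata.namespace is omitted.
# NOTE(review): the Helm chart may already create an equivalent binding for the
# server service account — verify with `kubectl get clusterrolebinding`.
cat <<'EOF' | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault
    namespace: vault
EOF

# Role for the webapp service account (Vault Injector), reusing the eso policy
vault write auth/kubernetes/role/webapp \
  bound_service_account_names=webapp-auth \
  bound_service_account_namespaces=app \
  policies=eso \
  ttl=24h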