sa_8001/ncp-terraform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

terraform script add

Browse Source
This commit is contained in:
ByeonJungHun
2023-10-19 16:35:47 +09:00
commit 65f305d107
947 changed files with 81629 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
packer/ansible/roles/helm_install/files/vault/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
dont_delete_me

28
packer/ansible/roles/helm_install/files/vault/.helmignore Normal file
View File

@@ -0,0 +1,28 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.terraform/
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# CI and test
.circleci/
.github/
.gitlab-ci.yml
test/

58
packer/ansible/roles/helm_install/files/vault/00.old/override-values.yaml_221117 Normal file
View File

@@ -0,0 +1,58 @@
injector:
tolerations:
- key: "dev/data-kafka"
operator: "Exists"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka
server:
tolerations:
- key: "dev/data-kafka"
operator: "Exists"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka
dataStorage:
enabled: true
size: 1Gi
storageClass: null
auditStorage:
enabled: false
size: 1Gi
storageClass: null
ui:
enabled: true
serviceType: "NodePort"
serviceNodePort: 32702
csi:
pod:
tolerations:
- key: "dev/data-kafka"
operator: "Exists"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka

14
packer/ansible/roles/helm_install/files/vault/00.old/override-values.yaml_bak Normal file
View File

@@ -0,0 +1,14 @@
server:
dataStorage:
enabled: true
# storageClass: openebs-hostpath
size: 1Gi
auditStorage:
enabled: true
# storageClass: openebs-hostpath
size: 1Gi
ui:
enabled: true
serviceType: "NodePort"
serviceNodePort: 32702

433
packer/ansible/roles/helm_install/files/vault/CHANGELOG.md Normal file
View File

@@ -0,0 +1,433 @@
## Unreleased
## 0.22.1 (October 26th, 2022)
Changes:
* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803)
## 0.22.0 (September 8th, 2022)
Features:
* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772)
Changes:
* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784)
* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785)
## 0.21.0 (August 10th, 2022)
CHANGES:
* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771)
* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744)
* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745)
Features:
* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767)
* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610)
* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753)
## 0.20.1 (May 25th, 2022)
CHANGES:
* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739)
Improvements:
* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
Bugs:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
## 0.20.0 (May 16th, 2022)
CHANGES:
* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703)
* Vault default image to 1.10.3
* CSI provider default image to 1.1.0
* Vault K8s default image to 0.16.0
* Earliest Kubernetes version tested is now 1.16
* Helm 3.6+ now required
Features:
* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652)
Improvements:
* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710)
* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709)
* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694)
* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684)
* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692)
## 0.19.0 (January 20th, 2022)
CHANGES:
* Vault image default 1.9.2
* Vault K8s image default 0.14.2
Features:
* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653)
* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659)
* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661)
* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670)
Improvements:
* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673)
* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686)
## 0.18.0 (November 17th, 2021)
CHANGES:
* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649)
* Vault image default 1.9.0
* Vault K8s image default 0.14.1
Improvements:
* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621)
## 0.17.1 (October 25th, 2021)
Improvements:
* Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634)
## 0.17.0 (October 21st, 2021)
KNOWN ISSUES:
* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set
CHANGES:
* Vault image default 1.8.4
* Vault K8s image default 0.14.0
Improvements:
* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590)
* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626)
* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630)
Bugs:
* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628)
## 0.16.1 (September 29th, 2021)
CHANGES:
* Vault image default 1.8.3
* Vault K8s image default 0.13.1
## 0.16.0 (September 16th, 2021)
CHANGES:
* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`.
Improvements:
* Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603)
* Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607)
## 0.15.0 (August 23rd, 2021)
Improvements:
* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572)
* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584)
## 0.14.0 (July 28th, 2021)
Features:
* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560)
Improvements:
* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565)
* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567)
* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570)
* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576)
## 0.13.0 (June 17th, 2021)
Improvements:
* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531)
* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547)
* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549)
Bugs:
* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537)
* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535)
* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545)
## 0.12.0 (May 25th, 2021)
Features:
* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526)
Improvements:
* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510)
* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513)
* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521)
* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437)
Bugs:
* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519)
## 0.11.0 (April 14th, 2021)
Features:
* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471)
* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489)
* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493)
* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460)
* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488)
Improvements:
* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495)
Bugs:
* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486)
## 0.10.0 (March 25th, 2021)
Features:
* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461)
Improvements:
* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456)
## 0.9.1 (February 2nd, 2021)
Bugs:
* Injector: fix labels for default anti-affinity rule [GH-441](https://github.com/hashicorp/vault-helm/pull/441), [GH-442](https://github.com/hashicorp/vault-helm/pull/442)
* Set VAULT_DEV_LISTEN_ADDRESS in dev mode [GH-446](https://github.com/hashicorp/vault-helm/pull/446)
## 0.9.0 (January 5th, 2021)
Features:
* Injector now supports configurable number of replicas [GH-436](https://github.com/hashicorp/vault-helm/pull/436)
* Injector now supports auto TLS for multiple replicas using leader elections [GH-436](https://github.com/hashicorp/vault-helm/pull/436)
Improvements:
* Dev mode now supports `server.extraArgs` [GH-421](https://github.com/hashicorp/vault-helm/pull/421)
* Dev mode root token is now configurable with `server.dev.devRootToken` [GH-415](https://github.com/hashicorp/vault-helm/pull/415)
* ClusterRoleBinding updated to `v1` [GH-395](https://github.com/hashicorp/vault-helm/pull/395)
* MutatingWebhook updated to `v1` [GH-408](https://github.com/hashicorp/vault-helm/pull/408)
* Injector service now supports `injector.service.annotations` [425](https://github.com/hashicorp/vault-helm/pull/425)
* Injector now supports `injector.extraLabels` [428](https://github.com/hashicorp/vault-helm/pull/428)
* Added `allowPrivilegeEscalation: false` to Vault and Injector containers [429](https://github.com/hashicorp/vault-helm/pull/429)
* Network Policy now supports `server.networkPolicy.egress` [389](https://github.com/hashicorp/vault-helm/pull/389)
## 0.8.0 (October 20th, 2020)
Improvements:
* Make server NetworkPolicy independent of OpenShift [GH-381](https://github.com/hashicorp/vault-helm/pull/381)
* Added configurables for all probe values [GH-387](https://github.com/hashicorp/vault-helm/pull/387)
* MountPath for audit and data storage is now configurable [GH-393](https://github.com/hashicorp/vault-helm/pull/393)
* Annotations can now be added to the Injector pods [GH-394](https://github.com/hashicorp/vault-helm/pull/394)
* The injector can now be configured with a failurePolicy [GH-400](https://github.com/hashicorp/vault-helm/pull/400)
* Added additional environment variables for rendering within Vault config [GH-398](https://github.com/hashicorp/vault-helm/pull/398)
* Service account for Vault K8s auth is automatically created when `injector.externalVaultAddr` is set [GH-392](https://github.com/hashicorp/vault-helm/pull/392)
Bugs:
* Fixed install output using Helm V2 command [GH-378](https://github.com/hashicorp/vault-helm/pull/378)
## 0.7.0 (August 24th, 2020)
Features:
* Added `volumes` and `volumeMounts` for mounting _any_ type of volume [GH-314](https://github.com/hashicorp/vault-helm/pull/314).
* Added configurable to enable prometheus telemetery exporter for Vault Agent Injector [GH-372](https://github.com/hashicorp/vault-helm/pull/372)
Improvements:
* Added `defaultMode` configurable to `extraVolumes`[GH-321](https://github.com/hashicorp/vault-helm/pull/321)
* Option to install and use PodSecurityPolicy's for vault server and injector [GH-177](https://github.com/hashicorp/vault-helm/pull/177)
* `VAULT_API_ADDR` is now configurable [GH-290](https://github.com/hashicorp/vault-helm/pull/290)
* Removed deprecated tolerate unready endpoint annotations [GH-363](https://github.com/hashicorp/vault-helm/pull/363)
* Add an option to set annotations on the StatefulSet [GH-199](https://github.com/hashicorp/vault-helm/pull/199)
* Make the vault server serviceAccount name a configuration option [GH-367](https://github.com/hashicorp/vault-helm/pull/367)
* Removed annotation striction from `dev` mode [GH-371](https://github.com/hashicorp/vault-helm/pull/371)
* Add an option to set annotations on PVCs [GH-364](https://github.com/hashicorp/vault-helm/pull/364)
* Added service configurables for UI [GH-285](https://github.com/hashicorp/vault-helm/pull/285)
Bugs:
* Fix python dependency in test image [GH-337](https://github.com/hashicorp/vault-helm/pull/337)
* Fix caBundle not being quoted causing validation issues with Helm 3 [GH-352](https://github.com/hashicorp/vault-helm/pull/352)
* Fix injector network policy being rendered when injector is not enabled [GH-358](https://github.com/hashicorp/vault-helm/pull/358)
## 0.6.0 (June 3rd, 2020)
Features:
* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258)
* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315)
* Beta: Added OpenShift support [GH-319](https://github.com/hashicorp/vault-helm/pull/319)
Improvements:
* Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213)
* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)]
* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)]
* Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)]
* Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)]
* Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)]
* Added support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)]
* Added configurable to change service type for the HA active service [GH-317](https://github.com/hashicorp/vault-helm/pull/317)
Bugs:
* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)]
* Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)]
* Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)]
* Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)]
* Fixed bug where pull secrets weren't being used for injector image [GH-298](https://github.com/hashicorp/vault-helm/pull/298)
## 0.5.0 (April 9th, 2020)
Features:
* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)]
* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)]
* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)]
* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)]
* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)]
* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)]
* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)]
## 0.4.0 (February 21st, 2020)
Improvements:
* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)]
* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)]
* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)]
* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)]
* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)]
Bugs:
* Fix bug where Vault lifecycle was appended after extra containers. [[GH-179](https://github.com/hashicorp/vault-helm/pull/179)]
## 0.3.3 (January 14th, 2020)
Security:
* Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings [GH-175](https://github.com/hashicorp/vault-helm/issues/175)
Bugs:
* Fixed injection bug where wrong environment variables were being used for manually mounted TLS files
## 0.3.2 (January 8th, 2020)
Bugs:
* Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]
## 0.3.1 (January 2nd, 2020)
Bugs:
* Fixed injection bug causing kube-system pods to be rejected [VK8S-14]
## 0.3.0 (December 19th, 2019)
Features:
* Extra containers can now be added to the Vault pods
* Added configurability of pod probes
* Added Vault Agent Injector
Improvements:
* Moved `global.image` to `server.image`
* Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true`
* Added better HTTP/HTTPS scheme support to http probes
* Added configurable node port for Vault service
* `server.authDelegator` is now enabled by default
Bugs:
* Fixed upgrade bug by removing chart label which contained the version
* Fixed typo on `serviceAccount` (was `serviceaccount`)
* Fixed readiness/liveliness HTTP probe default to accept standbys
## 0.2.1 (November 12th, 2019)
Bugs:
* Removed `readOnlyRootFilesystem` causing issues when validating deployments
## 0.2.0 (October 29th, 2019)
Features:
* Added load balancer support
* Added ingress support
* Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc)
* Removed root requirements, now runs as Vault user
Improvements:
* Added namespace value to all rendered objects
* Made ports configurable in services
* Added the ability to add custom annotations to services
* Added docker image for running bats test in CircleCI
* Removed restrictions around `dev` mode such as annotations
* `readOnlyRootFilesystem` is now configurable
* Image Pull Policy is now configurable
Bugs:
* Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
* Fixed bug where audit storage was not being mounted in HA mode
* Fixed bug where Vault pod wasn't receiving SIGTERM signals
## 0.1.2 (August 22nd, 2019)
Features:
* Added `extraSecretEnvironmentVars` to allow users to mount secrets as
environment variables
* Added `tlsDisable` configurable to change HTTP protocols from HTTP/HTTPS
depending on the value
* Added `serviceNodePort` to configure a NodePort value when setting `serviceType`
to "NodePort"
Improvements:
* Changed UI port to 8200 for better HTTP protocol support
* Added `path` to `extraVolumes` to define where the volume should be
mounted. Defaults to `/vault/userconfig`
* Upgraded Vault to 1.2.2
Bugs:
* Fixed bug where upgrade would fail because immutable labels were being
changed (Helm Version label)
* Fixed bug where UI service used wrong selector after updating helm labels
* Added `VAULT_API_ADDR` env to Vault pod to fixed bug where Vault thinks
Consul is the active node
* Removed `step-down` preStop since it requires authentication. Shutdown signal
sent by Kube acts similar to `step-down`
## 0.1.1 (August 7th, 2019)
Features:
* Added `authDelegator` Cluster Role Binding to Vault service account for
bootstrapping Kube auth method
Improvements:
* Added `server.service.clusterIP` to `values.yml` so users can toggle
the Vault service to headless by using the value `None`.
* Upgraded Vault to 1.2.1
## 0.1.0 (August 6th, 2019)
Initial release

247
packer/ansible/roles/helm_install/files/vault/CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,247 @@
# Contributing to Vault Helm
**Please note:** We take Vault's security and our users' trust very seriously.
If you believe you have found a security issue in Vault, please responsibly
disclose by contacting us at security@hashicorp.com.
**First:** if you're unsure or afraid of _anything_, just ask or submit the
issue or pull request anyways. You won't be yelled at for giving it your best
effort. The worst that can happen is that you'll be politely asked to change
something. We appreciate any sort of contributions, and don't want a wall of
rules to get in the way of that.
That said, if you want to ensure that a pull request is likely to be merged,
talk to us! You can find out our thoughts and ensure that your contribution
won't clash or be obviated by Vault's normal direction. A great way to do this
is via the [Vault Discussion Forum][1].
This document will cover what we're looking for in terms of reporting issues.
By addressing all the points we're looking for, it raises the chances we can
quickly merge or address your contributions.
[1]: https://discuss.hashicorp.com/c/vault
## Issues
### Reporting an Issue
* Make sure you test against the latest released version. It is possible
we already fixed the bug you're experiencing. Even better is if you can test
against `main`, as bugs are fixed regularly but new versions are only
released every few months.
* Provide steps to reproduce the issue, and if possible include the expected
results as well as the actual results. Please provide text, not screen shots!
* Respond as promptly as possible to any questions made by the Vault
team to your issue. Stale issues will be closed periodically.
### Issue Lifecycle
1. The issue is reported.
2. The issue is verified and categorized by a Vault Helm collaborator.
Categorization is done via tags. For example, bugs are marked as "bugs".
3. Unless it is critical, the issue may be left for a period of time (sometimes
many weeks), giving outside contributors -- maybe you!? -- a chance to
address the issue.
4. The issue is addressed in a pull request or commit. The issue will be
referenced in the commit message so that the code that fixes it is clearly
linked.
5. The issue is closed. Sometimes, valid issues will be closed to keep
the issue tracker clean. The issue is still indexed and available for
future viewers, or can be re-opened if necessary.
## Testing
The Helm chart ships with both unit and acceptance tests.
The unit tests don't require any active Kubernetes cluster and complete
very quickly. These should be used for fast feedback during development.
The acceptance tests require a Kubernetes cluster with a configured `kubectl`.
### Test Using Docker Container
The following are the instructions for running bats tests using a Docker container.
#### Prerequisites
* Docker installed
* `vault-helm` checked out locally
#### Test
**Note:** the following commands should be run from the `vault-helm` directory.
First, build the Docker image for running the tests:
```shell
docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test
```
Next, execute the tests with the following commands:
```shell
docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit
```
It's possible to only run specific bats tests using regular expressions.
For example, the following will run only tests with "injector" in the name:
```shell
docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector"
```
### Test Manually
The following are the instructions for running bats tests on your workstation.
#### Prerequisites
* [Bats](https://github.com/bats-core/bats-core)
```bash
brew install bats-core
```
* [yq](https://pypi.org/project/yq/)
```bash
brew install python-yq
```
* [helm](https://helm.sh)
```bash
brew install kubernetes-helm
```
#### Test
To run the unit tests:
bats ./test/unit
To run the acceptance tests:
bats ./test/acceptance
If the acceptance tests fail, deployed resources in the Kubernetes cluster
may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
start from a clean slate.
**Note:** There is a Terraform configuration in the
[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory
that can be used to quickly bring up a GKE cluster and configure
`kubectl` and `helm` locally. This can be used to quickly spin up a test
cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes
cluster.
### Writing Unit Tests
Changes to the Helm chart should be accompanied by appropriate unit tests.
#### Formatting
- Put tests in the test file in the same order as the variables appear in the `values.yaml`.
- Start tests for a chart value with a header that says what is being tested, like this:
```
#--------------------------------------------------------------------
# annotations
```
- Name the test based on what it's testing in the following format (this will be its first line):
```
@test "<section being tested>: <short description of the test case>" {
```
When adding tests to an existing file, the first section will be the same as the other tests in the file.
#### Test Details
[Bats](https://github.com/bats-core/bats-core) provides a way to run commands in a shell and inspect the output in an automated way.
In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output.
In this way, we're able to test that the various conditionals in the templates render as we would expect.
Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well.
The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/).
`yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length).
The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match.
The test passes or fails based on the conditional at the end that is in square brackets, which is a comparison of our expected value and the output of `helm template` piped to `yq`.
The `| tee /dev/stderr ` pieces direct any terminal output of the `helm template` and `yq` commands to stderr so that it doesn't interfere with `bats`.
#### Test Examples
Here are some examples of common test patterns:
- Check that a value is disabled by default
```
@test "ui/Service: no type by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
```
In this example, nothing is changed from the default templates (no `--set` flags), then we use `yq` to retrieve the value we're checking, `.spec.type`.
This output is then compared against our expected value (`null` in this case) in the assertion `[ "${actual}" = "null" ]`.
- Check that a template value is rendered to a specific value
```
@test "ui/Service: specified type" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/ui-service.yaml \
--set 'ui.serviceType=LoadBalancer' \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "LoadBalancer" ]
}
```
This is very similar to the last example, except we've changed a default value with the `--set` flag and correspondingly changed the expected value.
- Check that a template value contains several values
```
@test "server/standalone-StatefulSet: custom resources" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.standalone.enabled=true' \
--set 'server.resources.requests.memory=256Mi' \
--set 'server.resources.requests.cpu=250m' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources.requests.memory' | tee /dev/stderr)
[ "${actual}" = "256Mi" ]
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.standalone.enabled=true' \
--set 'server.resources.limits.memory=256Mi' \
--set 'server.resources.limits.cpu=250m' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources.limits.memory' | tee /dev/stderr)
[ "${actual}" = "256Mi" ]
```
*Note:* If testing more than two conditions, it would be good to separate the `helm template` part of the command from the `yq` sections to reduce redundant work.
- Check that an entire template file is not rendered
```
@test "syncCatalog/Deployment: disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-statefulset.yaml \
--set 'global.enabled=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
```
Here we are check the length of the command output to see if the anything is rendered.
This style can easily be switched to check that a file is rendered instead.
## Contributor License Agreement
We require that all contributors sign our Contributor License Agreement ("CLA")
before we can accept the contribution.
[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla)

21
packer/ansible/roles/helm_install/files/vault/Chart.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v2
appVersion: 1.12.0
description: Official HashiCorp Vault Chart
home: https://www.vaultproject.io
icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
keywords:
- vault
- security
- encryption
- secrets
- management
- automation
- infrastructure
kubeVersion: '>= 1.16.0-0'
name: vault
sources:
- https://github.com/hashicorp/vault
- https://github.com/hashicorp/vault-helm
- https://github.com/hashicorp/vault-k8s
- https://github.com/hashicorp/vault-csi-provider
version: 0.22.1

355
packer/ansible/roles/helm_install/files/vault/LICENSE Normal file
View File

@@ -0,0 +1,355 @@
Copyright (c) 2018 HashiCorp, Inc.
Mozilla Public License, version 2.0
1. Definitions
1.1. “Contributor”
means each individual or legal entity that creates, contributes to the
creation of, or owns Covered Software.
1.2. “Contributor Version”
means the combination of the Contributions of others (if any) used by a
Contributor and that particular Contributors Contribution.
1.3. “Contribution”
means Covered Software of a particular Contributor.
1.4. “Covered Software”
means Source Code Form to which the initial Contributor has attached the
notice in Exhibit A, the Executable Form of such Source Code Form, and
Modifications of such Source Code Form, in each case including portions
thereof.
1.5. “Incompatible With Secondary Licenses”
means
a. that the initial Contributor has attached the notice described in
Exhibit B to the Covered Software; or
b. that the Covered Software was made available under the terms of version
1.1 or earlier of the License, but not also under the terms of a
Secondary License.
1.6. “Executable Form”
means any form of the work other than Source Code Form.
1.7. “Larger Work”
means a work that combines Covered Software with other material, in a separate
file or files, that is not Covered Software.
1.8. “License”
means this document.
1.9. “Licensable”
means having the right to grant, to the maximum extent possible, whether at the
time of the initial grant or subsequently, any and all of the rights conveyed by
this License.
1.10. “Modifications”
means any of the following:
a. any file in Source Code Form that results from an addition to, deletion
from, or modification of the contents of Covered Software; or
b. any new file in Source Code Form that contains any Covered Software.
1.11. “Patent Claims” of a Contributor
means any patent claim(s), including without limitation, method, process,
and apparatus claims, in any patent Licensable by such Contributor that
would be infringed, but for the grant of the License, by the making,
using, selling, offering for sale, having made, import, or transfer of
either its Contributions or its Contributor Version.
1.12. “Secondary License”
means either the GNU General Public License, Version 2.0, the GNU Lesser
General Public License, Version 2.1, the GNU Affero General Public
License, Version 3.0, or any later versions of those licenses.
1.13. “Source Code Form”
means the form of the work preferred for making modifications.
1.14. “You” (or “Your”)
means an individual or a legal entity exercising rights under this
License. For legal entities, “You” includes any entity that controls, is
controlled by, or is under common control with You. For purposes of this
definition, “control” means (a) the power, direct or indirect, to cause
the direction or management of such entity, whether by contract or
otherwise, or (b) ownership of more than fifty percent (50%) of the
outstanding shares or beneficial ownership of such entity.
2. License Grants and Conditions
2.1. Grants
Each Contributor hereby grants You a world-wide, royalty-free,
non-exclusive license:
a. under intellectual property rights (other than patent or trademark)
Licensable by such Contributor to use, reproduce, make available,
modify, display, perform, distribute, and otherwise exploit its
Contributions, either on an unmodified basis, with Modifications, or as
part of a Larger Work; and
b. under Patent Claims of such Contributor to make, use, sell, offer for
sale, have made, import, and otherwise transfer either its Contributions
or its Contributor Version.
2.2. Effective Date
The licenses granted in Section 2.1 with respect to any Contribution become
effective for each Contribution on the date the Contributor first distributes
such Contribution.
2.3. Limitations on Grant Scope
The licenses granted in this Section 2 are the only rights granted under this
License. No additional rights or licenses will be implied from the distribution
or licensing of Covered Software under this License. Notwithstanding Section
2.1(b) above, no patent license is granted by a Contributor:
a. for any code that a Contributor has removed from Covered Software; or
b. for infringements caused by: (i) Your and any other third partys
modifications of Covered Software, or (ii) the combination of its
Contributions with other software (except as part of its Contributor
Version); or
c. under Patent Claims infringed by Covered Software in the absence of its
Contributions.
This License does not grant any rights in the trademarks, service marks, or
logos of any Contributor (except as may be necessary to comply with the
notice requirements in Section 3.4).
2.4. Subsequent Licenses
No Contributor makes additional grants as a result of Your choice to
distribute the Covered Software under a subsequent version of this License
(see Section 10.2) or under the terms of a Secondary License (if permitted
under the terms of Section 3.3).
2.5. Representation
Each Contributor represents that the Contributor believes its Contributions
are its original creation(s) or it has sufficient rights to grant the
rights to its Contributions conveyed by this License.
2.6. Fair Use
This License is not intended to limit any rights You have under applicable
copyright doctrines of fair use, fair dealing, or other equivalents.
2.7. Conditions
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
Section 2.1.
3. Responsibilities
3.1. Distribution of Source Form
All distribution of Covered Software in Source Code Form, including any
Modifications that You create or to which You contribute, must be under the
terms of this License. You must inform recipients that the Source Code Form
of the Covered Software is governed by the terms of this License, and how
they can obtain a copy of this License. You may not attempt to alter or
restrict the recipients rights in the Source Code Form.
3.2. Distribution of Executable Form
If You distribute Covered Software in Executable Form then:
a. such Covered Software must also be made available in Source Code Form,
as described in Section 3.1, and You must inform recipients of the
Executable Form how they can obtain a copy of such Source Code Form by
reasonable means in a timely manner, at a charge no more than the cost
of distribution to the recipient; and
b. You may distribute such Executable Form under the terms of this License,
or sublicense it under different terms, provided that the license for
the Executable Form does not attempt to limit or alter the recipients
rights in the Source Code Form under this License.
3.3. Distribution of a Larger Work
You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for the
Covered Software. If the Larger Work is a combination of Covered Software
with a work governed by one or more Secondary Licenses, and the Covered
Software is not Incompatible With Secondary Licenses, this License permits
You to additionally distribute such Covered Software under the terms of
such Secondary License(s), so that the recipient of the Larger Work may, at
their option, further distribute the Covered Software under the terms of
either this License or such Secondary License(s).
3.4. Notices
You may not remove or alter the substance of any license notices (including
copyright notices, patent notices, disclaimers of warranty, or limitations
of liability) contained within the Source Code Form of the Covered
Software, except that You may alter any license notices to the extent
required to remedy known factual inaccuracies.
3.5. Application of Additional Terms
You may choose to offer, and to charge a fee for, warranty, support,
indemnity or liability obligations to one or more recipients of Covered
Software. However, You may do so only on Your own behalf, and not on behalf
of any Contributor. You must make it absolutely clear that any such
warranty, support, indemnity, or liability obligation is offered by You
alone, and You hereby agree to indemnify every Contributor for any
liability incurred by such Contributor as a result of warranty, support,
indemnity or liability terms You offer. You may include additional
disclaimers of warranty and limitations of liability specific to any
jurisdiction.
4. Inability to Comply Due to Statute or Regulation
If it is impossible for You to comply with any of the terms of this License
with respect to some or all of the Covered Software due to statute, judicial
order, or regulation then You must: (a) comply with the terms of this License
to the maximum extent possible; and (b) describe the limitations and the code
they affect. Such description must be placed in a text file included with all
distributions of the Covered Software under this License. Except to the
extent prohibited by statute or regulation, such description must be
sufficiently detailed for a recipient of ordinary skill to be able to
understand it.
5. Termination
5.1. The rights granted under this License will terminate automatically if You
fail to comply with any of its terms. However, if You become compliant,
then the rights granted under this License from a particular Contributor
are reinstated (a) provisionally, unless and until such Contributor
explicitly and finally terminates Your grants, and (b) on an ongoing basis,
if such Contributor fails to notify You of the non-compliance by some
reasonable means prior to 60 days after You have come back into compliance.
Moreover, Your grants from a particular Contributor are reinstated on an
ongoing basis if such Contributor notifies You of the non-compliance by
some reasonable means, this is the first time You have received notice of
non-compliance with this License from such Contributor, and You become
compliant prior to 30 days after Your receipt of the notice.
5.2. If You initiate litigation against any entity by asserting a patent
infringement claim (excluding declaratory judgment actions, counter-claims,
and cross-claims) alleging that a Contributor Version directly or
indirectly infringes any patent, then the rights granted to You by any and
all Contributors for the Covered Software under Section 2.1 of this License
shall terminate.
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
license agreements (excluding distributors and resellers) which have been
validly granted by You or Your distributors under this License prior to
termination shall survive termination.
6. Disclaimer of Warranty
Covered Software is provided under this License on an “as is” basis, without
warranty of any kind, either expressed, implied, or statutory, including,
without limitation, warranties that the Covered Software is free of defects,
merchantable, fit for a particular purpose or non-infringing. The entire
risk as to the quality and performance of the Covered Software is with You.
Should any Covered Software prove defective in any respect, You (not any
Contributor) assume the cost of any necessary servicing, repair, or
correction. This disclaimer of warranty constitutes an essential part of this
License. No use of any Covered Software is authorized under this License
except under this disclaimer.
7. Limitation of Liability
Under no circumstances and under no legal theory, whether tort (including
negligence), contract, or otherwise, shall any Contributor, or anyone who
distributes Covered Software as permitted above, be liable to You for any
direct, indirect, special, incidental, or consequential damages of any
character including, without limitation, damages for lost profits, loss of
goodwill, work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses, even if such party shall have been
informed of the possibility of such damages. This limitation of liability
shall not apply to liability for death or personal injury resulting from such
partys negligence to the extent applicable law prohibits such limitation.
Some jurisdictions do not allow the exclusion or limitation of incidental or
consequential damages, so this exclusion and limitation may not apply to You.
8. Litigation
Any litigation relating to this License may be brought only in the courts of
a jurisdiction where the defendant maintains its principal place of business
and such litigation shall be governed by laws of that jurisdiction, without
reference to its conflict-of-law provisions. Nothing in this Section shall
prevent a partys ability to bring cross-claims or counter-claims.
9. Miscellaneous
This License represents the complete agreement concerning the subject matter
hereof. If any provision of this License is held to be unenforceable, such
provision shall be reformed only to the extent necessary to make it
enforceable. Any law or regulation which provides that the language of a
contract shall be construed against the drafter shall not be used to construe
this License against a Contributor.
10. Versions of the License
10.1. New Versions
Mozilla Foundation is the license steward. Except as provided in Section
10.3, no one other than the license steward has the right to modify or
publish new versions of this License. Each version will be given a
distinguishing version number.
10.2. Effect of New Versions
You may distribute the Covered Software under the terms of the version of
the License under which You originally received the Covered Software, or
under the terms of any subsequent version published by the license
steward.
10.3. Modified Versions
If you create software not governed by this License, and you want to
create a new license for such software, you may create and use a modified
version of this License if you rename the license and remove any
references to the name of the license steward (except to note that such
modified license differs from this License).
10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
If You choose to distribute Source Code Form that is Incompatible With
Secondary Licenses under the terms of this version of the License, the
notice described in Exhibit B of this License must be attached.
Exhibit A - Source Code Form License Notice
This Source Code Form is subject to the
terms of the Mozilla Public License, v.
2.0. If a copy of the MPL was not
distributed with this file, You can
obtain one at
http://mozilla.org/MPL/2.0/.
If it is not possible or desirable to put the notice in a particular file, then
You may include the notice in a location (such as a LICENSE file in a relevant
directory) where a recipient would be likely to look for such a notice.
You may add additional accurate notices of copyright ownership.
Exhibit B - “Incompatible With Secondary Licenses” Notice
This Source Code Form is “Incompatible
With Secondary Licenses”, as defined by
the Mozilla Public License, v. 2.0.

101
packer/ansible/roles/helm_install/files/vault/Makefile Normal file
View File

@@ -0,0 +1,101 @@
TEST_IMAGE?=vault-helm-test
GOOGLE_CREDENTIALS?=vault-helm-test.json
CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514
# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats
ACCEPTANCE_TESTS?=acceptance
# filter bats unit tests to run.
UNIT_TESTS_FILTER?='.*'
# set to 'true' to run acceptance tests locally in a kind cluster
LOCAL_ACCEPTANCE_TESTS?=false
# kind cluster name
KIND_CLUSTER_NAME?=vault-helm
# kind k8s version
KIND_K8S_VERSION?=v1.25.0
# Generate json schema for chart values. See test/README.md for more details.
values-schema:
helm schema-gen values.yaml > values.schema.json
test-image:
@docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
test-unit:
@docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit
test-bats: test-unit test-acceptance
test: test-image test-bats
# run acceptance tests on GKE
# set google project/credential vars above
test-acceptance:
ifeq ($(LOCAL_ACCEPTANCE_TESTS),true)
make setup-kind acceptance
else
@docker run -it -v ${PWD}:/helm-test \
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-e KUBECONFIG=/helm-test/.kube/config \
-e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \
-w /helm-test \
$(TEST_IMAGE) \
make acceptance
endif
# destroy GKE cluster using terraform
test-destroy:
@docker run -it -v ${PWD}:/helm-test \
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-w /helm-test \
$(TEST_IMAGE) \
make destroy-cluster
# provision GKE cluster using terraform
test-provision:
@docker run -it -v ${PWD}:/helm-test \
-e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \
-e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \
-e KUBECONFIG=/helm-test/.kube/config \
-w /helm-test \
$(TEST_IMAGE) \
make provision-cluster
# this target is for running the acceptance tests
# it is run in the docker container above when the test-acceptance target is invoked
acceptance:
ifneq ($(LOCAL_ACCEPTANCE_TESTS),true)
gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
endif
bats --tap --timing test/${ACCEPTANCE_TESTS}
# this target is for provisioning the GKE cluster
# it is run in the docker container above when the test-provision target is invoked
provision-cluster:
gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS}
terraform init test/terraform
terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform
# this target is for removing the GKE cluster
# it is run in the docker container above when the test-destroy target is invoked
destroy-cluster:
terraform destroy -auto-approve
# create a kind cluster for running the acceptance tests locally
setup-kind:
kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \
kind create cluster \
--image kindest/node:${KIND_K8S_VERSION} \
--name ${KIND_CLUSTER_NAME} \
--config $(CURDIR)/test/kind/config.yaml
kubectl config use-context kind-${KIND_CLUSTER_NAME}
# delete the kind cluster
delete-kind:
kind delete cluster --name ${KIND_CLUSTER_NAME} || :
.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster

127
packer/ansible/roles/helm_install/files/vault/README.MD Normal file
View File

@@ -0,0 +1,127 @@
## override-values.yaml 내용 확인
#
```
# user_vault의 access_key, secret_key를 입력.
# vault-auto-unseal key id를 입력.
seal "awskms" {
region = "ap-northeast-2"
access_key = user_vault의 access_key
secret_key = user_vault의 secret_key
kms_key_id = aws kms vault-auto-unseal key id
}
```
## vault server 설치
```
helm install vault-server -n dsk-middle -f override-values.yaml .
```
## vault server 생성 확인
```
kubectl get pods -n dsk-middle
```
## vault server 초기화
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault operator init
```
위 명령어로 나온 key 값들은 반드시 파일로 저장 후 반드시 보관 필요\
vault server 봉인 해제, ui 접속 등에 필요
## vault server 봉인 해제. unseal key 5 개 중, 아무거나 3 개 필요
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault operator unseal
```
### unseal key 입력
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault operator unseal
```
### unseal key 입력
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault operator unseal
```
### unseal key 입력
## vault server login
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault login
```
### Initial Root Token 입력
## vault secret engine 활성화. 사용 엔진 kv (key value)
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault secrets enable -version=2 -path=tls kv
```
## secret engine 활성화 확인
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault secrets list
```
## approle 활성화
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault auth enable approle
```
## approle 활성화 확인
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault auth list
```
## policy 생성. (secret에 접근하는 권한 설정)
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault policy write datasaker -<<EOF
path "tls/data/client" {
capabilities = [ "read", "list" ]
}
path "tls/data/server" {
capabilities = [ "read", "list" ]
}
EOF
```
## policy 확인
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault policy list
```
## policy 세부 사항 확인
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault policy read datasaker
```
## role 생성
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault write auth/approle/role/datasaker token_policies="datasaker" token_ttl=12h token_max_ttl=24h
```
## role 생성 확인
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault list auth/approle/role
```
## role 세부사항 확인
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault read auth/approle/role/datasaker
```
## role의 role-id 획득
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault read auth/approle/role/datasaker/role-id
```
## role의 secret-id 획득
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault write -force auth/approle/role/datasaker/secret-id
```
## role-id와 secret-id는 vault agent가 참고하는 volume에 저장
#### vault agent가 token 획득하는데 사용됨
## tls 키 생성
```
/tls/generator.sh 실행
```
## 생성된 tls data 확인
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault kv get -mount=tls client
```
```
kubectl exec -it -n dsk-middle vault-server-0 -- vault kv get -mount=tls server
```

82
packer/ansible/roles/helm_install/files/vault/override-values.yaml Normal file
View File

@@ -0,0 +1,82 @@
injector:
tolerations:
- key: "dev/data-kafka"
operator: "Exists"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka
server:
tolerations:
- key: "dev/data-kafka"
operator: "Exists"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka
standalone:
enabled: "-"
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "file" {
path = "/vault/data"
}
# user_vault의 access_key, secret_key를 입력.
# vault-auto-unseal key id를 입력.
seal "awskms" {
region = "ap-northeast-2"
access_key =
secret_key =
kms_key_id =
}
dataStorage:
enabled: true
size: 1Gi
storageClass: null
auditStorage:
enabled: false
size: 1Gi
storageClass: null
ui:
enabled: true
serviceType: "NodePort"
serviceNodePort: 32702
csi:
pod:
tolerations:
- key: "dev/data-kafka"
operator: "Exists"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka

82
packer/ansible/roles/helm_install/files/vault/override-values.yaml_bak Normal file
View File

@@ -0,0 +1,82 @@
injector:
tolerations:
- key: "dev/data-kafka"
operator: "Exists"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka
server:
tolerations:
- key: "dev/data-kafka"
operator: "Exists"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka
standalone:
enabled: "-"
config: |
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "file" {
path = "/vault/data"
}
# user_vault의 access_key, secret_key를 입력.
# vault-auto-unseal key id를 입력.
seal "awskms" {
region = "ap-northeast-2"
access_key =
secret_key =
kms_key_id =
}
dataStorage:
enabled: true
size: 1Gi
storageClass: null
auditStorage:
enabled: false
size: 1Gi
storageClass: null
ui:
enabled: true
serviceType: "NodePort"
serviceNodePort: 32702
csi:
pod:
tolerations:
- key: "dev/data-kafka"
operator: "Exists"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka

14
packer/ansible/roles/helm_install/files/vault/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,14 @@
Thank you for installing HashiCorp Vault!
Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:
https://www.vaultproject.io/docs/
Your release is named {{ .Release.Name }}. To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get manifest {{ .Release.Name }}

953
packer/ansible/roles/helm_install/files/vault/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,953 @@
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). If release name contains chart name it will
be used as a full name.
*/}}
{{- define "vault.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vault.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "vault.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Compute if the csi driver is enabled.
*/}}
{{- define "vault.csiEnabled" -}}
{{- $_ := set . "csiEnabled" (or
(eq (.Values.csi.enabled | toString) "true")
(and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the injector is enabled.
*/}}
{{- define "vault.injectorEnabled" -}}
{{- $_ := set . "injectorEnabled" (or
(eq (.Values.injector.enabled | toString) "true")
(and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server is enabled.
*/}}
{{- define "vault.serverEnabled" -}}
{{- $_ := set . "serverEnabled" (or
(eq (.Values.server.enabled | toString) "true")
(and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server auth delegator serviceaccount is enabled.
*/}}
{{- define "vault.serverServiceAccountEnabled" -}}
{{- $_ := set . "serverServiceAccountEnabled"
(and
(eq (.Values.server.serviceAccount.create | toString) "true" )
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server auth delegator serviceaccount is enabled.
*/}}
{{- define "vault.serverAuthDelegator" -}}
{{- $_ := set . "serverAuthDelegator"
(and
(eq (.Values.server.authDelegator.enabled | toString) "true" )
(or (eq (.Values.server.serviceAccount.create | toString) "true")
(not (eq .Values.server.serviceAccount.name "")))
(or
(eq (.Values.server.enabled | toString) "true")
(eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute if the server service is enabled.
*/}}
{{- define "vault.serverServiceEnabled" -}}
{{- template "vault.serverEnabled" . -}}
{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}}
{{- end -}}
{{/*
Compute if the ui is enabled.
*/}}
{{- define "vault.uiEnabled" -}}
{{- $_ := set . "uiEnabled" (or
(eq (.Values.ui.enabled | toString) "true")
(and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}}
{{- end -}}
{{/*
Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
Add a special case for replicas=1, where it should default to 0 as well.
*/}}
{{- define "vault.pdb.maxUnavailable" -}}
{{- if eq (int .Values.server.ha.replicas) 1 -}}
{{ 0 }}
{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}}
{{ .Values.server.ha.disruptionBudget.maxUnavailable -}}
{{- else -}}
{{- div (sub (div (mul (int .Values.server.ha.replicas) 10) 2) 1) 10 -}}
{{- end -}}
{{- end -}}
{{/*
Set the variable 'mode' to the server mode requested by the user to simplify
template logic.
*/}}
{{- define "vault.mode" -}}
{{- template "vault.serverEnabled" . -}}
{{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}}
{{- $_ := set . "mode" "external" -}}
{{- else if not .serverEnabled -}}
{{- $_ := set . "mode" "external" -}}
{{- else if eq (.Values.server.dev.enabled | toString) "true" -}}
{{- $_ := set . "mode" "dev" -}}
{{- else if eq (.Values.server.ha.enabled | toString) "true" -}}
{{- $_ := set . "mode" "ha" -}}
{{- else if or (eq (.Values.server.standalone.enabled | toString) "true") (eq (.Values.server.standalone.enabled | toString) "-") -}}
{{- $_ := set . "mode" "standalone" -}}
{{- else -}}
{{- $_ := set . "mode" "" -}}
{{- end -}}
{{- end -}}
{{/*
Set's the replica count based on the different modes configured by user
*/}}
{{- define "vault.replicas" -}}
{{ if eq .mode "standalone" }}
{{- default 1 -}}
{{ else if eq .mode "ha" }}
{{- .Values.server.ha.replicas | default 3 -}}
{{ else }}
{{- default 1 -}}
{{ end }}
{{- end -}}
{{/*
Set's up configmap mounts if this isn't a dev deployment and the user
defined a custom configuration. Additionally iterates over any
extra volumes the user may have specified (such as a secret with TLS).
*/}}
{{- define "vault.volumes" -}}
{{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config
configMap:
name: {{ template "vault.fullname" . }}-config
{{ end }}
{{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }}
{{ .type }}:
{{- if (eq .type "configMap") }}
name: {{ .name }}
{{- else if (eq .type "secret") }}
secretName: {{ .name }}
{{- end }}
defaultMode: {{ .defaultMode | default 420 }}
{{- end }}
{{- if .Values.server.volumes }}
{{- toYaml .Values.server.volumes | nindent 8}}
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: vault-license
secret:
secretName: {{ .Values.server.enterpriseLicense.secretName }}
defaultMode: 0440
{{- end }}
{{- end -}}
{{/*
Set's the args for custom command to render the Vault configuration
file with IP addresses to make the out of box experience easier
for users looking to use this chart with Consul Helm.
*/}}
{{- define "vault.args" -}}
{{ if or (eq .mode "standalone") (eq .mode "ha") }}
- |
cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
[ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }}
{{ else if eq .mode "dev" }}
- |
/usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }}
{{ end }}
{{- end -}}
{{/*
Set's additional environment variables based on the mode.
*/}}
{{- define "vault.envs" -}}
{{ if eq .mode "dev" }}
- name: VAULT_DEV_ROOT_TOKEN_ID
value: {{ .Values.server.dev.devRootToken }}
- name: VAULT_DEV_LISTEN_ADDRESS
value: "[::]:8200"
{{ end }}
{{- end -}}
{{/*
Set's which additional volumes should be mounted to the container
based on the mode configured.
*/}}
{{- define "vault.mounts" -}}
{{ if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- name: audit
mountPath: {{ .Values.server.auditStorage.mountPath }}
{{ end }}
{{ if or (eq .mode "standalone") (and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true")) }}
{{ if eq (.Values.server.dataStorage.enabled | toString) "true" }}
- name: data
mountPath: {{ .Values.server.dataStorage.mountPath }}
{{ end }}
{{ end }}
{{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }}
- name: config
mountPath: /vault/config
{{ end }}
{{- range .Values.server.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }}
{{- end }}
{{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 12}}
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: vault-license
mountPath: /vault/license
readOnly: true
{{- end }}
{{- end -}}
{{/*
Set's up the volumeClaimTemplates when data or audit storage is required. HA
might not use data storage since Consul is likely it's backend, however, audit
storage might be desired by the user.
*/}}
{{- define "vault.volumeclaims" -}}
{{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }}
volumeClaimTemplates:
{{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }}
- metadata:
name: data
{{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
resources:
requests:
storage: {{ .Values.server.dataStorage.size }}
{{- if .Values.server.dataStorage.storageClass }}
storageClassName: {{ .Values.server.dataStorage.storageClass }}
{{- end }}
{{ end }}
{{- if eq (.Values.server.auditStorage.enabled | toString) "true" }}
- metadata:
name: audit
{{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
resources:
requests:
storage: {{ .Values.server.auditStorage.size }}
{{- if .Values.server.auditStorage.storageClass }}
storageClassName: {{ .Values.server.auditStorage.storageClass }}
{{- end }}
{{ end }}
{{ end }}
{{- end -}}
{{/*
Set's the affinity for pod placement when running in standalone and HA modes.
*/}}
{{- define "vault.affinity" -}}
{{- if and (ne .mode "dev") .Values.server.affinity }}
affinity:
{{ $tp := typeOf .Values.server.affinity }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.affinity . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.affinity | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the injector affinity for pod placement
*/}}
{{- define "injector.affinity" -}}
{{- if .Values.injector.affinity }}
affinity:
{{ $tp := typeOf .Values.injector.affinity }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.affinity . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.affinity | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the topologySpreadConstraints when running in standalone and HA modes.
*/}}
{{- define "vault.topologySpreadConstraints" -}}
{{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.server.topologySpreadConstraints }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the injector topologySpreadConstraints for pod placement
*/}}
{{- define "injector.topologySpreadConstraints" -}}
{{- if .Values.injector.topologySpreadConstraints }}
topologySpreadConstraints:
{{ $tp := typeOf .Values.injector.topologySpreadConstraints }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }}
{{- end }}
{{ end }}
{{- end -}}
{{/*
Sets the toleration for pod placement when running in standalone and HA modes.
*/}}
{{- define "vault.tolerations" -}}
{{- if and (ne .mode "dev") .Values.server.tolerations }}
tolerations:
{{- $tp := typeOf .Values.server.tolerations }}
{{- if eq $tp "string" }}
{{ tpl .Values.server.tolerations . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.tolerations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the injector toleration for pod placement
*/}}
{{- define "injector.tolerations" -}}
{{- if .Values.injector.tolerations }}
tolerations:
{{- $tp := typeOf .Values.injector.tolerations }}
{{- if eq $tp "string" }}
{{ tpl .Values.injector.tolerations . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.tolerations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the node selector for pod placement when running in standalone and HA modes.
*/}}
{{- define "vault.nodeselector" -}}
{{- if and (ne .mode "dev") .Values.server.nodeSelector }}
nodeSelector:
{{- $tp := typeOf .Values.server.nodeSelector }}
{{- if eq $tp "string" }}
{{ tpl .Values.server.nodeSelector . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.server.nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the injector node selector for pod placement
*/}}
{{- define "injector.nodeselector" -}}
{{- if .Values.injector.nodeSelector }}
nodeSelector:
{{- $tp := typeOf .Values.injector.nodeSelector }}
{{- if eq $tp "string" }}
{{ tpl .Values.injector.nodeSelector . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.injector.nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the injector deployment update strategy
*/}}
{{- define "injector.strategy" -}}
{{- if .Values.injector.strategy }}
strategy:
{{- $tp := typeOf .Values.injector.strategy }}
{{- if eq $tp "string" }}
{{ tpl .Values.injector.strategy . | nindent 4 | trim }}
{{- else }}
{{- toYaml .Values.injector.strategy | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra pod annotations
*/}}
{{- define "vault.annotations" -}}
{{- if .Values.server.annotations }}
annotations:
{{- $tp := typeOf .Values.server.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.annotations . | nindent 8 }}
{{- else }}
{{- toYaml .Values.server.annotations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra injector pod annotations
*/}}
{{- define "injector.annotations" -}}
{{- if .Values.injector.annotations }}
annotations:
{{- $tp := typeOf .Values.injector.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.annotations . | nindent 8 }}
{{- else }}
{{- toYaml .Values.injector.annotations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra injector service annotations
*/}}
{{- define "injector.service.annotations" -}}
{{- if .Values.injector.service.annotations }}
annotations:
{{- $tp := typeOf .Values.injector.service.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.service.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.injector.service.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
securityContext for the injector pod level.
*/}}
{{- define "injector.securityContext.pod" -}}
{{- if .Values.injector.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.injector.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.injector.securityContext.pod | nindent 8 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }}
runAsUser: {{ .Values.injector.uid | default 100 }}
fsGroup: {{ .Values.injector.gid | default 1000 }}
{{- end }}
{{- end -}}
{{/*
securityContext for the injector container level.
*/}}
{{- define "injector.securityContext.container" -}}
{{- if .Values.injector.securityContext.container}}
securityContext:
{{- $tp := typeOf .Values.injector.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.injector.securityContext.container | nindent 12 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
{{- end }}
{{- end -}}
{{/*
securityContext for the statefulset pod template.
*/}}
{{- define "server.statefulSet.securityContext.pod" -}}
{{- if .Values.server.statefulSet.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }}
fsGroup: {{ .Values.server.gid | default 1000 }}
{{- end }}
{{- end -}}
{{/*
securityContext for the statefulset vault container
*/}}
{{- define "server.statefulSet.securityContext.container" -}}
{{- if .Values.server.statefulSet.securityContext.container }}
securityContext:
{{- $tp := typeOf .Values.server.statefulSet.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }}
{{- end }}
{{- else if not .Values.global.openshift }}
securityContext:
allowPrivilegeEscalation: false
{{- end }}
{{- end -}}
{{/*
Sets extra injector service account annotations
*/}}
{{- define "injector.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.injector.serviceAccount.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra injector webhook annotations
*/}}
{{- define "injector.webhookAnnotations" -}}
{{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }}
annotations:
{{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }}
{{- if eq $tp "string" }}
{{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }}
{{- else }}
{{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the injector webhook objectSelector
*/}}
{{- define "injector.objectSelector" -}}
{{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}}
{{ if $v }}
objectSelector:
{{- $tp := typeOf $v -}}
{{ if eq $tp "string" }}
{{ tpl $v . | indent 6 | trim }}
{{ else }}
{{ toYaml $v | indent 6 | trim }}
{{ end }}
{{ end }}
{{ end }}
{{/*
Sets extra ui service annotations
*/}}
{{- define "vault.ui.annotations" -}}
{{- if .Values.ui.annotations }}
annotations:
{{- $tp := typeOf .Values.ui.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.ui.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.ui.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "vault.serviceAccount.name" -}}
{{- if .Values.server.serviceAccount.create -}}
{{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.server.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Sets extra service account annotations
*/}}
{{- define "vault.serviceAccount.annotations" -}}
{{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.server.serviceAccount.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra ingress annotations
*/}}
{{- define "vault.ingress.annotations" -}}
{{- if .Values.server.ingress.annotations }}
annotations:
{{- $tp := typeOf .Values.server.ingress.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.ingress.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.ingress.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra route annotations
*/}}
{{- define "vault.route.annotations" -}}
{{- if .Values.server.route.annotations }}
annotations:
{{- $tp := typeOf .Values.server.route.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.route.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.route.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra vault server Service annotations
*/}}
{{- define "vault.service.annotations" -}}
{{- if .Values.server.service.annotations }}
{{- $tp := typeOf .Values.server.service.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.service.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.service.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets PodSecurityPolicy annotations
*/}}
{{- define "vault.psp.annotations" -}}
{{- if .Values.global.psp.annotations }}
annotations:
{{- $tp := typeOf .Values.global.psp.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.global.psp.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.global.psp.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra statefulset annotations
*/}}
{{- define "vault.statefulSet.annotations" -}}
{{- if .Values.server.statefulSet.annotations }}
annotations:
{{- $tp := typeOf .Values.server.statefulSet.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.statefulSet.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.statefulSet.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim annotations for data volume
*/}}
{{- define "vault.dataVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }}
annotations:
{{- $tp := typeOf .Values.server.dataStorage.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.dataStorage.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.dataStorage.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim annotations for audit volume
*/}}
{{- define "vault.auditVolumeClaim.annotations" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }}
annotations:
{{- $tp := typeOf .Values.server.auditStorage.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.auditStorage.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.auditStorage.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the container resources if the user has set any.
*/}}
{{- define "vault.resources" -}}
{{- if .Values.server.resources -}}
resources:
{{ toYaml .Values.server.resources | indent 12}}
{{ end }}
{{- end -}}
{{/*
Sets the container resources if the user has set any.
*/}}
{{- define "injector.resources" -}}
{{- if .Values.injector.resources -}}
resources:
{{ toYaml .Values.injector.resources | indent 12}}
{{ end }}
{{- end -}}
{{/*
Sets the container resources if the user has set any.
*/}}
{{- define "csi.resources" -}}
{{- if .Values.csi.resources -}}
resources:
{{ toYaml .Values.csi.resources | indent 12}}
{{ end }}
{{- end -}}
{{/*
Sets extra CSI daemonset annotations
*/}}
{{- define "csi.daemonSet.annotations" -}}
{{- if .Values.csi.daemonSet.annotations }}
annotations:
{{- $tp := typeOf .Values.csi.daemonSet.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets CSI daemonset securityContext for pod template
*/}}
{{- define "csi.daemonSet.securityContext.pod" -}}
{{- if .Values.csi.daemonSet.securityContext.pod }}
securityContext:
{{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets CSI daemonset securityContext for container
*/}}
{{- define "csi.daemonSet.securityContext.container" -}}
{{- if .Values.csi.daemonSet.securityContext.container }}
securityContext:
{{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }}
{{- else }}
{{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets the injector toleration for pod placement
*/}}
{{- define "csi.pod.tolerations" -}}
{{- if .Values.csi.pod.tolerations }}
tolerations:
{{- $tp := typeOf .Values.csi.pod.tolerations }}
{{- if eq $tp "string" }}
{{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }}
{{- else }}
{{- toYaml .Values.csi.pod.tolerations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra CSI provider pod annotations
*/}}
{{- define "csi.pod.annotations" -}}
{{- if .Values.csi.pod.annotations }}
annotations:
{{- $tp := typeOf .Values.csi.pod.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.pod.annotations . | nindent 8 }}
{{- else }}
{{- toYaml .Values.csi.pod.annotations | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets extra CSI service account annotations
*/}}
{{- define "csi.serviceAccount.annotations" -}}
{{- if .Values.csi.serviceAccount.annotations }}
annotations:
{{- $tp := typeOf .Values.csi.serviceAccount.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Inject extra environment vars in the format key:value, if populated
*/}}
{{- define "vault.extraEnvironmentVars" -}}
{{- if .extraEnvironmentVars -}}
{{- range $key, $value := .extraEnvironmentVars }}
- name: {{ printf "%s" $key | replace "." "_" | upper | quote }}
value: {{ $value | quote }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Inject extra environment populated by secrets, if populated
*/}}
{{- define "vault.extraSecretEnvironmentVars" -}}
{{- if .extraSecretEnvironmentVars -}}
{{- range .extraSecretEnvironmentVars }}
- name: {{ .envName }}
valueFrom:
secretKeyRef:
name: {{ .secretName }}
key: {{ .secretKey }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Scheme for health check and local endpoint */}}
{{- define "vault.scheme" -}}
{{- if .Values.global.tlsDisable -}}
{{ "http" }}
{{- else -}}
{{ "https" }}
{{- end -}}
{{- end -}}
{{/*
imagePullSecrets generates pull secrets from either string or map values.
A map value must be indexable by the key 'name'.
*/}}
{{- define "imagePullSecrets" -}}
{{- with .Values.global.imagePullSecrets -}}
imagePullSecrets:
{{- range . -}}
{{- if typeIs "string" . }}
- name: {{ . }}
{{- else if index . "name" }}
- name: {{ .name }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable.
Supported inputs are Values.server.service and Values.ui
*/}}
{{- define "service.externalTrafficPolicy" -}}
{{- $type := "" -}}
{{- if .serviceType -}}
{{- $type = .serviceType -}}
{{- else if .type -}}
{{- $type = .type -}}
{{- end -}}
{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }}
externalTrafficPolicy: {{ .externalTrafficPolicy }}
{{- else }}
{{- end }}
{{- end -}}
{{/*
loadBalancer configuration for the the UI service.
Supported inputs are Values.ui
*/}}
{{- define "service.loadBalancer" -}}
{{- if eq (.serviceType | toString) "LoadBalancer" }}
{{- if .loadBalancerIP }}
loadBalancerIP: {{ .loadBalancerIP }}
{{- end }}
{{- with .loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- range . }}
- {{ . }}
{{- end }}
{{- end -}}
{{- end }}
{{- end -}}

18
packer/ansible/roles/helm_install/files/vault/templates/csi-clusterrole.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
{{- end }}

19
packer/ansible/roles/helm_install/files/vault/templates/csi-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
{{- end }}

100
packer/ansible/roles/helm_install/files/vault/templates/csi-daemonset.yaml Normal file
View File

@@ -0,0 +1,100 @@
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.daemonSet.extraLabels -}}
{{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.daemonSet.annotations" . }}
spec:
updateStrategy:
type: {{ .Values.csi.daemonSet.updateStrategy.type }}
{{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
rollingUpdate:
maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.csi.pod.extraLabels -}}
{{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "csi.pod.annotations" . }}
spec:
{{ template "csi.daemonSet.securityContext.pod" . }}
{{- if .Values.csi.priorityClassName }}
priorityClassName: {{ .Values.csi.priorityClassName }}
{{- end }}
serviceAccountName: {{ template "vault.fullname" . }}-csi-provider
{{- template "csi.pod.tolerations" . }}
containers:
- name: {{ include "vault.name" . }}-csi-provider
{{ template "csi.resources" . }}
{{ template "csi.daemonSet.securityContext.container" . }}
image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}"
imagePullPolicy: {{ .Values.csi.image.pullPolicy }}
args:
- --endpoint=/provider/vault.sock
- --debug={{ .Values.csi.debug }}
{{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }}
{{- end }}
env:
- name: VAULT_ADDR
{{- if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- end }}
volumeMounts:
- name: providervol
mountPath: "/provider"
- name: mountpoint-dir
mountPath: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
mountPropagation: HostToContainer
{{- if .Values.csi.volumeMounts }}
{{- toYaml .Values.csi.volumeMounts | nindent 12}}
{{- end }}
livenessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }}
readinessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.csi.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }}
volumes:
- name: providervol
hostPath:
path: {{ .Values.csi.daemonSet.providersDir }}
- name: mountpoint-dir
hostPath:
path: {{ .Values.csi.daemonSet.kubeletRootDir }}/pods
{{- if .Values.csi.volumes }}
{{- toYaml .Values.csi.volumes | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{- end }}

16
packer/ansible/roles/helm_install/files/vault/templates/csi-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.csi.serviceAccount.extraLabels -}}
{{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}}
{{- end -}}
{{ template "csi.serviceAccount.annotations" . }}
{{- end }}

14
packer/ansible/roles/helm_install/files/vault/templates/injector-certs-secret.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: v1
kind: Secret
metadata:
name: vault-injector-certs
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}

19
packer/ansible/roles/helm_install/files/vault/templates/injector-clusterrole.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs:
- "get"
- "list"
- "watch"
- "patch"
{{ end }}

19
packer/ansible/roles/helm_install/files/vault/templates/injector-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-binding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
{{ end }}

156
packer/ansible/roles/helm_install/files/vault/templates/injector-deployment.yaml Normal file
View File

@@ -0,0 +1,156 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
replicas: {{ .Values.injector.replicas }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{ template "injector.strategy" . }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- if .Values.injector.extraLabels -}}
{{- toYaml .Values.injector.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "injector.annotations" . }}
spec:
{{ template "injector.affinity" . }}
{{ template "injector.topologySpreadConstraints" . }}
{{ template "injector.tolerations" . }}
{{ template "injector.nodeselector" . }}
{{- if .Values.injector.priorityClassName }}
priorityClassName: {{ .Values.injector.priorityClassName }}
{{- end }}
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
{{ template "injector.securityContext.pod" . -}}
{{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.injector.hostNetwork }}
{{- end }}
containers:
- name: sidecar-injector
{{ template "injector.resources" . }}
image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
{{- template "injector.securityContext.container" . }}
env:
- name: AGENT_INJECT_LISTEN
value: {{ printf ":%v" .Values.injector.port }}
- name: AGENT_INJECT_LOG_LEVEL
value: {{ .Values.injector.logLevel | default "info" }}
- name: AGENT_INJECT_VAULT_ADDR
{{- if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }}
- name: AGENT_INJECT_VAULT_IMAGE
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
{{- if .Values.injector.certs.secretName }}
- name: AGENT_INJECT_TLS_CERT_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
- name: AGENT_INJECT_TLS_KEY_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
{{- else }}
- name: AGENT_INJECT_TLS_AUTO
value: {{ template "vault.fullname" . }}-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
{{- end }}
- name: AGENT_INJECT_LOG_FORMAT
value: {{ .Values.injector.logFormat | default "standard" }}
- name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
value: "{{ .Values.injector.revokeOnShutdown | default false }}"
{{- if .Values.global.openshift }}
- name: AGENT_INJECT_SET_SECURITY_CONTEXT
value: "false"
{{- end }}
{{- if .Values.injector.metrics.enabled }}
- name: AGENT_INJECT_TELEMETRY_PATH
value: "/metrics"
{{- end }}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
- name: AGENT_INJECT_USE_LEADER_ELECTOR
value: "true"
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- end }}
- name: AGENT_INJECT_CPU_REQUEST
value: "{{ .Values.injector.agentDefaults.cpuRequest }}"
- name: AGENT_INJECT_CPU_LIMIT
value: "{{ .Values.injector.agentDefaults.cpuLimit }}"
- name: AGENT_INJECT_MEM_REQUEST
value: "{{ .Values.injector.agentDefaults.memRequest }}"
- name: AGENT_INJECT_MEM_LIMIT
value: "{{ .Values.injector.agentDefaults.memLimit }}"
- name: AGENT_INJECT_DEFAULT_TEMPLATE
value: "{{ .Values.injector.agentDefaults.template }}"
- name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"
{{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}
- name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
{{- end }}
{{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
args:
- agent-inject
- 2>&1
livenessProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /health/ready
port: {{ .Values.injector.port }}
scheme: HTTPS
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
{{- if .Values.injector.certs.secretName }}
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
{{- end }}
{{- if .Values.injector.certs.secretName }}
volumes:
- name: webhook-certs
secret:
secretName: "{{ .Values.injector.certs.secretName }}"
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{ end }}

20
packer/ansible/roles/helm_install/files/vault/templates/injector-disruptionbudget.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if .Values.injector.podDisruptionBudget }}
apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }}
{{- end -}}

39
packer/ansible/roles/helm_install/files/vault/templates/injector-mutating-webhook.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-cfg
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "injector.webhookAnnotations" . }}
webhooks:
- name: vault.hashicorp.com
failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }}
matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }}
sideEffects: None
timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }}
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ .Release.Namespace }}
path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle | quote }}
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }}
namespaceSelector:
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }}
{{- template "injector.objectSelector" . -}}
{{ end }}

24
packer/ansible/roles/helm_install/files/vault/templates/injector-network-policy.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8080
protocol: TCP
{{ end }}
{{ end }}

20
packer/ansible/roles/helm_install/files/vault/templates/injector-psp-role.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

21
packer/ansible/roles/helm_install/files/vault/templates/injector-psp-rolebinding.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
{{- end }}
{{- end }}

46
packer/ansible/roles/helm_install/files/vault/templates/injector-psp.yaml Normal file
View File

@@ -0,0 +1,46 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if eq (.Values.global.psp.enable | toString) "true" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

29
packer/ansible/roles/helm_install/files/vault/templates/injector-role.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs:
- "create"
- "get"
- "watch"
- "list"
- "update"
- apiGroups: [""]
resources: ["pods"]
verbs:
- "get"
- "patch"
- "delete"
{{- end }}
{{- end }}

22
packer/ansible/roles/helm_install/files/vault/templates/injector-rolebinding.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

22
packer/ansible/roles/helm_install/files/vault/templates/injector-service.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.service.annotations" . }}
spec:
ports:
- name: https
port: 443
targetPort: {{ .Values.injector.port }}
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook
{{- end }}

13
packer/ansible/roles/helm_install/files/vault/templates/injector-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,13 @@
{{- template "vault.injectorEnabled" . -}}
{{- if .injectorEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "injector.serviceAccount.annotations" . }}
{{ end }}

26
packer/ansible/roles/helm_install/files/vault/templates/prometheus-prometheusrules.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{ if and (.Values.serverTelemetry.prometheusRules.rules)
(or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) )
}}
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
groups:
- name: {{ include "vault.fullname" . }}
rules:
{{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }}
{{- end }}

44
packer/ansible/roles/helm_install/files/vault/templates/prometheus-servicemonitor.yaml Normal file
View File

@@ -0,0 +1,44 @@
{{ template "vault.mode" . }}
{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "vault.fullname" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}}
{{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }}
{{- if $selectors }}
{{- toYaml $selectors | nindent 4 }}
{{- else }}
release: prometheus
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if eq .mode "ha" }}
vault-active: "true"
{{- else }}
vault-internal: "true"
{{- end }}
endpoints:
- port: {{ include "vault.scheme" . }}
interval: {{ .Values.serverTelemetry.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }}
scheme: {{ include "vault.scheme" . | lower }}
path: /v1/sys/metrics
params:
format:
- prometheus
tlsConfig:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{ end }}

24
packer/ansible/roles/helm_install/files/vault/templates/server-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{ template "vault.serverAuthDelegator" . }}
{{- if .serverAuthDelegator -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: {{ template "vault.fullname" . }}-server-binding
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}

40
packer/ansible/roles/helm_install/files/vault/templates/server-config-configmap.yaml Normal file
View File

@@ -0,0 +1,40 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if ne .mode "dev" -}}
{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-config
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
extraconfig-from-values.hcl: |-
{{- if or (eq .mode "ha") (eq .mode "standalone") }}
{{- $type := typeOf (index .Values.server .mode).config }}
{{- if eq $type "string" }}
disable_mlock = true
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }}
{{ tpl .Values.server.ha.config . | nindent 4 | trim }}
{{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }}
{{ end }}
{{- else }}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }}
{{- else }}
{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

21
packer/ansible/roles/helm_install/files/vault/templates/server-discovery-role.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ .Release.Namespace }}
name: {{ template "vault.fullname" . }}-discovery-role
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "update", "patch"]
{{ end }}
{{ end }}
{{ end }}

29
packer/ansible/roles/helm_install/files/vault/templates/server-discovery-rolebinding.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
{{- if eq .mode "ha" }}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-discovery-rolebinding
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-discovery-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}
{{ end }}

26
packer/ansible/roles/helm_install/files/vault/templates/server-disruptionbudget.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" -}}
{{- if .serverEnabled -}}
{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}}
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
apiVersion: {{ ge .Capabilities.KubeVersion.Minor "21" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end -}}
{{- end -}}
{{- end -}}

46
packer/ansible/roles/helm_install/files/vault/templates/server-ha-active-service.yaml Normal file
View File

@@ -0,0 +1,46 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for active Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-active
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-active: "true"
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.activeNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
vault-active: "true"
{{- end }}
{{- end }}
{{- end }}

45
packer/ansible/roles/helm_install/files/vault/templates/server-ha-standby-service.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if eq .mode "ha" }}
# Service for standby Vault pod
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-standby
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.standbyNodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
vault-active: "false"
{{- end }}
{{- end }}
{{- end }}

34
packer/ansible/roles/helm_install/files/vault/templates/server-headless-service.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-internal
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
vault-internal: "true"
annotations:
{{ template "vault.service.annotations" .}}
spec:
clusterIP: None
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: "{{ include "vault.scheme" . }}"
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end }}
{{- end }}

77
packer/ansible/roles/helm_install/files/vault/templates/server-ingress.yaml Normal file
View File

@@ -0,0 +1,77 @@
{{- if not .Values.global.openshift }}
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .Values.server.ingress.enabled -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
{{- $servicePort := .Values.server.service.port -}}
{{- $pathType := .Values.server.ingress.pathType -}}
{{- $kubeVersion := .Capabilities.KubeVersion.Version }}
{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
apiVersion: networking.k8s.io/v1
{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
apiVersion: networking.k8s.io/v1beta1
{{ else }}
apiVersion: extensions/v1beta1
{{ end }}
kind: Ingress
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "vault.ingress.annotations" . }}
spec:
{{- if .Values.server.ingress.tls }}
tls:
{{- range .Values.server.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
{{- if .Values.server.ingress.ingressClassName }}
ingressClassName: {{ .Values.server.ingress.ingressClassName }}
{{- end }}
rules:
{{- range .Values.server.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{ if $extraPaths }}
{{ toYaml $extraPaths | indent 10 }}
{{- end }}
{{- range (.paths | default (list "/")) }}
- path: {{ . }}
{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
pathType: {{ $pathType }}
{{ end }}
backend:
{{ if semverCompare ">= 1.19.0-0" $kubeVersion }}
service:
name: {{ $serviceName }}
port:
number: {{ $servicePort }}
{{ else }}
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{ end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

26
packer/ansible/roles/helm_install/files/vault/templates/server-network-policy.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "vault.fullname" . }}
labels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
{{- if .Values.server.networkPolicy.egress }}
egress:
{{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
{{ end }}
{{ end }}

20
packer/ansible/roles/helm_install/files/vault/templates/server-psp-role.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

21
packer/ansible/roles/helm_install/files/vault/templates/server-psp-rolebinding.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}
{{- end }}
{{- end }}

49
packer/ansible/roles/helm_install/files/vault/templates/server-psp.yaml Normal file
View File

@@ -0,0 +1,49 @@
{{ template "vault.mode" . }}
{{- if .serverEnabled -}}
{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- if eq (.Values.server.dataStorage.enabled | toString) "true" }}
- persistentVolumeClaim
{{- end }}
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
{{- end }}

34
packer/ansible/roles/helm_install/files/vault/templates/server-route.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{- if .Values.global.openshift }}
{{- if ne .mode "external" }}
{{- if .Values.server.route.enabled -}}
{{- $serviceName := include "vault.fullname" . -}}
{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }}
{{- $serviceName = printf "%s-%s" $serviceName "active" -}}
{{- end }}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.server.route.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- template "vault.route.annotations" . }}
spec:
host: {{ .Values.server.route.host }}
to:
kind: Service
name: {{ $serviceName }}
weight: 100
port:
targetPort: 8200
tls:
{{- toYaml .Values.server.route.tls | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

44
packer/ansible/roles/helm_install/files/vault/templates/server-service.yaml Normal file
View File

@@ -0,0 +1,44 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.serverServiceEnabled" . -}}
{{- if .serverServiceEnabled -}}
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
{{ template "vault.service.annotations" .}}
spec:
{{- if .Values.server.service.type}}
type: {{ .Values.server.service.type }}
{{- end}}
{{- if .Values.server.service.clusterIP }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- include "service.externalTrafficPolicy" .Values.server.service }}
# We want the servers to become available even if they're not ready
# since this DNS is also used for join operations.
publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.server.service.port }}
targetPort: {{ .Values.server.service.targetPort }}
{{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
nodePort: {{ .Values.server.service.nodePort }}
{{- end }}
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- end }}
{{- end }}

14
packer/ansible/roles/helm_install/files/vault/templates/server-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{ template "vault.serverServiceAccountEnabled" . }}
{{- if .serverServiceAccountEnabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}

210
packer/ansible/roles/helm_install/files/vault/templates/server-statefulset.yaml Normal file
View File

@@ -0,0 +1,210 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if ne .mode "" }}
{{- if .serverEnabled -}}
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.statefulSet.annotations" . }}
spec:
serviceName: {{ template "vault.fullname" . }}-internal
podManagementPolicy: Parallel
replicas: {{ template "vault.replicas" . }}
updateStrategy:
type: {{ .Values.server.updateStrategyType }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
template:
metadata:
labels:
helm.sh/chart: {{ template "vault.chart" . }}
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if .Values.server.extraLabels -}}
{{- toYaml .Values.server.extraLabels | nindent 8 -}}
{{- end -}}
{{ template "vault.annotations" . }}
spec:
{{ template "vault.affinity" . }}
{{ template "vault.topologySpreadConstraints" . }}
{{ template "vault.tolerations" . }}
{{ template "vault.nodeselector" . }}
{{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
serviceAccountName: {{ template "vault.serviceAccount.name" . }}
{{ if .Values.server.shareProcessNamespace }}
shareProcessNamespace: true
{{ end }}
{{- template "server.statefulSet.securityContext.pod" . }}
{{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.server.hostNetwork }}
{{- end }}
volumes:
{{ template "vault.volumes" . }}
- name: home
emptyDir: {}
{{- if .Values.server.extraInitContainers }}
initContainers:
{{ toYaml .Values.server.extraInitContainers | nindent 8}}
{{- end }}
containers:
- name: vault
{{ template "vault.resources" . }}
image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
command:
- "/bin/sh"
- "-ec"
args: {{ template "vault.args" . }}
{{- template "server.statefulSet.securityContext.container" . }}
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: VAULT_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: VAULT_ADDR
value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
- name: VAULT_API_ADDR
{{- if .Values.server.ha.apiAddr }}
value: {{ .Values.server.ha.apiAddr }}
{{- else }}
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
{{- end }}
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR
{{- if .Values.server.ha.clusterAddr }}
value: {{ .Values.server.ha.clusterAddr }}
{{- else }}
value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201"
{{- end }}
{{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }}
- name: VAULT_RAFT_NODE_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- end }}
- name: HOME
value: "/home/vault"
{{- if .Values.server.logLevel }}
- name: VAULT_LOG_LEVEL
value: "{{ .Values.server.logLevel }}"
{{- end }}
{{- if .Values.server.logFormat }}
- name: VAULT_LOG_FORMAT
value: "{{ .Values.server.logFormat }}"
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
- name: VAULT_LICENSE_PATH
value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }}
{{- end }}
{{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
volumeMounts:
{{ template "vault.mounts" . }}
- name: home
mountPath: /home/vault
ports:
- containerPort: 8200
name: {{ include "vault.scheme" . }}
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: {{ include "vault.scheme" . }}-rep
{{- if .Values.server.readinessProbe.enabled }}
readinessProbe:
{{- if .Values.server.readinessProbe.path }}
httpGet:
path: {{ .Values.server.readinessProbe.path | quote }}
port: 8200
scheme: {{ include "vault.scheme" . | upper }}
{{- else }}
# Check status; unsealed vault servers return 0
# The exit code reflects the seal status:
# 0 - unsealed
# 1 - error
# 2 - sealed
exec:
command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
{{- end }}
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.server.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.server.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: {{ .Values.server.livenessProbe.path | quote }}
port: 8200
scheme: {{ include "vault.scheme" . | upper }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.server.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
{{- end }}
lifecycle:
# Vault container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This
# causes issues with graceful shutdowns such as deregistering itself
# from Consul (zombie services).
preStop:
exec:
command: [
"/bin/sh", "-c",
# Adding a sleep here to give the pod eviction a
# chance to propagate, so requests will not be made
# to this pod while it's terminating
"sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)",
]
{{- if .Values.server.postStart }}
postStart:
exec:
command:
{{- range (.Values.server.postStart) }}
- {{ . | quote }}
{{- end }}
{{- end }}
{{- if .Values.server.extraContainers }}
{{ toYaml .Values.server.extraContainers | nindent 8}}
{{- end }}
{{- include "imagePullSecrets" . | nindent 6 }}
{{ template "vault.volumeclaims" . }}
{{ end }}
{{ end }}
{{ end }}

51
packer/ansible/roles/helm_install/files/vault/templates/tests/server-test.yaml Normal file
View File

@@ -0,0 +1,51 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if .serverEnabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ .Release.Name }}-server-test"
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": test
spec:
{{- include "imagePullSecrets" . | nindent 2 }}
containers:
- name: {{ .Release.Name }}-server-test
image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env:
- name: VAULT_ADDR
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'vault status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
vault status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'vault status' output"
exit 1
fi
exit 0
volumeMounts:
{{- if .Values.server.volumeMounts }}
{{- toYaml .Values.server.volumeMounts | nindent 8}}
{{- end }}
volumes:
{{- if .Values.server.volumes }}
{{- toYaml .Values.server.volumes | nindent 4}}
{{- end }}
restartPolicy: Never
{{- end }}
{{- end }}

37
packer/ansible/roles/helm_install/files/vault/templates/ui-service.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- template "vault.uiEnabled" . -}}
{{- if .uiEnabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-ui
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-ui
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.ui.annotations" . }}
spec:
selector:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
component: server
{{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }}
vault-active: "true"
{{- end }}
publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }}
ports:
- name: {{ include "vault.scheme" . }}
port: {{ .Values.ui.externalPort }}
targetPort: {{ .Values.ui.targetPort }}
{{- if .Values.ui.serviceNodePort }}
nodePort: {{ .Values.ui.serviceNodePort }}
{{- end }}
type: {{ .Values.ui.serviceType }}
{{- include "service.externalTrafficPolicy" .Values.ui }}
{{- include "service.loadBalancer" .Values.ui }}
{{- end -}}
{{- end }}

600
packer/ansible/roles/helm_install/files/vault/test Normal file
View File

@@ -0,0 +1,600 @@
---
# Source: vault/templates/injector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: release-name-vault-agent-injector
namespace: dsk-middle
labels:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
---
# Source: vault/templates/server-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: release-name-vault
namespace: dsk-middle
labels:
helm.sh/chart: vault-0.22.1
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
---
# Source: vault/templates/server-config-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: release-name-vault-config
namespace: dsk-middle
labels:
helm.sh/chart: vault-0.22.1
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
data:
extraconfig-from-values.hcl: |-
disable_mlock = true
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "file" {
path = "/vault/data"
}
seal "awskms" {
region = "ap-northeast-2"
access_key = "AKIAXMVVF3TA3NTIIHN6"
secret_key = "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"
kms_key_id = "c5b3ae3a-e976-4773-abcb-18d68c26a67d"
}
---
# Source: vault/templates/injector-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: release-name-vault-agent-injector-clusterrole
labels:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs:
- "get"
- "list"
- "watch"
- "patch"
---
# Source: vault/templates/injector-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: release-name-vault-agent-injector-binding
labels:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: release-name-vault-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
name: release-name-vault-agent-injector
namespace: dsk-middle
---
# Source: vault/templates/server-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: release-name-vault-server-binding
labels:
helm.sh/chart: vault-0.22.1
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: release-name-vault
namespace: dsk-middle
---
# Source: vault/templates/injector-service.yaml
apiVersion: v1
kind: Service
metadata:
name: release-name-vault-agent-injector-svc
namespace: dsk-middle
labels:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
spec:
ports:
- name: https
port: 443
targetPort: 8080
selector:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: release-name
component: webhook
---
# Source: vault/templates/server-headless-service.yaml
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: release-name-vault-internal
namespace: dsk-middle
labels:
helm.sh/chart: vault-0.22.1
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
vault-internal: "true"
annotations:
spec:
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: "http"
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
component: server
---
# Source: vault/templates/server-service.yaml
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
name: release-name-vault
namespace: dsk-middle
labels:
helm.sh/chart: vault-0.22.1
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
annotations:
spec:
# We want the servers to become available even if they're not ready
# since this DNS is also used for join operations.
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
component: server
---
# Source: vault/templates/ui-service.yaml
apiVersion: v1
kind: Service
metadata:
name: release-name-vault-ui
namespace: dsk-middle
labels:
helm.sh/chart: vault-0.22.1
app.kubernetes.io/name: vault-ui
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
spec:
selector:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
component: server
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
nodePort: 32702
type: NodePort
externalTrafficPolicy: Cluster
---
# Source: vault/templates/injector-deployment.yaml
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
metadata:
name: release-name-vault-agent-injector
namespace: dsk-middle
labels:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
component: webhook
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: release-name
component: webhook
template:
metadata:
labels:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: release-name
component: webhook
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka
tolerations:
- key: dev/data-kafka
operator: Exists
serviceAccountName: "release-name-vault-agent-injector"
securityContext:
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 100
fsGroup: 1000
hostNetwork: false
containers:
- name: sidecar-injector
image: "hashicorp/vault-k8s:1.0.1"
imagePullPolicy: "IfNotPresent"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
env:
- name: AGENT_INJECT_LISTEN
value: :8080
- name: AGENT_INJECT_LOG_LEVEL
value: info
- name: AGENT_INJECT_VAULT_ADDR
value: http://release-name-vault.dsk-middle.svc:8200
- name: AGENT_INJECT_VAULT_AUTH_PATH
value: auth/kubernetes
- name: AGENT_INJECT_VAULT_IMAGE
value: "hashicorp/vault:1.12.0"
- name: AGENT_INJECT_TLS_AUTO
value: release-name-vault-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS
value: release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.dsk-middle,release-name-vault-agent-injector-svc.dsk-middle.svc
- name: AGENT_INJECT_LOG_FORMAT
value: standard
- name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
value: "false"
- name: AGENT_INJECT_CPU_REQUEST
value: "250m"
- name: AGENT_INJECT_CPU_LIMIT
value: "500m"
- name: AGENT_INJECT_MEM_REQUEST
value: "64Mi"
- name: AGENT_INJECT_MEM_LIMIT
value: "128Mi"
- name: AGENT_INJECT_DEFAULT_TEMPLATE
value: "map"
- name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
value: "true"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
args:
- agent-inject
- 2>&1
livenessProbe:
httpGet:
path: /health/ready
port: 8080
scheme: HTTPS
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /health/ready
port: 8080
scheme: HTTPS
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
---
# Source: vault/templates/server-statefulset.yaml
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: release-name-vault
namespace: dsk-middle
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
spec:
serviceName: release-name-vault-internal
podManagementPolicy: Parallel
replicas: 1
updateStrategy:
type: OnDelete
selector:
matchLabels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
component: server
template:
metadata:
labels:
helm.sh/chart: vault-0.22.1
app.kubernetes.io/name: vault
app.kubernetes.io/instance: release-name
component: server
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: datasaker/group
operator: In
values:
- data-kafka
tolerations:
- key: dev/data-kafka
operator: Exists
terminationGracePeriodSeconds: 10
serviceAccountName: release-name-vault
securityContext:
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 100
fsGroup: 1000
hostNetwork: false
volumes:
- name: config
configMap:
name: release-name-vault-config
- name: home
emptyDir: {}
containers:
- name: vault
image: hashicorp/vault:1.12.0
imagePullPolicy: IfNotPresent
command:
- "/bin/sh"
- "-ec"
args:
- |
cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
[ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
securityContext:
allowPrivilegeEscalation: false
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: VAULT_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: VAULT_ADDR
value: "http://127.0.0.1:8200"
- name: VAULT_API_ADDR
value: "http://$(POD_IP):8200"
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: VAULT_CLUSTER_ADDR
value: "https://$(HOSTNAME).release-name-vault-internal:8201"
- name: HOME
value: "/home/vault"
volumeMounts:
- name: data
mountPath: /vault/data
- name: config
mountPath: /vault/config
- name: home
mountPath: /home/vault
ports:
- containerPort: 8200
name: http
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: http-rep
readinessProbe:
# Check status; unsealed vault servers return 0
# The exit code reflects the seal status:
# 0 - unsealed
# 1 - error
# 2 - sealed
exec:
command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
lifecycle:
# Vault container doesn't receive SIGTERM from Kubernetes
# and after the grace period ends, Kube sends SIGKILL. This
# causes issues with graceful shutdowns such as deregistering itself
# from Consul (zombie services).
preStop:
exec:
command: [
"/bin/sh", "-c",
# Adding a sleep here to give the pod eviction a
# chance to propagate, so requests will not be made
# to this pod while it's terminating
"sleep 5 && kill -SIGTERM $(pidof vault)",
]
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: nfs-provisioner-dev
---
# Source: vault/templates/injector-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: release-name-vault-agent-injector-cfg
labels:
app.kubernetes.io/name: vault-agent-injector
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
webhooks:
- name: vault.hashicorp.com
failurePolicy: Ignore
matchPolicy: Exact
sideEffects: None
timeoutSeconds: 30
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: release-name-vault-agent-injector-svc
namespace: dsk-middle
path: "/mutate"
caBundle: ""
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
objectSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: NotIn
values:
- vault-agent-injector
---
# Source: vault/templates/tests/server-test.yaml
apiVersion: v1
kind: Pod
metadata:
name: "release-name-server-test"
namespace: dsk-middle
annotations:
"helm.sh/hook": test
spec:
containers:
- name: release-name-server-test
image: hashicorp/vault:1.12.0
imagePullPolicy: IfNotPresent
env:
- name: VAULT_ADDR
value: http://release-name-vault.dsk-middle.svc:8200
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'vault status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
vault status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'vault status' output"
exit 1
fi
exit 0
volumeMounts:
volumes:
restartPolicy: Never

32
packer/ansible/roles/helm_install/files/vault/tls/ca-cert.pem Normal file
View File

@@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIUcJvZ6e+t9LnoPjpzENgZQVW8e04wDQYJKoZIhvcNAQEL
BQAwWjELMAkGA1UEBhMCS1IxDTALBgNVBAgMBEFTSUExDjAMBgNVBAcMBVNFT1VM
MQ0wCwYDVQQKDARFWEVNMQ4wDAYDVQQLDAVDTE9VRDENMAsGA1UEAwwERVhFTTAe
Fw0yMjEyMDYwNzA3MThaFw0zMjEyMDMwNzA3MThaMFoxCzAJBgNVBAYTAktSMQ0w
CwYDVQQIDARBU0lBMQ4wDAYDVQQHDAVTRU9VTDENMAsGA1UECgwERVhFTTEOMAwG
A1UECwwFQ0xPVUQxDTALBgNVBAMMBEVYRU0wggIiMA0GCSqGSIb3DQEBAQUAA4IC
DwAwggIKAoICAQDbpnrLEJhtRspuAS0zPSdldRciPlC7pVBpiMZY5kDsCrW9D1qR
7e0Dy+J9XrJlKvByrDRxvHsdEU3LTlmuss5Pg8XQTmXm/mdznaAiQuzjmFzRXIs5
KXA0oP8LsT6wgEZSMOE4psKvVBOZRzlGSV325ucsPNa16KOX8a9skZYl6GM1COn3
dm8jNyKboRhHcs1opl0CsZ8Wh8sljJQ1M/Tm9QxGYlCVtWEarA9p4Qv2r+Nz53Da
1AicUM9PFGRmcsH8uNsQF6SB1GHgbshViV9A/gVJtWoHvjRfcVo/B4Q/wmsYfLal
yyWJxZatUJFg5z8/YRrLmRPBNeMmOl2c197J3vBNKzbwFp5AesyNfDlP51aIdg7C
TUn89Pts9afT237/lVxnxsCZJfB0QeV+EPlS8/lJdGW85EhZkhm27UjUkHwXnTcs
pagiJ07Jk3q4ulL8yT+MK1dVxpgTD3Po99LU/E+VZLtzPUD+F9+H4MQcZRDBuJrv
0PpRPgwHkCUTytnHBAZj1ZVZEjgKzW9HbVXvi+DkLJsuOSWy39STCaAkMXQA2rV5
Z/bkDKlz5JQoKRZsHFAdzJQ/+29GONbTRIUlKXMSglG4i1sHRLVRyr2Ep9II/dQX
wClXulBDfOIKWP5PD0Pqju47aR/9+SttU1TPBqT+BGP4HVst6ofiIIfnmQIDAQAB
o1MwUTAdBgNVHQ4EFgQUxDyce/PQj55GdKLbhRO2/LPksxowHwYDVR0jBBgwFoAU
xDyce/PQj55GdKLbhRO2/LPksxowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAgEA174OK1t8d31bO7iVYoAYmg19GJNtd3MPHfDclose7zt8wtbasVrx
SYcBcMjSYCHZoGCV1gxI2SoNN4I8Q2JohZbr9pu18SdPgh911PRPTBxRPeXGtYL5
/R0Xn83J3B+VsR1/fqmKpnWouA5ReRSjQ5cBpMS+amVdnxesNnMMVafdJ//Qn+MU
wt8oNI+opU/GPobpTfI4PWWpUANa8QUk85CrYNkfIG3anKRovEM0HQ03iVvwG7Bc
vAS/O18CrEFcSJMjsBT/yWX44k+I7ZJCSSAMnFTDEzTmgR3oV306Ycrb2IPvAXxl
VEyRYBLdkhSi3aWZqXHwMhUcNV6ozosF4qHfq1AOj8DTI+r9057bX9+JOwXyYLT7
tfnz+uF7VNCQH8PZ3PRgXQ2CKbISdm0z0y0rnVoDRv80UwJdZiuKfsW069PE5bX7
Y1r+MoQH3mup9Kotj1VWhjHN+czG7OBxhb0gga55FdyuV/gHYJfWc8UemmHed1MK
0TvUR8+yDuYrgjaNCBK7zdXX0plwaDjaCi3FZIytXZXr2dl6eza9NTf5tzCase9G
m8asGTo29ye1lt+VIx50mN5M/DYc4OOpgm+kzaiRquIV81+Qa1HCBbOHlmGheSyr
lbRwwnil2jLj3Qh81E6Z9BUEHmvFsr0s/Z2Ge3ffWsknsUcTpt49Z48=
-----END CERTIFICATE-----

1
packer/ansible/roles/helm_install/files/vault/tls/ca-cert.srl Normal file
View File

@@ -0,0 +1 @@
09BA177CB280640376E27730B98C9945A5BBBA05

52
packer/ansible/roles/helm_install/files/vault/tls/ca-key.pem Normal file
View File

@@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDbpnrLEJhtRspu
AS0zPSdldRciPlC7pVBpiMZY5kDsCrW9D1qR7e0Dy+J9XrJlKvByrDRxvHsdEU3L
Tlmuss5Pg8XQTmXm/mdznaAiQuzjmFzRXIs5KXA0oP8LsT6wgEZSMOE4psKvVBOZ
RzlGSV325ucsPNa16KOX8a9skZYl6GM1COn3dm8jNyKboRhHcs1opl0CsZ8Wh8sl
jJQ1M/Tm9QxGYlCVtWEarA9p4Qv2r+Nz53Da1AicUM9PFGRmcsH8uNsQF6SB1GHg
bshViV9A/gVJtWoHvjRfcVo/B4Q/wmsYfLalyyWJxZatUJFg5z8/YRrLmRPBNeMm
Ol2c197J3vBNKzbwFp5AesyNfDlP51aIdg7CTUn89Pts9afT237/lVxnxsCZJfB0
QeV+EPlS8/lJdGW85EhZkhm27UjUkHwXnTcspagiJ07Jk3q4ulL8yT+MK1dVxpgT
D3Po99LU/E+VZLtzPUD+F9+H4MQcZRDBuJrv0PpRPgwHkCUTytnHBAZj1ZVZEjgK
zW9HbVXvi+DkLJsuOSWy39STCaAkMXQA2rV5Z/bkDKlz5JQoKRZsHFAdzJQ/+29G
ONbTRIUlKXMSglG4i1sHRLVRyr2Ep9II/dQXwClXulBDfOIKWP5PD0Pqju47aR/9
+SttU1TPBqT+BGP4HVst6ofiIIfnmQIDAQABAoICAApr8DiRTYIl0TX99UyQkr10
HEhiJ4d3tQSE2lBegGcSrQPO5i+1V8EN2+2x4An/yw/NzuE0nazH5OaIDaZF0pcg
O/MBvUEEAhmQuYfWoBG+aWz/lJV+O1Yr6139J2nNdEizDASZmPQjq5hisjt9AKnV
09McAd34r0Zmz7l5gOPEjmx2Q0+b/XLwy0ISFypQrqFP/2rAzbkOcVuTO3b4w55v
swjl4kfwJq7SyhpudJhcSRD3QroHRG9SQDvSzl60BDM+/Bnb3VDRqGEzMGsqjOvz
AYI5StIaOrbqlGsYKrSxv04WoL3mER5j0x3fDD7KSgxySYiudyr8KQ5nx4hJD8dy
uwoZRjfxi1gLxQW7PfXuiDCIL9TLWeCbNE5kLhP7nc4Y2UFUQsJ8+F3kKiCXC0y2
l7IDQzYALUgoToJou2uPkSO43z5X4dEXbVMhTH7wmurfqyJMpDrhVZ6sLHdlYOMO
5px8o7F7nW3adycTM4cII9BLO2cO7dWVhvOX+sSq3DGNTJKQBkVMbvOOcgFaoKvE
BSvMlmVP93gmp9vrN4Q830WGmwgjgeFd7B3DGLM/7fH3D0HPrAbjyq3V4LAzv+ZS
a09c8lJaZTSnDCPXYHBqJtVXUsyntPMSkFP/ko+NAD7U9pPoF4Kr0At0djZJ3PQI
4DVE4MkbLx4kAQFH7eiBAoIBAQD0ABOt/Oa24WFnP75cN5kmGlUr7WbpukcIJH1f
FwQrU3QzebIJH2gAD7DlmAZZK9jklE3yuwDBwbu4h0/lox/ow/x0sgJiKE4rtOCQ
QGM+DtpYVqVKtu0xMSA12w6rIQqfoS4ZO3fBRI3Vp9GzsiMVWLwprgfMJMOqOwdy
pwp8ko969GHyA4f4qAyXjbHgX3MmmpWvXBEq87xPsu6wJncDStSPXUSGz68RQvrG
7lTvLe32fYmcJvOLpdkTHFOSXWZTwHLKg/9mVpQ69U8y4XW5F2HjS9hH8LdEhYTY
TjSQ+BP6bY3gscgv6ZnbV7rtJmRXTpTwfu2NjkYb39XgA8GhAoIBAQDmc9cpzU3Z
ek0uYim0onyhsYNSqZypCEi1ulwuLQQS+0hQMnixZYZMNrmvNKp1lB0pVd3Uoq+r
3hAdRfFc3wX0mOvHAUxralewJ3gWz8gJeJRV0reOoAlIgekcb67NRKDYSIgKfKNT
kfMLwcXfI1NyeWATFmA7bT3vppdmMxr+7NPgqE8lZ6NZgtJBcXgwjBXXBDY45eC4
WDxzEZTypwsLNjB2RigTAFu72By50+aFgr5dC+5ivi5cT3zThY4bxi4y4fCAi8tx
3bW+j2eGwN2xVTmNiImwJ5pd4j6MU7DvMDDbAlYKCgCYh+pPqbrfblpl4XN8M0El
3dahu/0w+1L5AoIBAQC0Af6CxGn9D2cJgehRJh9REeo13w2mbuuKYUkwxs0nnYjD
lQs4WbgjG3BY4YAFdyiq8ZJT+YwEZYW1C/Zwppia40OzX8QMYEnTSrzFDwtoNBL3
SuzkovF38hMeSD6ZF2Y7/+//Y3Tk20t8DTPSyx/A1tbyNNbBz3mec6/58Kv23TUG
85XyspI0at3nTPymWCSenTrCxTxRIMGTVqFqyOXSQvlvztIIVt2D8ZMLAbcdQRgm
WdUUo1PXeYIc7C/ncgpUzUyihSD9gfAXUvSbx+NOqqZnxoOIB1ldLtejsIZtUOeE
QCCEXQQf/MmqHR3laQZrtqiAiFN+tDCazdZ+TqchAoIBAQCOXvKGeLenq88S4MIz
Pk8Q9cHTx8VpCB0jaEaaoGTr9SHvqb62maomW4jLnRXSHfcGGm45d2hgHYiHDTbX
0VC0k+TVxQ+ZLNGPmlKuhR9n+n5ppwyPqH8TtG53iufLGKLl+6lQEUA12Oz2TngY
KpLbHfEk2aYKEKs66wiNsvTymQ0stc5vpV9dZVzP4XIHTAQSGiAFdr8mJBz0WeBT
KK/B9XBrIVyQoKALpK/affbkdKl2gnB7wFKT5OeRJeltbzoLZVpXkAXYCsjFOYMT
1QMhEy3DKp8lnNHZPnS17N5aZsNICmFtQlCr6wvuu0Uf0+U1G9tk16Vf53U55hG9
uQbBAoIBAQDDYFtI0g9mG7eCyt8lZ1YW/sNPLhr2Pw8KjvZ2SMSp1rIRb6DDShiF
ayFq7KIKJMgqm88Efapqx85yePKK/voaX4zL0Medr0HNT/jifbosNm/59FdFEul1
mFYI6Nf9pTMRhuCyAtNbzZ3iZb9d1iUKKlNg7haGd+Z3C5K/CZ+7C+ovi5xKTvhp
VmEEybhILypySADSYnI6mE5dOf+kSwPdQpipLb84CrCwkJVgD3JH8tXiJR5CgWdg
Y5H0JGN4IaZpws3CdCFy6YPW9e3BjygnUxg1zIXJgJO4SNyPf6xckqnM/H27XvHc
cwaotmmDO7aug5eY2IhumKimQRSFGf7+
-----END PRIVATE KEY-----

33
packer/ansible/roles/helm_install/files/vault/tls/client-cert.pem Normal file
View File

@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFsDCCA5igAwIBAgIUU/FxrarBbSo7RaTjkegsZtiEEcQwDQYJKoZIhvcNAQEL
BQAwWjELMAkGA1UEBhMCS1IxDTALBgNVBAgMBEFTSUExDjAMBgNVBAcMBVNFT1VM
MQ0wCwYDVQQKDARFWEVNMQ4wDAYDVQQLDAVDTE9VRDENMAsGA1UEAwwERVhFTTAe
Fw0yMjEyMDYwNzA3MjJaFw0zMjEyMDMwNzA3MjJaMGAxCzAJBgNVBAYTAktSMQ0w
CwYDVQQIDARBU0lBMQ4wDAYDVQQHDAVTRU9VTDENMAsGA1UECgwERVhFTTEOMAwG
A1UECwwFQ0xPVUQxEzARBgNVBAMMClRFU1QtQUdFTlQwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCxCa4ZQy9G+sIKVIquGnkBkPfBI7AeocbslM+jnj17
TqqJPMSOGVZGlCktKVqGd6LkuI5mf53IhYbx/mU85UdgQPYEI0JcfIkNejYybtd1
t0+/jwqx3t8YR/xG1ShOwqY2tx0ieoW4aKJEk/JT/LlNKgQwcxdFt1ShwaXKo2Fc
HgfY9hIQDKcwtSn/Clz0VM0VuOAdFLiPypf4nDqHS+aKgjAt9yZaiZwhbMGWhTT4
pR0hMsGiwwXw6tKEeWoVaAkg2wlY7ABZQRpgsqoNKXdTpkl6apryUJ3M/PvBce5J
yMErVg5Rb2s2wLpK0fakrxE7sgLVffydhICvLLr80Msq7zJw6kJPtr9I5b3U96wN
rrruioLJvXYlv1KX7jwEc+4FADCXvNf6geCemXTRJ7Sn1qFA82q6YfdcMQFZVlrR
VOzxphWoZnAoGDWv41OK6Y2NTsJA6rXeIv3D3TcmxMyba1ovcOWyR5pYTDQqkThV
q2nklI8x+h7o5N7hMWIyxYhZFQMWd1NxxZ12LISrk/vD3rTSipDwrO+hEkTZP40p
lNNwmshzHZ2R1/z7m1TIlVEjKNp+w0PMKH1TGmDHmT2sORCL2Hbo6AOgZi/3euPu
+5ipxrbkV6cJnJh4/wpipl7dmVDDy81fCeAAbmbvfB9PefgEfPRFlrVXuYuY0w1t
cwIDAQABo2gwZjAkBgNVHREEHTAbghlkZ2F0ZS5kZXYua3IuZGF0YXNha2VyLmlv
MB0GA1UdDgQWBBTIkFbBsCh4m99Lz3R4DpNncMAw/TAfBgNVHSMEGDAWgBTEPJx7
89CPnkZ0otuFE7b8s+SzGjANBgkqhkiG9w0BAQsFAAOCAgEAx31IOe39f4n5J7/E
wFpegE49QcdOlzEMzMQWEFg71OmqYIzLVnQ8RblkHMLPdMIPTqrUG3GLqAKbBvNU
8/degg1XPq2OJseo8+cyVZkEamknVjNNK4/fOxYQ2BwiFW/G+e26El6Fjg/jEHeq
w8wZXoaSF8HlZ11Lynd6EStUBsKmY0Ld/pw4EGdOm5uFpLcwhYZaQ+aFS1fX6CxB
uThYxuMXKRKr78GyQUzeHKn5wzvZtlzmNdf0xB5/kiwSEpZicAZ+ZFKRe/C5BAIR
tDmBTIb3NeBoo2h3elbvLeIC5+aW9zWXSxUOOa4QFfcCcN4+K9SVh6DqgworEhFw
iWuCh2tOYJsWnoUyoOc3A5EdKXXZOU/xvjjKPM5OLEQ0B4vuvbQref59haMToaPP
LXEiE1GPJEgzR4Pem81fjZXmtMxI44YEUqg3iN7Q7urKYdqdWnVpIdECYy9nULfN
cRrJZIRTPYIhj2xr2I9JW3i7asiF3Ht3VVNl/YKYwSIv9fLPT03lbzfijcIYLVE+
m0zzKbUOqA0S2yekzRswEF5H3QAekaix6ov81UmLM3iBPVXM+sZi7k0pZNp8bt4l
fxP1MypfQC6XvvBo74XBKj9rJSKUIhW+ZjydKGv1jQzRAUZtslYfrtXx3hDeTjaB
7DsclIKNo+8jKLC7ifCl2iK0UV0=
-----END CERTIFICATE-----

52
packer/ansible/roles/helm_install/files/vault/tls/client-key.pem Normal file
View File

@@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCxCa4ZQy9G+sIK
VIquGnkBkPfBI7AeocbslM+jnj17TqqJPMSOGVZGlCktKVqGd6LkuI5mf53IhYbx
/mU85UdgQPYEI0JcfIkNejYybtd1t0+/jwqx3t8YR/xG1ShOwqY2tx0ieoW4aKJE
k/JT/LlNKgQwcxdFt1ShwaXKo2FcHgfY9hIQDKcwtSn/Clz0VM0VuOAdFLiPypf4
nDqHS+aKgjAt9yZaiZwhbMGWhTT4pR0hMsGiwwXw6tKEeWoVaAkg2wlY7ABZQRpg
sqoNKXdTpkl6apryUJ3M/PvBce5JyMErVg5Rb2s2wLpK0fakrxE7sgLVffydhICv
LLr80Msq7zJw6kJPtr9I5b3U96wNrrruioLJvXYlv1KX7jwEc+4FADCXvNf6geCe
mXTRJ7Sn1qFA82q6YfdcMQFZVlrRVOzxphWoZnAoGDWv41OK6Y2NTsJA6rXeIv3D
3TcmxMyba1ovcOWyR5pYTDQqkThVq2nklI8x+h7o5N7hMWIyxYhZFQMWd1NxxZ12
LISrk/vD3rTSipDwrO+hEkTZP40plNNwmshzHZ2R1/z7m1TIlVEjKNp+w0PMKH1T
GmDHmT2sORCL2Hbo6AOgZi/3euPu+5ipxrbkV6cJnJh4/wpipl7dmVDDy81fCeAA
bmbvfB9PefgEfPRFlrVXuYuY0w1tcwIDAQABAoICAAdyPUjhuwjUvjmaAbU99s36
j3knq542Nrw3rB4ZJ0Pa9LBOBoRli2vvimXUYfLa8FaHbrHf9z56Y0klZpOvnxds
1AwrgXyLXmZbOBFZ+SUB31BSz2PY2HBYgsNl7sqVRFFz1T1gguRVPlH9GQmwTQjy
VffFt3pesigVkYga5BrwRms5OlxDc/rH++q2wF8ke/XIb2C5wOOHZWn3BD0xk5JK
1ITyasIPHKqJPQE8PBSjOTzuuhdC9aqC7fTVeIFK/WtM2zFKx975LodXrHBeSJ8T
lO6Zskez3VdEYsBprtiaoYlVlseVFKDabVt9Rk758BMfMyBQqsHjU1hK3NiKXakw
Omb7+Jwo9AEq+9bToCdDbKyhqmgbZ6ow/ivLfzQCf4NhyhRt51KCS4CeWwqzxo5Q
eN6vl97d2xxzF9ur5hv1SlqJyOP1LtmyVf3U+7xhD/BsBVE8y9HmneeSnM/K9MFZ
cfdAPI0o2DJCK4hOtHYkf1ISIsZ06YZ+a7s18qPc439ArYM7Tu0GL3/X1C1dgLN/
xcnwVvSnGfDyV1jJAMhWptenct0ubbl9BEmeML2dOp0XaKb6VCofHXcxVwlmvbYp
B7bhluFN32zw3poBbgWh3vP40px4CDXfZsp1XSoovephiEIo5oblvLTOzFHeRd+Q
zlzn3r8hnXcIb1pSp17hAoIBAQDXq+MpKqtpe2s4fdXTrTZ3ptuujgq490eLOKVR
JjPv83HsUvfYj4Hrju0X4BDy+8+P5fdXCgAFR/sT6Ydea1r3f0VYUsyuGMPQCaYt
y2fJrC/yFtLrsIGii9+aQhqDXBlImgMKp3xpBtB4ZIeRsqTeuGSjgEHCKV7DmJS3
C3ZnvbsDhkaPxoS7iLjx8TEGzMBeLMpyXZsjFqJa9kmU+tg2ILpDMEp+fUjzahkE
y4YYVXAK3AjjBoOv/nrg/hyuKtBYLcfFfs8vfCA0/j1YMskt4mSAtthYz/kv4aSA
oE72xpVER9coq4oGklzqPjNOV+bs25r66x/AF4VuYVqCFrjTAoIBAQDSJGpV6PY1
YcJfp8BoxMKLRalrKQHnB7R9V92/lk0tPBs+0oGSHW7q7ISdtMk7PtmS6lvRK4Qy
bj+Fi3eIyei+0lCsW3hLX+aQLSME1nDIpP/v5SARCFyB8us5rknluXoVcNfSOW/s
eVTOlVDI73BZxLfC6mKGn3TeD62az6wEscLgJfB4+PNv6Y0jK61J/CqadlHqVPRL
/I9uDO+R6GyiPsfGY2VJLrABD0YaDiFh49kxPf65REDIZzoJKfJ/DcKYUYX2G7n+
TQJS8vUnAghrcjXgq3XbBYI6aLz7o9c8Pdxfv6GJNCWCBEQjDNuzNnN+Tfxcx7hD
UEKVnK73+ZThAoIBAQC7H5oCt9DtvnWzGAsUk+70NcPZWciX34UlmEpndDwP7ytj
HkGIlkrlNKcl1fUevbjDY4YM8NI/wspn5nDbTU4p+zURgxWv4DDVKeoTRa6RXmJj
K8ZpVEXF4JJrZvtWCeyt/2KwNc1N2um5649srJE75MT8z2U+r2JXVuWBQ+LB8+51
CmXijR3RELlWwiwFeFVX4IjuXaUi9pp7TcFeD57Up+S0MwwPX2iSOfXnIScBqe+C
nJLhV1+era+z0wbTXrZSK7Zu9q2Qx6OyFvzmr3m54/nLa9mehSPxlVeDepPIrVgJ
XEOkN+GT/h2756fgS4hC7e8z0hlEM6RDtxguUsSdAoIBAQC7v49FzErVLM+V2PG+
aTULa6TPOicZ+7dVWYCkYKv5Yz9QZJEhM6zatZBSuqgjh6aqbTq1ajTFPd0A+rdE
fmi0vIEZTOvwI/GCFOG5u8GuckS8V7DLpvXHoHpq4X3iglFCALzCdVC7LTgJDjzM
Gaj+exRXUEPQ1Xx7vfQ0YaDl3NAopZzw6DPPZBIWPzqm5GZH9LiBLX/KuA6Jm4Mb
kFYmqwKgDEP9G3pip/vQ4ZkPtZtiNGp1qjZbFmcyssiWnXujzQpr9R+6xaDy7WD8
hgNxw+vBHE/C7GwKtXNLPHnbt8VBwpuXUwDD5f3edul/d4G+cfysBEBr27RxqThm
ExXhAoIBACu/PJGQae6MGOOszAyEQb4c8NKanC3TikXcTYali6veodbyAVv0BpkZ
Kbn5NSMZSQZBNdeSAOQAFNaTEh7jA9zFPtFZMpSG1fjx8dlC+ZTB8746wKunwbVS
yspLcC3U1AXChbF6EHRxYnWKpTQVYtn3npTjE95I9PK7dPvM9Qv74EiXhpOy7orN
hj1XTLP89uR70gLkCjWnMi48qoyMbKrnHJR/H7qZXIfkHUA+wrzJ0sMVmDvcXV+P
9oBJIUM0PGBmqLYbhG/mkiAuX+KJyHXcJY9YxRi9nyqptZPH+igQPC0pNaDtajm/
2ePO3b8j2RJQp1ABqH7ZT0TVUwH/vWo=
-----END PRIVATE KEY-----

27
packer/ansible/roles/helm_install/files/vault/tls/client-req.pem Normal file
View File

@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIEpTCCAo0CAQAwYDELMAkGA1UEBhMCS1IxDTALBgNVBAgMBEFTSUExDjAMBgNV
BAcMBVNFT1VMMQ0wCwYDVQQKDARFWEVNMQ4wDAYDVQQLDAVDTE9VRDETMBEGA1UE
AwwKVEVTVC1BR0VOVDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALEJ
rhlDL0b6wgpUiq4aeQGQ98EjsB6hxuyUz6OePXtOqok8xI4ZVkaUKS0pWoZ3ouS4
jmZ/nciFhvH+ZTzlR2BA9gQjQlx8iQ16NjJu13W3T7+PCrHe3xhH/EbVKE7Cpja3
HSJ6hbhookST8lP8uU0qBDBzF0W3VKHBpcqjYVweB9j2EhAMpzC1Kf8KXPRUzRW4
4B0UuI/Kl/icOodL5oqCMC33JlqJnCFswZaFNPilHSEywaLDBfDq0oR5ahVoCSDb
CVjsAFlBGmCyqg0pd1OmSXpqmvJQncz8+8Fx7knIwStWDlFvazbAukrR9qSvETuy
AtV9/J2EgK8suvzQyyrvMnDqQk+2v0jlvdT3rA2uuu6Kgsm9diW/UpfuPARz7gUA
MJe81/qB4J6ZdNEntKfWoUDzarph91wxAVlWWtFU7PGmFahmcCgYNa/jU4rpjY1O
wkDqtd4i/cPdNybEzJtrWi9w5bJHmlhMNCqROFWraeSUjzH6Hujk3uExYjLFiFkV
AxZ3U3HFnXYshKuT+8PetNKKkPCs76ESRNk/jSmU03CayHMdnZHX/PubVMiVUSMo
2n7DQ8wofVMaYMeZPaw5EIvYdujoA6BmL/d64+77mKnGtuRXpwmcmHj/CmKmXt2Z
UMPLzV8J4ABuZu98H095+AR89EWWtVe5i5jTDW1zAgMBAAGgADANBgkqhkiG9w0B
AQsFAAOCAgEAo35RHmcSHDmQDdGNOprlWMeuNbajRsERAKKuETPVHmh6QikNBD2R
l971+Feva9W0xtxNrWoly0auHelHtoRt7sBEfy5dGkVmcQOGfrUFZKOeZFjXg32d
dJdYnjur4nYUbD8sufo9711RAJz75fYUAa88pNhdrgNb5jpdBOrYVp4Xzo582wSt
VKKBYpYIy9yK1sAfUdk+yyr4XfM0GJseK5Fbbb4numqhFNlwWH26QkkbjKGZz4BM
AhC/2qaG0b7Dm691evSnPWoS++sQTtc70d/4WJp9NoxQie4wCabqgx+sG1yN9JRY
YHirPRPBBtkK9Pt6Vj99ahKWjqlknAHgiBF6CpSc/UVCqUgV1/aKRk1YSkHJpuZi
2H6w+TjF0o6vIDh2ayKdE/nib7TIbqIL1canxymePbqLN0dpIQYaUpH91lCP2rSy
Fng1jChMmN/pLi3ucx+3CTWSzrAve/2F1dC52HsAtVrKUDeg0WRk5onoxKHll0X8
H1lgHzBfSw+25kdAkOhwUBNuOXHig7Qks58JVsMmfRe26GFbTrHz3D47d8p9U/pP
muhGiOekl6/sg3rLLfZraGw9pT1kqgGKTBaAR23BLLLyTnhZLUZzL0Hl88PObrlj
UXDGbmN6knc8vpnYFJN+Gm3zFwJlnqndwPUhu8UjLgdpI4ybFMOK+2U=
-----END CERTIFICATE REQUEST-----

1
packer/ansible/roles/helm_install/files/vault/tls/ext.conf Normal file
View File

@@ -0,0 +1 @@
subjectAltName=DNS:dgate.dev.kr.datasaker.io

94
packer/ansible/roles/helm_install/files/vault/tls/generator.sh Executable file
View File

@@ -0,0 +1,94 @@
#!/bin/bash
########################### generator.sh ################################
echo "Generating TLS files..."
rm -f *.pem
# CA 인증기관의 private key 와 self-signed certificate(자체 서명 인증서)를 생성한다.
# -x509 :
# -newkey : Key 생성 방식
# -node : CA인증 개인키를 암호화 수행을 하지 않는다.
# -days : 인증서 유효기간을 설정한다.
# -keyout : 개인 키를 입력한 파일명으로 출력한다.
# -out : cert파일을 입력한 파일명으로 출력한다.
# -subj : 입력하지 않으면 CSR 생성 시 사용자 정보를 입력해야 된다.
# - C : 나라이름
# - ST : 지역이름
# - L : 도시이름
# - O : 기관
# - OU : 기관이름
# - CN : Common Name
echo "Generating CA private key..."
openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -keyout ca-key.pem -out ca-cert.pem -subj "/C=KR/ST=ASIA/L=SEOUL/O=EXEM/OU=CLOUD/CN=EXEM"
# CA Cert파일 결과를 출력합니다.
# echo "CA's self-signed certificate"
# openssl x509 -in ca-cert.pem -noout -text
# 서버의 개인키와 CSR를 생성합니다.
# -node : 개인키 암호화를 수행하지 않는다.
echo "Generating server private key..."
openssl req -newkey rsa:4096 -nodes -keyout server-key.pem -out server-req.pem -subj "/C=KR/ST=ASIA/L=SEOUL/O=EXEM/OU=CLOUD/CN=DATAGATE"
# Kubernetes의 환경에서는 Kubernetes의 Service명으로 DNS 등록이 가능하다.
# 만약 IP를 이용하여 subjectAltName을 등록할때는 IP:0.0.0.0 으로 등록하면 된다.
#cat > ext.conf <<-EOF
#subjectAltName = @alt_names
#[alt_names]
#DNS.1=sam-datagate
#DNS.2=sam-datagate-develop
#DNS.3=sam-datagate-cloud-1675
#DNS.4=10.10.34.129
#EOF
cat > ext.conf <<-EOF
subjectAltName=DNS:dgate.dev.kr.datasaker.io
EOF
# 서버 인증서 요청에 서명합니다. (CSR)
echo "Generating server certificate..."
openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile ext.conf
# Server Cert파일 결과를 출력합니다.
# echo "Server's signed certificate"
# openssl x509 -in server-cert.pem -noout -text
# CA, Server 인증서 확인
echo "Verifying certificate"
openssl verify -CAfile ca-cert.pem server-cert.pem
# Client의 개인키와 인증서 서명 요청(CSR)를 생성합니다.
echo "Generating client private key..."
openssl req -newkey rsa:4096 -nodes -keyout client-key.pem -out client-req.pem -subj "/C=KR/ST=ASIA/L=SEOUL/O=EXEM/OU=CLOUD/CN=TEST-AGENT"
# Client 인증서 요청에 서명합니다. (CSR)
echo "Generating client certificate..."
openssl x509 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile ext.conf
# Client 인증서 서명 결과 출력
# echo "Client's signed certificate"
# openssl x509 -in client-cert.pem -noout -text
NAMESPACE="dsk-middle"
VAULT_NAME="vault-0"
CA_CERT_NAME="ca-cert.pem"
CLIENT_CERT_NAME="client-cert.pem"
CLIENT_KEY_NAME="client-key.pem"
kubectl exec -it -n "$NAMESPACE" "$VAULT_NAME" -- \
vault kv put -mount=tls client \
ca_cert=$(openssl base64 -A -in "$CA_CERT_NAME") \
cert=$(openssl base64 -A -in "$CLIENT_CERT_NAME") \
key=$(openssl base64 -A -in "$CLIENT_KEY_NAME")
SERVER_CERT_NAME="server-cert.pem"
SERVER_KEY_NAME="server-key.pem"
kubectl exec -it -n "$NAMESPACE" "$VAULT_NAME" -- \
vault kv put -mount=tls server \
ca_cert=$(openssl base64 -A -in "$CA_CERT_NAME") \
cert=$(openssl base64 -A -in "$SERVER_CERT_NAME") \
key=$(openssl base64 -A -in "$SERVER_KEY_NAME")

33
packer/ansible/roles/helm_install/files/vault/tls/server-cert.pem Normal file
View File

@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFrjCCA5agAwIBAgIUeYr9DLb76Ps4kU+TjPUqWGi++/EwDQYJKoZIhvcNAQEL
BQAwWjELMAkGA1UEBhMCS1IxDTALBgNVBAgMBEFTSUExDjAMBgNVBAcMBVNFT1VM
MQ0wCwYDVQQKDARFWEVNMQ4wDAYDVQQLDAVDTE9VRDENMAsGA1UEAwwERVhFTTAe
Fw0yMjEyMDYwNzA3MjBaFw0yMzAxMDUwNzA3MjBaMF4xCzAJBgNVBAYTAktSMQ0w
CwYDVQQIDARBU0lBMQ4wDAYDVQQHDAVTRU9VTDENMAsGA1UECgwERVhFTTEOMAwG
A1UECwwFQ0xPVUQxETAPBgNVBAMMCERBVEFHQVRFMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAv7EV2uwFSxTZMK5EG+QhuyZivAEjaRSrxqYbbqARWGVb
wgg6fseiwudn+4rgQTSr+FIH5xEbQxD5WncTPE4L8gwYTZ+eNykii4d82xqQUeEN
PeQ2CWBeYJfgRdN7AflU+BwbOjeErXdgxJybABnVoXdxusfo0freVSYseiT/ZLaD
0u7lK6srbY1vUwxorgQRhi0DD2Hn4SrXQv2K6y9djW2YusPOSHQcd7yK+J+30N9k
vfe7sdKiinHM65lezwPyx34PY+2RqoqqLDa1MpBpialxQuiGpz7UexNuiNFJTZbK
YmGPiMPnTMbjyqyU4tmMUhSKPFa1cAam/nDtVbzS1u9LY3Q8FMUnQV8TeBQ0cvqZ
rp0bvI3Z6ogpJeMTDOr/obLuFu7bhPnsGLEmL6BIZPeiQuCzReq0TSHWgoMWGWAn
kZoFpGgWVjx9TifoCPgvx1ULsTbPmXBs9b9NcFyLtlAuCrrnCK5zhbBVCGtAhrhE
TapQuaFK7glsncSRJMmivfVXcdnWlb6KpKmwzJl2XdMf/e+cxDxwK03U+NkInfuY
U3yo3mfL7ZZfjShEtOoKSqeWIjXPmp3qP1Ih5EMN13lBdkybV8t9ll33zpHfx57I
3B9deSz1pTnCnQ/tX29ENISs9bac0aPgCgecjO/UWkDSfwRfwbgKEAY0g+2HYxkC
AwEAAaNoMGYwJAYDVR0RBB0wG4IZZGdhdGUuZGV2LmtyLmRhdGFzYWtlci5pbzAd
BgNVHQ4EFgQU3HFs3DszdXhH2F978fk6+G4NixcwHwYDVR0jBBgwFoAUxDyce/PQ
j55GdKLbhRO2/LPksxowDQYJKoZIhvcNAQELBQADggIBAL4MoIJvwk9S512WG2kP
mCyDt1WIej1N5hioGH41XLTYBgCRZR53IiFKE5GuL0aDd9CKOPptMXDxpJJuzQBx
0FCQl5qrDpryGcRad+5ljcTcCyQTv/eeoJqR8YXu0N8/ToJ2412nc042YJ+Yueh+
gy8bOtKnh5QlG1/wC2BNpE7W6DBglz10KfiXwBUz1aDhb+GX2HSPLBko/MvVFdy/
jjVf7eJrXymPnWtQxNRurzfpT31xv2slXzsNXu53/jMeTF0ScjRltVos5cmjB+2r
7IIVhlQ767ScTCb+OrAfEJ7wCEcYVYN3+VHAYkSYYdg+slXr3lxyYgaeeQWc7zNw
5ClzNOP/juAfwC6JiCpJxR3l3pqQaaEbzWeAIUbKRaSlECV93lc1sraPVjEiAxog
2VlmtLD3MnyC8FXomIZNaZdh68cmiNsPehecWb10qrewiLYgFJQhaRSuQJ35CO0Y
u9E3JSZpVOJB6OoDNkV6AMWvDaimDtCbX8GwwNwoc0/rNc5Z6qZdjBsTfzUb/opc
XMsj/yuGZAaBe5Slqz+5FQKUMd4RrDVnZzgqriIB5jlXw8sRn+iiC/UYjQfyPiwk
lHccKWsb9CL2y0gpot+jg0e+A2Y3UO6v4opGXoSteaEj6Iqn+wINE0RJ+XTQKKao
VzjxmZAfIq9hRA6+IO3MschG
-----END CERTIFICATE-----

52
packer/ansible/roles/helm_install/files/vault/tls/server-key.pem Normal file
View File

@@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC/sRXa7AVLFNkw
rkQb5CG7JmK8ASNpFKvGphtuoBFYZVvCCDp+x6LC52f7iuBBNKv4UgfnERtDEPla
dxM8TgvyDBhNn543KSKLh3zbGpBR4Q095DYJYF5gl+BF03sB+VT4HBs6N4Std2DE
nJsAGdWhd3G6x+jR+t5VJix6JP9ktoPS7uUrqyttjW9TDGiuBBGGLQMPYefhKtdC
/YrrL12NbZi6w85IdBx3vIr4n7fQ32S997ux0qKKcczrmV7PA/LHfg9j7ZGqiqos
NrUykGmJqXFC6IanPtR7E26I0UlNlspiYY+Iw+dMxuPKrJTi2YxSFIo8VrVwBqb+
cO1VvNLW70tjdDwUxSdBXxN4FDRy+pmunRu8jdnqiCkl4xMM6v+hsu4W7tuE+ewY
sSYvoEhk96JC4LNF6rRNIdaCgxYZYCeRmgWkaBZWPH1OJ+gI+C/HVQuxNs+ZcGz1
v01wXIu2UC4KuucIrnOFsFUIa0CGuERNqlC5oUruCWydxJEkyaK99Vdx2daVvoqk
qbDMmXZd0x/975zEPHArTdT42Qid+5hTfKjeZ8vtll+NKES06gpKp5YiNc+aneo/
UiHkQw3XeUF2TJtXy32WXffOkd/HnsjcH115LPWlOcKdD+1fb0Q0hKz1tpzRo+AK
B5yM79RaQNJ/BF/BuAoQBjSD7YdjGQIDAQABAoICABaR/r1Gof7rpwEE288e5tvW
0rRJPAag4PLkVwGJBlHOqWWou153GhJx1bv355y123PDENwjlv6oDnwY3iJxHBX1
V504KJRdGwyruMdBkvGZGoqJhtVGzAX6i/Ucx/R9C4SlJo2NwOj9z96Gg/eYkx9O
ZY01AZRLwgbrljwRhCKzHMVmzIP+RQBCsXNpWB/5KakPPrd+cyN/fFYObV9wtcaz
u1JuQKkmRr3QbNqGT8nfq8h0VVzELNA5QwQQjGm6kMjtbll5PPgEGLJZBK+98jc7
xLK4lzY0/ya4rICeh8+DbDP2QcS8ME1Jc8PG20b0j4GQmpAtM3LLzbjSyhcYwwhI
cbWzhlxcy7AmIQ9kdd6aodI8cqmCcf85xrLV4SFlFWHjul9uoFIPVQKhcbNu9rp+
OOLpXHuA3KTG2I+HBGU6rmkZ0h3hhnzK+KY/ecg4ZnqVaHdbrnyuua/U1lSG+T2/
RBWr0GFOHqzW/STOe5k0joYH7hVncymDw9DrRHSjeYEZjMgadBOtH+zXtL5Slfzb
OMIgkrcOJY4l4JNgg2ts+fPhXAbB7RUDFPUsW9mi79pk9JDn8MNSk3dPI9T3ZFG7
b9FG69HfK2OsnWhjQexgAVgsdyRpgMem8z/rSKw1aMwXvFGne7o/N7YaVO3w0/PA
XY0GjI8YiE8Idtkd4HRBAoIBAQDUloMgTFcv/PSHQAg5/zmfN+eNQZE2Zwft1zZD
JsYDU1kXB4iaheqsfBrHagVxyiBZaFwPGEOuS5S+6ODSB+zaiGZeZ+yj8XcYOQNj
8y693ZFkqIaliAV7sNoSwsESvOGFeWCKWnx0If6uLp6170sQ1nST4TnSHlatgy1u
+k+HBgmQChPvPvp8ov8zS59TzHEI1qfsd1Jq6fS4I6SUA6bYLtnifatAWRuag/A7
X5jAU83+jpdR/89A9k2DiowrW5Kp214/Ac66J7NhIcdiMl1EDw8tPxHv5OlOYEre
z8NSDwJMIqcZlBFskQv3YGaJLCuOzkz5QIpSyFrS55t8OLYJAoIBAQDm1i4IuabA
rGZ+cZnm31BDw2r9k2gy45PEtFkSKht4jvlMhOXpyEjq4weaEbqW/b84agB9D5Nv
NnRcLrF7DEZUgCPo86LYHsG7mXaaWmnKGQywVxCehZZ4ZZFH6iK2hANFS528TL88
QoiHbw7NgWoYRL2NqkJEbm31Th7vYQ70eoxAWTSa2Tk/9fI1xCQni+tjzZRForHv
XLNgki91UDW2CS/5nkQGhukAlh47zXB4KDO/G/M+ZGmiCBpC3gE29Hd6PDgcByeZ
FOaWSY/uS2CA65dfloUTQfYrFagMos9zYaKJNbZ59HCQJ4T0SIx1F4isf8uG/z8w
U/xFK2Gb+AiRAoIBABYitfSe/lUY2b1bhX/Ee5OAlrO2qBAqGkFBr3y+hM/D1fr3
5dlxKEZdhcxN1dNLYKLuoudPd3ymkg5u4Tn9aUQ3/7DE0XcgpW34QcoegDd04rbA
dYS27Rs8Bvj9Hm19DV6AjPTbBypwf7xTTmNTT1WpfuoHAaZHUm8uwYRUvAMrNcOx
yPGYdSyVLE2DCkwHdZ2d/E46/nHzem/SBkkDOFQ6TKWwwCwrGxyzsEf+ZEFieIiR
AGChaksxWlDgFEhPeK4HEYEuBwCLMbpjcgdfhyaXCtWDQ7Le+wwWKrWYnJXmyi5z
TUL0j/vl/oD7oLGXz9FG2ez6M2z7P7nGNAJzRUECggEASgbbom6vHFDtWZVizphE
7EZKFGHmY5N5+vX/LoUUZDgtmK1x8eQKBlGiSXVwCiX74cKUv4Z0OJEVBc7vmc9Y
6pZhbb5cNcS/SkMvttZR4L7hw9dX/A5JL/kaex6J3VA+oEVco1tVZKTNlek2rQ7Y
kEnTJBA6yilD2AwifY/5tMtsGOLCrPoGkw1zjGyHT6teZJYz+5TuTR3EZK7cy1la
sDMIEJwBoro3FLoPngwHCnGSDrKO8i5Pdef1TAZYC2CgxDF1qP9eYohCXmXe44OG
wjFLTRs/N+rKYAzE5LB9qLnh3vC7wSZzxrb1u0VczdwrN26QPY2znPMCDsiXt+X2
EQKCAQBQj8LEoX+FVdTtFw7mMtcrpTs9JhWzA4emQSdEWxSLeXalAK/HM5xvF8kq
OPN4wVZYbhJyFCBxQAo47FB53WrcUKc/01E5RRsNALAbRszCAjMQ5X50TrkQCS+X
VeXCS76KnpH9yDfBxYis4eFtH6CvRHO572MpbJzjp4n4ZTVYws02BVVF6Jynmc66
LDCw3lHaK+K0A5qX4MPTTXwELHMy4bJsWrI2r4PuMygJ8lrRxg3/YlOq9ZEegvBq
Dlv8nLIYYCRY8TRGVhtwQtEuuqrV+phFrkOwp/46UCsr7U2pTphNfebhfL5R1l2h
eAT5gUCcf6OjqDgIpD32xijmzp+r
-----END PRIVATE KEY-----

27
packer/ansible/roles/helm_install/files/vault/tls/server-req.pem Normal file
View File

@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIEozCCAosCAQAwXjELMAkGA1UEBhMCS1IxDTALBgNVBAgMBEFTSUExDjAMBgNV
BAcMBVNFT1VMMQ0wCwYDVQQKDARFWEVNMQ4wDAYDVQQLDAVDTE9VRDERMA8GA1UE
AwwIREFUQUdBVEUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/sRXa
7AVLFNkwrkQb5CG7JmK8ASNpFKvGphtuoBFYZVvCCDp+x6LC52f7iuBBNKv4Ugfn
ERtDEPladxM8TgvyDBhNn543KSKLh3zbGpBR4Q095DYJYF5gl+BF03sB+VT4HBs6
N4Std2DEnJsAGdWhd3G6x+jR+t5VJix6JP9ktoPS7uUrqyttjW9TDGiuBBGGLQMP
YefhKtdC/YrrL12NbZi6w85IdBx3vIr4n7fQ32S997ux0qKKcczrmV7PA/LHfg9j
7ZGqiqosNrUykGmJqXFC6IanPtR7E26I0UlNlspiYY+Iw+dMxuPKrJTi2YxSFIo8
VrVwBqb+cO1VvNLW70tjdDwUxSdBXxN4FDRy+pmunRu8jdnqiCkl4xMM6v+hsu4W
7tuE+ewYsSYvoEhk96JC4LNF6rRNIdaCgxYZYCeRmgWkaBZWPH1OJ+gI+C/HVQux
Ns+ZcGz1v01wXIu2UC4KuucIrnOFsFUIa0CGuERNqlC5oUruCWydxJEkyaK99Vdx
2daVvoqkqbDMmXZd0x/975zEPHArTdT42Qid+5hTfKjeZ8vtll+NKES06gpKp5Yi
Nc+aneo/UiHkQw3XeUF2TJtXy32WXffOkd/HnsjcH115LPWlOcKdD+1fb0Q0hKz1
tpzRo+AKB5yM79RaQNJ/BF/BuAoQBjSD7YdjGQIDAQABoAAwDQYJKoZIhvcNAQEL
BQADggIBAEyXArw9/0KHqS2WWpbd6/3LyrRISPE+WSH9cErOmiU9caDxbQsRLiW6
I0G6MoJxkScsNy7i3vbQYIb5Ur+jqcC6zKZXevL9fVmYugrlR2LC9pPUVSD+brol
ooUGdjVNtEucNzCLgKg11WYp8zgt1E06mk5FYimCFWFA84ZDcFndBWpoExuTSLLc
dyQfmPQ40RAyT3qD55d0J+IiKhfWBq1blTY5uHaEp7Ok14ukSK5baA76tnpm89vU
eWM+TpaQUqYCcGT54xbcy6gS3F4slpeHBK0Lq1H9nKl0+GZWf9q9OsQNpVTW+q/y
ukBiEYHxx81LxCHrbOcRjCv9NGMVPiMGHn3wx02BIswtzp9HNeNBzno48DhBpJgt
R7tGcF102BA5P0winooqiCcDEeHC6c+MNWBIxT9dT6+jJNBLKTJuYND55BDzoeJX
O6brWipR//OHlcFDKxf+ZyukGuV+geG+7qpjc8RKqVhK2+Z1rioY/toIRuUTvkIO
KS6BCAlpr3Mavx484FUmZe9K8X3KmS1i/ItKBV5RhNwip9wOFdyQ8BmSAos0WyL8
EBcNj2u2tUTQs+w5A6LNI+HVYeFhXgwJH4yOilb7iYhcig7lPaqCFR1RIARqUW4G
8AYasXX8bMbghDRFlIOdOdEMI/iaEC2lOfa4Jo3hKuV4YUqDUh2S
-----END CERTIFICATE REQUEST-----

18
packer/ansible/roles/helm_install/files/vault/values.openshift.yaml Normal file
View File

@@ -0,0 +1,18 @@
# These overrides are appropriate defaults for deploying this chart on OpenShift
global:
openshift: true
injector:
image:
repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
tag: "1.0.1-ubi"
agentImage:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.12.0-ubi"
server:
image:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.12.0-ubi"

1030
packer/ansible/roles/helm_install/files/vault/values.schema.json Normal file
View File

File diff suppressed because it is too large Load Diff

1121
packer/ansible/roles/helm_install/files/vault/values.yaml Normal file
View File

File diff suppressed because it is too large Load Diff