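---
# Example Vault custom resource for the Bank-Vaults operator.
# It deploys a single Vault instance with the `file` storage backend, stores the
# unseal key shares and root token in a Kubernetes Secret, and pre-configures
# policies, Kubernetes auth roles and a KV v2 mount.
apiVersion: "vault.banzaicloud.com/v1alpha1"
kind: "Vault"
metadata:
  name: "vault"
spec:
  size: 1
  image: hashicorp/vault:1.14.1
  # specify a custom bank-vaults image with bankVaultsImage:
  # `latest` is a mutable tag: what it resolves to can change between two
  # deployments and cannot be audited afterwards. Pin a release tag (or better,
  # an image digest) anywhere that is not a throw-away demo.
  bankVaultsImage: ghcr.io/bank-vaults/bank-vaults:latest
  # Common annotations for all created resources
  annotations:
    common/annotation: "true"
  # Vault Pods , Services and TLS Secret annotations
  vaultAnnotations:
    type/instance: "vault"
  # Vault Configurer Pods and Services annotations
  vaultConfigurerAnnotations:
    type/instance: "vaultconfigurer"
  # Vault Pods , Services and TLS Secret labels
  vaultLabels:
    example.com/log-format: "json"
  # Vault Configurer Pods and Services labels
  vaultConfigurerLabels:
    example.com/log-format: "string"
  # Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
  serviceAccount: vault
  # Specify the Service's type where the Vault Service is exposed
  # Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce
  # forces you to expose your Service on a NodePort
  serviceType: ClusterIP
  # Request an Ingress controller with the default configuration
  ingress:
    # Specify Ingress object annotations here, if TLS is enabled (which is by default)
    # the operator will add NGINX, Traefik and HAProxy Ingress compatible annotations
    # to support TLS backends
    annotations: {}
    # Override the default Ingress specification here
    # This follows the same format as the standard Kubernetes Ingress
    # See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#ingressspec-v1beta1-extensions
    # (extensions/v1beta1 Ingress was removed in Kubernetes 1.22; the current
    # type is networking.k8s.io/v1 Ingress — check which one your operator
    # version emits before relying on field names from the link above.)
    spec: {}
  # Use local disk to store Vault file data, see config section.
  volumes:
    - name: vault-file
      persistentVolumeClaim:
        claimName: vault-file
  volumeMounts:
    - name: vault-file
      mountPath: /vault/file
  # Support for distributing the generated CA certificate Secret to other namespaces.
  # Define a list of namespaces or use ["*"] for all namespaces.
  # Only the CA *certificate* is copied; list just the namespaces whose workloads
  # must verify Vault's TLS, and avoid ["*"] unless every namespace needs it.
  caNamespaces:
    - "bank-vaults-infra"
  # Describe where you would like to store the Vault unseal keys and root token.
  unsealConfig:
    options:
      # The preFlightChecks flag enables unseal and root token storage tests
      # This is true by default
      preFlightChecks: true
      # The storeRootToken flag enables storing of root token in chosen storage
      # This is true by default. The root token has no policy limits and no TTL;
      # once the operator has finished the initial configuration, revoke it and
      # generate a fresh one only when an operator task actually requires root.
      storeRootToken: true
      # The secretShares represents the total number of unseal key shares
      # This is 5 by default
      secretShares: 5
      # The secretThreshold represents the minimum number of shares required to reconstruct the unseal key
      # This is 3 by default
      secretThreshold: 3
    kubernetes:
      # All unseal key shares and the root token land in one Kubernetes Secret in
      # this namespace. Anyone who can read Secrets there (RBAC get/list on
      # secrets, node or etcd access) can unseal Vault and act as root, so use a
      # dedicated, tightly scoped namespace rather than the shared `default` one.
      secretNamespace: default
  # A YAML representation of a final vault config file.
  # See https://www.vaultproject.io/docs/configuration/ for more information.
  config:
    storage:
      file:
        path: "${ .Env.VAULT_STORAGE_FILE }" # An example how Vault config environment interpolation can be used
    listener:
      tcp:
        address: "0.0.0.0:8200"
        # Uncommenting the following line and deleting tls_cert_file and tls_key_file disables TLS.
        # Do not do that outside local development: every token, unseal key share
        # and secret value would then cross the cluster network in clear text.
        # tls_disable: true
        tls_cert_file: /vault/tls/server.crt
        tls_key_file: /vault/tls/server.key
    telemetry:
      statsd_address: localhost:9125
    ui: true
  # See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
  # The repository also contains a lot examples in the test/deploy and operator/deploy directories.
  externalConfig:
    policies:
      # Policy rules are HCL; a literal block scalar keeps them readable and
      # avoids relying on YAML folding a multi-line plain scalar into one line.
      - name: allow_secrets
        rules: |
          path "secret/*" {
            capabilities = ["create", "read", "update", "delete", "list"]
          }
      # define a new policy for the Reloader
      - name: read_secrets
        rules: |
          path "secret/*" {
            capabilities = ["read", "list"]
          }
    groups:
      - name: admin
        policies:
          - allow_secrets
          - read_secrets
        metadata:
          privileged: true
        type: external
    group-aliases:
      - name: admin
        mountpath: token
        group: admin
    auth:
      - type: kubernetes
        roles:
          # NOTE(review): this role binds the `default` ServiceAccount, which
          # every Pod in the `default` namespace uses unless it sets another one,
          # and gives it full read/write on secret/*. Vault matches the two
          # bound_* lists independently, so `default` in `bank-vaults-infra`
          # and `secrets-webhook` in `default` match as well. Outside demos,
          # bind only the named ServiceAccounts that need access and attach the
          # narrowest policy that works (e.g. read_secrets).
          - name: default
            bound_service_account_names: ["default", "secrets-webhook"]
            bound_service_account_namespaces: ["default", "bank-vaults-infra"]
            policies: ["allow_secrets"]
            ttl: 1h
          - name: reloader
            bound_service_account_names: ["vault-secrets-reloader"]
            bound_service_account_namespaces: ["bank-vaults-infra"]
            policies: ["read_secrets"] # use the read_secrets policy in the reloader role
            ttl: 1h
    secrets:
      - path: secret
        type: kv
        description: General secrets.
        options:
          version: 2
    # Allows writing some secrets to Vault (useful for development purposes).
    # See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
    # These values sit in plain text in the Vault CR, i.e. in Git and in the
    # output of `kubectl get vault -o yaml` for anyone allowed to read the CR.
    # Never put real credentials here; quoted strings keep YAML from re-typing them.
    startupSecrets:
      - type: kv
        path: secret/data/accounts/aws
        data:
          data:
            AWS_ACCESS_KEY_ID: "secretId"
            AWS_SECRET_ACCESS_KEY: "s3cr3t"
      - type: kv
        path: secret/data/dockerrepo
        data:
          data:
            DOCKER_REPO_USER: "dockerrepouser"
            DOCKER_REPO_PASSWORD: "dockerrepopassword"
      - type: kv
        path: secret/data/mysql
        data:
          data:
            MYSQL_ROOT_PASSWORD: "s3cr3t"
            MYSQL_PASSWORD: "3xtr3ms3cr3t"
  secretInitsConfig:
    # `debug` is for troubleshooting and is considerably more verbose than
    # `info`; switch it back once the deployment works.
    - name: VAULT_LOG_LEVEL
      value: debug
    - name: VAULT_STORAGE_FILE
      value: "/vault/file"
  # Marks presence of Istio, which influences things like port namings
  istioEnabled: false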
---
# PersistentVolumeClaim backing the `vault-file` volume that the Vault CR above
# mounts at /vault/file, i.e. the data directory of the `file` storage backend.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vault-file
spec:
  # https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
  # storageClassName: ""
  # ReadWriteOnce is enough here: the CR runs a single replica (`size: 1`), and
  # the file backend is not HA-capable, so the volume never needs to be shared.
  # NOTE(review): Vault encrypts what it writes to this volume, but the unseal
  # key shares that decrypt it live in a Kubernetes Secret (see unsealConfig in
  # the Vault CR) — protecting the volume alone does not protect the data.
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi