09e1bbbc52
...
4075203b1e
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
4075203b1e | ||
|
|
92decafc3f |
8
08_Vault/auth-token-secret.yaml
Normal file
8
08_Vault/auth-token-secret.yaml
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: vault-auth-token
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/service-account.name: vault-auth
|
||||||
|
type: kubernetes.io/service-account-token
|
||||||
|
|
||||||
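Review bot: This manifest mints a non-expiring, non-rotating legacy token for the `vault-auth` service account (`type: kubernetes.io/service-account-token`), and the justfile in this same change reads it back with `kubectl get secret ... -o jsonpath='{.data.token}'` to use as Vault's `token_reviewer_jwt`; this is the token style Kubernetes stopped auto-creating in 1.24 because such tokens never expire and persist in etcd and every backup of it. Since Vault runs in-cluster here (`kubernetes_host="https://kubernetes.default.svc"`), the Kubernetes auth method is documented to fall back to the Vault pod's own projected, short-lived service-account JWT for TokenReview when no `token_reviewer_jwt` is configured, so binding the Vault pod's service account to `system:auth-delegator` would remove this Secret entirely. If the long-lived token is intentional, say so in the file, e.g. `# Long-lived TokenReview JWT for Vault; rotate by deleting and re-applying this Secret`. Note also that, unlike the two gomplate templates, this manifest carries no `metadata.namespace`, so it only lands in the right place because `kubectl apply -n` supplies one.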
@@ -50,10 +50,77 @@ install:
|
|||||||
kubectl wait pod --for=condition=PodReadyToStartContainers \
|
kubectl wait pod --for=condition=PodReadyToStartContainers \
|
||||||
-n ${K8S_VAULT_NAMESPACE} vault-0 --timeout=5m
|
-n ${K8S_VAULT_NAMESPACE} vault-0 --timeout=5m
|
||||||
|
|
||||||
|
# Wait for Vault service to be ready to accept connections
|
||||||
|
echo "Waiting for Vault service to be ready..."
|
||||||
|
for i in {1..30}; do
|
||||||
|
if kubectl exec -n ${K8S_VAULT_NAMESPACE} vault-0 -- \
|
||||||
|
vault status 2>&1 | grep -qE "(Initialized|Sealed)"; then
|
||||||
|
echo "✓ Vault service is ready"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
if [ $i -eq 30 ]; then
|
||||||
|
echo "Error: Timeout waiting for Vault service to be ready"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
sleep 3
|
||||||
|
done
|
||||||
|
|
||||||
|
init_output=$(kubectl exec -n ${K8S_VAULT_NAMESPACE} vault-0 -- \
|
||||||
|
vault operator init -key-shares=1 -key-threshold=1 -format=json || true)
|
||||||
|
|
||||||
|
root_token=""
|
||||||
|
if echo "${init_output}" | grep -q "Vault is already initialized"; then
|
||||||
|
echo "Vault is already initialized"
|
||||||
|
while [ -z "${root_token}" ]; do
|
||||||
|
root_token=$(gum input --prompt="Vault root token: " --password --width=100)
|
||||||
|
done
|
||||||
|
else
|
||||||
|
unseal_key=$(echo "${init_output}" | jq -r '.unseal_keys_b64[0]')
|
||||||
|
root_token=$(echo "${init_output}" | jq -r '.root_token')
|
||||||
|
kubectl exec -n ${K8S_VAULT_NAMESPACE} vault-0 -- \
|
||||||
|
vault operator unseal "${unseal_key}"
|
||||||
|
echo "Vault initialized and unsealed successfully"
|
||||||
|
echo "Root Token: ${root_token}"
|
||||||
|
echo "Unseal Key: ${unseal_key}"
|
||||||
|
echo "Please save these credentials securely!"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Wait for all vault instances to pass readiness checks and be ready to serve requests
|
||||||
|
kubectl wait pod --for=condition=ready -n ${K8S_VAULT_NAMESPACE} \
|
||||||
|
-l app.kubernetes.io/name=vault --timeout=5m
|
||||||
|
|
||||||
|
just setup-kubernetes-auth "${root_token}"
|
||||||
|
|
||||||
|
|
||||||
# Uninstall Vault
|
# Uninstall Vault
|
||||||
uninstall delete-ns='false':
|
uninstall delete-ns='false':
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
helm uninstall vault -n ${K8S_VAULT_NAMESPACE} --ignore-not-found --wait
|
helm uninstall vault -n ${K8S_VAULT_NAMESPACE} --ignore-not-found --wait
|
||||||
just delete-namespace
|
just delete-namespace
|
||||||
|
|
||||||
|
|
||||||
|
# Setup Kubernetes authentication
|
||||||
|
setup-kubernetes-auth root_token='':
|
||||||
|
#!/bin/bash
|
||||||
|
set -euo pipefail
|
||||||
|
export VAULT_TOKEN="{{ root_token }}"
|
||||||
|
while [ -z "${VAULT_TOKEN}" ]; do
|
||||||
|
VAULT_TOKEN=$(gum input --prompt="Vault root token: " --password --width=100)
|
||||||
|
done
|
||||||
|
|
||||||
|
gomplate -f ./serviceaccount.gomplate.yaml | kubectl apply -n "${K8S_VAULT_NAMESPACE}" -f -
|
||||||
|
gomplate -f ./rolebinding.gomplate.yaml | kubectl apply -n "${K8S_VAULT_NAMESPACE}" -f -
|
||||||
|
kubectl apply -n "${K8S_VAULT_NAMESPACE}" -f ./auth-token-secret.yaml
|
||||||
|
|
||||||
|
SA_SECRET="vault-auth-token"
|
||||||
|
SA_JWT=$(kubectl get secret -n ${K8S_VAULT_NAMESPACE} ${SA_SECRET} -o jsonpath='{.data.token}' | base64 --decode)
|
||||||
|
SA_CA=$(kubectl get secret -n ${K8S_VAULT_NAMESPACE} ${SA_SECRET} -o jsonpath='{.data.ca\.crt}' | base64 --decode)
|
||||||
|
|
||||||
|
vault auth list -format=json | jq -e '.["kubernetes/"]' >/dev/null 2>&1 || \
|
||||||
|
vault auth enable kubernetes
|
||||||
|
|
||||||
|
vault write auth/kubernetes/config \
|
||||||
|
token_reviewer_jwt="${SA_JWT}" \
|
||||||
|
kubernetes_host="https://kubernetes.default.svc" \
|
||||||
|
kubernetes_ca_cert="${SA_CA}"
|
||||||
|
|||||||
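Review bot: The already-initialized check after `init_output=$(... vault operator init ... || true)` cannot work as written: the command substitution captures only stdout, and as far as I can tell the Vault CLI prints "Vault is already initialized" on stderr, so on a re-run `init_output` is empty, the `else` branch executes, `jq -r` yields the literal string `null`, the script runs `vault operator unseal "null"`, and `null` is handed to `setup-kubernetes-auth` as the root token; the blanket `|| true` hides every other init failure the same way. Capture stderr together with the exit status, treat only the already-initialized message as recoverable, and use `jq -e` so a missing field aborts under `set -e` instead of becoming `null`. Separately, `echo "Root Token: ${root_token}"` and `just setup-kubernetes-auth "${root_token}"` put the root token into terminal scrollback, CI logs and the process list; exporting it as `VAULT_TOKEN` and changing the recipe's export to `export VAULT_TOKEN="${VAULT_TOKEN:-{{ root_token }}}"` keeps it off argv while still allowing the interactive prompt. The `install` recipe that this hunk extends begins before the hunk.
```shell
    # Only "already initialized" is recoverable; any other init failure must abort.
    if init_output=$(kubectl exec -n "${K8S_VAULT_NAMESPACE}" vault-0 -- \
        vault operator init -key-shares=1 -key-threshold=1 -format=json 2>&1); then
        # jq -e: a missing field exits non-zero and trips set -e instead of yielding "null"
        unseal_key=$(jq -re '.unseal_keys_b64[0]' <<<"${init_output}")
        root_token=$(jq -re '.root_token' <<<"${init_output}")
        kubectl exec -n "${K8S_VAULT_NAMESPACE}" vault-0 -- \
            vault operator unseal "${unseal_key}"
        # … unchanged: success/"save these credentials" messages …
    elif grep -q "Vault is already initialized" <<<"${init_output}"; then
        # … unchanged: gum prompt loop for root_token …
    else
        echo "Error: vault operator init failed: ${init_output}" >&2
        exit 1
    fi
    # … unchanged: wait for vault pods to be ready …
    VAULT_TOKEN="${root_token}" just setup-kubernetes-auth
```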
12
08_Vault/rolebinding.gomplate.yaml
Normal file
12
08_Vault/rolebinding.gomplate.yaml
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: vault-auth-binding
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:auth-delegator
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: vault-auth
|
||||||
|
namespace: {{ .Env.K8S_VAULT_NAMESPACE }}
|
||||||
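Review bot: The binding is correctly limited to `system:auth-delegator`, which is the minimum needed to call TokenReview, but nothing in the file says why a cluster-scoped `ClusterRoleBinding` is used rather than a namespaced `RoleBinding`; a header comment such as `# TokenReview is a cluster-scoped API, so the reviewer SA needs a ClusterRoleBinding to system:auth-delegator and nothing more` would stop a later least-privilege pass from "tightening" it into a RoleBinding that silently breaks Kubernetes auth. The fixed name `vault-auth-binding` is also cluster-wide while the subject namespace is rendered from `K8S_VAULT_NAMESPACE`, so re-rendering with a different namespace re-points the single binding instead of adding one; if several Vault namespaces could ever coexist, suffixing the name with the namespace avoids that collision.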
5
08_Vault/serviceaccount.gomplate.yaml
Normal file
5
08_Vault/serviceaccount.gomplate.yaml
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: vault-auth
|
||||||
|
namespace: {{ .Env.K8S_VAULT_NAMESPACE }}
|
||||||
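Review bot: In the files shown, `vault-auth` is used only as a token-reviewer identity — its JWT is pulled from the explicit `vault-auth-token` Secret and no Pod runs as it — so it should never receive a mounted token; adding `automountServiceAccountToken: false` at the top level of this manifest makes that explicit and stops any future pod assigned this SA from inheriting the TokenReview credentials. A one-line comment such as `# Identity Vault uses to call the TokenReview API; not intended for running pods` would document the intent.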