Skip to content

stuttgart-things/vault-base-setup

BranchesTags

Repository files navigation

stuttgart-things/vault-base-setup

terraform module for base-setup configuration of hashicorp vault.

EXAMPLE USAGE

EXECUTE VAULT CONFIG (VAULT SERVER)

MODULE CALL

cat > vault-base.tf <<'EOF'
module "vault-secrets-setup" {
  source                   = "github.com/stuttgart-things/vault-base-setup"
  kubeconfig_path          = "/home/sthings/.kube/demo-infra"
  vault_addr               = "https://vault.demo-infra.sthings-vsphere.labul.sva.de"
  createDefaultAdminPolicy = true
  csi_enabled              = false
  vso_enabled              = false
  enableApproleAuth        = true
  skip_tls_verify          = true

  approle_roles = [
    {
      name           = "read-k8s"
      token_policies = ["read-k8s"]
    }
  ]

  secret_engines = [
    {
      path        = "apps"
      name        = "s3"
      description = "minio app secrets"
      data_json   = <<EOT
      {
        "accessKey": "this",
        "secretKey": "andThat"
      }
      EOT
    },
    {
      path        = "kubeconfigs"
      name        = "kind-dev2"
      description = "kubeconfig for kind-dev2 cluster"
      data_json   = jsonencode({
        kubeconfig = file("/home/sthings/.kube/kind-dev2")
      })
    }
  ]

  kv_policies = [
    {
      name         = "read-k8s"
      capabilities = <<CAPS
path "apps/s3" {
  capabilities = ["create", "read", "update", "patch", "list"]
}
path "kubeconfigs/data/*" {
  capabilities = ["read", "list"]
}
CAPS
    }
  ]
}

output "role_ids" {
  description = "Role IDs from the vault approle module"
  value       = module.vault-secrets-setup.role_id
}

output "secret_ids" {
  description = "Secret IDs from the vault approle module"
  value       = module.vault-secrets-setup.secret_id
  sensitive   = true
}
EOF

EXECUTION

export VAULT_TOKEN=hvs.#..
terraform init
terraform apply --auto-approve
terraform output -json

TEST APPROLE w/ ANSIBLE (OPTIONAL)

cat <<EOF > test-approle.yaml
---
- hosts: localhost
  become: true

  vars:
    vault_approle_id: "INSERT-HERE"
    vault_approle_secret: "INSERT-HERE" # pragma: allowlist secret
    vault_url: "https://vault.demo-infra.example.com"

    username: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/s3:accessKey validate_certs=false auth_method=approle role_id={{ vault_approle_id }} secret_id={{ vault_approle_secret }} url={{ vault_url }}') }}"
    kubeconfig: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=kubeconfigs/data/kind-dev2:kubeconfig validate_certs=false auth_method=approle role_id={{ vault_approle_id }} secret_id={{ vault_approle_secret }} url={{ vault_url }}') }}" # pragma: allowlist secret

  tasks:
    - name: Debug
      debug:
        var: username
    - name: Debug
      debug:
        var: kubeconfig

EOF

ansible-playbook test-approle.yaml -vv
DEPLOY K8S AUTH ON CLUSTER 
cat > vault-k8s.tf <<'EOF'
module "vault-base-setup" {
  source          = "github.com/stuttgart-things/vault-base-setup"
  vault_addr      = "https://vault.demo-infra.example.com"
  cluster_name    = "kind-dev2"
  context         = "kind-dev2"
  skip_tls_verify = true
  kubeconfig_path = "/home/sthings/.kube/kind-dev2"
  csi_enabled     = true
  namespace_csi   = "vault"
  vso_enabled     = true
  namespace_vso   = "vault"
  k8s_auths = [
    {
      name           = "dev"
      namespace      = "default"
      token_policies = ["read-k8s"]
      token_ttl      = 3600
    },
  ]
}
EOF
# ONLY APPLY IF VSO IS ENABLED
kubectl apply -f https://raw.githubusercontent.com/hashicorp/vault-secrets-operator/main/chart/crds/secrets.hashicorp.com_vaultconnections.yaml
kubectl apply -f https://raw.githubusercontent.com/hashicorp/vault-secrets-operator/main/chart/crds/secrets.hashicorp.com_vaultauths.yaml

export VAULT_TOKEN=<TOKEN>
terraform init --upgrade
terraform apply
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: demo-infra
  namespace: default
spec:
  vaultAuthRef: dev            # Reference to a VaultAuth CRD, e.g., token or approle
  mount: kubeconfigs                  # The KV mount path in Vault
  type: kv-v2                  # KV engine version
  path: demo-infra             # Path under the mount
  refreshAfter: 10s            # How often to sync from Vault
  destination:
    create: true
    name: demo-infra-kube # Name of the Kubernetes Secret to create
CALL MODULE W/ VALUES 
module "vault-base-setup" {
  source = "github.com/stuttgart-things/vault-base-setup"
  createDefaultAdminPolicy = true
  secret_engines = [
    {
      path         = "cloud"
      name         = "vsphere"
      description  = "vsphere secrets",
      data_json    = <<EOT
      {
        "ip": "10.31.101.51"
      }
      EOT
    },
    {
      path         = "apps"
      name         = "s3"
      description  = "minio s3 secrets"
      data_json    = <<EOT
      {
        "accessKey": "this",
        "secretKey": "andThat" # pragma: allowlist secret
      }
      EOT
    }
  ]
  kv_policies = [
    {
      name         = "read-all-s3-kvv2"
      capabilities = <<EOF
path "s3-*/*" {
    capabilities = ["list", "read"]
}
EOF
    },
    {
      name         = "read-write-all-s3-kvv2"
      capabilities = <<EOF
path "s3-*/*" {
    capabilities = ["create", "read", "update", "patch", "list"]
}
EOF
    }
  ]
  enableApproleAuth = true
  approle_roles = [
    {
      name         = "s3"
      token_policies = ["read-all-s3-kvv2", "read-write-all-s3-kvv2"]
    },
    {
      name         = "s4"
      token_policies = ["read-all-s3-kvv2"]
    }
  ]
  enableUserPass = true
  user_list = [
    {
      path         = "auth/userpass/users/user1"
      data_json    = <<EOT
      {
        "password": "helloGitHub", # pragma: allowlist secret
        "policies": ""read-all-s3-kvv2", "read-write-all-s3-kvv2", "admin"
      }
      EOT
  }
  ]
  kubeconfig_path = "/home/sthings/.kube/labda-app"
  k8s_auths = [
    {
      name = "dev"
      namespace = "default"
      token_policies = ["read-all-s3-kvv2", "read-write-all-s3-kvv2"]
      token_ttl = 3600
    },
    {
      name = "cicd"
      namespace = "tektoncd"
      token_policies = ["read-all-tektoncd-kvv2"]
      token_ttl = 3600
    }
  ]
}

output "role_id" {
    value = module.vault-base-setup.role_id
}

output "secret_id" {
    value = module.vault-base-setup.secret_id
}
EXECUTE TERRAFORM 
export VAULT_ADDR=${VAULT_ADDR}
export VAULT_TOKEN=${VAULT_TOKEN}

terraform init
terraform validate
terraform plan
terraform apply

Author Information

Xiaomin Lai, stuttgart-things 10/2023
Patrick Hermann, stuttgart-things 12/2023

License

Licensed under the Apache License, Version 2.0 (the "License").

You may obtain a copy of the License at apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" basis, without WARRANTIES or conditions of any kind, either express or implied.

See the License for the specific language governing permissions and limitations under the License.

About

terraform module for base-setup configuration of hashicorp vault.

Topics

vault terraform vso csi-secrets-store k8s-auth

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages