djpbessems/Kubernetes.K3s.installLog
djpbessems/Kubernetes.K3s.installLog
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Vault--(reference docs left);SealedSecrets++

Browse Source
This commit is contained in:
Danny Bessems 2022-01-09 20:16:16 +01:00
parent 4475ab3f10
commit c3c660cbd4
2 changed files with 45 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
README.md
View File

@ -151,57 +151,27 @@ kubectl delete ingressroute traefik-dashboard --namespace kube-system
``` ```
### 3) Secret management ### 3) Secret management
*Perform these steps **after** configuring persistent storage **and** ingress* *Prereq*: latest `kubeseal` [release](https://github.com/bitnami-labs/sealed-secrets/releases)
##### 3.1) Create `persistentVolume` and `ingressRoute`
*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`* ##### 3.1) Install Helm Chart
See [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets#helm-chart):
```shell ```shell
kubectl create namespace vault helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
kubectl apply -f services/Vault/persistentVolume-Vault.yml
kubectl apply -f services/Vault/ingressRoute-Vault.yml
```
##### 3.2) Install Helm Chart
*REMOVED; left for reference*
See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run):
```shell
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update helm repo update
helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml helm install sealed-secrets-controller -n kube-system sealed-secrets/sealed-secrets
``` ```
Configure Vault for use;
- ~~Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)~~ Fix servicename (see [#502](https://github.com/bitnami-labs/sealed-secrets/issues/502)):
- Store basic access policy template
- Enable `kv`-engine
``` ```
# kubectl exec -n vault -it vault-0 -- sh kubectl patch service -n kube-system sealed-secrets-controller -p '{"spec": {"ports": [{"port": 8080, protocol: "TCP", targetPort: 8080}]}}'
# It might be necessary to first login with an existing token:
# vault login
cat <<EOF > /home/vault/app-policy.hcl
path "secret*" {
capabilities = ["read"]
}
EOF
vault secrets enable -path=secret -version=2 kv
``` ```
### 4) Services ### 4) Services
##### 4.1) [Adminer](https://www.adminer.org/) <small>(SQL management)</small> ##### 4.1) [Adminer](https://www.adminer.org/) <small>(SQL management)</small>
```shell ```shell
kubectl apply -f services/Adminer/configMap-Adminer.yml kubectl apply -f services/Adminer/configMap-Adminer.yml
kubectl apply -f services/Adminer/deploy-Adminer.yml kubectl apply -f services/Adminer/deploy-Adminer.yml
``` ```
Vault configuration:
```
vault kv put secret/adminer \
sqlitepw=<value>
vault write auth/kubernetes/role/adminer \
bound_service_account_names=adminer \
bound_service_account_namespaces=default \
policies=adminer \
ttl=1h
vault policy write adminer /home/vault/app-policy.hcl
```
##### 4.2) [Vaultwarden](https://github.com/dani-garcia/vaultwarden) <small>(password manager)</small> ##### 4.2) [Vaultwarden](https://github.com/dani-garcia/vaultwarden) <small>(password manager)</small>
*Requires [mount.cifs](https://linux.die.net/man/8/mount.cifs)' option `nobrl`* *Requires [mount.cifs](https://linux.die.net/man/8/mount.cifs)' option `nobrl`*
```shell ```shell

35
services/Vault/README.md Normal file
View File

@ -0,0 +1,35 @@
### 1) HashiCorp Vault
Not currently in use (using bitnami sealed-secrets instead); left for reference
##### 1.1) Create `persistentVolume` and `ingressRoute`
*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`*
```shell
kubectl create namespace vault
kubectl apply -f services/Vault/persistentVolume-Vault.yml
kubectl apply -f services/Vault/ingressRoute-Vault.yml
```
##### 1.2) Install Helm Chart
*REMOVED; left for reference*
See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run):
```shell
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml
```
Configure Vault for use;
- ~~Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)~~- Store basic access policy template
- Enable `kv`-engine
```
# kubectl exec -n vault -it vault-0 -- sh
# It might be necessary to first login with an existing token:
# vault login
cat <<EOF > /home/vault/app-policy.hcl
path "secret*" {
capabilities = ["read"]
}
EOF
vault secrets enable -path=secret -version=2 kv
```