diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 5980d3f..9c3507f 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -35,7 +35,7 @@ jobs:
 fi
 - name: Run chart-testing (lint)
- run: ct lint
+ run: ct lint --excluded-charts vault-gcr-secrets
 - name: Docker Lint
 uses: luke142367/Docker-Lint-Action@v1.0.0
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index ef14403..93ec0ff 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -50,17 +50,17 @@ jobs:
 - name: Build Docker Image for local testing
 run: |
- docker build -t $KIND_REGISTRY/vault-gcr-secrets:test .
- docker push $KIND_REGISTRY/vault-gcr-secrets:test
+ docker build -t $KIND_REGISTRY/vault-gcp-secrets:test .
+ docker push $KIND_REGISTRY/vault-gcp-secrets:test
 - name: Install Vault Service
 run: ./test/scripts/vault-install.sh
- - name: Configure ${{ matrix.auth }} Vault authentication
- run: ./test/scripts/vault-auth-${{ matrix.auth }}.sh
+ - name: Configure ${AUTH_METHOD} Vault authentication
+ run: ./test/scripts/vault-auth-${AUTH_METHOD}.sh
- - name: Configure Vault ${{ matrix.auth }} Role
- run: ./test/scripts/vault-role-${{ matrix.auth }}.sh
+ - name: Configure Vault ${AUTH_METHOD} Role
+ run: ./test/scripts/vault-role-${AUTH_METHOD}.sh
 - name: Setup GCP secrets engine
 id: gcp-secrets
@@ -68,7 +68,7 @@ jobs:
 GCP_CREDENTIALS: ${{ secrets.GCP_TEST_ACCOUNT }}
 run: ./test/scripts/vault-gcp-secrets.sh
- - name: Install vault-gcr-secrets
+ - name: Install vault-gcp-secrets
 run: ./test/scripts/install-chart.sh
 - name: Verify Secret
diff --git a/README.md b/README.md
index 51a170e..60a279b 100644
--- a/README.md
+++ b/README.md
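Review bot: `${AUTH_METHOD}` inside the two `name:` fields is never expanded, because a step's `name:` is a plain string into which only `${{ }}` expressions are substituted, so the run log will title these steps literally `Configure ${AUTH_METHOD} Vault authentication`; only the `run:` lines, which go through the shell, pick the variable up. Keep the expression form for the titles, e.g. `- name: Configure ${{ matrix.auth }} Vault authentication` (or `${{ env.AUTH_METHOD }}` if the value now comes from the job's `env:` block), and leave the `run:` lines with `${AUTH_METHOD}`. The job's `strategy`/`env` definition that provides `AUTH_METHOD` sits outside this hunk, so whether `matrix.auth` still exists cannot be confirmed here.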
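Review bot: `GCP_CREDENTIALS: ${{ secrets.GCP_TEST_ACCOUNT }}` hands the full service-account key JSON to `./test/scripts/vault-gcp-secrets.sh`, and that script's hunk at the end of this diff (cut off in this view) now runs `echo "${GCP_CREDENTIALS}" | jq -r '.project_id'`; if that script carries the same `set -x` preamble that `end-cleanup.sh` shows, xtrace prints the expanded echo argument — the whole key — into the CI log, leaving GitHub's secret masking as the only protection. Reading the variable without placing it on a command line avoids the trace, e.g. `PROJECT_ID=$(jq -rn 'env.GCP_CREDENTIALS | fromjson | .project_id')`. Since this credential is exercised on every run, it is worth confirming the test account is limited to the service-account roles the scripts README lists.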
@@ -1,10 +1,12 @@
-# Vault GCR Secrets
+# Vault GCP Secrets
-Use vault agent to keep a `vault_gcp_secret_roleset` service account key updated as a
-docker-registry secret in Kubernetes. This can be used as `imagePullSecrets` to retrieve images
-from a private GCR.
+Use vault agent to keep a `vault_gcp_secrets_roleset` service account key updated as a
+Kubernetes secret, either for docker-registry or generic (Opaque). This can be used
+for various other pods needing access to Google Services without having a vault agent
+for each one. It can also be used as `imagePullSecrets` (for docker type) to retrieve
+images from a private GCR repository.
-NOTE: This is alpha quality, use it at your own risk.
+NOTE: We are using this code in the production environment. You may use it at your own risk.
 ## Prerequisites
@@ -13,10 +15,11 @@ NOTE: This is alpha quality, use it at your own risk.
 ## Installation
-* helm repo add vault-gcr-secrets https://tjm.github.io/vault-gcr-secrets/
+* helm repo add vault-gcp-secrets https://tjm.github.io/vault-gcp-secrets/
 * helm repo update
-* helm install vault-gcr-secrets/vault-gcr-secrets
+* helm install vault-gcp-secrets/vault-gcp-secrets
 NOTE: You will most likely need to set some values, like authentication method, path, etc.
-This chart was rougly based on the [vault-secrets-operator](https://github.com/ricoberger/vault-secrets-operator), which at the time was unable to support GCP secrets engine.
+This chart was rougly based on the [vault-secrets-operator](https://github.com/ricoberger/vault-secrets-operator),
+which at the time was unable to support GCP secrets engine.
diff --git a/charts/vault-gcr-secrets/.helmignore b/charts/vault-gcp-secrets/.helmignore
similarity index 100%
rename from charts/vault-gcr-secrets/.helmignore
rename to charts/vault-gcp-secrets/.helmignore
diff --git a/charts/vault-gcp-secrets/Chart.yaml b/charts/vault-gcp-secrets/Chart.yaml
new file mode 100644
index 0000000..c5d7095
--- /dev/null
+++ b/charts/vault-gcp-secrets/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+name: vault-gcp-secrets
+description: Create and maintain Kubernetes secret from Vault GCP Secrets Engine with vault agent.
+home: https://github.com/TJM/vault-gcp-secrets
+# icon: https://raw.githubusercontent.com/TJM/vault-gcp-secrets/master/assets/logo.png
+maintainers:
+ - name: TJM # Tommy McNeely
+version: 0.4.0
+appVersion: 0.4.0
diff --git a/charts/vault-gcr-secrets/README.md b/charts/vault-gcp-secrets/README.md
similarity index 77%
rename from charts/vault-gcr-secrets/README.md
rename to charts/vault-gcp-secrets/README.md
index 5c43ea4..510b8b4 100644
--- a/charts/vault-gcr-secrets/README.md
+++ b/charts/vault-gcp-secrets/README.md
@@ -1,8 +1,12 @@
-# Vault GCR Secrets
+# Vault GCP Secrets
-Use vault agent to keep a `vault_gcp_secret_roleset` service account key updated as a
-docker-registry secret in Kubernetes. This can be used as `imagePullSecrets` to retrieve images
-from a private GCR.
+Use vault agent to keep a `vault_gcp_secrets_roleset` service account key updated as a
+Kubernetes secret, either for docker-registry or generic (Opaque). This can be used
+for various other pods needing access to Google Services without having a vault agent
+for each one. It can also be used as `imagePullSecrets` (for docker type) to retrieve
+images from a private GCR repository.
+
+NOTE: We are using this code in the production environment. You may use it at your own risk.
 NOTE: This is alpha quality, use it at your own risk.
@@ -10,7 +14,7 @@ NOTE: This is alpha quality, use it at your own risk.
 | ----- | ----------- | ------- |
 | `replicaCount` | Number of replications which should be created. | `1` |
 | `deploymentStrategy` | Deployment strategy which should be used. | `{}` |
-| `image.repository` | The repository of the Docker image. | `quay.io/tommydavita/vault-gcr-secrets` |
+| `image.repository` | The repository of the Docker image. | `quay.io/tommydavita/vault-gcp-secrets` |
 | `image.tag` | The tag of the Docker image which should be used. | `1.15.2` |
 | `image.pullPolicy` | The pull policy for the Docker image, | `IfNotPresent` |
 | `image.volumeMounts` | Mount additional volumns to the container. | `[]` |
@@ -21,19 +25,19 @@ NOTE: This is alpha quality, use it at your own risk.
 | `vault.address` | The address where Vault listen on (e.g. `http://vault.example.com`). | `"http://vault:8200"` |
 | `vault.authMethod` | The authentication method, which should be used by the operator. Can be `kubernetes` ([Kubernetes auth method](https://www.vaultproject.io/docs/auth/kubernetes.html)), or `approle` ([AppRole auth method](https://www.vaultproject.io/docs/auth/approle)). | `kubernetes` |
 | `vault.kubernetesPath` | If the Kubernetes auth method is used, this is the path where the Kubernetes auth method is enabled. | `auth/kubernetes` |
-| `vault.kubernetesRole` | The name of the role which is configured for the Kubernetes auth method. | `vault-gcr-secrets` |
+| `vault.kubernetesRole` | The name of the role which is configured for the Kubernetes auth method. | `vault-gcp-secrets` |
 | `vault.appRolePath` | If the AppRole auth method is used, this is the path where the AppRole auth method is enabled. | `auth/approle` |
 | `vault.reconciliationTime` | The time after which the reconcile function for the CR is rerun. If the value is 0, automatic reconciliation is skipped. | `0` |
 | `rbac.create` | Create RBAC object, enable Role and Role binding creation. | `true` |
 | `rbac.createrole` | Finetune RBAC, enable or disable Role creation. NOTE: ignored when `rbac.create` is not `true`. | `true` |
 | `serviceAccount.create` | Create the service account. | `true` |
-| `serviceAccount.name` | The name of the service account, which should be created/used by the operator. | `vault-gcr-secrets` |
-| `podAnnotations` | Annotations for vault-gcr-secrets pod(s). | `{}` |
+| `serviceAccount.name` | The name of the service account, which should be created/used by the operator. | `vault-gcp-secrets` |
+| `podAnnotations` | Annotations for vault-gcp-secrets pod(s). | `{}` |
 | `podSecurityContext`: | Security context policies to add to the operator pod. | `{}` |
 | `securityContext`: | Security context policies to add to the containers. | `{}` |
-| `podLabels` | Additional labels for the vault-gcr-secrets pod(s). | `{}` |
-| `testPodAnnotations` | Annotations for vault-gcr-secrets-test-connection pod. | `{}` |
-| `testPodLabels` | Additional labels for the vault-gcr-secrets-test-connection pod. | `{}` |
+| `podLabels` | Additional labels for the vault-gcp-secrets pod(s). | `{}` |
+| `testPodAnnotations` | Annotations for vault-gcp-secrets-test-connection pod. | `{}` |
+| `testPodLabels` | Additional labels for the vault-gcp-secrets-test-connection pod. | `{}` |
 | `resources` | Set resources for the operator. | `{}` |
 | `volumes` | Provide additional volumns for the container. | `[]` |
 | `nodeSelector` | Set a node selector. | `{}` |
diff --git a/charts/vault-gcr-secrets/templates/NOTES.txt b/charts/vault-gcp-secrets/templates/NOTES.txt
similarity index 67%
rename from charts/vault-gcr-secrets/templates/NOTES.txt
rename to charts/vault-gcp-secrets/templates/NOTES.txt
index ebab9b6..4c5898d 100644
--- a/charts/vault-gcr-secrets/templates/NOTES.txt
+++ b/charts/vault-gcp-secrets/templates/NOTES.txt
@@ -1,8 +1,8 @@
 1. Check the pod by running these commands:
- kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vault-gcr-secrets.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
+ kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vault-gcp-secrets.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
 {{ if contains "kubernetes" .Values.vault.authMethod }}
-2. Configure Vault using the "{{ template "vault-gcr-secrets.serviceAccountName" . }}" ServiceAccount.
+2. Configure Vault using the "{{ template "vault-gcp-secrets.serviceAccountName" . }}" ServiceAccount.
 {{ end }}
diff --git a/charts/vault-gcr-secrets/templates/_helpers.tpl b/charts/vault-gcp-secrets/templates/_helpers.tpl
similarity index 72%
rename from charts/vault-gcr-secrets/templates/_helpers.tpl
rename to charts/vault-gcp-secrets/templates/_helpers.tpl
index eab101f..9bf950f 100644
--- a/charts/vault-gcr-secrets/templates/_helpers.tpl
+++ b/charts/vault-gcp-secrets/templates/_helpers.tpl
@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "vault-gcr-secrets.name" -}}
+{{- define "vault-gcp-secrets.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "vault-gcr-secrets.fullname" -}}
+{{- define "vault-gcp-secrets.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -27,16 +27,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "vault-gcr-secrets.chart" -}}
+{{- define "vault-gcp-secrets.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Common labels
 */}}
-{{- define "vault-gcr-secrets.labels" -}}
-app.kubernetes.io/name: {{ include "vault-gcr-secrets.name" . }}
-helm.sh/chart: {{ include "vault-gcr-secrets.chart" . }}
+{{- define "vault-gcp-secrets.labels" -}}
+app.kubernetes.io/name: {{ include "vault-gcp-secrets.name" . }}
+helm.sh/chart: {{ include "vault-gcp-secrets.chart" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- if .Values.podLabels }}
@@ -47,15 +47,15 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 matchLabels
 */}}
-{{- define "vault-gcr-secrets.matchLabels" -}}
-app.kubernetes.io/name: {{ include "vault-gcr-secrets.name" . }}
+{{- define "vault-gcp-secrets.matchLabels" -}}
+app.kubernetes.io/name: {{ include "vault-gcp-secrets.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{/*
 Additional pod annotations
 */}}
-{{- define "vault-gcr-secrets.annotations" -}}
+{{- define "vault-gcp-secrets.annotations" -}}
 {{- if .Values.podAnnotations }}
 {{- toYaml .Values.podAnnotations }}
 {{- end }}
@@ -64,7 +64,7 @@ Additional pod annotations
 {{/*
 Additional test-connection pod annotations
 */}}
-{{- define "vault-gcr-secrets.testPodAnnotations" -}}
+{{- define "vault-gcp-secrets.testPodAnnotations" -}}
 {{- if .Values.testPodAnnotations }}
 {{- toYaml .Values.testPodAnnotations }}
 {{- end }}
@@ -73,7 +73,7 @@ Additional test-connection pod annotations
 {{/*
 Additional test-connection pod labels
 */}}
-{{- define "vault-gcr-secrets.testPodLabels" -}}
+{{- define "vault-gcp-secrets.testPodLabels" -}}
 {{- if .Values.testPodLabels }}
 {{- toYaml .Values.testPodLabels }}
 {{- end }}
@@ -82,9 +82,9 @@ Additional test-connection pod labels
 {{/*
 Create the name of the service account to use.
 */}}
-{{- define "vault-gcr-secrets.serviceAccountName" -}}
+{{- define "vault-gcp-secrets.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create -}}
- {{ default (include "vault-gcr-secrets.fullname" .) .Values.serviceAccount.name }}
+ {{ default (include "vault-gcp-secrets.fullname" .) .Values.serviceAccount.name }}
 {{- else -}}
 {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
@@ -93,5 +93,5 @@ Create the name of the service account to use.
 {{/*
 Additional containers to add to the deployment
 */}}
-{{- define "vault-gcr-secrets.additionalContainers" -}}
+{{- define "vault-gcp-secrets.additionalContainers" -}}
 {{- end -}}
diff --git a/charts/vault-gcr-secrets/templates/configmap.yaml b/charts/vault-gcp-secrets/templates/configmap.yaml
similarity index 93%
rename from charts/vault-gcr-secrets/templates/configmap.yaml
rename to charts/vault-gcp-secrets/templates/configmap.yaml
index 97aa51b..d152148 100644
--- a/charts/vault-gcr-secrets/templates/configmap.yaml
+++ b/charts/vault-gcp-secrets/templates/configmap.yaml
@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: {{ template "vault-gcr-secrets.fullname" . }}-config
+ name: {{ template "vault-gcp-secrets.fullname" . }}-config
 namespace: {{ .Release.Namespace }}
 labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 {{- if .Values.podAnnotations }}
 annotations:
-{{ include "vault-gcr-secrets.annotations" . | indent 4 }}
+{{ include "vault-gcp-secrets.annotations" . | indent 4 }}
 {{- end }}
 data:
 agent.hcl: |
diff --git a/charts/vault-gcr-secrets/templates/deployment.yaml b/charts/vault-gcp-secrets/templates/deployment.yaml
similarity index 86%
rename from charts/vault-gcr-secrets/templates/deployment.yaml
rename to charts/vault-gcp-secrets/templates/deployment.yaml
index 17b41c5..474337b 100644
--- a/charts/vault-gcr-secrets/templates/deployment.yaml
+++ b/charts/vault-gcp-secrets/templates/deployment.yaml
@@ -1,14 +1,14 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: {{ include "vault-gcr-secrets.fullname" . }}
+ name: {{ include "vault-gcp-secrets.fullname" . }}
 namespace: {{ .Release.Namespace }}
 labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 annotations:
 checksum/config-map: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
 {{- if .Values.podAnnotations }}
-{{ include "vault-gcr-secrets.annotations" . | indent 4 }}
+{{ include "vault-gcp-secrets.annotations" . | indent 4 }}
 {{- end }}
 spec:
 replicas: {{ .Values.replicaCount }}
@@ -18,22 +18,22 @@ spec:
 {{- end }}
 selector:
 matchLabels:
-{{ include "vault-gcr-secrets.matchLabels" . | indent 6 }}
+{{ include "vault-gcp-secrets.matchLabels" . | indent 6 }}
 template:
 metadata:
 labels:
-{{ include "vault-gcr-secrets.labels" . | indent 8 }}
+{{ include "vault-gcp-secrets.labels" . | indent 8 }}
 annotations:
 checksum/config-map: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
 {{- if .Values.podAnnotations }}
-{{ include "vault-gcr-secrets.annotations" . | indent 8 }}
+{{ include "vault-gcp-secrets.annotations" . | indent 8 }}
 {{- end }}
 spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- serviceAccountName: {{ template "vault-gcr-secrets.serviceAccountName" . }}
+ serviceAccountName: {{ template "vault-gcp-secrets.serviceAccountName" . }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
@@ -85,11 +85,11 @@ spec:
 resources:
 {{- toYaml . | nindent 12 }}
 {{- end }}
- {{- include "vault-gcr-secrets.additionalContainers" . | nindent 8 }}
+ {{- include "vault-gcp-secrets.additionalContainers" . | nindent 8 }}
 volumes:
 - name: vault-agent-config
 configMap:
- name: {{ template "vault-gcr-secrets.fullname" . }}-config
+ name: {{ template "vault-gcp-secrets.fullname" . }}-config
 {{- if .Values.vault.credentialSecretName }}
 - name: vault-credentials
 secret:
diff --git a/charts/vault-gcr-secrets/templates/role-binding.yaml b/charts/vault-gcp-secrets/templates/role-binding.yaml
similarity index 61%
rename from charts/vault-gcr-secrets/templates/role-binding.yaml
rename to charts/vault-gcp-secrets/templates/role-binding.yaml
index e052d7e..3dc836c 100644
--- a/charts/vault-gcr-secrets/templates/role-binding.yaml
+++ b/charts/vault-gcp-secrets/templates/role-binding.yaml
@@ -2,17 +2,17 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ template "vault-gcr-secrets.fullname" . }}
+ name: {{ template "vault-gcp-secrets.fullname" . }}
 namespace: {{ .Release.Namespace }}
 labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: vault-gcr-secrets
+ name: vault-gcp-secrets
 subjects:
 - apiGroup: ""
 kind: ServiceAccount
- name: {{ template "vault-gcr-secrets.serviceAccountName" . }}
+ name: {{ template "vault-gcp-secrets.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 {{ end }}
diff --git a/charts/vault-gcr-secrets/templates/role.yaml b/charts/vault-gcp-secrets/templates/role.yaml
similarity index 77%
rename from charts/vault-gcr-secrets/templates/role.yaml
rename to charts/vault-gcp-secrets/templates/role.yaml
index c482c87..c9c7167 100644
--- a/charts/vault-gcr-secrets/templates/role.yaml
+++ b/charts/vault-gcp-secrets/templates/role.yaml
@@ -2,10 +2,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: {{ template "vault-gcr-secrets.fullname" . }}
+ name: {{ template "vault-gcp-secrets.fullname" . }}
 namespace: {{ .Release.Namespace }}
 labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 rules:
 - apiGroups:
 - ""
diff --git a/charts/vault-gcr-secrets/templates/secret.yaml b/charts/vault-gcp-secrets/templates/secret.yaml
similarity index 86%
rename from charts/vault-gcr-secrets/templates/secret.yaml
rename to charts/vault-gcp-secrets/templates/secret.yaml
index 4e47f7b..107cfb9 100644
--- a/charts/vault-gcr-secrets/templates/secret.yaml
+++ b/charts/vault-gcp-secrets/templates/secret.yaml
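Review bot: `roleRef.name: vault-gcp-secrets` is still a hard-coded literal, while the Role it must point to is created in role.yaml (next hunk) as `name: {{ template "vault-gcp-secrets.fullname" . }}`; the two only coincide when the release name contains the chart name, which is the fullname helper's documented behaviour and which the CI `helm upgrade --install vault-gcp-secrets ./charts/vault-gcp-secrets` happens to satisfy. Any other release name, or a `fullnameOverride`, yields a RoleBinding to a Role that does not exist, so the service account silently gets no permissions and the agent cannot write the secret. Use the same expression on both sides: `name: {{ template "vault-gcp-secrets.fullname" . }}`.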
@@ -6,5 +6,5 @@ metadata:
 name: {{ .Values.secret.name | quote }}
 namespace: {{ .Release.Namespace }}
 labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 type: {{ .Values.secret.type | quote }}
diff --git a/charts/vault-gcr-secrets/templates/service-account.yaml b/charts/vault-gcp-secrets/templates/service-account.yaml
similarity index 54%
rename from charts/vault-gcr-secrets/templates/service-account.yaml
rename to charts/vault-gcp-secrets/templates/service-account.yaml
index 517b4ee..6b83f6f 100644
--- a/charts/vault-gcr-secrets/templates/service-account.yaml
+++ b/charts/vault-gcp-secrets/templates/service-account.yaml
@@ -2,8 +2,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: {{ template "vault-gcr-secrets.serviceAccountName" . }}
+ name: {{ template "vault-gcp-secrets.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 {{ end }}
diff --git a/charts/vault-gcp-secrets/values.yaml b/charts/vault-gcp-secrets/values.yaml
new file mode 100644
index 0000000..668ea35
--- /dev/null
+++ b/charts/vault-gcp-secrets/values.yaml
@@ -0,0 +1,125 @@
+# Values for vault-gcp-secrets
+
+replicaCount: 1
+deploymentStrategy: {}
+
+image:
+ repository: quay.io/tommydavita/vault-gcp-secrets
+ tag: v0.3.0
+ pullPolicy: IfNotPresent
+ volumeMounts: []
+ # - name: ca
+ # mountPath: "/etc/vault-gcp-secrets"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+environmentVars: []
+
+
+# Set the address for vault (by default we assume you are running a dev
+# instance of vault in the same namespace as the operator) and specify the
+# authentication method for the operator. Possible values are:
+# 'kubernetes', or 'approle'.
+
+# If the authentication method is 'kubernetes':
+# * You must provide the 'kubernetesRole' which should be used for the authentication.
+# The default authentication path for the Kubernets Auth method is 'auth/kubernetes',
+# if you enabled it under another path you must change the 'authMountPath' value.
+#
+# If the auth method is 'approle':
+# * You must provide `credentialSecretName` pointing to a secret with the keys
+# `role_id` and `secret_id` set.
+# The default authentication path for 'approle' auth is 'auth/approle',
+# if you enabled it under another path you must change the 'authMountPath' value.
+#
+vault:
+ ## Vault Address, eg: http://localhost:8200
+ address: "http://vault:8200"
+
+ ## number of retries before exiting in error (this helps prevent running out of leases)
+ numRetries: 3
+
+ ## Vault authMethod (currently supported values are `appRole` or `kubernetes`)
+ authMethod: kubernetes
+ # If null, VAULT defaults to `auth/authMethod`
+ authMountPath: ~
+
+ credentialSecretName: ~
+ kubernetesRole: vault-gcp-secrets
+ gcpSecretPath: gcp/my-role
+
+## K8s Destination Secret
+secret:
+ # Resulting name of the kubernetes secret
+ name: gcp-secret
+
+ # Key is the name of the secret key under data (for Opaque)
+ key: key.json
+
+ # Secret Type
+ type: kubernetes.io/dockerconfigjson
+
+ ## what values to pull from the vault secret (inside with secret )
+ template: base64Decode .Data.private_key_data
+
+ ## Set a custom template command. The template output will be written to /dev/shm/key.json
+ # customTemplateCommand: |
+ # kubectl create secret {{ .Values.secret.type }} "{{ .Values.secret.name }}" --from-file={{ .Values.secret.key }}=/dev/shm/key.json --dry-run=client -o yaml | kubectl apply -f -
+ # kubectl describe secret {{ .Values.secret.name }}
+
+ ## For docker-registry secret.type, these parameters will be used
+ dockerServer: gcr.io
+ dockerUsername: _json_key
+ dockerEmail: not.used@example.com
+
+rbac:
+ create: true
+ createrole: true
+
+serviceAccount:
+ create: true
+ name: vault-gcp-secrets
+
+# Annotations for vault-gcp-secrets pod(s).
+podAnnotations: {}
+
+# Additional labels for the vault-gcp-secrets pod(s).
+podLabels: {}
+
+podSecurityContext: {}
+
+securityContext: {}
+
+# Annotations for the vault-gcp-secrets-test-connection pod
+testPodAnnotations: {}
+
+# Additional labels for the vault-gcp-secrets-test-connection pod
+testPodLabels: {}
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+volumes: []
+ # - name: ca
+ # secret:
+ # secretName: vault-gcp-secrets-ca
+ # items:
+ # - key: ca.pem
+ # path: ca.pem
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/charts/vault-gcr-secrets/Chart.yaml b/charts/vault-gcr-secrets/Chart.yaml
index 5400c09..9c48a45 100644
--- a/charts/vault-gcr-secrets/Chart.yaml
+++ b/charts/vault-gcr-secrets/Chart.yaml
@@ -1,9 +1,8 @@
 apiVersion: v1
 name: vault-gcr-secrets
-description: Create Kubernetes Docker-Registry secrets from Vault GCP Secrets Engine to access GCR.
+description: '[DEPRECATED] See https://github.com/TJM/vault-gcp-secrets'
 home: https://github.com/TJM/vault-gcr-secrets
 # icon: https://raw.githubusercontent.com/TJM/vault-gcr-secrets/master/assets/logo.png
-maintainers:
- - name: TJM # Tommy McNeely
-version: 0.3.1
-appVersion: 0.3.1
+deprecated: true
+version: 0.3.2
+appVersion: 0.3.2
diff --git a/charts/vault-gcr-secrets/templates/deprecated.yaml b/charts/vault-gcr-secrets/templates/deprecated.yaml
new file mode 100644
index 0000000..3a047b5
--- /dev/null
+++ b/charts/vault-gcr-secrets/templates/deprecated.yaml
@@ -0,0 +1,4 @@
+{{- define "common.errors.deprecated" -}}
+ {{- printf "\n DEPRECATION ERROR: This chart is deprecated - see https://github.com/TJM/vault-gcp-secrets for the replacement." | fail -}}
+{{- end -}}
+{{ include "common.errors.deprecated" . }}
diff --git a/charts/vault-gcr-secrets/values.yaml b/charts/vault-gcr-secrets/values.yaml
index 6cc23b8..89d443a 100644
--- a/charts/vault-gcr-secrets/values.yaml
+++ b/charts/vault-gcr-secrets/values.yaml
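Review bot: `tag: v0.3.0` under `image:` disagrees with `appVersion: 0.4.0` in the new Chart.yaml, and the chart README in this same diff still lists the default tag as `1.15.2`, so three different versions are advertised for one image; set the tag this chart is actually released with (`tag: v0.4.0` if that image has been published) or default it from `.Chart.AppVersion` in deployment.yaml. `authMountPath: ~` and `credentialSecretName: ~` read more clearly as `null`, which is also the word the comment above them uses. `podSecurityContext: {}` and `securityContext: {}` leave the pod that holds the Vault token and the GCP key with no hardening by default; a baseline of `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` in `securityContext` is a reasonable default that users can still override, provided the image tolerates it.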
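Review bot: the define is named `common.errors.deprecated` although nothing in this chart uses a `common.` library; every other helper here is prefixed with the chart name, and named templates are global across a release (subcharts included), so the unprefixed name can collide with a library chart that defines the same identifier. `{{- define "vault-gcr-secrets.errors.deprecated" -}}` with the matching `include` keeps the convention. It is also worth a `helm template` run to confirm the DEPRECATION ERROR text is the error users actually see: templates such as configmap.yaml and NOTES.txt still dereference `.Values.vault.*`, and with values.yaml reduced to `deprecated: true` one of those nil lookups may surface before this `fail` does, depending on render order.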
@@ -1,125 +1,2 @@
-# Values for vault-gcr-secrets
-
-replicaCount: 1
-deploymentStrategy: {}
-
-image:
- repository: quay.io/tommydavita/vault-gcr-secrets
- tag: v0.3.0
- pullPolicy: IfNotPresent
- volumeMounts: []
- # - name: ca
- # mountPath: "/etc/vault-gcr-secrets"
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-environmentVars: []
-
-
-# Set the address for vault (by default we assume you are running a dev
-# instance of vault in the same namespace as the operator) and specify the
-# authentication method for the operator. Possible values are:
-# 'kubernetes', or 'approle'.
-
-# If the authentication method is 'kubernetes':
-# * You must provide the 'kubernetesRole' which should be used for the authentication.
-# The default authentication path for the Kubernets Auth method is 'auth/kubernetes',
-# if you enabled it under another path you must change the 'authMountPath' value.
-#
-# If the auth method is 'approle':
-# * You must provide `credentialSecretName` pointing to a secret with the keys
-# `role_id` and `secret_id` set.
-# The default authentication path for 'approle' auth is 'auth/approle',
-# if you enabled it under another path you must change the 'authMountPath' value.
-#
-vault:
- ## Vault Address, eg: http://localhost:8200
- address: "http://vault:8200"
-
- ## number of retries before exiting in error (this helps prevent running out of leases)
- numRetries: 3
-
- ## Vault authMethod (currently supported values are `appRole` or `kubernetes`)
- authMethod: kubernetes
- # If null, VAULT defaults to `auth/authMethod`
- authMountPath: ~
-
- credentialSecretName: ~
- kubernetesRole: vault-gcr-secrets
- gcpSecretPath: gcp/gcr-role
-
-## K8s Destination Secret
-secret:
- # Resulting name of the kubernetes secret
- name: gcr-secret
-
- # Key is the name of the secret key under data (for Opaque)
- key: key.json
-
- # Secret Type
- type: kubernetes.io/dockerconfigjson
-
- ## what values to pull from the vault secret (inside with secret )
- template: base64Decode .Data.private_key_data
-
- ## Set a custom template command. The template output will be written to /dev/shm/key.json
- # customTemplateCommand: |
- # kubectl create secret {{ .Values.secret.type }} "{{ .Values.secret.name }}" --from-file={{ .Values.secret.key }}=/dev/shm/key.json --dry-run=client -o yaml | kubectl apply -f -
- # kubectl describe secret {{ .Values.secret.name }}
-
- ## For docker-registry secret.type, these parameters will be used
- dockerServer: gcr.io
- dockerUsername: _json_key
- dockerEmail: not.used@example.com
-
-rbac:
- create: true
- createrole: true
-
-serviceAccount:
- create: true
- name: vault-gcr-secrets
-
-# Annotations for vault-gcr-secrets pod(s).
-podAnnotations: {}
-
-# Additional labels for the vault-gcr-secrets pod(s).
-podLabels: {}
-
-podSecurityContext: {}
-
-securityContext: {}
-
-# Annotations for the vault-gcr-secrets-test-connection pod
-testPodAnnotations: {}
-
-# Additional labels for the vault-gcr-secrets-test-connection pod
-testPodLabels: {}
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-volumes: []
- # - name: ca
- # secret:
- # secretName: vault-gcr-secrets-ca
- # items:
- # - key: ca.pem
- # path: ca.pem
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
+### README: This chart is deprecated - Please switch over to `vault-gcp-secrets`
+deprecated: true
diff --git a/test/scripts/README.md b/test/scripts/README.md
index fd2127a..9589354 100644
--- a/test/scripts/README.md
+++ b/test/scripts/README.md
@@ -7,8 +7,8 @@ They can be run directly as well for testing, but require some environment varia
 * Google Cloud Account - _(create a free gmail account if you don't have one)_
 * You *do* have to setup billing, but none of the tests create any resources that have cost (just service accounts).
- * RECOMMENDED: Create a "Zero Cost" [budget](https://console.cloud.google.com/billing/014EF7-3D361E-0A6AA5/budgets) ($0.00) and assign it to this project. This ensures that even if something is compromised they can't create resources.
- * Enable the [IAM Service Account Credentials API](https://console.cloud.google.com/apis/library/iamcredentials.googleapis.com)
+ * RECOMMENDED: Create a "Zero Cost" [budget](https://console.cloud.google.com/billing/budgets) ($0.00) and assign it to this project. This ensures that even if something is compromised they can't create resources.
+ * Enable the [IAM Service Account Credentials API](https://console.developers.google.com/apis/api/iam.googleapis.com/overview)
 * Create a [Google Service Account](https://console.cloud.google.com/iam-admin/serviceaccounts/create) with the following roles
 * Service Account Admin
 * Service Account Key Admin
@@ -24,7 +24,7 @@ They can be run directly as well for testing, but require some environment varia
 ```bash
 export VAULT_ADDR='http://127.0.0.1:8200'
 export VAULT_AUTH_NAMESPACE='kube-system'
-export TARGET_NAMESPACE='gcr-secrets'
+export TARGET_NAMESPACE='gcp-secrets'
 export KIND_REGISTRY=''
 ```
diff --git a/test/scripts/end-cleanup.sh b/test/scripts/end-cleanup.sh
index 4e18dad..ecbc42e 100755
--- a/test/scripts/end-cleanup.sh
+++ b/test/scripts/end-cleanup.sh
@@ -5,6 +5,6 @@ set -o pipefail
 set -x
 IFS=$'\n\t'
-helm delete vault-gcr-secrets --namespace "$TARGET_NAMESPACE"
-vault delete gcp/roleset/vault-gcr-secrets
+helm delete vault-gcp-secrets --namespace "$TARGET_NAMESPACE"
+vault delete gcp/roleset/vault-gcp-secrets
 sleep 15 # Give vault time to cleanup
diff --git a/test/scripts/end-collect-data.sh b/test/scripts/end-collect-data.sh
index 676528b..3e80336 100755
--- a/test/scripts/end-collect-data.sh
+++ b/test/scripts/end-collect-data.sh
@@ -14,7 +14,7 @@ kubectl get pods --namespace $TARGET_NAMESPACE
 echo -e '\n****************************************\n'
 kubectl describe pods --namespace $TARGET_NAMESPACE
 echo -e '\n****************************************\n'
-kubectl logs --namespace=$TARGET_NAMESPACE -l app.kubernetes.io/instance=vault-gcr-secrets
+kubectl logs --namespace=$TARGET_NAMESPACE -l app.kubernetes.io/instance=vault-gcp-secrets
 echo -e '\n****************************************\n'
 kubectl describe configmap --namespace=$TARGET_NAMESPACE
 echo -e '\n****************************************\n'
diff --git a/test/scripts/install-chart.sh b/test/scripts/install-chart.sh
index 2553224..7dfa80c 100755
--- a/test/scripts/install-chart.sh
+++ b/test/scripts/install-chart.sh
@@ -11,7 +11,7 @@ HELM_OPTIONS=(
 --namespace "${TARGET_NAMESPACE}"
 --set "vault.address=http://vault.vault.svc.cluster.local:8200"
 --set "vault.authMethod=${AUTH_METHOD}"
- --set "vault.gcpSecretPath=gcp/key/vault-gcr-secrets"
+ --set "vault.gcpSecretPath=gcp/key/vault-gcp-secrets"
 )
 ## Set SECRET_TYPE from simple 'docker'
@@ -23,7 +23,7 @@ fi
 ## Set AUTH Options
 if [ "${AUTH_METHOD}" = 'kubernetes' ]; then
- HELM_OPTIONS+=(--set 'vault.kubernetesRole=vault-gcr-secrets')
+ HELM_OPTIONS+=(--set 'vault.kubernetesRole=vault-gcp-secrets')
 elif [ "${AUTH_METHOD}" = 'approle' ]; then
 HELM_OPTIONS+=(--set 'vault.credentialSecretName=vault-creds')
 else
@@ -34,12 +34,12 @@ fi
 ## Set Image options
 echo "KIND_REGISTRY=\'${KIND_REGISTRY}\'"
 if [ -n "$KIND_REGISTRY" ]; then
- HELM_OPTIONS+=(--set "image.repository=${KIND_REGISTRY}/vault-gcr-secrets" --set 'image.tag=test')
+ HELM_OPTIONS+=(--set "image.repository=${KIND_REGISTRY}/vault-gcp-secrets" --set 'image.tag=test')
 fi
-helm upgrade --install vault-gcr-secrets ./charts/vault-gcr-secrets "${HELM_OPTIONS[@]}"
+helm upgrade --install vault-gcp-secrets ./charts/vault-gcp-secrets "${HELM_OPTIONS[@]}"
-kubectl wait pod -l app.kubernetes.io/instance=vault-gcr-secrets \
+kubectl wait pod -l app.kubernetes.io/instance=vault-gcp-secrets \
 --namespace=$TARGET_NAMESPACE \
 --for=condition=Ready \
 --timeout=30s
@@ -48,6 +48,6 @@ sleep 10
 kubectl get pods --namespace $TARGET_NAMESPACE
-kubectl logs --namespace=$TARGET_NAMESPACE -l app.kubernetes.io/instance=vault-gcr-secrets
+kubectl logs --namespace=$TARGET_NAMESPACE -l app.kubernetes.io/instance=vault-gcp-secrets
-kubectl describe secret gcr-secret --namespace=$TARGET_NAMESPACE
+kubectl describe secret gcp-secret --namespace=$TARGET_NAMESPACE
diff --git a/test/scripts/vault-gcp-secrets.sh b/test/scripts/vault-gcp-secrets.sh
index 2cedcfd..836d2b6 100755
--- a/test/scripts/vault-gcp-secrets.sh
+++ b/test/scripts/vault-gcp-secrets.sh
@@ -12,20 +12,23 @@ vault write gcp/config \ ttl=300 \ max_ttl=1800 -vault write gcp/roleset/vault-gcr-secrets \ - project="vault-gcr-secrets-6969" \ +PROJECT_ID=$(echo "${GCP_CREDENTIALS}" | jq -r '.project_id') +echo "::set-output name=project_id::${PROJECT_ID}" + +vault write gcp/roleset/vault-gcp-secrets \ + project="${PROJECT_ID}" \ secret_type="service_account_key" \ bindings=-<