From 15b67972c4e58b297a26024e506431c56706a7a8 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Wed, 11 Sep 2024 00:16:07 -0500
Subject: [PATCH] add auto unseal, replicas 3

---
 .../security/vault/app/externalsecret.yaml | 27 +++++++++++++++++++
 .../apps/security/vault/app/helmrelease.yaml | 18 +++++++++----
 .../security/vault/app/kustomization.yaml | 1 +
 3 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 kubernetes/apps/security/vault/app/externalsecret.yaml

diff --git a/kubernetes/apps/security/vault/app/externalsecret.yaml b/kubernetes/apps/security/vault/app/externalsecret.yaml
new file mode 100644
index 0000000..8307628
--- /dev/null
+++ b/kubernetes/apps/security/vault/app/externalsecret.yaml
@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault
+  namespace: security
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: vault-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        key: vault
+        property: AWS_SECRET_ACCESS_KEY
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        key: vault
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: VAULT_AWSKMS_SEAL_KEY_ID
+      remoteRef:
+        key: vault
+        property: VAULT_AWSKMS_SEAL_KEY_ID
diff --git a/kubernetes/apps/security/vault/app/helmrelease.yaml b/kubernetes/apps/security/vault/app/helmrelease.yaml
index a253985..0358555 100644
--- a/kubernetes/apps/security/vault/app/helmrelease.yaml
+++ b/kubernetes/apps/security/vault/app/helmrelease.yaml
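Review bot: The three `data` entries pull a static IAM user key pair (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`) out of the 1Password item `vault`, and once this lands that key pair is effectively the Vault unseal key: anyone who can read Secret `vault-secret` in namespace `security` (RBAC, `pods/exec`, etcd backup access) can drive the KMS key and unseal the Raft data. Nothing in the manifest records what the credentials are allowed to do, so please pin the expectation where the next maintainer will see it, e.g. above `data:` add `# Static IAM user used only for the awskms seal; its policy must be limited to kms:Encrypt, kms:Decrypt and kms:DescribeKey on the single key ARN in VAULT_AWSKMS_SEAL_KEY_ID, and the key pair should be rotated on a schedule.` If the cluster ever moves to EKS, an IAM role (IRSA / Pod Identity) should replace the two key properties entirely. The `refreshInterval` is left at the ESO default here, which is fine, but note that a rotated key in 1Password only reaches the pods after that interval plus a pod restart, since the values are consumed as environment variables.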
@@ -53,6 +53,16 @@ spec:
         VAULT_ADDR: "http://127.0.0.1:8200"
         VAULT_API_ADDR: "http://$(POD_IP):8200"
         VAULT_CLUSTER_ADDR: "http://$(POD_IP):8201"
+      extraSecretEnvironmentVars:
+        - envName: AWS_SECRET_ACCESS_KEY
+          secretName: vault-secret
+          secretKey: AWS_SECRET_ACCESS_KEY
+        - envName: AWS_ACCESS_KEY_ID
+          secretName: vault-secret
+          secretKey: AWS_ACCESS_KEY_ID
+        - envName: VAULT_AWSKMS_SEAL_KEY_ID
+          secretName: vault-secret
+          secretKey: VAULT_AWSKMS_SEAL_KEY_ID
       # These are defaults but explicitly set here for clarity.
       dataStorage:
         size: 4Gi
@@ -71,7 +81,7 @@ spec:
         enabled: true
         # maxUnavailable will default to (n/2)-1 where n is the number of replicas
         # so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically.
-        replicas: 6
+        replicas: 3
         # clusterAddr: "https://vault-active.security.svc.cluster.local:8201"
         config: ""
         raft:
@@ -97,10 +107,8 @@ spec:
             }
           }
 
-          seal "kubernetes" {
-            secret_name = "vault-unseal-keys"
-            secret_namespace = "security"
-            key_names = ["key1", "key2", "key3"]
+          seal "awskms" {
+            region = "us-east-2"
           }
 
           service_registration "kubernetes" {}
diff --git a/kubernetes/apps/security/vault/app/kustomization.yaml b/kubernetes/apps/security/vault/app/kustomization.yaml
index 5a7bd4d..ebf6823 100644
--- a/kubernetes/apps/security/vault/app/kustomization.yaml
+++ b/kubernetes/apps/security/vault/app/kustomization.yaml
@@ -4,4 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: security
 resources:
+  - ./externalsecret.yaml
   - ./helmrelease.yaml
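Review bot: The `extraSecretEnvironmentVars` block puts the AWS key pair into the Vault container's environment, where it is readable by every process in the container (`/proc/<pid>/environ`), by anyone with `pods/exec` in `security`, and will appear in any core dump or debug bundle; that is a wider exposure than the seal configuration itself needs. It is the documented way to feed the awskms seal, so the change is acceptable, but the trade-off should be written down next to the block, e.g. `# AWS key pair for the awskms seal (see externalsecret.yaml); exposed as env vars, so keep exec/secret RBAC in this namespace tight.` The key id is also split from its region: `VAULT_AWSKMS_SEAL_KEY_ID` comes from the Secret while `region` is hard-coded in the seal stanza below, so a comment pointing from one to the other would save the next reader a search. The enclosing `server` values mapping starts before this hunk.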
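Review bot: Dropping `replicas` from 6 to 3 on a Raft-backed HA cluster is not just a StatefulSet scale-down: if the six-member cluster is already initialised, the three removed pods stay in the Raft peer list as dead voters, quorum is still 4 of 6, and the surviving three cannot elect a leader until the peers are removed with `vault operator raft remove-peer vault-3` (and `vault-4`, `vault-5`) and their PVCs are deleted. Separately, by the formula quoted in the comment directly above this line, `(n/2)-1` with n=3 yields `maxUnavailable: 0`, which makes the PodDisruptionBudget enabled on the line above block every voluntary eviction, so node drains will hang on the Vault pods; set it explicitly, e.g. `disruptionBudget: { enabled: true, maxUnavailable: 1 }` in block form. The comment's "if you have 6 replicas" example is now stale and should be rewritten for 3. The enclosing `ha` mapping starts before this hunk.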
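Review bot: Replacing the `seal "kubernetes"` stanza with `seal "awskms"` changes the seal type of an existing cluster, and if this Raft cluster is already initialised Vault will refuse to auto-unseal under the new stanza until a seal migration (`vault operator unseal -migrate` on each node, after which the old unseal keys become recovery keys) is performed; the commit does not mention that step, so the rollout order should be documented in the stanza, e.g. `# Seal migrated from the previous kubernetes seal on <date>; recovery keys replace the old unseal keys.` The removed stanza referenced Secret `vault-unseal-keys` in `security`, and that Secret (and any RBAC that let Vault read it) is not deleted by this patch, leaving the old unseal key material lying in the cluster after it is no longer needed; delete it once migration is verified. With awskms the KMS key becomes the root of trust, so its key policy should restrict `kms:Decrypt` to the one IAM principal, have automatic rotation enabled and CloudTrail logging on; none of that is visible here and is worth a pointer in the same comment. The `config` block scalar this stanza lives in starts before this hunk.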