🎉 initial commit

2022-04-06 15:33:57 +02:00
commit 968716ec76
29 changed files with 846 additions and 0 deletions
--- a/vault/helm-vault-server.yaml
+++ b/vault/helm-vault-server.yaml
@@ -0,0 +1,15 @@
+# see https://rancher.com/docs/k3s/latest/en/helm/
+# see https://github.com/hashicorp/vault-helm
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: vault
+  namespace: default
+spec:
+  repo: https://helm.releases.hashicorp.com
+  chart: vault
+  version: 0.17.1
+  targetNamespace: default
+  valuesContent: |-
+    injector:
+      enabled: false
--- a/vault/ingress-vault.yaml
+++ b/vault/ingress-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: vault-internal
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`vault.dev.localhost`)
+      kind: Rule
+      services:
+        - name: vault-internal
+          port: 8200
--- a/vault/init-vault.sh
+++ b/vault/init-vault.sh
@@ -0,0 +1,2 @@
+kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > init-keys.json
+./unseal-vault.sh
--- a/vault/issuer-vault.yaml
+++ b/vault/issuer-vault.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: vault-issuer
+  namespace: default
+spec:
+  vault:
+    server: http://vault.default:8200
+    path: pki/sign/dev-dot-localhost
+    auth:
+      kubernetes:
+        mountPath: /v1/auth/kubernetes
+        role: issuer
+        secretRef:
+          name: issuer-token-sh68l
+          key: token
--- a/vault/unseal-vault.sh
+++ b/vault/unseal-vault.sh
@@ -0,0 +1,8 @@
+cat init-keys.json | jq -r ".unseal_keys_b64[]"
+VAULT_UNSEAL_KEY=$(cat init-keys.json | jq -r ".unseal_keys_b64[]")
+kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
+kubectl get pods
+cat init-keys.json | jq -r ".root_token"
+VAULT_ROOT_TOKEN=$(cat init-keys.json | jq -r ".root_token")
+kubectl exec vault-0 -- vault login $VAULT_ROOT_TOKEN
+
--- a/vault/vault-issuer.yaml
+++ b/vault/vault-issuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1 
+kind: Issuer
+metadata:
+  name: vault-issuer
+  namespace: default
+spec:
+  vault:
+    server: http://vault.default:8200
+    path: pki/role/dev-dot-localhost
+    auth:
+      kubernetes:
+        mountPath: /v1/auth/kubernetes
+        role: issuer
+        secretRef:
+          name: issuer-token-xhgk8
+          key: token