Merge pull request #6 from lonelyCZ/pr-add-cm-vault
Add initial cert-manager and Vault installation scripts
Showing 15 changed files with 430 additions and 0 deletions.
@@ -0,0 +1,25 @@ | ||
.vscode/ | ||
|
||
# Local .terraform directories | ||
**/.terraform/* | ||
|
||
# .tfstate files | ||
*.tfstate | ||
*.tfstate.* | ||
|
||
# Exclude all .tfvars files, which are likely to contain sentitive data, such as | ||
# password, private keys, and other secrets. These should not be part of version | ||
# control as they are data points which are potentially sensitive and subject | ||
# to change depending on the environment. | ||
# | ||
*.tfvars | ||
|
||
# Ignore override files as they are usually used to override resources locally and so | ||
# are not checked in | ||
override.tf | ||
override.tf.json | ||
*_override.tf | ||
*_override.tf.json | ||
|
||
# misc | ||
*.terraform.lock.hcl |
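Review bot: the `*.terraform.lock.hcl` entry under `# misc` should be dropped; `.terraform.lock.hcl` is the provider dependency lock file that records the exact provider versions and their checksums, and the `~> 2.11.0`, `~> 2.5.1` and `~> 3.5.0` constraints elsewhere in this PR are ranges, not pins, so committing the lock file is what makes `terragrunt run-all init` reproducible and lets a changed provider checksum surface in review. Ignoring `*.tfstate*`, `*.tfvars` and the override files is right. Also `sentitive` -> `sensitive` in the `*.tfvars` comment.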
@@ -0,0 +1,59 @@ | ||
# Deploy and Setup Cert-manager and Vault | ||
|
||
## Goals | ||
|
||
This Terragrunt workflow deploys and configures cert-manager, Hashicorp Vault and a cert-manager Vault `ClusterIssuer` to an existing Kubernetes cluster. | ||
|
||
Vault will be deployed in the insecure dev mode with a [PKI Secrets Engine](https://www.vaultproject.io/docs/secrets/pki) configured for issuing certs for `cert-manager.io` subdomains. | ||
|
||
A `ClusterIssuer` named `vault-issuer` will be created that can issue certs from this PKI using Vault's dev root token. | ||
|
||
A `Certificate` named `demo-app-vault-cert` will be created that issued by `vault-issuer`. | ||
|
||
> Note: The allowed DNS names are restricted to subdomains of `cert-manager.io`. | ||
## Dependencies Graph | ||
|
||
Terragrunt is used to ensure the correct order of dependency installation, i.e that cert-manager `ClusterIssuer` is not created before installing cert-manager. See dependency graph below: | ||
|
||
![image](graph.svg) | ||
|
||
### cm-install | ||
|
||
To use [Helm Provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs) to install Cert-Manager into Kubernetes, you need to set `kubeconfig_path` that default is `~/.kube/config`. | ||
|
||
### vault-install | ||
|
||
To use Helm Provider to install Vault into Kubernetes. By default, it is a single unsealed Vault server in the insecure dev mode with a memory storage backend. | ||
|
||
### vault-config | ||
|
||
To use Vault Provider to configure Vault. By default, it setup a [PKI Secrets Engine](https://www.vaultproject.io/docs/secrets/pki) configured for issuing certs for `cert-manager.io` subdomains. | ||
|
||
### cm-config | ||
|
||
To use Kubernetes Provider to configure Cert-Manager. By default, it create a `ClusterIssuer` named `vault-issuer` that can issue certs from this PKI using Vault's dev root token and a `Certificate` named `demo-app-vault-cert` that issued by `vault-issuer`. | ||
|
||
|
||
## Usage Steps | ||
|
||
Execute `terragrunt run-all init` to init providers of all modules. | ||
|
||
Execute `terragrunt run-all apply` to deploy all modules. | ||
|
||
Execute `terragrunt run-all destroy` to clean test environment. | ||
|
||
### Note | ||
If you want to run it in [Kind](https://kind.sigs.k8s.io/) cluster, you need to [create extra port mappings](https://kind.sigs.k8s.io/docs/user/configuration/#extra-port-mappings) to `vault-install` module to port forward. | ||
|
||
To use this config, place the contents in a file `config.yaml` and then run `kind create cluster --config=config.yaml` from the same directory. | ||
|
||
``` | ||
apiVersion: kind.x-k8s.io/v1alpha4 | ||
kind: Cluster | ||
nodes: | ||
- role: control-plane | ||
extraPortMappings: | ||
- containerPort: 30200 | ||
hostPort: 30200 | ||
``` |
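Review bot: the README should say up front, not only in passing, that this setup is for local testing only: Vault runs in dev mode, the `ClusterIssuer` authenticates with the dev root token stored in a Kubernetes Secret, Vault is reached over plain `http`, and the Kind note exposes it on host port 30200, so nothing here should be pointed at a shared cluster. The Kind paragraph is also hard to follow: say that the `containerPort: 30200` / `hostPort: 30200` mapping is what lets the `vault-config` module reach Vault's NodePort from the host. Grammar: "that default is `~/.kube/config`" -> "which defaults to `~/.kube/config`"; "it setup" -> "it sets up"; "it create" -> "it creates"; "that issued by" -> "that is issued by" (twice); "Dependencies Graph" -> "Dependency Graph".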
@@ -0,0 +1,66 @@ | ||
terraform { | ||
required_providers { | ||
kubernetes = { | ||
source = "hashicorp/kubernetes" | ||
version = "~> 2.11.0" | ||
} | ||
} | ||
} | ||
|
||
provider "kubernetes" { | ||
config_path = var.kubeconfig_path | ||
} | ||
|
||
// vault-token is used to connect vault | ||
resource "kubernetes_secret_v1" "vault-token" { | ||
metadata { | ||
name = "vault-token" | ||
namespace = "cert-manager" | ||
} | ||
data = { | ||
token = "root" | ||
} | ||
type = "opaque" | ||
} | ||
|
||
resource "kubernetes_manifest" "vault-issuer" { | ||
manifest = { | ||
"apiVersion" = "cert-manager.io/v1" | ||
"kind" = "ClusterIssuer" | ||
"metadata" = { | ||
"name" = "vault-issuer" | ||
} | ||
"spec" = { | ||
"vault" = { | ||
"auth" = { | ||
"tokenSecretRef" = { | ||
"key" = "token" | ||
"name" = "${kubernetes_secret_v1.vault-token.metadata[0].name}" | ||
} | ||
} | ||
"path" = "pki/sign/cert-manager-io" | ||
"server" = "http://vault.vault.svc:8200" | ||
} | ||
} | ||
} | ||
} | ||
|
||
resource "kubernetes_manifest" "demo-app-vault-cert" { | ||
manifest = { | ||
"apiVersion" = "cert-manager.io/v1" | ||
"kind" = "Certificate" | ||
metadata = { | ||
"name" = "demo-app-vault-cert" | ||
"namespace" = "default" | ||
} | ||
"spec" = { | ||
"commonName" = "demo-app.cert-manager.io" | ||
"secretName" = "demo-app-tls" | ||
"dnsNames" = ["demo-app.cert-manager.io"] | ||
"issuerRef" = { | ||
"name" = kubernetes_manifest.vault-issuer.manifest.metadata.name | ||
"kind" = kubernetes_manifest.vault-issuer.manifest.kind | ||
} | ||
} | ||
} | ||
} |
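Review bot: the `vault-token` Secret hard-codes the Vault root token (`token = "root"`) in the repository, and the `ClusterIssuer` then uses it for every signing request; even for a demo, read it from a variable marked `sensitive` rather than a literal, and for anything beyond dev mode use the issuer's `auth.kubernetes` block (a Vault Kubernetes auth role scoped to `pki/sign/cert-manager-io`) instead of a token. Related: `server = "http://vault.vault.svc:8200"` is plaintext; outside dev mode this should be `https://` with `caBundle` set. Style: `type = "opaque"` should be `Opaque` (that is also the provider default, so the line can go), and `"${kubernetes_secret_v1.vault-token.metadata[0].name}"` is a redundant interpolation in HCL2; write `kubernetes_secret_v1.vault-token.metadata[0].name` as is already done for `issuerRef`.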
@@ -0,0 +1,18 @@ | ||
dependency "vault-install" { | ||
config_path = "../vault-install" | ||
|
||
skip_outputs = "true" | ||
} | ||
|
||
dependency "cm-install" { | ||
config_path = "../cm-install" | ||
|
||
skip_outputs = "true" | ||
} | ||
|
||
|
||
dependency "vault-config" { | ||
config_path = "../vault-config" | ||
|
||
skip_outputs = "true" | ||
} |
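Review bot: `skip_outputs = "true"` is a string where Terragrunt expects a boolean; HCL converts it, but write `skip_outputs = true` in all three `dependency` blocks so the intent is clear. The three dependencies only order `run-all apply`; since no outputs are consumed, a comment should say why each is required (cert-manager CRDs for the `kubernetes_manifest` resources, the `pki/sign/cert-manager-io` role for the issuer), otherwise a later cleanup is likely to remove one.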
@@ -0,0 +1,4 @@ | ||
variable "kubeconfig_path" { | ||
type = string | ||
default = "~/.kube/config" | ||
} |
@@ -0,0 +1,29 @@ | ||
terraform { | ||
required_providers { | ||
helm = { | ||
source = "hashicorp/helm" | ||
version = "~> 2.5.1" | ||
} | ||
} | ||
} | ||
|
||
provider "helm" { | ||
kubernetes { | ||
config_path = var.kubeconfig_path | ||
} | ||
} | ||
|
||
# deploy cert-manager | ||
resource "helm_release" "cert-manager" { | ||
name = "cert-manager" | ||
repository = "https://charts.jetstack.io" | ||
chart = "cert-manager" | ||
namespace = "cert-manager" | ||
create_namespace = true | ||
version = "v1.8.0" | ||
|
||
set { | ||
name = "installCRDs" | ||
value = "true" | ||
} | ||
} |
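Review bot: a comment is missing that the `cert-manager` namespace created via `create_namespace = true` is also where the `cm-config` module writes its `vault-token` Secret, and that `installCRDs = "true"` is what makes the `ClusterIssuer` and `Certificate` manifests in `cm-config` plannable; both are why the Terragrunt dependency on this module is load-bearing. Pinning the chart to `version = "v1.8.0"` is good; keep the provider constraint reproducible by committing the lock file (see the `.gitignore` note).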
Empty file.
@@ -0,0 +1,4 @@ | ||
variable "kubeconfig_path" { | ||
type = string | ||
default = "~/.kube/config" | ||
} |
@@ -0,0 +1,43 @@ | ||
terraform { | ||
required_providers { | ||
vault = { | ||
source = "hashicorp/vault" | ||
version = "~> 3.5.0" | ||
} | ||
} | ||
} | ||
|
||
provider "vault" { | ||
address = "http://127.0.0.1:30200" | ||
token = "root" | ||
} | ||
|
||
resource "vault_mount" "pki" { | ||
path = "pki" | ||
type = "pki" | ||
max_lease_ttl_seconds = 31536000 # 1 year | ||
} | ||
|
||
resource "vault_pki_secret_backend_role" "role" { | ||
backend = vault_mount.pki.path | ||
name = "cert-manager-io" | ||
ttl = 31536000 # 1 year | ||
allow_ip_sans = true | ||
key_type = "rsa" | ||
key_bits = 2048 | ||
allowed_domains = ["cert-manager.io"] | ||
allow_subdomains = true | ||
} | ||
|
||
resource "vault_pki_secret_backend_root_cert" "ca" { | ||
depends_on = [vault_mount.pki] | ||
backend = vault_mount.pki.path | ||
type = "internal" | ||
common_name = "cert-manager.io" | ||
ttl = "31536000" # 1 year | ||
format = "pem" | ||
private_key_format = "der" | ||
key_type = "rsa" | ||
key_bits = 2048 | ||
exclude_cn_from_sans = true | ||
} |
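Review bot: `max_lease_ttl_seconds = 31536000` on the mount caps the root CA at one year, the root is generated with exactly that (`ttl = "31536000"`), and the role also permits one-year leaves; Vault refuses to sign a leaf whose notAfter would fall past the CA's expiry, so signing requests will start failing well before the year is up. Suggest a longer mount max (for example ten years), a root `ttl` of a similar length, and a short role `ttl`/`max_ttl` for leaves. The provider block hard-codes `address = "http://127.0.0.1:30200"` and `token = "root"`; drop both and let the provider read `VAULT_ADDR`/`VAULT_TOKEN`, or pass them as `sensitive` variables. Smaller points: `depends_on = [vault_mount.pki]` is redundant given `backend = vault_mount.pki.path`; `private_key_format = "der"` has no effect with `type = "internal"` because the key never leaves Vault; `allow_ip_sans = true` is not needed for a DNS-name-only demo; and `ttl` is a number on the role but a string on the root cert.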
@@ -0,0 +1,5 @@ | ||
dependency "vault-install" { | ||
config_path = "../vault-install" | ||
|
||
skip_outputs = "true" | ||
} |
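Review bot: `skip_outputs = "true"` should be the boolean `true`. Because outputs are skipped, the Vault address this module needs has to be hard-coded in `main.tf`; exposing the NodePort (and address) as an output of `vault-install` and reading it through `dependency.vault-install.outputs` would keep the two modules in sync and remove the literal.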