diff --git a/.gitignore b/.gitignore
index 1e0d9f9b..986d1c81 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,4 +17,7 @@
 # Output directory for binaries built in CircleCI
 /pkg
-/dist/
\ No newline at end of file
+/dist/
+
+# make deploy output
+ca.crt
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 5ec46c57..1b2652ae 100644
--- a/Makefile
+++ b/Makefile
@@ -21,12 +21,7 @@ VAULT_HELM_FLAGS?=--repo https://helm.releases.hashicorp.com --version=$(VAULT_H
 --values=test/vault/dev.values.yaml \
 --set 'injector.image.tag=$(VERSION)'
-ifeq ($(VAULT_TLS), true)
- VAULT_HELM_FLAGS += --values=test/vault/vault-tls-dev.values.yaml \
- --set "injector.extraEnvironmentVars.AGENT_INJECT_VAULT_CACERT_BYTES=$(shell kubectl get secret vault-cert -o=jsonpath="{.data.ca\.crt}")"
-endif
-
-.PHONY: all test build image clean version deploy deploy-tls exercise teardown install-cert-manager
+.PHONY: all test build image clean version deploy exercise teardown
 all: build
 version:
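Review bot: The new ignore pattern `ca.crt` is unanchored, so it hides a file of that name anywhere in the tree, while the only file `make deploy` writes is `test/vault/ca.crt` (the `>` redirect in the Makefile's deploy recipe later in this commit). Anchoring it as `/test/vault/ca.crt` keeps the ignore scoped to the generated artifact and will not silently mask a future test fixture that happens to share the name.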
@@ -41,16 +36,26 @@ build:
 image: build
 docker build --build-arg VERSION=$(VERSION) --no-cache -t $(IMAGE_TAG) .
+.PHONY: secret
+secret:
+ kubectl exec vault-0 -- cat /tmp/vault-ca.pem
+ kubectl get secret vault-ca -o=jsonpath="{.data.ca\.crt}" | base64 -d
+ kubectl get pod -l "app.kubernetes.io/name=vault-agent-injector" -o=jsonpath='{.items[0].spec.containers[0].env[?(@.name == "AGENT_INJECT_VAULT_CACERT_BYTES")].value}' | base64 -d
+
 # Deploys Vault dev server and a locally built Agent Injector.
 # Run multiple times to deploy new builds of the injector.
-deploy: image
+deploy:
 kind load docker-image hashicorp/vault-k8s:$(VERSION)
- helm upgrade --install vault vault $(VAULT_HELM_FLAGS)
+ helm upgrade --install vault vault $(VAULT_HELM_FLAGS) \
+ --set "injector.enabled=false"
 kubectl delete pod -l "app.kubernetes.io/instance=vault"
 kubectl wait --for=condition=Ready --timeout=5m pod -l "app.kubernetes.io/instance=vault"
-
-deploy-tls: install-cert-manager
- VAULT_TLS=true make deploy
+ kubectl delete secret --ignore-not-found vault-ca
+ kubectl exec vault-0 -- cat /tmp/vault-ca.pem > test/vault/ca.crt
+ kubectl create secret generic vault-ca --from-file=test/vault/ca.crt
+ helm upgrade --install vault vault $(VAULT_HELM_FLAGS) \
+ --set "injector.enabled=true" \
+ --set "injector.extraEnvironmentVars.AGENT_INJECT_VAULT_CACERT_BYTES=$$(kubectl get secret vault-ca -o=jsonpath="{.data.ca\.crt}")"
 # Populates the Vault dev server with a secret, configures kubernetes auth, and
 # deploys an nginx pod with annotations to have the secret injected.
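Review bot: `deploy` loses its `image` prerequisite (`-deploy: image` / `+deploy:`), yet the comment two lines above still says re-running it deploys new builds of the injector; `kind load docker-image hashicorp/vault-k8s:$(VERSION)` now only loads whatever image already exists locally, so either restore `deploy: image` or change the comment to say `make image` must be run first. The new `secret` target has no comment saying why it prints the CA from three places; I would add `# Prints the Vault dev CA as seen by the vault-0 pod, the vault-ca secret and the injector's env var, so the three copies can be compared.` The injector's trust anchor is now whatever `vault-0` serves from `/tmp/vault-ca.pem`, which is fine for a kind dev cluster but deserves a one-line comment on `deploy` saying the CA bootstrap is dev-only. Finally, `kubectl exec vault-0 -- cat /tmp/vault-ca.pem > test/vault/ca.crt` has the shell create the file before `kubectl exec` runs, so a failed exec stops the recipe but leaves an empty `test/vault/ca.crt` behind; `kubectl exec vault-0 -- cat /tmp/vault-ca.pem > test/vault/ca.crt.tmp && mv -f test/vault/ca.crt.tmp test/vault/ca.crt` avoids a stale empty file being picked up later.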
@@ -74,19 +79,12 @@ exercise:
 kubectl wait --for=condition=Ready --timeout=5m pod nginx
 kubectl exec nginx -c nginx -- cat /vault/secrets/secret.txt
-install-cert-manager:
- helm upgrade --install cert-manager cert-manager --repo https://charts.jetstack.io \
- --set installCRDs=true \
- --wait=true --timeout=5m
- kubectl apply -f 'test/cert-manager/*'
- kubectl wait --for=condition=Ready --timeout=5m certificate vault-certificate
-
 # Teardown any resources created in deploy and exercise targets.
 teardown:
 helm uninstall vault || true
- helm uninstall cert-manager || true
 kubectl delete --ignore-not-found serviceaccount test-app-sa
 kubectl delete --ignore-not-found pod nginx
+ kubectl delete --ignore-not-found secret vault-ca
 clean:
 -rm -rf $(BUILD_DIR)
diff --git a/test/cert-manager/ca.yaml b/test/cert-manager/ca.yaml
deleted file mode 100644
index 4900a151..00000000
--- a/test/cert-manager/ca.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: selfsigned
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: vault-ca
-spec:
- isCA: true
- commonName: Vault CA
- secretName: vault-ca
- duration: 87660h # 10 years
- privateKey:
- algorithm: ECDSA
- size: 256
- issuerRef:
- name: selfsigned
- kind: Issuer
- group: cert-manager.io
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: vault-ca-issuer
-spec:
- ca:
- secretName: vault-ca
\ No newline at end of file
diff --git a/test/cert-manager/vault-cert.yaml b/test/cert-manager/vault-cert.yaml
deleted file mode 100644
index d116de27..00000000
--- a/test/cert-manager/vault-cert.yaml
+++ /dev/null
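Review bot: `teardown` now deletes the `vault-ca` secret but not the `test/vault/ca.crt` file that `deploy` writes into the source tree, even though the comment above the target says it tears down any resources deploy created; add `	$(RM) test/vault/ca.crt` next to the new `kubectl delete ... secret vault-ca` line, or under `clean:` (also in this hunk) if it is considered a build product. The `.gitignore` entry added in this commit only hides that file from git, it does not remove it.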
@@ -1,20 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: vault-certificate
-spec:
- secretName: vault-cert
- duration: 24h
- renewBefore: 144m # roughly 10% of 24h
- dnsNames:
- - vault
- - vault.default
- - vault.default.svc
- - vault-internal
- - vault-internal.default
- - vault-internal.default.svc
- ipAddresses:
- - "127.0.0.1"
- issuerRef:
- name: vault-ca-issuer
- commonName: Vault Server
\ No newline at end of file
diff --git a/test/vault/dev.values.yaml b/test/vault/dev.values.yaml
index e4598989..6679deda 100644
--- a/test/vault/dev.values.yaml
+++ b/test/vault/dev.values.yaml
@@ -1,3 +1,5 @@
+global:
+ tlsDisable: false
 injector:
 image:
 pullPolicy: Never
@@ -6,3 +8,6 @@ server:
 dev:
 enabled: true
 logLevel: debug
+ extraArgs: "-dev-tls -dev-tls-cert-dir=/tmp"
+ extraEnvironmentVars:
+ VAULT_CACERT: /tmp/vault-ca.pem
diff --git a/test/vault/vault-tls-dev.values.yaml b/test/vault/vault-tls-dev.values.yaml
deleted file mode 100644
index cfb282bb..00000000
--- a/test/vault/vault-tls-dev.values.yaml
+++ /dev/null
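Review bot: `-dev-tls-cert-dir=/tmp` and `VAULT_CACERT: /tmp/vault-ca.pem` in the second dev.values.yaml hunk are the same paths the Makefile's `deploy` and `secret` recipes hard-code in `kubectl exec vault-0 -- cat /tmp/vault-ca.pem`, but nothing in this file records that coupling, so changing the directory here would break `make deploy` with no hint where to look. A comment above `extraArgs` such as `# -dev-tls-cert-dir must match the /tmp/vault-ca.pem path read by the Makefile's deploy and secret targets` would keep the two in step. `global.tlsDisable: false` in the first hunk presumably has to stay paired with `-dev-tls` as well; a short note saying so would help the next person who edits either half.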
@@ -1,39 +0,0 @@
-global:
- tlsDisable: false
-server:
- # Move the default TLS-disabled dev listener out of the way so we can add our
- # own listener on 8200 that does use TLS.
- extraArgs: "-dev-listen-address=127.0.0.1:8202 -config=/etc/config/listener.hcl"
- extraEnvironmentVars:
- VAULT_CACERT: /etc/tls/ca.crt
- volumeMounts:
- - name: cert
- mountPath: /etc/tls
- readOnly: true
- - name: config
- mountPath: /etc/config
- readOnly: true
- volumes:
- - name: cert
- secret:
- secretName: vault-cert
- - name: config
- emptyDir: {}
- extraInitContainers:
- - name: write-config
- image: "alpine"
- command: [sh, -c]
- args:
- - |
- cat < /etc/config/listener.hcl
- listener "tcp" {
- address = "[::]:8200"
- tls_cert_file = "/etc/tls/tls.crt"
- tls_key_file = "/etc/tls/tls.key"
- proxy_protocol_behavior = "allow_authorized"
- proxy_protocol_authorized_addrs = "[::]:8200"
- }
- EOF
- volumeMounts:
- - name: config
- mountPath: /etc/config