From ae6f9bb30bafc4396da3a90db81a27bc2addc3a2 Mon Sep 17 00:00:00 2001 From: ace Date: Thu, 10 Apr 2025 00:21:01 +0300 Subject: [PATCH] add autovault helm chart --- autovault/.helmignore | 23 +++++ autovault/Chart.yaml | 24 ++++++ autovault/templates/_helpers.tpl | 62 ++++++++++++++ autovault/templates/configmap.yaml | 68 +++++++++++++++ autovault/templates/cronjob.yaml | 54 ++++++++++++ autovault/templates/pvc.yaml | 26 ++++++ autovault/templates/role.yaml | 26 ++++++ autovault/templates/rolebinging.yaml | 15 ++++ autovault/templates/serviceaccount.yaml | 13 +++ autovault/values.yaml | 107 ++++++++++++++++++++++++ 10 files changed, 418 insertions(+) create mode 100644 autovault/.helmignore create mode 100644 autovault/Chart.yaml create mode 100644 autovault/templates/_helpers.tpl create mode 100644 autovault/templates/configmap.yaml create mode 100644 autovault/templates/cronjob.yaml create mode 100644 autovault/templates/pvc.yaml create mode 100644 autovault/templates/role.yaml create mode 100644 autovault/templates/rolebinging.yaml create mode 100644 autovault/templates/serviceaccount.yaml create mode 100644 autovault/values.yaml
diff --git a/autovault/.helmignore b/autovault/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/autovault/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/autovault/Chart.yaml b/autovault/Chart.yaml
new file mode 100644
index 0000000..71e87be
--- /dev/null
+++ b/autovault/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: autovault
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/autovault/templates/_helpers.tpl b/autovault/templates/_helpers.tpl
new file mode 100644
index 0000000..a1cedbb
--- /dev/null
+++ b/autovault/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "autovault.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "autovault.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "autovault.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "autovault.labels" -}}
+helm.sh/chart: {{ include "autovault.chart" . }}
+{{ include "autovault.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "autovault.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "autovault.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "autovault.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "autovault.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/autovault/templates/configmap.yaml b/autovault/templates/configmap.yaml
new file mode 100644
index 0000000..8854eb4
--- /dev/null
+++ b/autovault/templates/configmap.yaml
@@ -0,0 +1,68 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ include "autovault.fullname" . }}-scripts
+ labels:
+ {{- include "autovault.labels" . | nindent 4 }}
+data:
+ autovault.sh: |
+ #!/bin/bash
+
+ HOME=/vault/data
+ while [[ "$(curl -L -s -o /dev/null -w ''%{http_code}'' {{ .Values.vaultUrl }})" != "200" ]]; do sleep 5; done
+
+ export VAULT_ADDR={{ .Values.vaultUrl }}
+
+ INITIALIZED=$(vault status -format=json | jq -r '.initialized')
+
+ SEALED=$(vault status -format=json | jq -r '.sealed')
+
+ if [[ "$INITIALIZED" == "false" ]] ; then
+ vault operator init -key-threshold=1 -key-shares=1 -format=json > /vault/data/keys.json
+ fi
+
+ if [[ "$SEALED" == "true" ]] ; then
+ KEY=$(cat /vault/data/keys.json | jq -r '.unseal_keys_b64[0]')
+ vault operator unseal $KEY
+ fi
+
+ export VAULT_TOKEN=$(cat /vault/data/keys.json | jq -r '.root_token')
+
+ KV_ENABLED=$(vault secrets list | grep -i kv)
+ if [[ -z "$KV_ENABLED" ]] ; then
+ vault secrets enable -version=2 kv
+ fi
+
+ USERPASS_ENABLED=$(vault auth list | grep -i userpass)
+ if [[ -z "$USERPASS_ENABLED" ]] ; then
+ vault auth enable userpass
+ fi
+
+ APPROLE_ENABLED=$(vault auth list | grep -i approle)
+ if [[ -z "$APPROLE_ENABLED" ]] ; then
+ vault auth enable approle
+ fi
+
+ echo
+ echo "----------------------------------------------------------------"
+ echo
+ echo "Vault root token: ${VAULT_TOKEN}"
+ echo
+ echo "----------------------------------------------------------------"
+ echo
+
+ for APPROLE in {{ join " " .Values.autovaultGenSecretsApps }}; do
+ APPROLE_CREATED=$(vault read auth/approle/role/"$APPROLE"/role-id)
+ if [[ -z "$APPROLE_CREATED" ]] ; then
+ vault write -f auth/approle/role/"$APPROLE"
+ fi
+ kubectl get secret vault-secret-"$APPROLE" || \
+ { APPROLE_ROLE_ID=$(vault read auth/approle/role/"$APPROLE"/role-id | grep "role_id\s" | awk '{print $2}') ; \
+ APPROLE_SECRET_ID=$(vault write -f auth/approle/role/"$APPROLE"/secret-id | grep "secret_id\s" | awk '{print $2}') ; \
+ kubectl create secret generic vault-secret-"$APPROLE" --from-literal=rootToken="$VAULT_TOKEN" --from-literal=roleId="$APPROLE_ROLE_ID" --from-literal=secretId="$APPROLE_SECRET_ID" ;
+ echo "$APPROLE role-id = $APPROLE_ROLE_ID" ; }
+ done
+
+ vault auth list
+
diff --git a/autovault/templates/cronjob.yaml b/autovault/templates/cronjob.yaml
new file mode 100644
index 0000000..77e10ce
--- /dev/null
+++ b/autovault/templates/cronjob.yaml
@@ -0,0 +1,54 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: {{ include "autovault.fullname" . }}
+ labels:
+ {{- include "autovault.labels" . | nindent 4 }}
+spec:
+ concurrencyPolicy: Forbid
+ schedule: {{ .Values.autovaultSchedule | quote }}
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ backoffLimit: 2
+ activeDeadlineSeconds: 300
+ template:
+ spec:
+ serviceAccountName: {{ include "autovault.fullname" . }}
+ restartPolicy: Never
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: autovault
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ - name: {{ include "autovault.fullname" . }}-data
+ mountPath: /vault/data
+ - name: {{ include "autovault.fullname" . }}-scripts
+ mountPath: /vault/scripts
+ command: [ "/bin/bash", "-c", "/vault/scripts/autovault.sh" ]
+ volumes:
+ - name: {{ include "autovault.fullname" . }}-data
+ persistentVolumeClaim:
+ claimName: {{ include "autovault.fullname" . }}-data
+ - name: {{ include "autovault.fullname" . }}-scripts
+ configMap:
+ name: {{ include "autovault.fullname" . }}-scripts
+ defaultMode: 0777
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
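Review bot: The script prints the Vault root token into the pod log (`echo "Vault root token: ${VAULT_TOKEN}"`) and copies it into every generated secret (`--from-literal=rootToken="$VAULT_TOKEN"`), so anyone with `pods/log` or `secrets` read in the namespace, and every application consuming a `vault-secret-<approle>`, ends up holding root, which defeats the per-app AppRole split the loop sets up. Drop the echo and the `rootToken` literal so each secret carries only `roleId`/`secretId`, and treat `/vault/data/keys.json` (the single unseal key plus root token written by `vault operator init -key-threshold=1 -key-shares=1`) as the most sensitive artifact of this chart, mounted only into this job. The script also runs without `set -euo pipefail` and leaves `$KEY` unquoted in `vault operator unseal $KEY`, so a failed `jq` yields an empty unseal argument instead of an abort; adding `set -euo pipefail` after the shebang surfaces that. `vault secrets list | grep -i kv` matches any mount whose path or description contains "kv"; `vault secrets list -format=json | jq -e '."kv/"'` is the exact check.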
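Review bot: `serviceAccountName: {{ include "autovault.fullname" . }}` bypasses the `autovault.serviceAccountName` helper defined in _helpers.tpl, so `serviceAccount.name` is ignored and with `serviceAccount.create: false` the pod references a ServiceAccount that does not exist; use `serviceAccountName: {{ include "autovault.serviceAccountName" . }}` here and the same include for the subject `name:` in rolebinging.yaml. `defaultMode: 0777` on the scripts ConfigMap volume is wider than an executable script needs; `defaultMode: 0555` suffices. values.yaml documents `image.tag` as defaulting to the chart appVersion, but the image line never falls back: `image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"`. The `podSecurityContext`, `securityContext` and `resources` values are not rendered anywhere in this template, so the `runAsNonRoot`/`readOnlyRootFilesystem` knobs in values.yaml have no effect on this pod.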
diff --git a/autovault/templates/pvc.yaml b/autovault/templates/pvc.yaml
new file mode 100644
index 0000000..4d302ce
--- /dev/null
+++ b/autovault/templates/pvc.yaml
@@ -0,0 +1,26 @@
+---
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ template "autovault.fullname" . }}-data
+ labels:
+ {{- include "autovault.labels" . | nindent 4 }}
+{{- if .Values.persistence.annotations }}
+ annotations:
+{{ toYaml .Values.persistence.annotations | indent 4 }}
+{{- end }}
+spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+ storageClassName: ""
+{{- else }}
+ storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/autovault/templates/role.yaml b/autovault/templates/role.yaml
new file mode 100644
index 0000000..072d69b
--- /dev/null
+++ b/autovault/templates/role.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "autovault.fullname" . }}
+ labels:
+ {{- include "autovault.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list", "get", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["pods/attach"]
+ verbs: ["list", "get", "create", "delete", "update"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list", "get", "create", "delete", "update"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["list", "get", "create", "delete", "update"]
diff --git a/autovault/templates/rolebinging.yaml b/autovault/templates/rolebinging.yaml
new file mode 100644
index 0000000..d55f3e4
--- /dev/null
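Review bot: `persistence.existingClaim` only suppresses PVC creation here; nothing mounts the named claim, because cronjob.yaml hard-codes `claimName: {{ include "autovault.fullname" . }}-data`, so setting `existingClaim` leaves the job pointing at a claim that is never created. The volume in cronjob.yaml should use `claimName: {{ .Values.persistence.existingClaim | default (printf "%s-data" (include "autovault.fullname" .)) }}`, and with `persistence.enabled: false` the job fails to schedule for the same reason, since that volume is rendered unconditionally. This template also mixes `template` with `include` (`{{ template "autovault.fullname" . }}-data`) and `indent` with `nindent`; the other templates in the chart use `include` and `nindent` throughout.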
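Review bot: The Role grants far more than the script uses: autovault.sh in configmap.yaml only calls `kubectl get secret` and `kubectl create secret`, yet the rules allow `pods` create/delete, `pods/exec` create, `pods/attach`, `pods/log` and full `configmaps` write. Since this ServiceAccount token sits in the same pod that holds the Vault root token and unseal key, its namespace permissions should be kept to what the job needs; trim the rules to `resources: ["secrets"]` with `verbs: ["get", "create"]`, adding `"update"` only if the job is meant to rotate existing secrets. `list` on secrets is also unnecessary, since the script names each secret explicitly.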
+++ b/autovault/templates/rolebinging.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "autovault.fullname" . }}
+ labels:
+ {{- include "autovault.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ name: {{ include "autovault.fullname" . }}
+ kind: Role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "autovault.fullname" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/autovault/templates/serviceaccount.yaml b/autovault/templates/serviceaccount.yaml
new file mode 100644
index 0000000..e8206f4
--- /dev/null
+++ b/autovault/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "autovault.serviceAccountName" . }}
+ labels:
+ {{- include "autovault.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/autovault/values.yaml b/autovault/values.yaml
new file mode 100644
index 0000000..f3feb09
--- /dev/null
+++ b/autovault/values.yaml
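Review bot: The file is named `rolebinging.yaml` (missing "d"); Helm does not care about template file names, but `rolebinding.yaml` matches the kind and the sibling `role.yaml`/`serviceaccount.yaml` naming. The `subjects` sequence is flush-left (`- kind: ServiceAccount`) while `rules` in role.yaml indents its sequence items; pick one sequence indentation for the chart.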
@@ -0,0 +1,107 @@
+# Default values for autovault.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+replicaCount: 1
+
+# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
+image:
+ repository: gitea.geekhome.org/ghp/autovault
+ # This sets the pull policy for images.
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "0.1.0-1"
+
+# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+vaultUrl: "http://vault:8200"
+autovaultGenSecretsApps:
+ - approle1
+
+autovaultSchedule: "0/5 * * * *"
+
+# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Automatically mount a ServiceAccount's API credentials?
+ automount: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+# This is for setting Kubernetes Annotations to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+podAnnotations: {}
+# This is for setting Kubernetes Labels to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+persistence:
+ enabled: true
+ annotations: {}
+ ## PeerTube data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ # existingClaim:
+
+ accessMode: ReadWriteOnce
+ size: 1Mi
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+# secret:
+# secretName: mysecret
+# optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+# mountPath: "/etc/foo"
+# readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
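Review bot: Several keys here are never consumed by the templates: `replicaCount`, `podAnnotations`, `podLabels`, `podSecurityContext`, `securityContext`, `resources`, `volumes` and `volumeMounts` are declared, but cronjob.yaml renders none of them, so a user who uncomments `runAsNonRoot: true` or sets `resources.limits` gets no effect. Either wire them into the pod template or remove them; the "on the output Deployment definition" comments on `volumes`/`volumeMounts` and the `## PeerTube data Persistent Volume Storage Class` comment are scaffold leftovers describing a different chart. The comment on `image.tag` ("Overrides the image tag whose default is the chart appVersion") is also untrue of this chart as written, since cronjob.yaml uses the value verbatim with no fallback.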