# HashiCorp Vault configuration for minikube # This is not part of ceph-csi project, used only # for e2e testing of integration with such KMS --- apiVersion: v1 kind: Service metadata: name: vault labels: app: vault-api spec: ports: - name: vault-api port: 8200 clusterIP: None selector: app: vault role: server --- apiVersion: apps/v1 kind: Deployment metadata: name: vault labels: app: vault role: server spec: replicas: 1 selector: matchLabels: app: vault role: server template: metadata: labels: app: vault role: server spec: containers: - name: vault image: docker.io/library/vault:latest imagePullPolicy: "IfNotPresent" securityContext: runAsUser: 100 env: - name: VAULT_DEV_ROOT_TOKEN_ID value: sample_root_token_id - name: SKIP_SETCAP value: any - name: HOME value: /home livenessProbe: exec: command: - pidof - vault initialDelaySeconds: 5 timeoutSeconds: 2 ports: - containerPort: 8200 name: vault-api volumeMounts: - name: home mountPath: /home - name: monitor image: docker.io/library/vault:latest imagePullPolicy: "IfNotPresent" securityContext: runAsUser: 100 env: - name: VAULT_ADDR value: http://localhost:8200 - name: HOME value: /home command: - vault - monitor volumeMounts: - name: home mountPath: /home volumes: - name: home emptyDir: {} --- apiVersion: v1 kind: ConfigMap metadata: name: init-scripts data: init-vault.sh: | set -x -e timeout 300 sh -c 'until vault status; do sleep 5; done' # login into vault to retrieve token vault login ${VAULT_DEV_ROOT_TOKEN_ID} # enable kubernetes auth method under specific path: vault auth enable -path="/${CLUSTER_IDENTIFIER}" kubernetes # write configuration to use your cluster vault write auth/${CLUSTER_IDENTIFIER}/config \ token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \ kubernetes_host="${K8S_HOST}" \ kubernetes_ca_cert=@${SERVICE_ACCOUNT_TOKEN_PATH}/ca.crt # create policy to use keys related to the cluster vault policy write "${CLUSTER_IDENTIFIER}" - << EOS path "secret/data/ceph-csi/*" { capabilities = ["create", "update", "delete", "read", "list"] } path "secret/metadata/ceph-csi/*" { capabilities = ["read", "delete", "list"] } path "sys/mounts" { capabilities = ["read"] } EOS # create a role vault write "auth/${CLUSTER_IDENTIFIER}/role/${PLUGIN_ROLE}" \ bound_service_account_names="${SERVICE_ACCOUNTS}" \ bound_service_account_namespaces="${SERVICE_ACCOUNTS_NAMESPACE}" \ policies="${CLUSTER_IDENTIFIER}" # disable iss validation # from: external-secrets/kubernetes-external-secrets#721 vault write auth/${CLUSTER_IDENTIFIER}/config \ token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \ kubernetes_host="${K8S_HOST}" \ disable_iss_validation=true --- apiVersion: batch/v1 kind: Job metadata: name: vault-init-job spec: parallelism: 1 completions: 1 template: metadata: name: vault-init-job spec: serviceAccountName: rbd-csi-vault-token-review volumes: - name: init-scripts-volume configMap: name: init-scripts containers: - name: vault-init-job image: docker.io/library/vault:latest securityContext: runAsUser: 100 volumeMounts: - mountPath: /init-scripts name: init-scripts-volume env: - name: HOME value: /tmp - name: CLUSTER_IDENTIFIER value: kubernetes - name: SERVICE_ACCOUNT_TOKEN_PATH value: /var/run/secrets/kubernetes.io/serviceaccount - name: K8S_HOST value: https://kubernetes.default.svc.cluster.local - name: PLUGIN_ROLE value: csi-kubernetes - name: SERVICE_ACCOUNTS value: rbd-csi-nodeplugin,rbd-csi-provisioner,csi-rbdplugin,csi-rbdplugin-provisioner - name: SERVICE_ACCOUNTS_NAMESPACE value: default - name: VAULT_ADDR value: http://vault.default.svc.cluster.local:8200/ - name: VAULT_DEV_ROOT_TOKEN_ID value: sample_root_token_id command: - /bin/sh - /init-scripts/init-vault.sh imagePullPolicy: "IfNotPresent" restartPolicy: Never