├── charts ├── vault │ ├── Chart.yaml │ ├── templates │ │ ├── secret.yaml │ │ ├── _helpers.tpl │ │ ├── service.yaml │ │ ├── NOTES.txt │ │ └── deployment.yaml │ ├── .helmignore │ └── values.yaml └── vault-ui │ ├── Chart.yaml │ ├── .helmignore │ ├── templates │ ├── _helpers.tpl │ ├── service.yaml │ ├── ingress.yaml │ ├── NOTES.txt │ └── deployment.yaml │ └── values.yaml ├── LICENSE └── README.md /charts/vault/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: A Helm chart for Kubernetes 3 | name: vault 4 | version: 0.1.0 5 | -------------------------------------------------------------------------------- /charts/vault-ui/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: A Helm chart for Kubernetes 3 | name: vault-ui 4 | version: 0.1.0 5 | -------------------------------------------------------------------------------- /charts/vault/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: {{ template "fullname" . }} 5 | data: 6 | config.json: c3RvcmFnZSAiczMiIHsKICBhY2Nlc3Nfa2V5ID0gInh4eCIKICBzZWNyZXRfa2V5ID0gInh4eCIKICBidWNrZXQgICAgID0gInZhdWx0LWJ1Y2tldCIKfQoKbGlzdGVuZXIgInRjcCIgewogIGFkZHJlc3MgICAgID0gIjAuMC4wLjA6ODIwMCIKICB0bHNfZGlzYWJsZSA9IDEKfQ== 7 | type: Opaque -------------------------------------------------------------------------------- /charts/vault/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /charts/vault-ui/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /charts/vault/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | */}} 13 | {{- define "fullname" -}} 14 | {{- $name := default .Chart.Name .Values.nameOverride -}} 15 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 16 | {{- end -}} 17 | -------------------------------------------------------------------------------- /charts/vault-ui/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 
4 | */}} 5 | {{- define "name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | */}} 13 | {{- define "fullname" -}} 14 | {{- $name := default .Chart.Name .Values.nameOverride -}} 15 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 16 | {{- end -}} 17 | -------------------------------------------------------------------------------- /charts/vault-ui/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "fullname" . }} 5 | labels: 6 | app: {{ template "name" . }} 7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | spec: 11 | type: {{ .Values.service.type }} 12 | ports: 13 | - port: {{ .Values.service.externalPort }} 14 | targetPort: {{ .Values.service.internalPort }} 15 | protocol: TCP 16 | name: {{ .Values.service.name }} 17 | selector: 18 | app: {{ template "name" . }} 19 | release: {{ .Release.Name }} 20 | -------------------------------------------------------------------------------- /charts/vault/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "fullname" . }} 5 | labels: 6 | app: {{ template "name" . 
}} 7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | spec: 11 | type: {{ .Values.service.type }} 12 | ports: 13 | - port: {{ .Values.service.externalPort }} 14 | targetPort: {{ .Values.service.internalPort }} 15 | protocol: TCP 16 | name: {{ .Values.service.name }} 17 | selector: 18 | app: {{ template "name" . }} 19 | release: {{ .Release.Name }} 20 | -------------------------------------------------------------------------------- /charts/vault-ui/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $serviceName := include "fullname" . -}} 3 | {{- $servicePort := .Values.service.externalPort -}} 4 | apiVersion: extensions/v1beta1 5 | kind: Ingress 6 | metadata: 7 | name: {{ template "fullname" . }} 8 | labels: 9 | app: {{ template "name" . }} 10 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | annotations: 14 | {{- range $key, $value := .Values.ingress.annotations }} 15 | {{ $key }}: {{ $value | quote }} 16 | {{- end }} 17 | spec: 18 | rules: 19 | {{- range $host := .Values.ingress.hosts }} 20 | - host: {{ $host }} 21 | http: 22 | paths: 23 | - path: / 24 | backend: 25 | serviceName: {{ $serviceName }} 26 | servicePort: {{ $servicePort }} 27 | {{- end -}} 28 | {{- if .Values.ingress.tls }} 29 | tls: 30 | {{ toYaml .Values.ingress.tls | indent 4 }} 31 | {{- end -}} 32 | {{- end -}} 33 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Ivan Pedrazas 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the 
Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /charts/vault/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for vault. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | replicaCount: 1 5 | image: 6 | repository: vault 7 | tag: 0.7.3 8 | pullPolicy: IfNotPresent 9 | service: 10 | name: vault 11 | type: ClusterIP 12 | externalPort: 8200 13 | internalPort: 8200 14 | ingress: 15 | enabled: false 16 | # Used to create Ingress record (should used with service.type: ClusterIP). 17 | hosts: 18 | - chart-example.local 19 | annotations: 20 | # kubernetes.io/ingress.class: nginx 21 | # kubernetes.io/tls-acme: "true" 22 | tls: 23 | # Secrets must be manually created in the namespace. 24 | # - secretName: chart-example-tls 25 | # hosts: 26 | # - chart-example.local 27 | resources: {} 28 | # We usually recommend not to specify default resources and to leave this as a conscious 29 | # choice for the user. 
This also increases chances charts run on environments with little 30 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 31 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 32 | # limits: 33 | # cpu: 100m 34 | # memory: 128Mi 35 | #requests: 36 | # cpu: 100m 37 | # memory: 128Mi 38 | aws: 39 | region: eu-west-1 40 | 41 | vault: 42 | devmode: false 43 | mode: 44 | dev: true -------------------------------------------------------------------------------- /charts/vault/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. Get the application URL by running these commands: 2 | {{- if .Values.ingress.hostname }} 3 | http://{{- .Values.ingress.hostname }} 4 | {{- else if contains "NodePort" .Values.service.type }} 5 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "fullname" . }}) 6 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 7 | echo http://$NODE_IP:$NODE_PORT 8 | {{- else if contains "LoadBalancer" .Values.service.type }} 9 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 10 | You can watch the status of by running 'kubectl get svc -w {{ template "fullname" . }}' 11 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 12 | echo http://$SERVICE_IP:{{ .Values.service.externalPort }} 13 | {{- else if contains "ClusterIP" .Values.service.type }} 14 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 15 | echo "Visit http://127.0.0.1:8080 to use your application" 16 | kubectl port-forward $POD_NAME 8080:{{ .Values.service.externalPort }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/vault-ui/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. Get the application URL by running these commands: 2 | {{- if .Values.ingress.hostname }} 3 | http://{{- .Values.ingress.hostname }} 4 | {{- else if contains "NodePort" .Values.service.type }} 5 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "fullname" . }}) 6 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 7 | echo http://$NODE_IP:$NODE_PORT 8 | {{- else if contains "LoadBalancer" .Values.service.type }} 9 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 10 | You can watch the status of by running 'kubectl get svc -w {{ template "fullname" . }}' 11 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 12 | echo http://$SERVICE_IP:{{ .Values.service.externalPort }} 13 | {{- else if contains "ClusterIP" .Values.service.type }} 14 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 15 | echo "Visit http://127.0.0.1:8080 to use your application" 16 | kubectl port-forward $POD_NAME 8080:{{ .Values.service.externalPort }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/vault-ui/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for vault-ui. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | replicaCount: 1 5 | image: 6 | repository: djenriquez/vault-ui 7 | tag: latest 8 | pullPolicy: IfNotPresent 9 | service: 10 | name: vault-ui 11 | type: ClusterIP 12 | externalPort: 8000 13 | internalPort: 8000 14 | ingress: 15 | enabled: true 16 | # Used to create Ingress record (should used with service.type: ClusterIP). 17 | hosts: 18 | - vault-ui.example.com 19 | annotations: 20 | # AWS --> redirect http to https 21 | kubernetes.io/ingress.class: nginx 22 | ingress.kubernetes.io/force-ssl-redirect: "true" 23 | tls: 24 | # Secrets must be manually created in the namespace. 25 | # - secretName: chart-example-tls 26 | # hosts: 27 | # - chart-example.local 28 | resources: {} 29 | # We usually recommend not to specify default resources and to leave this as a conscious 30 | # choice for the user. This also increases chances charts run on environments with little 31 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 32 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
33 | # limits: 34 | # cpu: 100m 35 | # memory: 128Mi 36 | #requests: 37 | # cpu: 100m 38 | # memory: 128Mi 39 | 40 | vault: 41 | auth: TOKEN 42 | url: http://vault:8200 43 | -------------------------------------------------------------------------------- /charts/vault-ui/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: {{ template "fullname" . }} 5 | labels: 6 | app: {{ template "name" . }} 7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | spec: 11 | replicas: {{ .Values.replicaCount }} 12 | template: 13 | metadata: 14 | labels: 15 | app: {{ template "name" . }} 16 | release: {{ .Release.Name }} 17 | spec: 18 | containers: 19 | - name: {{ .Chart.Name }} 20 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 21 | imagePullPolicy: {{ .Values.image.pullPolicy }} 22 | env: 23 | - name: VAULT_URL_DEFAULT 24 | value: {{ .Values.vault.url }} 25 | - name: VAULT_AUTH_DEFAULT 26 | value: {{ .Values.vault.auth }} 27 | 28 | ports: 29 | - containerPort: {{ .Values.service.internalPort }} 30 | livenessProbe: 31 | httpGet: 32 | path: / 33 | port: {{ .Values.service.internalPort }} 34 | readinessProbe: 35 | httpGet: 36 | path: / 37 | port: {{ .Values.service.internalPort }} 38 | resources: 39 | {{ toYaml .Values.resources | indent 12 }} 40 | {{- if .Values.nodeSelector }} 41 | nodeSelector: 42 | {{ toYaml .Values.nodeSelector | indent 8 }} 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /charts/vault/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: {{ template "fullname" . }} 5 | labels: 6 | app: {{ template "name" . 
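}}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  replicas: {{ .Values.replicaCount }}
  template:
    metadata:
      labels:
        app: {{ template "name" . }}
        release: {{ .Release.Name }}
        vault-version: {{ .Values.image.tag }}
        {{- /* NOTE(review): this label reads .Values.vault.devmode, but the server command below is
             selected by .Values.vault.mode.dev. The shipped values.yaml sets devmode: false and
             mode.dev: true, so the label may not describe what is actually running. */}}
        devmode: {{ .Values.vault.devmode | quote }}
    spec:
      {{- /* secret.yaml names the Secret with the "fullname" template (<release>-<chart>); the
           volume must reference the same name, otherwise the Secret it points at does not exist
           in the release and /conf cannot be mounted. */}}
      volumes:
      - name: vault-conf
        secret:
          secretName: {{ template "fullname" . }}
      containers:
      - name: {{ .Chart.Name }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        {{- /* Non-dev mode reads /conf/config.json from the Secret above. The config.json shipped in
             secret.yaml carries placeholder S3 credentials and sets tls_disable = 1; replace that
             Secret before a non-dev deployment. */}}
        {{- if .Values.vault.mode.dev }}
        command: ["vault", "server", "-dev"]
        {{- else }}
        command: ["vault", "server", "-config", "/conf/config.json"]
        {{- end }}
        volumeMounts:
        - name: vault-conf
          mountPath: /conf
        {{- /* IPC_LOCK lets the vault process mlock() its memory so secrets are not swapped to disk. */}}
        securityContext:
          capabilities:
            add:
            - IPC_LOCK
        ports:
        - containerPort: {{ .Values.service.internalPort }}
        env:
        - name: AWS_DEFAULT_REGION
          value: {{ .Values.aws.region }}
        {{- /* Points the in-container vault CLI at this chart's Service, which service.yaml names
             with the "fullname" template, on the Service's externalPort (default 8200). */}}
        - name: VAULT_ADDR
          value: "http://{{ template "fullname" . }}:{{ .Values.service.externalPort }}"
        resources:
{{ toYaml .Values.resources | indent 12 }}
      {{- if .Values.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
      {{- end }}
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Vault charts 2 | 3 | There are 2 charts in this repo: 4 | 5 | * Vault 6 | * Vault-ui 7 | 8 | [Vault](https://www.vaultproject.io) secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing.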
Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more. 9 | 10 | ## Running the helm chart 11 | 12 | The easiest way of running vault is using the `dev` mode (please, do not use it in production). 13 | 14 | ``` 15 | helm install charts/vault 16 | ``` 17 | 18 | If you want to use the production mode you have to update the `config.json` key in the secret: the committed example uses placeholder `xxx` S3 credentials and disables TLS on the listener (`tls_disable = 1`), so replace the credentials and enable TLS rather than only changing the bucket. Currently it is set up to use AWS S3 as the backend: 19 | 20 | ``` 21 | storage "s3" { 22 | access_key = "xxx" 23 | secret_key = "xxx" 24 | bucket = "vault-bucket" 25 | } 26 | 27 | listener "tcp" { 28 | address = "0.0.0.0:8200" 29 | tls_disable = 1 30 | } 31 | ``` 32 | 33 | 34 | ### Seal/Unseal process 35 | 36 | Unsealing makes the process of automating a Vault install difficult. Automated tools can easily install, configure, and start Vault, but unsealing it is a very manual process. 37 | 38 | This complicates the use of Vault inside of Kubernetes, because if the pod dies, Kubernetes will start the pod again but it will be sealed. 39 | 40 | When Vault starts it has to be initialised: 41 | 42 | ``` 43 | vault init 44 | 45 | Unseal Key 1: YE8GePrAGb2dH0/O/Tzz2JxNuK9PWoEY8wHJ6v 46 | Unseal Key 2: mNlbiZXxvaKwIKMAuAjAnWPeesWJS81i1ACvQ7 47 | Unseal Key 3: tkDd5bCpFaUuF4S9iiBf2CrM//fT+aHYBrcwVc 48 | Unseal Key 4: 1iUerpWSW6jdj3EtXiY9W10S0ngYdonQ8do8KQ 49 | Unseal Key 5: fNNonAC4Fe6XScR/oHlhzPFW9rQeoEj1lL/Ktk 50 | Initial Root Token: cd6edb9a-11f51-b14d-f7568f6e2661 51 | 52 | Vault initialized with 5 keys and a key threshold of 3. Please 53 | securely distribute the above keys. When the vault is re-sealed, 54 | restarted, or stopped, you must provide at least 3 of these keys 55 | to unseal it again. 56 | 57 | Vault does not store the master key. Without at least 3 keys, 58 | your vault will remain permanently sealed. 
59 | ``` 60 | 61 | Once the vault has been initialised, it has to be unsealed: 62 | 63 | ``` 64 | vault unseal YE8GePrAGb2dH0/VxLt3ZO/Tzz2JxNuK9PWoEY8wHJ6v 65 | vault unseal mNlbiZXxvaKwIKMAuzUymJxAjAnWPeesWJS81i1ACvQ7 66 | vault unseal tkDd5bCpFaUuF4SLCjLzW9iiBf2CrM//fT+aHYBrcwVc 67 | ``` 68 | 69 | ## Running Vault-ui 70 | 71 | Once the Vault has been unsealed, you can install a UI. This repo contains a chart with the [vault-ui](https://github.com/djenriquez/vault-ui) project by [DJ Enriquez](https://github.com/djenriquez). 72 | 73 | To run this chart you need 2 settings: 74 | 75 | * VAULT_URL_DEFAULT: http://vault-service-name:8200 (the vault chart names its Service `<release>-vault`, hence `MY_RELEASE-vault` in the example below) 76 | * VAULT_AUTH_DEFAULT: defaults to `TOKEN`, but you can use any of the 4 options provided. 77 | 78 | 79 | ``` 80 | helm install charts/vault-ui --set vault.url=http://MY_RELEASE-vault:8200 81 | ``` 82 | --------------------------------------------------------------------------------