From 1ac73821a7f061bfff4e8a48b7a8acfa5c29dd28 Mon Sep 17 00:00:00 2001
From: Ken Keller
Date: Fri, 29 Jul 2022 13:02:31 -0500
Subject: [PATCH 1/8] updates namspaces
---
 .../configure-vault/auth.tf | 4 +-
 .../configure-vault/main.tf | 43 ++++++-------------
 .../configure-vault/policies.tf | 26 +++++------
 .../configure-vault/secrets.tf | 10 ++---
 4 files changed, 32 insertions(+), 51 deletions(-)
diff --git a/cloud/terraform-hcp-vault/configure-vault/auth.tf b/cloud/terraform-hcp-vault/configure-vault/auth.tf
index 83b05250..73e2f5c8 100644
--- a/cloud/terraform-hcp-vault/configure-vault/auth.tf
+++ b/cloud/terraform-hcp-vault/configure-vault/auth.tf
@@ -3,7 +3,7 @@
 #------------------------------------------------------------
 resource "vault_auth_backend" "userpass" {
 depends_on = [vault_namespace.test]
- provider = vault.test
+ namespace = vault_namespace.test.path
 type = "userpass"
 }
 
@@ -12,8 +12,8 @@ resource "vault_auth_backend" "userpass" {
 #-----------------------------------------------------------
 resource "vault_generic_endpoint" "student" {
 depends_on = [vault_auth_backend.userpass]
- provider = vault.test
 path = "auth/userpass/users/student"
+ namespace = vault_namespace.test.path
 ignore_absent_fields = true
 
 data_json = <
Date: Sun, 21 Aug 2022 18:33:32 -0500
Subject: [PATCH 2/8] files reuired for k8s-secrets-engine lab
---
 secrets/kubernetes/bindings.yaml | 40 +++++++++++++++++++++
 secrets/kubernetes/roles.yaml | 47 +++++++++++++++++++++++++
 secrets/kubernetes/serviceAccounts.yaml | 5 +++
 secrets/kubernetes/values.yaml | 11 ++++++
 4 files changed, 103 insertions(+)
 create mode 100644 secrets/kubernetes/bindings.yaml
 create mode 100644 secrets/kubernetes/roles.yaml
 create mode 100644 secrets/kubernetes/serviceAccounts.yaml
 create mode 100644 secrets/kubernetes/values.yaml
diff --git a/secrets/kubernetes/bindings.yaml b/secrets/kubernetes/bindings.yaml
new file mode 100644
index 00000000..88c0caf7
--- /dev/null
+++ b/secrets/kubernetes/bindings.yaml
@@ -0,0 +1,40 @@
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: k8s-secrets-abilities-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: k8s-secrets-abilities
+subjects:
+- kind: ServiceAccount
+ name: vault
+ namespace: vault
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: demo-clusterrole-abilities
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: demo-cluster-role-list-pods
+subjects:
+- kind: ServiceAccount
+ name: vault
+ namespace: vault
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: demo-role-abilities
+ namespace: demo
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: demo-role-list-pods
+subjects:
+- kind: ServiceAccount
+ name: sample-app
+ namespace: demo
diff --git a/secrets/kubernetes/roles.yaml b/secrets/kubernetes/roles.yaml
new file mode 100644
index 00000000..a0822938
--- /dev/null
+++ b/secrets/kubernetes/roles.yaml
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: k8s-secrets-abilities
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+- apiGroups: [""]
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - create
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: demo-role-list-pods
+ namespace: demo
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: demo-cluster-role-list-pods
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list"]
+ 
\ No newline at end of file
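Review bot: The `k8s-secrets-abilities` ClusterRole in this hunk grants `create` on `serviceaccounts/token` and `create`/`delete` on `serviceaccounts`, `roles`, `rolebindings`, `clusterroles` and `clusterrolebindings` with no namespace restriction, and the bindings.yaml hunk above attaches it through `k8s-secrets-abilities-binding` to the `vault` service account in the `vault` namespace; cluster-wide token creation for any service account means a compromised Vault pod inherits the reach of the most privileged service account on the cluster, so the exposure is the whole cluster rather than the `demo` namespace the rest of the lab uses. If the lab only needs Vault to manage objects in `demo`, the same rules as a `Role` plus `RoleBinding` in that namespace would bound it; if the cluster scope is deliberate, record the reason in a comment above the ClusterRole, e.g. `# Cluster-scoped on purpose: the Vault Kubernetes secrets engine creates service accounts, tokens and bindings in whichever namespace a Vault role targets`. Two smaller points: the second rule writes `apiGroups` in flow style `[""]` while the other two use block lists, and the file ends in a whitespace-only line with no trailing newline.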
diff --git a/secrets/kubernetes/serviceAccounts.yaml b/secrets/kubernetes/serviceAccounts.yaml
new file mode 100644
index 00000000..9ce46e56
--- /dev/null
+++ b/secrets/kubernetes/serviceAccounts.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sample-app
+ namespace: demo
diff --git a/secrets/kubernetes/values.yaml b/secrets/kubernetes/values.yaml
new file mode 100644
index 00000000..de18faad
--- /dev/null
+++ b/secrets/kubernetes/values.yaml
@@ -0,0 +1,11 @@
+global:
+ enabled: false
+
+server:
+ enabled: true
+ image:
+ repository: hashicorp/vault
+ tag: 1.11.0-rc1
+ dev:
+ enabled: true
+ logLevel: debug
From be26ffa0ee8cd29221261e860e17f86ffe05950f Mon Sep 17 00:00:00 2001
From: Ken Keller
Date: Fri, 26 Aug 2022 11:20:26 -0500
Subject: [PATCH 3/8] needed for later parts of kse tutorial
---
 secrets/kubernetes/roles.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/secrets/kubernetes/roles.yaml b/secrets/kubernetes/roles.yaml
index a0822938..30c00814 100644
--- a/secrets/kubernetes/roles.yaml
+++ b/secrets/kubernetes/roles.yaml
@@ -43,5 +43,5 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["pods"]
- verbs: ["list"]
+ verbs: ["list","get","delete"]
 
\ No newline at end of file
From ff77ee9494eca95fdefadeb4b47167c21003e7c3 Mon Sep 17 00:00:00 2001
From: mister-ken <104874953+mister-ken@users.noreply.github.com>
Date: Fri, 26 Aug 2022 11:23:31 -0500
Subject: [PATCH 4/8] Delete auth.tf
---
 .../configure-vault/auth.tf | 25 -------------------
 1 file changed, 25 deletions(-)
 delete mode 100644 cloud/terraform-hcp-vault/configure-vault/auth.tf
diff --git a/cloud/terraform-hcp-vault/configure-vault/auth.tf b/cloud/terraform-hcp-vault/configure-vault/auth.tf
deleted file mode 100644
index 73e2f5c8..00000000
--- a/cloud/terraform-hcp-vault/configure-vault/auth.tf
+++ /dev/null
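Review bot: `values.yaml` starts the Vault server with `dev.enabled: true` and `logLevel: debug` on the pre-release image tag `1.11.0-rc1`, and neither the file nor the commit message says this is a throwaway lab configuration; dev mode keeps all data in memory, comes up unsealed and writes the root token to the pod log, which suits the tutorial cluster but not a starting point for anything persistent. A header comment would make that explicit, e.g. `# Lab-only values: dev-mode server (in-memory storage, auto-unsealed, root token in the pod log)`. The `-rc1` tag should also move to a GA release once the lab has been re-run against one, so readers do not inherit a release candidate.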
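Review bot: After this change `demo-cluster-role-list-pods` grants `get` and `delete` on pods in every namespace while its name still says list-only, and `bindings.yaml` (patch 2 above) binds this ClusterRole to the `vault` service account through `demo-clusterrole-abilities`, so that service account can now delete any pod in the cluster; the sibling `Role` `demo-role-list-pods`, outside this hunk, keeps `["list"]`, leaving two near-identical names with different permissions. If the tutorial needs `delete`, rename the ClusterRole to say so (and the matching `roleRef.name` in `bindings.yaml`) or narrow it to the `demo` namespace as a `Role`, and annotate the verbs line, e.g. `verbs: ["list","get","delete"]  # get/delete are used by later kse tutorial steps`. The ClusterRole definition begins before this hunk.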
@@ -1,25 +0,0 @@
-#------------------------------------------------------------
-# Enable userpass auth method in the 'admin/test' namespace
-#------------------------------------------------------------
-resource "vault_auth_backend" "userpass" {
- depends_on = [vault_namespace.test]
- namespace = vault_namespace.test.path
- type = "userpass"
-}
-
-#-----------------------------------------------------------
-# Create a user named 'student' with password, 'changeme'
-#-----------------------------------------------------------
-resource "vault_generic_endpoint" "student" {
- depends_on = [vault_auth_backend.userpass]
- path = "auth/userpass/users/student"
- namespace = vault_namespace.test.path
- ignore_absent_fields = true
-
- data_json = <
Date: Fri, 26 Aug 2022 11:23:38 -0500
Subject: [PATCH 5/8] Delete main.tf
---
 .../configure-vault/main.tf | 63 -------------------
 1 file changed, 63 deletions(-)
 delete mode 100644 cloud/terraform-hcp-vault/configure-vault/main.tf
diff --git a/cloud/terraform-hcp-vault/configure-vault/main.tf b/cloud/terraform-hcp-vault/configure-vault/main.tf
deleted file mode 100644
index 95bcef6e..00000000
--- a/cloud/terraform-hcp-vault/configure-vault/main.tf
+++ /dev/null
@@ -1,63 +0,0 @@
-#------------------------------------------------------------------------------
-# The best practice is to use remote state file and encrypt it since your
-# state files may contains sensitive data (secrets).
-#------------------------------------------------------------------------------
-# terraform {
-# backend "s3" {
-# bucket = "remote-terraform-state-dev"
-# encrypt = true
-# key = "terraform.tfstate"
-# region = "us-east-1"
-# }
-# }
-
-
-#------------------------------------------------------------------------------
-# To leverage more than one namespace, define a vault provider per namespace
-#
-# admin
-# ├── education
-# │ └── training
-# │ └── boundary
-# └── test
-#------------------------------------------------------------------------------
-terraform {
- required_providers {
- vault = "~> 3.8.0"
- }
-}
-
-
-provider "vault" {}
-
-#--------------------------------------
-# Create 'admin/education' namespace
-#--------------------------------------
-resource "vault_namespace" "education" {
- path = "education"
-}
-
-#---------------------------------------------------
-# Create 'admin/education/training' namespace
-#---------------------------------------------------
-resource "vault_namespace" "training" {
- depends_on = [vault_namespace.education]
- namespace = vault_namespace.education.path
- path = "training"
-}
-
-#-----------------------------------------------------------
-# Create 'admin/education/training/boundary' namespace
-#-----------------------------------------------------------
-resource "vault_namespace" "boundary" {
- depends_on = [vault_namespace.training]
- namespace = vault_namespace.training.path_fq
- path = "boundary"
-}
-
-# #--------------------------------------
-# # Create 'admin/test' namespace
-# #--------------------------------------
-resource "vault_namespace" "test" {
- path = "test"
-}
\ No newline at end of file
From 8ef548ef248acf2822bd66ddcdf129ed74ce5006 Mon Sep 17 00:00:00 2001
From: mister-ken <104874953+mister-ken@users.noreply.github.com>
Date: Fri, 26 Aug 2022 11:23:49 -0500
Subject: [PATCH 6/8] Delete policies.tf
---
 .../configure-vault/policies.tf | 54 -------------------
 1 file changed, 54 deletions(-)
 delete mode 100644 cloud/terraform-hcp-vault/configure-vault/policies.tf
diff --git a/cloud/terraform-hcp-vault/configure-vault/policies.tf b/cloud/terraform-hcp-vault/configure-vault/policies.tf
deleted file mode 100644
index 91ccbe0d..00000000
--- a/cloud/terraform-hcp-vault/configure-vault/policies.tf
+++ /dev/null
@@ -1,54 +0,0 @@
-# Create an admins policy in the admin namespace
-resource "vault_policy" "admin_policy" {
- namespace = vault_namespace.test.path
- name = "admins"
- policy = file("policies/admin-policy.hcl")
-}
-
-# # Create an admins policy in the admin/education namespace
-resource "vault_policy" "admin_policy_education" {
- namespace = vault_namespace.education.path
- depends_on = [vault_namespace.education]
- name = "admins"
- policy = file("policies/admin-policy.hcl")
-}
-
-# # Create an admins policy in the admin/education/training namespace
-resource "vault_policy" "admin_policy_training" {
- namespace = vault_namespace.training.path_fq
- depends_on = [vault_namespace.training]
- name = "admins"
- policy = file("policies/admin-policy.hcl")
-}
-
-# # Create admins policy in the admin/education/training/boundary namespace
-resource "vault_policy" "admin_policy_boundary" {
- namespace = vault_namespace.boundary.path_fq
- depends_on = [vault_namespace.boundary]
- name = "admins"
- policy = file("policies/admin-policy.hcl")
-}
-
-# # Create an admins policy in the admin/test namespace
-resource "vault_policy" "admin_policy_test" {
- namespace = vault_namespace.test.path
- depends_on = [vault_namespace.test]
- name = "admins"
- policy = file("policies/admin-policy.hcl")
-}
-
-# # Create a tester policy in the admin/test namespace
-resource "vault_policy" "tester_policy" {
- namespace = vault_namespace.test.path
- depends_on = [vault_namespace.test]
- name = "tester"
- policy = file("policies/tester.hcl")
-}
-
-# # Create an eaas-client policy in the admin/education namespace
-resource "vault_policy" "eaas-client_policy" {
- namespace = vault_namespace.education.path
- depends_on = [vault_namespace.education]
- name = "eaas-client"
- policy = file("policies/eaas-client-policy.hcl")
-}
\ No newline at end of file
From dcdc912436cdd4cfbe39429ce04e6165149b5ee8 Mon Sep 17 00:00:00 2001
From: mister-ken <104874953+mister-ken@users.noreply.github.com>
Date: Fri, 26 Aug 2022 11:23:57 -0500
Subject: [PATCH 7/8] Delete secrets.tf
---
 .../configure-vault/secrets.tf | 32 -------------------
 1 file changed, 32 deletions(-)
 delete mode 100644 cloud/terraform-hcp-vault/configure-vault/secrets.tf
diff --git a/cloud/terraform-hcp-vault/configure-vault/secrets.tf b/cloud/terraform-hcp-vault/configure-vault/secrets.tf
deleted file mode 100644
index d3d73f06..00000000
--- a/cloud/terraform-hcp-vault/configure-vault/secrets.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-# Enable kv-v2 secrets engine in the education namespace
-resource "vault_mount" "kv-v2" {
- depends_on = [vault_namespace.education]
- namespace = vault_namespace.education.path
- path = "kv-v2"
- type = "kv-v2"
-}
-
-# Enable kv-v2 secrets engine in the 'admin/test' namespace at 'secret' path
-resource "vault_mount" "secret" {
- depends_on = [vault_namespace.test]
- namespace = vault_namespace.test.path
- path = "secret"
- type = "kv-v2"
-}
-
-# Enable Transit secrets engine at 'transit' in the 'admin/education' namespace
-resource "vault_mount" "transit" {
- depends_on = [vault_namespace.education]
- namespace = vault_namespace.education.path
- path = "transit"
- type = "transit"
-}
-
-# # Creating an encryption key named 'payment'
-resource "vault_transit_secret_backend_key" "key" {
- depends_on = [vault_mount.transit]
- namespace = vault_namespace.education.path
- backend = "transit"
- name = "payment"
- deletion_allowed = true
-}
From f430aa1d9ba2d6bc16fb2a89c9e45b9f02fe0914 Mon Sep 17 00:00:00 2001
From: Ken Keller
Date: Fri, 26 Aug 2022 11:32:41 -0500
Subject: [PATCH 8/8] Revert "updates namspaces"
This reverts commit 1ac73821a7f061bfff4e8a48b7a8acfa5c29dd28.
---
 .../configure-vault/auth.tf | 4 +-
 .../configure-vault/main.tf | 43 +++++++++++++------
 .../configure-vault/policies.tf | 26 +++++------
 .../configure-vault/secrets.tf | 10 ++---
 4 files changed, 51 insertions(+), 32 deletions(-)
diff --git a/cloud/terraform-hcp-vault/configure-vault/auth.tf b/cloud/terraform-hcp-vault/configure-vault/auth.tf
index 73e2f5c8..83b05250 100644
--- a/cloud/terraform-hcp-vault/configure-vault/auth.tf
+++ b/cloud/terraform-hcp-vault/configure-vault/auth.tf
@@ -3,7 +3,7 @@
 #------------------------------------------------------------
 resource "vault_auth_backend" "userpass" {
 depends_on = [vault_namespace.test]
- namespace = vault_namespace.test.path
+ provider = vault.test
 type = "userpass"
 }
 
@@ -12,8 +12,8 @@ resource "vault_auth_backend" "userpass" {
 #-----------------------------------------------------------
 resource "vault_generic_endpoint" "student" {
 depends_on = [vault_auth_backend.userpass]
+ provider = vault.test
 path = "auth/userpass/users/student"
- namespace = vault_namespace.test.path
 ignore_absent_fields = true
 
 data_json = <