Merge branch 'dev'

Merging Vault integration

.dockerignore

@@ -16,4 +16,7 @@ shellen.txt
 sapper/.sessions
 sapper/__sapper__
 sapper/node_modules
-sapper/src/node_modules
+sapper/src/node_modules
+vault/logs/
+vault/data/
+vault/keys.txt

.gitignore

@@ -109,4 +109,7 @@ Temporary Items
 /web/sapper/cypress/screenshots/
 /web/sapper/__sapper__/
 /web/sapper/.sessions/
-/vendor/
+/vendor/
+/vault/logs/
+/vault/data/
+/vault/keys.txt

Makefile

@@ -59,6 +59,9 @@ microK8sdown:
 	kubectl apply -f cicd/K8s/web -n micro
  kdelete:
 	kubectl delete -f $FOLDER -n micro
+## Port froward to access micro running in K8s
+kmicroportfwd:
+	kubectl port-forward svc/proxy -n micro 8081:443
 
 # -------------------------------------------------------------------------------------
 
@@ -204,3 +207,74 @@ authviaapigateway:
 	--data-raw '{"pwd":"1234","email":"[email protected]"}'
 
 
+# -------------------------------------------------------------------------------------
+
+# Run Micro in K8s with Vault for service secret management
+
+# ---- Setup Vault ------
+
+# init secrets and K8s auth in Vault
+vkubinit:
+	kubectl cp vault/scripts vault-0:/vault/file/
+	kubectl exec vault-0 -- /vault/file/scripts/setup.sh $$VAULT_TOKEN
+
+# Populate secrets, create roles and policies
+vkubsetup:
+	kubectl cp vault/policies vault-0:/vault/file/
+	kubectl cp vault/scripts vault-0:/vault/file/
+	kubectl exec vault-0 -- /vault/file/scripts/allServices.sh  $$VAULT_TOKEN
+
+# ---- Integrate Vault with App ------
+
+# Apply patches to the services' deployments so they are visible to the Vault Agent
+# This is done after the pods are already deployed
+vkubpatchdeploy:
+	kubectl apply -f cicd/K8s/vault/serviceAccount -n micro
+	kubectl patch deployment audit-latest -n micro --patch "$$(cat cicd/K8s/vault/patch/auditsrv-deployment-patch.yaml)"
+	kubectl patch deployment customer-latest -n micro --patch "$$(cat cicd/K8s/vault/patch/customersrv-deployment-patch.yaml)"
+	kubectl patch deployment product-latest -n micro --patch "$$(cat cicd/K8s/vault/patch/productsrv-deployment-patch.yaml)"
+	kubectl patch deployment user-latest -n micro --patch "$$(cat cicd/K8s/vault/patch/usersrv-deployment-patch.yaml)"
+	kubectl patch deployment promotion-latest -n micro --patch "$$(cat cicd/K8s/vault/patch/promotionsrv-deployment-patch.yaml)"
+
+# Remove service accounts used to integrate with Vault
+# This is done after application is brought down
+vkubdelserviceaccounts:
+	kubectl delete -f cicd/K8s/vault/serviceAccount -n micro
+
+# ------ Remove setup from Vault -------
+
+# Remove secrets, create roles and policies
+vkubteardown:
+	kubectl cp vault/scripts vault-0:/vault/file/
+	kubectl exec vault-0 -- /vault/file/scripts/deleteAllSrv.sh $$VAULT_TOKEN
+	make vkubcleancontainer
+
+# Remove secret engine and K8s auth in Vault
+vkubsetupdelete:
+	kubectl cp vault/scripts vault-0:/vault/file/
+	kubectl exec vault-0 -- /vault/file/scripts/deleteSetup.sh  $$VAULT_TOKEN
+	make vkubcleancontainer
+
+
+# ---- Vault Misc --------
+
+# Unseal Vault on startup
+vkubunseal:
+	kubectl exec -ti vault-0 -- vault operator unseal $$KEY
+# Enable Vault UI port
+vkubui:
+	kubectl port-forward vault-0 8100:8200
+
+
+# Commands to test services with Vault secrets and no connections in env vars
+vtestnosecrets:
+	micro run --env_vars 'MICRO_BROKER=nats,DISABLE_AUDIT_RECORDS=false' --name user  user/server
+	micro run --env_vars 'MICRO_BROKER=nats' --name audit audit/server
+	micro run --env_vars 'MICRO_BROKER=nats,DISABLE_AUDIT_RECORDS=false' --name product product/server
+	micro run --env_vars 'MICRO_BROKER=nats,DISABLE_AUDIT_RECORDS=false' --name customer customer/server
+	micro run --env_vars 'MICRO_BROKER=nats,DISABLE_AUDIT_RECORDS=false,MICRO_STORE=redis' --name promotion  promotion/server
+
+# Clean scripts and policies in Vault container
+vkubcleancontainer:
+	kubectl exec vault-0 -- rm -rf /vault/file/scripts/
+	kubectl exec vault-0 -- rm -rf /vault/file/policies/

README.md

@@ -17,6 +17,7 @@ In it current incarnation (this is wip), this mono-repo uses the following stack
 - `TimescaleDB` time series DB used for historical audit data storage
 - `ArangoDB`is a multi-model database used for master data storage
 - `Redis` is used to cache data and reduce number of data requests to other services
+- `Vault` for credentials management when running in Kubernetes
 - `Docker` for creating application images
 - `Docker-compose` to run the application
 - `Minikube` to run the application in Kubernetes
@@ -31,7 +32,7 @@ In terms of the web front end, the stack is as follows:
 
 Below is a diagram that displays the overall setup of the application:
 
-![Diagram showing goTempM components](diagramsforDocs/goTempM_Diagram-micro-v1.png)
+![Diagram showing goTempM components](diagramsforDocs/goTempM_Diagram-micro-v2.png)
 
 In a nutshell. the application functionality is as follows in the backend:
 
@@ -170,11 +171,31 @@ Finally, access app:
      minikube service web -n micro
 ```
 
-Stop the application:
+
+
+##### Vault integration
+
+The microservices can be integrated with Vault when running in K8s to manage their credentials.
+To enable this integration, please first **refer to the README in the** `./vault` **directory** to setup Vault and all the microservices secrets.
+Once that is configured, and the application is running, just execute :
+
+```bash
+    make vkubpatchdeploy
+```
+
+Once that completes, the microservices' credentials to the different dependencies (DBs, brokers,etc ...) can be managed in Vault.
+
+##### Stopping the application
+
+to stop the application, execute:
+
 ```bash
     make microK8sdown
 ```
-Note: you will need stop the port forwarding as well
+
+Note: The port forwarding to Micro should also be stopped.
+Also, if the Vault Integration is enabled, and the VAULT UI is enabled, then the associated port-forwarding should be stopped as well. 
+
 
 #### Running with Micro locally
 
@@ -229,6 +250,7 @@ Currently, we have the following:
 - `redis`: Volumes mounted on the redis container as well as config files (if any)
 - `timescaleDB`: Volumes mounted to the Timescale DB container as well as data initialization scripts
 - `user`: User and authentication service
+- `Vault`: Scripts & policies needed to run the app in K8s with Vault
 - `web`: application web frontend
 
 Additionally, we have the following files in the root directory as well:

cicd/K8s/vault/patch/auditsrv-deployment-patch.yaml

@@ -0,0 +1,23 @@
+spec:
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "gotempm-auditsrv"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/agent-requests-cpu: "100m"
+        vault.hashicorp.com/agent-inject-secret-timescaledb.txt: "gotempmkv/data/database/timescaledb/auditsrv"
+        vault.hashicorp.com/agent-inject-template-timescaledb.txt: |
+          {{- with secret "gotempmkv/data/database/timescaledb/auditsrv" -}}
+          export DB_CONNECT="postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.server }}/{{ .Data.data.dbname }}?application_name={{ .Data.data.application_name }}"
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-nats.txt: "gotempmkv/data/broker/nats/auditsrv"
+        vault.hashicorp.com/agent-inject-template-nats.txt: |
+          {{- with secret "gotempmkv/data/broker/nats/auditsrv" -}}
+          export MICRO_BROKER_ADDRESS="{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.server }}"
+          {{- end -}}
+    spec:
+      serviceAccountName: gotempm-auditsrv
+      containers:
+        - name: audit
+          command: ['sh', '-c', 'source /vault/secrets/timescaledb.txt && source /vault/secrets/nats.txt && ./loader' ]

cicd/K8s/vault/patch/customersrv-deployment-patch.yaml

@@ -0,0 +1,25 @@
+spec:
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "gotempm-customersrv"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/agent-requests-cpu: "100m"
+        vault.hashicorp.com/agent-inject-secret-arangodb.txt: "gotempmkv/data/database/arangodb/customersrv"
+        vault.hashicorp.com/agent-inject-template-arangodb.txt: |
+          {{- with secret "gotempmkv/data/database/arangodb/customersrv" -}}
+          export DB_USER="{{ .Data.data.username }}"
+          export DB_ADDRESS="{{ .Data.data.server }}"
+          export DB_PASS="{{ .Data.data.password }}"
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-nats.txt: "gotempmkv/data/broker/nats/customersrv"
+        vault.hashicorp.com/agent-inject-template-nats.txt: |
+          {{- with secret "gotempmkv/data/broker/nats/customersrv" -}}
+          export MICRO_BROKER_ADDRESS="{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.server }}"
+          {{- end -}}
+    spec:
+      serviceAccountName: gotempm-customersrv
+      containers:
+        - name: customer
+          command: ['sh', '-c', 'source /vault/secrets/arangodb.txt && source /vault/secrets/nats.txt && ./loader' ]

cicd/K8s/vault/patch/productsrv-deployment-patch.yaml

@@ -0,0 +1,25 @@
+spec:
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "gotempm-productsrv"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/agent-requests-cpu: "100m"
+        vault.hashicorp.com/agent-inject-secret-arangodb.txt: "gotempmkv/data/database/arangodb/productsrv"
+        vault.hashicorp.com/agent-inject-template-arangodb.txt: |
+          {{- with secret "gotempmkv/data/database/arangodb/productsrv" -}}
+          export DB_USER="{{ .Data.data.username }}"
+          export DB_ADDRESS="{{ .Data.data.server }}"
+          export DB_PASS="{{ .Data.data.password }}"
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-nats.txt: "gotempmkv/data/broker/nats/productsrv"
+        vault.hashicorp.com/agent-inject-template-nats.txt: |
+          {{- with secret "gotempmkv/data/broker/nats/productsrv" -}}
+          export MICRO_BROKER_ADDRESS="{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.server }}"
+          {{- end -}}
+    spec:
+      serviceAccountName: gotempm-productsrv
+      containers:
+        - name: product
+          command: ['sh', '-c', 'source /vault/secrets/arangodb.txt && source /vault/secrets/nats.txt && ./loader' ]

cicd/K8s/vault/patch/promotionsrv-deployment-patch.yaml

@@ -0,0 +1,28 @@
+spec:
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "gotempm-promotionsrv"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/agent-requests-cpu: "100m"
+        vault.hashicorp.com/agent-inject-secret-postgresql.txt: "gotempmkv/data/database/postgresql/promotionsrv"
+        vault.hashicorp.com/agent-inject-template-postgresql.txt: |
+          {{- with secret "gotempmkv/data/database/postgresql/promotionsrv" -}}
+          export POSTGRES_CONNECT="postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.server }}/{{ .Data.data.dbname }}?application_name={{ .Data.data.application_name }}"
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-nats.txt: "gotempmkv/data/broker/nats/promotionsrv"
+        vault.hashicorp.com/agent-inject-template-nats.txt: |
+          {{- with secret "gotempmkv/data/broker/nats/promotionsrv" -}}
+          export MICRO_BROKER_ADDRESS="{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.server }}"
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-redis.txt: "gotempmkv/data/database/redis/promotionsrv"
+        vault.hashicorp.com/agent-inject-template-redis.txt: |
+          {{- with secret "gotempmkv/data/database/redis/promotionsrv" -}}
+          export MICRO_STORE_ADDRESS="redis://:{{ .Data.data.password }}@{{ .Data.data.server }}:6379"
+          {{- end -}}
+    spec:
+      serviceAccountName: gotempm-promotionsrv
+      containers:
+        - name: promotion
+          command: ['sh', '-c', 'source /vault/secrets/postgresql.txt && source /vault/secrets/nats.txt && source /vault/secrets/redis.txt && ./loader' ]

cicd/K8s/vault/patch/usersrv-deployment-patch.yaml

@@ -0,0 +1,23 @@
+spec:
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "gotempm-usersrv"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/agent-requests-cpu: "100m"
+        vault.hashicorp.com/agent-inject-secret-postgresql.txt: "gotempmkv/data/database/postgresql/usersrv"
+        vault.hashicorp.com/agent-inject-template-postgresql.txt: |
+          {{- with secret "gotempmkv/data/database/postgresql/usersrv" -}}
+          export POSTGRES_CONNECT="postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.server }}/{{ .Data.data.dbname }}?application_name={{ .Data.data.application_name }}"
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-nats.txt: "gotempmkv/data/broker/nats/usersrv"
+        vault.hashicorp.com/agent-inject-template-nats.txt: |
+          {{- with secret "gotempmkv/data/broker/nats/usersrv" -}}
+          export MICRO_BROKER_ADDRESS="{{ .Data.data.username }}:{{ .Data.data.password }}@{{ .Data.data.server }}"
+          {{- end -}}
+    spec:
+      serviceAccountName: gotempm-usersrv
+      containers:
+      - name: user
+        command: ['sh', '-c', 'source /vault/secrets/postgresql.txt && source /vault/secrets/nats.txt && ./loader' ]

cicd/K8s/vault/serviceAccount/auditsrv-serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gotempm-auditsrv

cicd/K8s/vault/serviceAccount/customersrv-serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gotempm-customersrv

cicd/K8s/vault/serviceAccount/productsrv-serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gotempm-productsrv

cicd/K8s/vault/serviceAccount/promotionsrv-serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gotempm-promotionsrv

cicd/K8s/vault/serviceAccount/usersrv-serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gotempm-usersrv