From 578b2ae184d133ba755d300ef3424465653c184a Mon Sep 17 00:00:00 2001
From: Bin Ju
Date: Mon, 2 Dec 2019 17:47:40 -0500
Subject: [PATCH] enable postgres as the backend of `vault`

- terraform: add a cloudsql/postgres
- chart: use postgres as the backend
- to-do: the password should be kept as a k8s secret

Signed-off-by: Bin Ju
---
 .../vault/templates/vault-tls-secret.yml | 2 ++
 deployments/with-creds/vault/values.yaml | 4 +--
 terraform/main.tf | 36 +++++++++++++++++++
 terraform/outputs.tf | 25 +++++++++++++
 4 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/deployments/with-creds/vault/templates/vault-tls-secret.yml b/deployments/with-creds/vault/templates/vault-tls-secret.yml
index a13778c..42e789f 100644
--- a/deployments/with-creds/vault/templates/vault-tls-secret.yml
+++ b/deployments/with-creds/vault/templates/vault-tls-secret.yml
@@ -9,3 +9,5 @@ data:
   vault.crt: {{ default "" .Values.vault.crt | b64enc | quote }}
   vault.key: {{ default "" .Values.vault.key | b64enc | quote }}
 {{- end }}
+  vault.ip: {{ default "" .Values.vault.ip | b64enc | quote }}
+  vault.secret: {{ default "" .Values.vault.secret | b64enc | quote }}
diff --git a/deployments/with-creds/vault/values.yaml b/deployments/with-creds/vault/values.yaml
index 02d0ba1..de4960e 100644
--- a/deployments/with-creds/vault/values.yaml
+++ b/deployments/with-creds/vault/values.yaml
@@ -17,6 +17,6 @@ vault:
       tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
     }
-    storage "file" {
-      path = "/vault/data"
+    storage "postgresql" {
+      connection_url = "host=%VAULT_IP% port=5432 user=atc password=%VAULT_SECRET% sslkey=/home/vault/vault-server-tls/vault.key sslcert=/home/vault/vault-server-tls/vault.crt sslrootcert=/home/vault/vault-server-tls/vault.ca dbname=vault"
     }
diff --git a/terraform/main.tf b/terraform/main.tf
index 67bdbc6..122912c 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
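Review bot: Both added keys fall back to an empty string, so a release that forgets to set `.Values.vault.secret` renders an empty database password into the Secret instead of failing at template time; `vault.secret: {{ required "vault.secret must be set" .Values.vault.secret | b64enc | quote }}` turns the omission into a render error. Placing the database password in the same Secret as the TLS material also means every workload or RBAC subject that needs the certificate can read the password, so a separate Secret for the database credentials would keep the two audiences apart. The two lines sit after `{{- end }}`, so they are rendered regardless of whichever condition guards the TLS keys above; if that is intended, a short comment saying so would save the next reader from checking.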
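Review bot: The new `connection_url` supplies `sslkey`, `sslcert` and `sslrootcert` but no `sslmode`, and libpq's default is `prefer`, under which the server certificate is not verified against the root certificate and the client silently falls back to a cleartext connection if TLS negotiation fails; appending `sslmode=verify-full` (or `verify-ca` if the CloudSQL server certificate does not name the IP) makes the supplied CA actually enforced. The certificate paths under `/home/vault/vault-server-tls/` also differ from the `/vault/userconfig/vault-server-tls/` used by `tls_client_ca_file` in the context line above, so one of the two is likely wrong unless the chart mounts the same material twice. `%VAULT_IP%` and `%VAULT_SECRET%` are substituted outside this hunk; whatever performs that substitution ends up holding the password in the rendered config, so a comment naming where it runs (and noting that Vault's postgresql backend also accepts the URL from the `VAULT_PG_CONNECTION_URL` environment variable) would help the reader.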
@@ -139,3 +139,39 @@ module "ci-database" {
   zone = "${var.zone}"
   max_connections = "100"
 }
+
+# Creates the CloudSQL Postgres database to be used by the `vault`
+# Concourse deployment.
+#
+ module "vault-database" {
+  source = "./database"
+
+  name = "vault"
+  cpus = "4"
+  disk_size_gb = "10"
+  memory_mb = "5120"
+  region = "${var.region}"
+  zone = "${var.zone}"
+  max_connections = "100"
+}
+
+# gkms key for vault unseal
+# Concourse deployment.
+#
+resource "google_kms_key_ring" "keyring" {
+  name = "vault-helm-unseal-kr"
+  location = "global"
+}
+
+# crypto key for vault unseal
+# Concourse deployment.
+#
+resource "google_kms_crypto_key" "vault-helm-unseal-key" {
+  name = "vault-helm-unseal-key"
+  key_ring = "${google_kms_key_ring.keyring.self_link}"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index 4774002..bf9ee60 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -48,6 +48,31 @@ output "ci-database-private-key" {
   value = "${module.ci-database.private-key}"
 }
+# vault database outputs
+output "vault-database-ip" {
+  value = "${module.vault-database.ip}"
+}
+
+output "vault-database-ca-cert" {
+  sensitive = true
+  value = "${module.vault-database.ca-cert}"
+}
+
+output "vault-database-password" {
+  sensitive = true
+  value = "${module.vault-database.password}"
+}
+
+output "vault-database-cert" {
+  sensitive = true
+  value = "${module.vault-database.cert}"
+}
+
+output "vault-database-private-key" {
+  sensitive = true
+  value = "${module.vault-database.private-key}"
+}
+
 output "hush-house-address" {
   value = "${google_compute_address.hush-house.address}"
 }
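Review bot: The `google_kms_crypto_key` used for auto-unseal sets no `rotation_period`, so Cloud KMS never rotates the unseal key on its own; adding `rotation_period = "7776000s"` (90 days, as an example value) has KMS create new primary versions while earlier versions stay enabled for blobs already sealed with them. Nothing in the hunk grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key, so unless a `google_kms_crypto_key_iam_member` exists elsewhere the identity the Vault pods run as cannot unseal; it is worth confirming that binding exists and is scoped to this key rather than the project. On style, `module "vault-database"` carries a stray leading space, and the `# Concourse deployment.` line in both KMS comments reads as a leftover from the database comment above; `# Cloud KMS key ring and crypto key used by Vault auto-unseal.` would say what the two resources are for.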
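Review bot: Marking `vault-database-password`, the certificate and the private key `sensitive = true` only redacts them from `terraform output` and plan display; they are still written in clear text to the Terraform state, so the state backend's access control and encryption are what actually protect the database password this hunk exports. The commit message's to-do about keeping the password in a Kubernetes Secret presumably means these outputs are read back out of state and fed into `.Values.vault.secret`, which would be worth stating in the `# vault database outputs` comment so the consumer of each output is known. The neighbouring `ci-database` outputs are outside the hunk, so whether they follow the same `sensitive` convention is not visible here.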