enable postgres as the backend of vault

- terraform: add a cloudsql/postgres - chart: use postgres as the backend - to-do: the password should be kept as a k8s secret Signed-off-by: Bin Ju <[email protected]>
concourse · Dec 3, 2019 · 7a23baf · 7a23baf
1 parent 5a719ca
commit 7a23baf
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 2 deletions.
diff --git a/deployments/with-creds/vault/templates/vault-tls-secret.yml b/deployments/with-creds/vault/templates/vault-tls-secret.yml
@@ -8,4 +8,6 @@ data:
   vault.ca: {{ default "" .Values.vault.ca  | b64enc | quote }}
   vault.crt: {{ default "" .Values.vault.crt | b64enc | quote }}
   vault.key: {{ default "" .Values.vault.key | b64enc | quote }}
+  vault.ip: {{ default "" .Values.vault.ip | b64enc | quote }}
+  vault.secret: {{ default "" .Values.vault.secret | b64enc | quote }}
   {{- end }}
diff --git a/deployments/with-creds/vault/values.yaml b/deployments/with-creds/vault/values.yaml
@@ -17,6 +17,6 @@ vault:
           tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
         }
 
-        storage "file" {
-          path = "/vault/data"
+        storage "postgresql" {
+          connection_url = "host=%VAULT_IP% port=5432 user=atc password=%VAULT_SECRET% sslkey=/home/vault/vault-server-tls/vault.key sslcert=/home/vault/vault-server-tls/vault.crt sslrootcert=/home/vault/vault-server-tls/vault.ca dbname=vault"
         }
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -139,3 +139,39 @@ module "ci-database" {
   zone            = "${var.zone}"
   max_connections = "100"
 }
+
+# Creates the CloudSQL Postgres database to be used by the `vault`
+# Concourse deployment.
+#
+ module "vault-database" {
+  source = "./database"
+
+  name            = "vault"
+  cpus            = "4"
+  disk_size_gb    = "10"
+  memory_mb       = "5120"
+  region          = "${var.region}"
+  zone            = "${var.zone}"
+  max_connections = "100"
+}
+
+# gkms key for vault unseal
+# Concourse deployment.
+#
+resource "google_kms_key_ring" "keyring" {
+  name     = "vault-helm-unseal-kr"
+  location = "global"
+}
+
+# crypto key for vault unseal
+# Concourse deployment.
+#
+resource "google_kms_crypto_key" "vault-helm-unseal-key" {
+  name            = "vault-helm-unseal-key"
+  key_ring        = "${google_kms_key_ring.keyring.self_link}"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -48,6 +48,31 @@ output "ci-database-private-key" {
   value     = "${module.ci-database.private-key}"
 }
 
+# vault database outputs
+output "vault-database-ip" {
+  value = "${module.vault-database.ip}"
+}
+
+output "vault-database-ca-cert" {
+  sensitive = true
+  value     = "${module.vault-database.ca-cert}"
+}
+
+output "vault-database-password" {
+  sensitive = true
+  value     = "${module.vault-database.password}"
+}
+
+output "vault-database-cert" {
+  sensitive = true
+  value     = "${module.vault-database.cert}"
+}
+
+output "vault-database-private-key" {
+  sensitive = true
+  value     = "${module.vault-database.private-key}"
+}
+
 output "hush-house-address" {
   value = "${google_compute_address.hush-house.address}"
 }