enable postgres as the backend of vault
- terraform: add a cloudsql/postgres
- chart: use postgres as the backend

Signed-off-by: Bin Ju <bju@pivotal.io>
pivotal-bin-ju authored and kcmannem committed Jan 8, 2020
1 parent 53801c0 commit 7ce778a
Showing 5 changed files with 93 additions and 5 deletions.
28 changes: 27 additions & 1 deletion deployments/with-creds/vault/README.md
@@ -1,3 +1,29 @@
# Setup

1. Clone [vault-helm](https://github.com/hashicorp/vault-helm) into charts/vault-helm and checkout the version referenced in `requirements.yaml`
1. ~Clone [vault-helm](https://github.com/hashicorp/vault-helm) into charts/vault-helm and checkout the version referenced in `requirements.yaml`~
1. We have a forked version of [vault-helm](https://github.com/concourse/vault-helm). Which has something special for the postgres backend. Please keep using this version until it gets merged back to `vault-helm` chart.
1. `vault-nci` and `vault` are alive at the same time so far. `vault` may decommission in the future after `vault-nci` is all set.
1. How to deploy `vault-nci`
1.1 `git clone https://github.com/concourse/vault-helm` to the `charts` (hush-house/deployments/with-creds/vault/charts) directory.
1.1 `ln -s vault vault-nci`
1.1 `make creds-vault-nci`
1.1 `make deploy-vault-nci`. If you get the error `app-name has no deployed releases`, delete the deployment with the command `helm delete --purge vault-nci --tls`, then try again.
1. Verify
1.1 You should be able to login in to the container with the command `kubectl exec -it -n vault-nci vault-nci-0 /bin/sh`
1.1 `export VAULT_SKIP_VERIFY=true`
1.1 `vault status`.
```
Key Value
--- -----
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 5
Threshold 3
Version 1.2.4
Cluster Name vault-cluster-1c5d79f5
Cluster ID 2d6904b1-04ff-xxxx-xxxx-01fc92f15795
HA Enabled false
```
1.1 `vault list /concourse/main`. You should see those credentials.
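Review bot: the verification steps tell the reader to `export VAULT_SKIP_VERIFY=true` before `vault status`, which disables TLS certificate checking for the CLI; the chart already mounts `vault.ca` from the `vault-server-tls` secret, so point `VAULT_CACERT` at that file instead, or state explicitly that skipping verification is only for this one-off check from inside the pod, so the skip does not get copied into scripts. Two documentation points: every sub-step is labelled `1.1`, which renders as a flat list rather than nested steps (indent them under the parent item; markdown renumbers `1.` items automatically, which is why the repeated top-level `1.` works), and "has something special for the postgres backend" should say what the fork actually does, e.g. whether it is what substitutes the `%VAULT_IP%` and `%VAULT_SECRET%` placeholders in `values.yaml`, so a reader knows what must be upstreamed before switching back to `hashicorp/vault-helm`. Also, the sample output shows `HA Enabled false`; if that is intended, say so, since the postgresql storage backend can run in HA mode and readers may expect it from a Postgres-backed deployment.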

2 changes: 2 additions & 0 deletions deployments/with-creds/vault/templates/vault-tls-secret.yml
@@ -9,3 +9,5 @@ data:
vault.crt: {{ default "" .Values.vault.crt | b64enc | quote }}
vault.key: {{ default "" .Values.vault.key | b64enc | quote }}
{{- end }}
vault.ip: {{ default "" .Values.vault.ip | b64enc | quote }}
vault.secret: {{ default "" .Values.vault.secret | b64enc | quote }}
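Review bot: `vault.ip` and `vault.secret` sit after the `{{- end }}` that closes the TLS conditional, so they render unconditionally while the cert and key above do not; that is probably intended, but because both use `default ""`, a missing `.Values.vault.secret` silently produces an empty password and Vault only fails later with a PostgreSQL authentication error from `connection_url`. Prefer `{{ required "vault.secret is required" .Values.vault.secret | b64enc | quote }}` (and the same for the IP) so `helm install` fails fast. Naming: this file is `vault-tls-secret.yml`, and a database password is not TLS material; a separate database secret would make it clearer which workloads need which secret and would keep the TLS secret mount from also carrying the database credential.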
8 changes: 4 additions & 4 deletions deployments/with-creds/vault/values.yaml
@@ -23,11 +23,11 @@ vault:
tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
}
storage "file" {
path = "/vault/data"
storage "postgresql" {
connection_url = "host=%VAULT_IP% port=5432 user=atc password=%VAULT_SECRET% sslkey=/home/vault/vault-server-tls/vault.key sslcert=/home/vault/vault-server-tls/vault.crt sslrootcert=/home/vault/vault-server-tls/vault.ca dbname=vault"
}
seal "gcpckms" {
key_ring = "vault-helm-unseal-kr"
crypto_key = "vault-helm-unseal-key"
key_ring = "vault-helm-unseal-kr-nci"
crypto_key = "vault-helm-unseal-key-nci"
}
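Review bot: `connection_url` does not set `sslmode`, so whether the server certificate is actually checked against the supplied `sslrootcert` depends on the driver default; make it explicit, e.g. `... sslrootcert=/home/vault/vault-server-tls/vault.ca sslmode=verify-ca dbname=vault` (`verify-full` would need the certificate to match the host, which is an IP here, so `verify-ca` is the right level and is what the CA output in `terraform/outputs.tf` exists for). The `%VAULT_SECRET%` substitution also drops the password unquoted into a key/value conninfo string, so a generated password containing a space or `'` breaks parsing; single-quote it (`password='%VAULT_SECRET%'`) or constrain the generator's alphabet. Separately, the seal stanza now points at `vault-helm-unseal-kr-nci` / `vault-helm-unseal-key-nci`, while the README creates `vault-nci` as a symlink to this same `vault` directory; if the existing `vault` release is ever redeployed from these values it will be configured with a KMS key it was not initialized with and will not unseal, so the README's "alive at the same time" claim needs a sentence on how `vault`'s old storage and seal settings are preserved.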
35 changes: 35 additions & 0 deletions terraform/main.tf
@@ -174,3 +174,38 @@ resource "google_kms_crypto_key" "vault-helm-unseal-key" {
prevent_destroy = true
}
}

# gkms key for vault-nci unseal
# Concourse deployment.
#
resource "google_kms_key_ring" "keyring-nci" {
name = "vault-helm-unseal-kr-nci"
location = "global"
}

# crypto key for vault-nci unseal
# Concourse deployment.
#
resource "google_kms_crypto_key" "vault-helm-unseal-key-nci" {
name = "vault-helm-unseal-key-nci"
key_ring = google_kms_key_ring.keyring-nci.self_link

lifecycle {
prevent_destroy = true
}
}

# Creates the CloudSQL Postgres database to be used by the `vault`
# Concourse deployment.
#
module "vault-database" {
source = "./database"

name = "vault"
cpus = "4"
disk_size_gb = "10"
memory_mb = "5120"
region = "${var.region}"
zone = "${var.zone}"
max_connections = "100"
}
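Review bot: the comment on the `vault-database` module says the database is "to be used by the `vault` Concourse deployment", but the rest of this commit (the `-nci` key ring and key, and the README) makes it the backend of `vault-nci`; fix the comment, and consider `name = "vault-nci"` to match, since `vault` is the natural instance name for the existing release. The comment "gkms key for vault-nci unseal" above `google_kms_key_ring` also describes a key ring, not a key. Minor: the module block uses `"${var.region}"` interpolation while the new KMS resources use a bare `google_kms_key_ring.keyring-nci.self_link` reference; pick one style within the new resources. Finally, the Vault pods will connect to the instance's IP on port 5432, so confirm that the `./database` module restricts authorized networks (or uses a private IP) rather than exposing the instance publicly; that is not visible in this hunk.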
25 changes: 25 additions & 0 deletions terraform/outputs.tf
@@ -48,6 +48,31 @@ output "ci-database-private-key" {
value = "${module.ci-database.private-key}"
}

# vault database outputs
output "vault-database-ip" {
value = "${module.vault-database.ip}"
}

output "vault-database-ca-cert" {
sensitive = true
value = "${module.vault-database.ca-cert}"
}

output "vault-database-password" {
sensitive = true
value = "${module.vault-database.password}"
}

output "vault-database-cert" {
sensitive = true
value = "${module.vault-database.cert}"
}

output "vault-database-private-key" {
sensitive = true
value = "${module.vault-database.private-key}"
}

output "hush-house-address" {
value = "${google_compute_address.hush-house.address}"
}
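Review bot: `sensitive = true` on `vault-database-password`, `vault-database-cert`, `vault-database-private-key` and `vault-database-ca-cert` only suppresses display in `terraform apply` and `terraform output`; the values are still stored in plaintext in the state file and returned by `terraform output -json`, which is presumably how `make creds-vault-nci` consumes them, so access control on the state backend is what actually protects the database credential and client key. A one-line comment saying so next to these outputs would help. The CA certificate is not secret (every client receives it) and could be left non-sensitive so it is visible when debugging TLS failures, though keeping it consistent with the `ci-database` outputs is acceptable.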
