Local development and guide (#55)

* Local development and guide

* Decrease cache size of local dev

* Add option to check values in ETCD in local dev docs

.gitignore

@@ -1,2 +1,3 @@
 bin
-tests/e2e/generated_manifests
+tests/e2e/generated_manifests
+vaultkms.socket

Taskfile.yml

@@ -7,7 +7,7 @@ vars:
   HELM_VERSION: 3.6.3
   VAULT_VERSION: 1.8.1
   KUBECTL_VERSION: 1.21.1
-  SCRIPT: scripts/templates/testing
+  SCRIPT: scripts/hcvault/archives/testing
 silent: true
 tasks:
   default:
@@ -126,11 +126,10 @@ tasks:
   docker:build:
     desc: build docker image
     cmds:
-      - docker build -t $DOCKER_REGISTRY/$IMAGE_NAME:latest .
+      - docker build -t $DOCKER_REGISTRY/$IMAGE_NAME:$IMAGE_VERSION .
   docker:push:
     desc: push docker image
     cmds:
-      - docker tag $DOCKER_REGISTRY/$IMAGE_NAME:latest $DOCKER_REGISTRY/$IMAGE_NAME:$IMAGE_VERSION
       - docker push $DOCKER_REGISTRY/$IMAGE_NAME:$IMAGE_VERSION
   go:unit-tests:
     cmds:

localdev.md

@@ -0,0 +1,72 @@
+# Local development
+
+This document describes how to develop Trousseau on your local machine.
+
+Requirements:
+
+* install and set up Docker
+* install taskfile https://taskfile.dev/#/installation
+* `vault.loc` hostname needs to be resolved to your local machine, or alternatively tou have to change `scripts/hcvault/archives/localdev/config.yaml` to point to a working Vault instance
+
+## Fetch dependencies
+
+Trousseau development environment has some binary dependencies. To download them all please execute the task below:
+
+```bash
+task fetch:all
+```
+
+## Create Vault in developer mode
+
+To spin up a Vault localy please execute the following command:
+
+```bash
+docker run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=vault-kms-demo' -p 8200:8200 -d --name=dev-vault vault
+```
+
+You can validate your Vault instance by performing a login:
+
+```bash
+docker exec -it dev-vault vault login -address=http://localhost:8200      
+Token (will be hidden): vault-kms-demo
+```
+
+## Run Trousseau
+
+Use command line or our favorite IDE to start Trousseau on your machine:
+
+```bash
+go run cmd/kubernetes-kms-vault/main.go --config-file-path scripts/hcvault/archives/localdev/config.yaml --listen-addr unix://vaultkms.socket --log-format-json=false
+```
+
+## Start cluster with encryption support
+
+For local testing we suggest to use Kind to create a cluster. Everything is configured for you so please run the command below:
+
+```bash
+task cluster:create SCRIPT=scripts/hcvault/archives/localdev
+```
+
+You are ready for create secrets!
+
+### Verify secret encryption
+
+To verify encryption please create a secret and check value in ETCD.
+
+```
+kubectl create secret -n default generic trousseau-test --from-literal=FOO=bar
+docker exec kms-vault-control-plane bash -c 'apt update && apt install -y etcd-client' # only once
+docker exec -it -e ETCDCTL_API=3 -e SSL_OPTS='--cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt --key=/etc/kubernetes/pki/apiserver-etcd-client.key --endpoints=localhost:2379' kms-vault-control-plane \
+bash -c 'etcdctl $SSL_OPTS get --keys-only=false --prefix /registry/secrets/default'
+```
+
+You have to see encrypted data in ETCD dump.
+
+### Cleanup cluster
+
+After you have finished fun on Trousseau you should terminate the cluster with the following command:
+
+```bash
+task cluster:delete
+```
+

scripts/hcvault/archives/localdev/config.yaml

@@ -0,0 +1,7 @@
+---
+provider: vault
+vault:
+  keynames:
+  -  vault-kms-demo
+  address: http://vault.loc:8200
+  token: vault-kms-demo

scripts/hcvault/archives/localdev/encryption-config.yaml

@@ -0,0 +1,12 @@
+---
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
+resources:
+  - resources:
+      - secrets
+    providers:
+      - kms:
+          name: vaultprovider
+          endpoint: unix:///opt/vault-kms/vaultkms.socket
+          cachesize: 1
+      - identity: {}

scripts/hcvault/archives/localdev/kind-cluster.yaml

@@ -0,0 +1,29 @@
+---
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  extraMounts:
+  - containerPath: /etc/kubernetes/encryption-config.yaml
+    hostPath: scripts/hcvault/archives/localdev/encryption-config.yaml
+    readOnly: true
+    propagation: None
+  - containerPath: /opt/vault-kms/vaultkms.socket
+    hostPath: vaultkms.socket
+    readOnly: true
+    propagation: None
+  kubeadmConfigPatches:
+    - |
+      kind: ClusterConfiguration
+      apiServer:
+        extraArgs:
+          encryption-provider-config: "/etc/kubernetes/encryption-config.yaml"
+        extraVolumes:
+        - name: encryption-config
+          hostPath: "/etc/kubernetes/encryption-config.yaml"
+          mountPath: "/etc/kubernetes/encryption-config.yaml"
+          readOnly: true
+          pathType: File
+        - name: sock-path
+          hostPath: "/opt"
+          mountPath: "/opt"

scripts/hcvault/archives/localdev/kms.yaml

@@ -0,0 +1 @@
+# Dummy file

scripts/hcvault/archives/testing/kind-cluster.yaml

@@ -5,7 +5,7 @@ nodes:
 - role: control-plane
   extraMounts:
   - containerPath: /etc/kubernetes/encryption-config.yaml
-    hostPath: scripts/encryption-config.yaml
+    hostPath: scripts/hcvault/archives/testing/encryption-config.yaml
     readOnly: true
     propagation: None
   - containerPath: /etc/kubernetes/vault-kms-provider.yaml