Merge branch '1158-vault-use-passthrough-ingressgateway' into 'master'

SKIP UPGRADE: Resolve "Vault Use Passthrough IngressGateway in BigBang" Closes #1158 See merge request platform-one/big-bang/bigbang!1629

Merge branch '1158-vault-use-passthrough-ingressgateway' into 'master'
43bd9ab5 · Ryan Garcia · 61e75502 · 797979e3 · 43bd9ab5 · 43bd9ab5
Commit 43bd9ab5 authored 2 years ago by Ryan Garcia
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,3 +2,4 @@ include:
  - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
    ref: master
    file: '/pipelines/bigbang.yaml'
+
--- a/chart/templates/vault/values.yaml
+++ b/chart/templates/vault/values.yaml
@@ -5,7 +5,6 @@
 {{- define "bigbang.defaults.vault" -}}
 # hostname is deprecated and replaced with domain. But if hostname exists then use it.
 {{- $domainName := default .Values.domain .Values.hostname }}
-hostname: {{ $domainName }}
 domain: {{ $domainName }}

 openshift: {{ .Values.openshift }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1343,7 +1343,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault.git
      path: "./chart"
-      tag: "0.19.0-bb.9"
+      tag: "0.20.0-bb.1"

    # -- Flux reconciliation overrides specifically for the Vault Package
    flux: {}

--- a/docs/example_configs/vault-production-values.yaml
+++ b/docs/example_configs/vault-production-values.yaml
+istio:
+  enabled: true
+
+  ingressGateways:
+    passthrough-ingressgateway:
+      type: "LoadBalancer"
+      # nodePortBase: 30200
+
+  gateways:
+    passthrough:
+      ingressGateway: "passthrough-ingressgateway"
+      hosts:
+      - "*.{{ .Values.domain }}"
+      tls:
+        mode: "PASSTHROUGH"
+
+addons:
+  vault:
+    enabled: true
+    ingress:
+      gateway: "passthrough"
+      # provide the Vault TLS cert and key. BigBang will create the secret and volumemount for you
+      # Leave blank to create your own secret and provide values for your own volume and volumemount
+      key: |
+        -----BEGIN PRIVATE KEY-----
+        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+        -----END PRIVATE KEY-----
+      cert: |
+        -----BEGIN CERTIFICATE-----
+        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+        -----END CERTIFICATE-----
+
+    values:
+      # disable autoInit. It should not be used for operations.
+      autoInit:
+        enabled: false
+
+      global:
+        # this is a double negative. Put "false" to enable TLS for passthrough ingress
+        tlsDisable: false
+
+      injector:
+        extraEnvironmentVars:
+          AGENT_INJECT_VAULT_ADDR: "https://vault.bigbang.dev"
+
+      server:
+        # Increase default resources
+        resources:
+          requests:
+            memory: 8Gi
+            cpu: 2000m
+          limits:
+            memory: 8Gi
+            cpu: 2000m
+
+        # disable the Vault provided ingress so that Istio ingress can be used.
+        ingress:
+          enabled: false
+
+        # Extra environment variable to support high availability
+        extraEnvironmentVars:
+          # the istio gateway domain
+          VAULT_API_ADDR: https://vault.bigbang.dev
+          VAULT_SKIP_VERIFY: "true"
+          VAULT_LOG_FORMAT: "json"
+          VAULT_LICENSE: "your-license-key-goes-here"
+
+        ha:
+          # enable high availability.
+          enabled: true
+          replicas: 3
+
+          # raft is the license free most simple solution for a distributed filesystem
+          raft:
+            enabled: true
+            setNodeId: true
+
+            # these values should be encrypted to prevent the kms_key_id from being revealed 
+            config: |
+              ui = true
+
+              listener "tcp" {
+                tls_disable = 0
+                address = "[::]:8200"
+                cluster_address = "[::]:8201"
+                tls_cert_file = "/vault/tls/tls.crt"
+                tls_key_file  = "/vault/tls/tls.key"
+              }
+
+              storage "raft" {
+                path = "/vault/data"
+
+                retry_join {
+                  leader_api_addr = "https://vault-vault-0.vault-vault-internal:8200"
+                  leader_client_cert_file = "/vault/tls/tls.crt"
+                  leader_client_key_file = "/vault/tls/tls.key"
+                  leader_tls_servername = "vault.bigbang.dev"
+                }
+        
+                retry_join {
+                  leader_api_addr = "https://vault-vault-1.vault-vault-internal:8200"
+                  leader_client_cert_file = "/vault/tls/tls.crt"
+                  leader_client_key_file = "/vault/tls/tls.key"
+                  leader_tls_servername = "vault.bigbang.dev"
+                }
+        
+                retry_join {
+                  leader_api_addr = "https://vault-vault-2.vault-vault-internal:8200"
+                  leader_client_cert_file = "/vault/tls/tls.crt"
+                  leader_client_key_file = "/vault/tls/tls.key"
+                  leader_tls_servername = "vault.bigbang.dev"
+                }
+              }
+
+              seal "awskms" {
+                region     = "us-gov-west-1"
+                kms_key_id = "your-kms-key-goes-here"
+                endpoint   = "https://kms.us-gov-west-1.amazonaws.com"
+              }
+
+              telemetry {
+                prometheus_retention_time = "24h"
+                disable_hostname = true
+                unauthenticated_metrics_access = true
+              }
+
+              service_registration "kubernetes" {}
\ No newline at end of file
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -160,6 +160,7 @@ gatekeeper:
          - keycloak/keycloak-cypress-test
          - jaeger/jaeger-operator-cypress-test
          - monitoring/kube-prometheus-stack-cypress-test
+          - vault/vault-cypress-test
          # Allow kyverno test vectors for Helm test
          - default/restrict-host-path-mount-.?
          - default/restrict-host-path-write-.?
@@ -253,6 +254,7 @@ gatekeeper:
          - keycloak/keycloak-cypress-test
          - jaeger/jaeger-operator-cypress-test
          - monitoring/kube-prometheus-stack-cypress-test
+          - vault/vault-cypress-test
          # Allow kyverno test vectors for Helm test
          - default/restrict-host-path-mount-.?
          - default/restrict-host-path-write-.?
@@ -359,6 +361,7 @@ kyvernopolicies:
              - keycloak
              - jaeger
              - monitoring
+              - vault
              names:
              - "*-cypress-test*"
        parameters:
@@ -377,6 +380,7 @@ kyvernopolicies:
              - keycloak
              - jaeger
              - monitoring
+              - vault
              names:
              - "*-cypress-test*"
        parameters:
@@ -410,6 +414,7 @@ kyvernopolicies:
              - keycloak
              - jaeger
              - monitoring
+              - vault
              names:
              - "*-cypress-test*"
      update-image-pull-policy:
@@ -1278,17 +1283,23 @@ addons:

  vault:
    enabled: false
+    ingress:
+      gateway: "passthrough"
+      key: "" # Gets added via chart/ingress-certs.yaml
+      cert: "" # Gets added via chart/ingress-certs.yaml
    sso:
      enabled: false
      client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_vault
    values:
-      server:
-        dataStorage:
-          enabled: true
-          size: 256Mi
-        auditStorage:
-          size: 256Mi
+      autoInit:
+        enabled: true
+      global:
+        tlsDisable: false
      injector:
+        extraEnvironmentVars:
+          VAULT_API_ADDR: https://vault.bigbang.dev
+        certs:
+          secretName: vault-tls
        affinity: |
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
@@ -1300,6 +1311,58 @@ addons:
                      app.kubernetes.io/instance: "{{ .Release.Name }}"
                      component: webhook
                  topologyKey: kubernetes.io/hostname
+      server:
+        extraEnvironmentVars:
+          VAULT_API_ADDR: https://vault.bigbang.dev  #istio GW
+          VAULT_SKIP_VERIFY: "true"
+          VAULT_LOG_FORMAT: "json"
+        dataStorage:
+          enabled: true
+          size: 256Mi
+        auditStorage:
+          size: 256Mi
+        ha:
+          enabled: true
+          replicas: 1
+
+          raft:
+            enabled: true
+            config: |
+              ui = true
+
+              listener "tcp" {
+                tls_disable = 0
+                address = "[::]:8200"
+                cluster_address = "[::]:8201"
+                tls_cert_file = "/vault/tls/tls.crt"
+                tls_key_file  = "/vault/tls/tls.key"
+              }
+
+              storage "raft" {
+                path = "/vault/data"
+
+                retry_join {
+                  leader_api_addr = "https://vault-vault-0.vault-vault-internal:8200"
+                  leader_client_cert_file = "/vault/tls/tls.crt"
+                  leader_client_key_file = "/vault/tls/tls.key"
+                  leader_tls_servername = "vault.bigbang.dev"
+                }
+              }
+
+              seal "awskms" {
+                region     = "us-gov-west-1"
+                kms_key_id = "17c01cdf-2bf9-4f58-9a54-c1c4e4b145be"
+                endpoint   = "https://kms.us-gov-west-1.amazonaws.com"
+              }
+
+              telemetry {
+                prometheus_retention_time = "24h"
+                disable_hostname = true
+                unauthenticated_metrics_access = true
+              }
+
+              service_registration "kubernetes" {}
+
      bbtests:
        enabled: true
        cypress: