From d8774122b7b72087c85881e0ff592842912c3aee Mon Sep 17 00:00:00 2001
From: Rajesh Rajendran
Date: Fri, 4 Nov 2022 09:52:23 +0000
Subject: [PATCH] chore(helm): initializing vault secrets (#797)
* chore(helm): initializing vault secrets
Signed-off-by: rjshrjndrn
* chore(helm): debug message for vault
Signed-off-by: rjshrjndrn
* chore(helm): initializing vault
Signed-off-by: rjshrjndrn
* chore(helm): return if vault already initialized
Signed-off-by: rjshrjndrn
* chore(helm): Updating vault image
Signed-off-by: rjshrjndrn
* chore(helm): Update postgres write precedence
Signed-off-by: rjshrjndrn
* fix(helm): pgpass variable
Signed-off-by: rjshrjndrn
* fix(helm): Use vault local service token
Signed-off-by: rjshrjndrn
* chore(helm): vault changing default pg password ttl to 1hr
Signed-off-by: rjshrjndrn
* chore(helm): Make verbose logging in vault
Signed-off-by: rjshrjndrn
Signed-off-by: rjshrjndrn
---
 scripts/helmcharts/openreplay/files/vault.sh | 74 +++++++++++++++++++
 .../helmcharts/openreplay/templates/job.yaml | 25 +++++++
 2 files changed, 99 insertions(+)
 create mode 100644 scripts/helmcharts/openreplay/files/vault.sh
diff --git a/scripts/helmcharts/openreplay/files/vault.sh b/scripts/helmcharts/openreplay/files/vault.sh
new file mode 100644
index 000000000..8a38a9fab
--- /dev/null
+++ b/scripts/helmcharts/openreplay/files/vault.sh
@@ -0,0 +1,74 @@
+#!/bin/sh
+
+# This script will initialize vault
+
+if [ "x$VERBOSE" == "x1" ]; then
+ set -x
+fi
+
+export VAULT_ADDR=http://databases-vault.db.svc.cluster.local:8200
+
+
+# Check vault is already initialized, if so return
+
+# initialize vault
+vault_output=$(vault operator init) 2> /tmp/err.txt || {
+ err_code=$?
+ (cat /tmp/err.txt | grep -i "vault is already initialized") && {
+ echo "Vault already initialized."
+ err_code=0
+ }
+ echo exit $err_code
+}
+
+# Writting output to a file
+echo $vault_output > /tmp/vault_creds.txt
+
+# Unsealing vault
+for i in 1 2 3; do
+ vault operator unseal `echo $vault_output | grep -Eio "unseal key $i: \S+" | awk '{print $4}'`
+done
+
+# Logging in to vault
+vault login `echo $vault_output | grep -Eio "initial root token: \S+" | awk '{print $4}'`
+
+# Confguration
+
+vault secrets enable database
+
+vault write database/roles/db-app \
+ db_name=postgres \
+ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
+ GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
+ revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
+ default_ttl="1h" \
+ max_ttl="1d"
+
+vault write database/config/postgres \
+ plugin_name=postgresql-database-plugin \
+ allowed_roles="*" \
+ connection_url="postgresql://{{username}}:{{password}}@$PGHOST:$PGPORT/$PGDATABASE" \
+ username="${PGUSER}" \
+ password="${PGPASSWORD}"
+
+vault auth enable kubernetes
+
+vault write auth/kubernetes/config \
+ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
+ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+
+# Allow apps to create credentials for the policy db-app
+cat </tmp/pgaccess-policy.hcl
+path "database/creds/db-app" {
+ capabilities = ["read"]
+}
+EOF
+
+vault policy write pgaccess /tmp/pgaccess-policy.hcl
+
+vault write auth/kubernetes/role/pgaccess \
+ bound_service_account_names="*-openreplay" \
+ bound_service_account_namespaces=app \
+ policies=pgaccess \
+ ttl=1h
diff --git a/scripts/helmcharts/openreplay/templates/job.yaml b/scripts/helmcharts/openreplay/templates/job.yaml
index c0d7f0a45..b0ee31d01 100644
--- a/scripts/helmcharts/openreplay/templates/job.yaml
+++ b/scripts/helmcharts/openreplay/templates/job.yaml
@@ -132,6 +132,31 @@ spec:
 {{- end}}
 {{- if .Values.global.enterpriseEditionLicense }}
 # Enterprise migration
+ {{- if .Values.vault.enabled }}
+ - name: vault
+ env:
+ - name: FORCE_MIGRATION
+ value: "{{ .Values.forceMigration }}"
+ - name: PGHOST
+ value: "{{ .Values.global.postgresql.postgresqlHost }}"
+ - name: PGPORT
+ value: "{{ .Values.global.postgresql.postgresqlPort }}"
+ - name: PGDATABASE
+ value: "{{ .Values.global.postgresql.postgresqlDatabase }}"
+ - name: PGUSER
+ value: "{{ .Values.global.postgresql.postgresqlUser }}"
+ - name: PGPASSWORD
+ value: "{{ .Values.global.postgresql.postgresqlPassword }}"
+ image: hashicorp/vault:1.12.0
+ command:
+ - /bin/sh
+ - /opt/migrations/vault.sh
+ volumeMounts:
+ - name: shared
+ mountPath: /opt/openreplay
+ - name: dbmigrationscript
+ mountPath: /opt/migrations/
+ {{- end }}
 - name: clickhouse
 image: yandex/clickhouse-client:21.9.4.35
 env:
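Review bot: The "return if already initialized" path cannot work as written: on the line `vault_output=$(vault operator init) 2> /tmp/err.txt || {` the redirection applies to the assignment rather than to the command inside `$(...)`, so the "already initialized" message never lands in `/tmp/err.txt` and the grep never matches, and `echo exit $err_code` prints the word instead of exiting, so the script carries on into unseal and login with an empty `vault_output`; the intended lines are `vault_output=$(vault operator init 2>/tmp/err.txt) || {` and `exit "$err_code"`. The unseal keys and root token then exist only in `$vault_output` and `/tmp/vault_creds.txt` inside the job container, which is discarded when the pod finishes, so a Vault that restarts sealed cannot be recovered; they need a durable, access-controlled home (a Kubernetes Secret or an auto-unseal KMS) and the root token should be revoked once the configuration is written. `VERBOSE=1` turns on `set -x`, which echoes the full `vault operator unseal <key>` and `vault login <token>` command lines into the job log; bracket those two commands with `set +x`/`set -x`, or export `VAULT_TOKEN` instead of passing the token on argv. As rendered here, `cat </tmp/pgaccess-policy.hcl` does not open a here-document; if the real line is `cat <<EOF >/tmp/pgaccess-policy.hcl` this is only an extraction artifact, otherwise the policy file is never written and `vault policy write` fails.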
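Review bot: `FORCE_MIGRATION` is exported to the new vault container, but `vault.sh` as added in this commit never reads it, so either drop that env entry or document what it is meant to gate. `PGPASSWORD` is rendered as an inline `value:` from `.Values.global.postgresql.postgresqlPassword`, which places the database password in the Job manifest itself (visible through `kubectl get job -o yaml`); if the chart already keeps it in a Secret, `valueFrom: secretKeyRef` keeps it out of the spec, and the same presumably applies to the sibling containers, which are outside the hunk. Unless values.yaml already declares a `vault:` map, `{{- if .Values.vault.enabled }}` will fail to render with a nil-pointer error rather than evaluate to false, so a default `vault: {enabled: false}` should accompany this. The enclosing `containers` list starts before and ends after the hunk.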