chore(helm): initializing vault secrets (#797)

* chore(helm): initializing vault secrets Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * chore(helm): debug message for vault Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * chore(helm): initializing vault Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * chore(helm): return if vault already initialized Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * chore(helm): Updating vault image Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * chore(helm): Update postgres write precedence Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * fix(helm): pgpass variable Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * fix(helm): Use vault local service token Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * chore(helm): vault changing default pg password ttl to 1hr Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * chore(helm): Make verbose logging in vault Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com>
2022-11-04 09:52:23 +00:00 · 2022-11-04 09:52:23 +00:00 · d8774122b7
commit d8774122b7
parent 5330b0a89d
2 changed files with 99 additions and 0 deletions
--- a/scripts/helmcharts/openreplay/files/vault.sh
+++ b/scripts/helmcharts/openreplay/files/vault.sh
@ -0,0 +1,74 @@
+#!/bin/sh
+
+# This script will initialize vault
+
+if [ "x$VERBOSE" == "x1" ]; then
+  set -x
+fi
+
+export VAULT_ADDR=http://databases-vault.db.svc.cluster.local:8200
+
+
+# Check vault is already initialized, if so return 
+
+# initialize vault
+vault_output=$(vault operator init) 2> /tmp/err.txt || {
+  err_code=$?
+  (cat /tmp/err.txt | grep -i "vault is already initialized") && {
+    echo "Vault already initialized."
+    err_code=0
+  }
+  echo exit $err_code
+}
+
+# Writting output to a file
+echo $vault_output > /tmp/vault_creds.txt
+
+# Unsealing vault
+for i in 1 2 3; do
+  vault operator unseal `echo $vault_output | grep -Eio "unseal key $i: \S+" | awk '{print $4}'`
+done
+
+# Logging in to vault
+vault login  `echo $vault_output | grep -Eio "initial root token: \S+" | awk '{print $4}'`
+
+# Confguration
+
+vault secrets enable database
+
+vault write database/roles/db-app \
+  db_name=postgres \
+  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
+      GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
+  revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
+  default_ttl="1h" \
+  max_ttl="1d"
+
+vault write database/config/postgres \
+    plugin_name=postgresql-database-plugin \
+    allowed_roles="*" \
+    connection_url="postgresql://{{username}}:{{password}}@$PGHOST:$PGPORT/$PGDATABASE" \
+    username="${PGUSER}" \
+    password="${PGPASSWORD}"
+
+vault auth enable kubernetes
+
+vault write auth/kubernetes/config \
+       kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
+       kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+
+# Allow apps to create credentials for the policy db-app
+cat <<EOF >/tmp/pgaccess-policy.hcl
+path "database/creds/db-app" {
+  capabilities = ["read"]
+}
+EOF
+
+vault policy write pgaccess /tmp/pgaccess-policy.hcl
+
+vault write auth/kubernetes/role/pgaccess \
+    bound_service_account_names="*-openreplay" \
+    bound_service_account_namespaces=app \
+    policies=pgaccess \
+    ttl=1h
--- a/scripts/helmcharts/openreplay/templates/job.yaml
+++ b/scripts/helmcharts/openreplay/templates/job.yaml
@ -132,6 +132,31 @@ spec:
      {{- end}}
      {{- if .Values.global.enterpriseEditionLicense }}
      # Enterprise migration
+      {{- if .Values.vault.enabled }}
+      - name: vault
+        env:
+          - name: FORCE_MIGRATION
+            value: "{{ .Values.forceMigration }}"
+          - name: PGHOST
+            value: "{{ .Values.global.postgresql.postgresqlHost }}"
+          - name: PGPORT
+            value: "{{ .Values.global.postgresql.postgresqlPort }}"
+          - name: PGDATABASE
+            value: "{{ .Values.global.postgresql.postgresqlDatabase }}"
+          - name: PGUSER
+            value: "{{ .Values.global.postgresql.postgresqlUser }}"
+          - name: PGPASSWORD
+            value: "{{ .Values.global.postgresql.postgresqlPassword }}"
+        image: hashicorp/vault:1.12.0
+        command: 
+        - /bin/sh
+        - /opt/migrations/vault.sh
+        volumeMounts:
+        - name: shared
+          mountPath: /opt/openreplay
+        - name: dbmigrationscript
+          mountPath: /opt/migrations/
+      {{- end }}
      - name: clickhouse
        image: yandex/clickhouse-client:21.9.4.35
        env: