Merge pull request #32 from UKHomeOffice/vault_perms

Vault User
2017-01-31 12:31:53 +00:00 · 2017-01-31 12:31:53 +00:00 · 03357aa59f
parent bbdc7cae49 49ce68ab95
commit 03357aa59f
8 changed files with 89 additions and 85 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -9,7 +9,7 @@ services:
 - docker
 language: go
 go:
- 1.7.1
+- 1.7.5
 install:
 - make test
 - if ([[ ${TRAVIS_BRANCH} == "master" ]] && [[ ${TRAVIS_PULL_REQUEST} != "true" ]]) || [[ -n ${TRAVIS_TAG} ]]; then
@ -25,7 +25,7 @@ deploy:
  provider: releases
  skip_cleanup: true
  on:
-    go: 1.7.1
+    go: 1.7.5
    repo: UKHomeOffice/vault-sidekick
    tags: true
  api_key:
--- a/6
+++ b/6
@ -1,9 +1,13 @@
-FROM alpine:3.4
+FROM alpine:3.5
 MAINTAINER Rohith <gambol99@gmail.com>

 RUN apk update && \
    apk add ca-certificates bash

+RUN adduser -D vault
+
 ADD bin/vault-sidekick /vault-sidekick

+USER vault
+
 ENTRYPOINT [ "/vault-sidekick" ]
--- a/examples/deployment.yaml
+++ b/examples/deployment.yaml
@ -0,0 +1,81 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: vault-demo
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: vault-demo
+      annotations:
+        repository: https://github.com/UKHomeOffice/vault-sidekick
+    spec:
+      containers:
+      - name: sidekick
+        image: quay.io/ukhomeofficedigital/vault-sidekick:v0.3.0
+        resources:
+          limits:
+            cpu: 100m
+            memory: 50Mi
+        args:
+          - -tls-skip-verify=true
+          - -cn=pki:services/${NAMESPACE}/pki/issue/default:fmt=bundle,common_name=demo.${NAMESPACE}.svc.cluster.local,file=platform
+          - -logtostderr=true
+          - -v=3
+        env:
+        - name: VAULT_ADDR
+          value: https://vault.vault.svc.cluster.local:8200
+        - name: VAULT_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: store-token
+              key: token
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        volumeMounts:
+        - name: secrets
+          mountPath: /etc/secrets
+      - name: nginx
+        image: quay.io/ukhomeofficedigital/nginx-proxy:v1.5.1
+        resources:
+          limits:
+            cpu: 400m
+            memory: 256Mi
+        ports:
+        - name: http
+          containerPort: 80
+        - name: https
+          containerPort: 443
+        env:
+        - name: LOAD_BALANCER_CIDR
+          value: 10.0.0.0/8
+        - name: PROXY_SERVICE_HOST
+          value: 127.0.0.1
+        - name: PROXY_SERVICE_PORT
+          value: "8080"
+        - name: SERVER_CERT
+          value: /etc/secrets/platform.pem
+        - name: SERVER_KEY
+          value: /etc/secrets/platform-key.pem
+        - name: SSL_CIPHERS
+          value: ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:!aNULL
+        - name: ENABLE_UUID_PARAM
+          value: "FALSE"
+        - name: NAXSI_USE_DEFAULT_RULES
+          value: "FALSE"
+        - name: PORT_IN_HOST_HEADER
+          value: "FALSE"
+        - name: ERROR_REDIRECT_CODES
+          value: "599"
+        - name: ADD_NGINX_LOCATION_CFG
+          value: "add_header Strict-Transport-Security \"max-age=31536000; includeSubdomains\";"
+        volumeMounts:
+        - name: secrets
+          mountPath: /etc/secrets
+      volumes:
+      - name: secrets
+        emptyDir: {}
--- a/services/demo-svc.yml
+++ b/services/demo-svc.yml
@ -1,4 +1,3 @@
---
 apiVersion: v1
 kind: Service
 metadata:
--- a/main.go
+++ b/main.go
@ -26,7 +26,7 @@ import (

 const (
 	Prog    = "vault-sidekick"
-	Version = "v0.2.1"
+	Version = "v0.3.0"
 )

 func main() {
--- a/services/demo-ns.yml
+++ b/services/demo-ns.yml
@ -1,7 +0,0 @@
---
-kind: Namespace
-apiVersion: v1
-metadata:
-  name: demo
-  labels:
-    name: demo
--- a/services/demo-rc.yaml
+++ b/services/demo-rc.yaml
@ -1,58 +0,0 @@
---
-apiVersion: v1
-kind: ReplicationController
-metadata:
-  namespace: demo
-  name: vault-demo
-spec:
-  replicas: 1
-  selector:
-    name: vault-demo
-  template:
-    metadata:
-      labels:
-        name: vault-demo
-    spec:
-      containers:
-      - name: vault-sidekick
-        image: gambol99/vault-sidekick:0.0.1
-        imagePullPolicy: Always
-        args:
-          - -logtostderr=true
-          - -v=4
-          - -tls-skip-verify=true
-          - -auth=/etc/token/vault-token.yml
-          - -output=/etc/secrets
-          - -cn=secret:db:update=3h,revoke=true
-          - -cn=pki:example-dot-com:cn=demo.example.com,fmt=cert,file=demo.example.com
-          - -vault=https://vault.services.cluster.local:8200
-        volumeMounts:
-          - name: secrets
-            mountPath: /etc/secrets
-          - name: token
-            mountPath: /etc/token
-      - name: nginx-tls-sidekick
-        image: quay.io/ukhomeofficedigital/nginx-tls-sidekick
-        imagePullPolicy: Always
-        args:
-          - ./run.sh
-          - -p
-          - 443:127.0.0.1:80:demo.example.com
-        ports:
-          - containerPort: 443
-        volumeMounts:
-          - name: secrets
-            mountPath: /etc/secrets
-      - name: apache
-        image: fedora/apache
-        ports:
-        - containerPort: 80
-        volumeMounts:
-          - name: secrets
-            mountPath: /etc/secrets
-      volumes:
-        - name: secrets
-          emptyDir: {}
-        - name: token
-          secret:
-            secretName: vault-token
--- a/services/demo-secrets.yml
+++ b/services/demo-secrets.yml
@ -1,15 +0,0 @@
---
-apiVersion: v1
-kind: Secret
-metadata:
-  namespace: demo
-  name: vault-token
-data:
-  #
-  # vault auth-enable userpass
-  # vault write auth/userpass/users/demo password=SOME_PASSWORD policies=root
-  #
-  vault-token.yml: |
-    method: userpass
-    username: demo
-    password: SOME_PASSWORD