From 49ce68ab9510b45cd8395121a1579fabe06c71e1 Mon Sep 17 00:00:00 2001 From: Rohith Date: Tue, 31 Jan 2017 12:25:49 +0000 Subject: [PATCH] Vault User - changing the user runs as to vault - changing the base image to alpine:3.5 - updating the examples - changing the golang version to 1.7.5 --- .travis.yml | 4 +- Dockerfile | 6 +- examples/deployment.yaml | 81 +++++++++++++++++++ services/demo-svc.yml => examples/service.yml | 1 - main.go | 2 +- services/demo-ns.yml | 7 -- services/demo-rc.yaml | 58 ------------- services/demo-secrets.yml | 15 ---- 8 files changed, 89 insertions(+), 85 deletions(-) create mode 100644 examples/deployment.yaml rename services/demo-svc.yml => examples/service.yml (97%) delete mode 100644 services/demo-ns.yml delete mode 100644 services/demo-rc.yaml delete mode 100644 services/demo-secrets.yml
diff --git a/.travis.yml b/.travis.yml
index f2c7d5b..1716d8b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,7 +9,7 @@ services:
 - docker
 language: go
 go:
-- 1.7.1
+- 1.7.5
 install:
 - make test
 - if ([[ ${TRAVIS_BRANCH} == "master" ]] && [[ ${TRAVIS_PULL_REQUEST} != "true" ]]) || [[ -n ${TRAVIS_TAG} ]]; then
@@ -25,7 +25,7 @@ deploy:
 provider: releases
 skip_cleanup: true
 on:
- go: 1.7.1
+ go: 1.7.5
 repo: UKHomeOffice/vault-sidekick
 tags: true
 api_key:
diff --git a/Dockerfile b/Dockerfile
index b2b28bb..a94ea61 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,13 @@
-FROM alpine:3.4
+FROM alpine:3.5
 MAINTAINER Rohith
 RUN apk update && \
 apk add ca-certificates bash
+RUN adduser -D vault
+
 ADD bin/vault-sidekick /vault-sidekick
+USER vault
+
 ENTRYPOINT [ "/vault-sidekick" ]
diff --git a/examples/deployment.yaml b/examples/deployment.yaml
new file mode 100644
index 0000000..75c3899
--- /dev/null
+++ b/examples/deployment.yaml
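Review bot: `RUN adduser -D vault` followed by `USER vault` leaves the UID unpinned and sets the image user by name rather than number, so a pod spec that enables `runAsNonRoot: true` may be rejected at start-up because the runtime cannot verify a non-numeric user; pinning it, e.g. `RUN adduser -D -u 1000 vault` and `USER 1000` (1000 is a sample value), avoids that and makes `fsGroup`/`runAsUser` settings in manifests predictable. Nothing in the Dockerfile makes the sidekick's output directory writable by the new user, so that now has to be arranged by whoever deploys the image. `ADD bin/vault-sidekick /vault-sidekick` copies a plain local file, for which `COPY` is the conventional instruction.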
@@ -0,0 +1,81 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: vault-demo
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ name: vault-demo
+ annotations:
+ repository: https://github.com/UKHomeOffice/vault-sidekick
+ spec:
+ containers:
+ - name: sidekick
+ image: quay.io/ukhomeofficedigital/vault-sidekick:v0.3.0
+ resources:
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ args:
+ - -tls-skip-verify=true
+ - -cn=pki:services/${NAMESPACE}/pki/issue/default:fmt=bundle,common_name=demo.${NAMESPACE}.svc.cluster.local,file=platform
+ - -logtostderr=true
+ - -v=3
+ env:
+ - name: VAULT_ADDR
+ value: https://vault.vault.svc.cluster.local:8200
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: store-token
+ key: token
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: secrets
+ mountPath: /etc/secrets
+ - name: nginx
+ image: quay.io/ukhomeofficedigital/nginx-proxy:v1.5.1
+ resources:
+ limits:
+ cpu: 400m
+ memory: 256Mi
+ ports:
+ - name: http
+ containerPort: 80
+ - name: https
+ containerPort: 443
+ env:
+ - name: LOAD_BALANCER_CIDR
+ value: 10.0.0.0/8
+ - name: PROXY_SERVICE_HOST
+ value: 127.0.0.1
+ - name: PROXY_SERVICE_PORT
+ value: "8080"
+ - name: SERVER_CERT
+ value: /etc/secrets/platform.pem
+ - name: SERVER_KEY
+ value: /etc/secrets/platform-key.pem
+ - name: SSL_CIPHERS
+ value: ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:!aNULL
+ - name: ENABLE_UUID_PARAM
+ value: "FALSE"
+ - name: NAXSI_USE_DEFAULT_RULES
+ value: "FALSE"
+ - name: PORT_IN_HOST_HEADER
+ value: "FALSE"
+ - name: ERROR_REDIRECT_CODES
+ value: "599"
+ - name: ADD_NGINX_LOCATION_CFG
+ value: "add_header Strict-Transport-Security \"max-age=31536000; includeSubdomains\";"
+ volumeMounts:
+ - name: secrets
+ mountPath: /etc/secrets
+ volumes:
+ - name: secrets
+ emptyDir: {}
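Review bot: The `secrets` volume is an `emptyDir` and the pod template sets no `securityContext`, so with the image now running as the unprivileged `vault` user the sidekick may not be able to write under `/etc/secrets` (an emptyDir is created root-owned unless `fsGroup` is set), and the nginx container's `SERVER_CERT`/`SERVER_KEY` paths depend on that write succeeding; add a pod-level `securityContext` under `spec.template.spec` with `fsGroup` (and `runAsUser`) matching the UID the image uses. Separately, `-tls-skip-verify=true` disables certificate verification for the connection carrying `VAULT_TOKEN` to `VAULT_ADDR`, which anyone who copies this example will inherit; mounting the cluster CA and dropping the flag is the safer default to publish, or at least a comment next to the flag saying it is for demo clusters only.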
diff --git a/services/demo-svc.yml b/examples/service.yml
similarity index 97%
rename from services/demo-svc.yml
rename to examples/service.yml
index 98233f0..fd9608b 100644
--- a/services/demo-svc.yml
+++ b/examples/service.yml
@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/main.go b/main.go
index a910d15..99d21da 100644
--- a/main.go
+++ b/main.go
@@ -26,7 +26,7 @@ import (
 const (
 Prog = "vault-sidekick"
- Version = "v0.2.1"
+ Version = "v0.3.0"
 )
 func main() {
diff --git a/services/demo-ns.yml b/services/demo-ns.yml
deleted file mode 100644
index 92305e7..0000000
--- a/services/demo-ns.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-kind: Namespace
-apiVersion: v1
-metadata:
- name: demo
- labels:
- name: demo
diff --git a/services/demo-rc.yaml b/services/demo-rc.yaml
deleted file mode 100644
index 6e69c33..0000000
--- a/services/demo-rc.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-apiVersion: v1
-kind: ReplicationController
-metadata:
- namespace: demo
- name: vault-demo
-spec:
- replicas: 1
- selector:
- name: vault-demo
- template:
- metadata:
- labels:
- name: vault-demo
- spec:
- containers:
- - name: vault-sidekick
- image: gambol99/vault-sidekick:0.0.1
- imagePullPolicy: Always
- args:
- - -logtostderr=true
- - -v=4
- - -tls-skip-verify=true
- - -auth=/etc/token/vault-token.yml
- - -output=/etc/secrets
- - -cn=secret:db:update=3h,revoke=true
- - -cn=pki:example-dot-com:cn=demo.example.com,fmt=cert,file=demo.example.com
- - -vault=https://vault.services.cluster.local:8200
- volumeMounts:
- - name: secrets
- mountPath: /etc/secrets
- - name: token
- mountPath: /etc/token
- - name: nginx-tls-sidekick
- image: quay.io/ukhomeofficedigital/nginx-tls-sidekick
- imagePullPolicy: Always
- args:
- - ./run.sh
- - -p
- - 443:127.0.0.1:80:demo.example.com
- ports:
- - containerPort: 443
- volumeMounts:
- - name: secrets
- mountPath: /etc/secrets
- - name: apache
- image: fedora/apache
- ports:
- - containerPort: 80
- volumeMounts:
- - name: secrets
- mountPath: /etc/secrets
- volumes:
- - name: secrets
- emptyDir: {}
- - name: token
- secret:
- secretName: vault-token
diff --git a/services/demo-secrets.yml b/services/demo-secrets.yml
deleted file mode 100644
index 154e8fa..0000000
--- a/services/demo-secrets.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- namespace: demo
- name: vault-token
-data:
- #
- # vault auth-enable userpass
- # vault write auth/userpass/users/demo password=SOME_PASSWORD policies=root
- #
- vault-token.yml: |
- method: userpass
- username: demo
- password: SOME_PASSWORD