Environment Setup

openlab-red · Oct 22, 2021 · 0dedcf0 · 0dedcf0
1 parent 0452294
commit 0dedcf0
Show file tree

Hide file tree

Showing 16 changed files with 395 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -348,3 +348,9 @@ MigrationBackup/
 
 # Ionide (cross platform F# VS Code tools) working folder
 .ionide/
+
+
+.DS_Store
+.history/
+.settings/
+.project
diff --git a/README.md b/README.md
@@ -1,2 +1,5 @@
-# emea-unconf2021-demo
-EMEA Unconference 2021 - Cloud Native Certificate Management with JetStack
+# EMEA Unconference 2021 - Cloud Native Certificate Management with JetStack
+
+# Environment Setup
+
+Follow the [environment setup](env/README.md) instruction.
diff --git a/env/README.md b/env/README.md
@@ -0,0 +1,107 @@
+# Environment Setup
+
+## Prerequisites
+
+>
+> Requires Helm v3 installed > https://helm.sh/docs/intro/install/
+>
+
+>
+> Requires vault > https://www.vaultproject.io/downloads
+>
+
+## Cert Manager Installation
+
+1. Create OpenShift Project.
+
+    `oc new-project cert-manager`
+
+2. Add jetstack helm repository.
+
+    ```bash
+    helm repo add jetstack https://charts.jetstack.io
+    helm repo update
+    ```
+3. Launch the helm installation
+
+    ```bash
+    helm upgrade --install \
+        cert-manager jetstack/cert-manager \
+        --namespace cert-manager \
+        --version v1.5.4 \
+        --set installCRDs=true
+    ```
+4. Test the installation
+
+    ```
+    oc apply -f test/test-resource.yaml -n cert-manager
+    ```
+
+## Hashicorp Vault Installation
+
+1. Configure Helm Repository
+
+    ```
+    helm repo add hashicorp https://helm.releases.hashicorp.com
+    helm search repo hashicorp/vault
+    ```
+
+2. Install Vault
+
+    ```
+    oc new-project hashicorp
+    helm install vault hashicorp/vault -f vault/standalone.yaml
+    ```
+
+3. Init Vault and Unseal
+
+    ```
+    oc rsh vault-0
+    vault operator init -key-shares=1 -key-threshold=1
+
+    Unseal Key 1: xxx
+    Initial Root Token: xxx
+
+    export KEYS=xxx
+    export VAULT_TOKEN=xxx
+
+    vault operator unseal $KEYS
+    ```
+
+## Cert Manager and Vault PKI Integration
+
+![Cert Manager Vault Integration!](images/architecture.png "Cert Manager Vault Integration")
+
+1. Setup PKI engine for each environment
+
+    >
+    > Unseal Vault before!!
+    >
+
+    ```
+    export VAULT_ADDR=https://$(oc get route vault --no-headers -o custom-columns=HOST:.spec.host -n hashicorp)
+    export VAULT_TOKEN=xxx
+
+    export PROJECT=app-dev
+    export WILDCARD=vault.apps.cluster-7bcd.7bcd.sandbox334.opentlc.com
+
+    sh vault/pki/setup.sh ${PROJECT} ${WILDCARD}
+    ```
+
+2. Configure SA issuer on the target project.
+
+   ```
+   helm upgrade --install ${PROJECT} vault/issuer -n ${PROJECT}
+   ```
+ 
+3. Install Issuer
+
+    ```
+    helm upgrade --install ${PROJECT} issuer -n ${PROJECT} --set issuer.create=true
+    ```
+
+4. Verify Dummy Certificate Secret is created
+
+    ```
+    oc get secret vault-issuer-dummy-cert -n ${PROJECT}
+    ```
diff --git a/env/images/architecture.png b/env/images/architecture.png
diff --git a/env/tests/cert-resource.yaml b/env/tests/cert-resource.yaml
diff --git a/env/vault/issuer/.helmignore b/env/vault/issuer/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/env/vault/issuer/Chart.yaml b/env/vault/issuer/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: issuer
+description: Bootstrap Cert Manager Issuer Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.0.0"
diff --git a/env/vault/issuer/templates/NOTES.txt b/env/vault/issuer/templates/NOTES.txt
@@ -0,0 +1,9 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}
+  $ helm test {{ .Release.Name }}
diff --git a/env/vault/issuer/templates/_helpers.tpl b/env/vault/issuer/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "issuer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "issuer.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "issuer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "issuer.labels" -}}
+helm.sh/chart: {{ include "issuer.chart" . }}
+{{ include "issuer.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "issuer.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "issuer.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "issuer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "issuer.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/env/vault/issuer/templates/certificate.yaml b/env/vault/issuer/templates/certificate.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.issuer.create -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "issuer.fullname" . }}-dummy
+  labels:
+    {{- include "issuer.labels" . | nindent 4 }}
+spec:
+  commonName: dummy.{{ .Release.Namespace }}.{{ .Values.baseDomain }} 
+  dnsNames:
+    - dummy.{{ .Release.Namespace }}.{{ .Values.baseDomain }} 
+  secretName: {{ include "issuer.fullname" . }}-dummy-cert
+  issuerRef:
+    name: {{ include "issuer.fullname" . }}-vault
+{{- end }}
diff --git a/env/vault/issuer/templates/configmap.yaml b/env/vault/issuer/templates/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ca-bundle
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+  labels:
+    {{- include "issuer.labels" . | nindent 4 }}
+data: {}
diff --git a/env/vault/issuer/templates/issuer.yaml b/env/vault/issuer/templates/issuer.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.issuer.create -}}
+{{- $sa := (lookup "v1" "ServiceAccount" .Release.Namespace "issuer") -}}
+{{- $bundle := (lookup "v1" "ConfigMap" .Release.Namespace "ca-bundle") -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "issuer.fullname" . }}-vault
+  labels:
+    {{- include "issuer.labels" . | nindent 4 }}
+spec:
+  vault:
+    path: {{ .Release.Namespace }}-pki/sign/{{ .Values.baseDomain }} 
+    server: {{ .Values.issuer.server }}
+    caBundle: {{ get $bundle.data "service-ca.crt" | b64enc }}
+    auth:
+      kubernetes:
+        role: {{ .Release.Namespace }}-{{ .Values.baseDomain }}
+        mountPath: /v1/auth/kubernetes
+        secretRef:
+          key: token
+          {{- range $sa.secrets }}
+          {{- if contains  "token" .name }}
+          name: {{ .name }}
+          {{- end -}}
+          {{- end }}
+{{- end }}
diff --git a/env/vault/issuer/templates/serviceaccount.yaml b/env/vault/issuer/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "issuer.serviceAccountName" . }}
+  labels:
+    {{- include "issuer.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/env/vault/issuer/values.yaml b/env/vault/issuer/values.yaml
@@ -0,0 +1,14 @@
+# Default values for issuer.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+baseDomain: unconf.io
+
+serviceAccount:
+  create: true
+  annotations: {}
+  name: "issuer"
+
+issuer:
+  create: false
+  server: https://vault-internal.hashicorp.svc.cluster.local:8200
diff --git a/env/vault/pki/setup.sh b/env/vault/pki/setup.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+if [ "$#" -ne 1 ]; then
+    echo "Missing Projects"
+fi
+
+export BASE_DOMAIN=${2:-unconf.io}
+export PROJECT=$1
+export PKI=${PROJECT}-pki
+export DOMAIN=${PROJECT}.$BASE_DOMAIN
+export ROLE=${PROJECT}-$BASE_DOMAIN
+export SERVICE_ACCOUNT=issuer
+export WILDCARD_DOMAIN=$2
+
+echo "Setup on ${PROJECT}"
+
+echo "Enable PKI Engine ${PKI}"
+
+vault secrets enable -tls-skip-verify --path=${PKI} pki
+# 1 Year
+vault secrets tune -tls-skip-verify -max-lease-ttl=8760h ${PKI}
+
+vault write -tls-skip-verify ${PKI}/root/generate/internal \
+    common_name=${DOMAIN} \
+    ttl=8760h
+
+echo "CRL Configuration"
+
+vault write -tls-skip-verify ${PKI}/config/urls \
+    issuing_certificates="$VAULT_ADDR/v1/${PKI}/ca" \
+    crl_distribution_points="$VAULT_ADDR/v1/${PKI}/crl"
+
+echo "$VAULT_ADDR/v1/${PKI}/ca"
+echo "$VAULT_ADDR/v1/${PKI}/crl"
+
+echo "Configure Role for domain: ${DOMAIN}"
+
+vault write -tls-skip-verify ${PKI}/roles/${BASE_DOMAIN} \
+    allowed_domains=${DOMAIN},${PROJECT}.svc,${WILDCARD_DOMAIN} \
+    allow_subdomains=true \
+    allowed_other_sans="*" \
+    allow_glob_domains=true \
+    allowed_uri_sans=*-${PROJECT}.${WILDCARD_DOMAIN} \
+    max_ttl="31536000"
+
+echo "Create PKI Policy pki-${ROLE}-policy"
+
+vault policy write --tls-skip-verify pki-${ROLE}-policy - <<EOF
+path "${PKI}*"                               { capabilities = ["read", "list"] }
+path "${PKI}/roles/${BASE_DOMAIN}"   { capabilities = ["create", "update"] }
+path "${PKI}/sign/${BASE_DOMAIN}"    { capabilities = ["create", "update"] }
+path "${PKI}/issue/${BASE_DOMAIN}"   { capabilities = ["create"] }
+EOF
+
+echo "Authorize ServiceAccount issuer on ${PROJECT}"
+
+vault write --tls-skip-verify auth/kubernetes/role/${ROLE} \
+  bound_service_account_names=${SERVICE_ACCOUNT} bound_service_account_namespaces="${PROJECT}" \
+  policies=pki-${ROLE}-policy \
+  ttl=2h