From d86bd6c84ce7946fb5534a204c72c23b5fc8736f Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Fri, 21 May 2021 13:30:25 -0400
Subject: [PATCH] add external vault config

---
 README.md | 63 ++++++++++++++++++++++++++-
 pi-values.yaml => helm/pi-values.yaml | 24 +++++++++-
 values.yaml => helm/values.yaml | 0
 k8s/pi-certificate.yaml | 12 +++++
 4 files changed, 96 insertions(+), 3 deletions(-)
 rename pi-values.yaml => helm/pi-values.yaml (50%)
 rename values.yaml => helm/values.yaml (100%)
 create mode 100644 k8s/pi-certificate.yaml

diff --git a/README.md b/README.md
index af01aea..09dac08 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ kubectl apply -f k8s/certificate.yaml
 helm repo add hashicorp https://helm.releases.hashicorp.com
 helm search repo hashicorp/vault
-helm upgrade --install vault hashicorp/vault --values values.yaml
+helm upgrade --install vault hashicorp/vault --values helm/values.yaml
 mkdir ~/.vault-keys
 kubectl exec -ti vault-0 -- vault operator init -key-shares=5 -key-threshold=3 -format=json > ~/.vault-keys/cluster-keys.json
@@ -30,7 +30,7 @@ kubectl apply -f k8s/certificate.yaml
 helm repo add hashicorp https://helm.releases.hashicorp.com
 helm search repo hashicorp/vault
-helm upgrade --install vault hashicorp/vault --values values.yaml
+helm upgrade --install vault hashicorp/vault --values helm/values.yaml
 mkdir ~/.vault-keys
 kubectl exec -ti vault-0 -- vault operator init -key-shares=5 -key-threshold=3 -format=json > ~/.vault-keys/cluster-keys.json
@@ -343,3 +343,62 @@ spec:
 dnsNames:
 - test.dnet
 ```
+
+## Kubernetes External Vault Auth
+
+
+
+### Connect to external vault
+
+```bash
+helm install vault hashicorp/vault \
+ --set "injector.externalVaultAddr=https://vault.ducoterra.net"
+
+VAULT_HELM_SECRET_NAME=$(kubectl get secrets --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')
+TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME --output='go-template={{ .data.token }}' | base64 --decode)
+KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
+KUBE_HOST="https://3.14.3.104:6443"
+```
+
+```bash
+vault auth enable -path=pikube kubernetes
+
+vault write auth/pikube/config \
+ token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
+ kubernetes_host="https://3.14.3.104:6443" \
+ kubernetes_ca_cert="$KUBE_CA_CERT"
+
+vault write auth/pikube/role/issuer \
+ bound_service_account_names=issuer \
+ bound_service_account_namespaces=cert-manager \
+ policies=pki_dnet \
+ ttl=20m
+```
+
+### Install cert-manager
+
+```bash
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
+kubectl -n cert-manager create serviceaccount issuer
+ISSUER_SECRET_REF=$(kubectl -n cert-manager get serviceaccount issuer -o json | jq -r ".secrets[].name")
+
+cat > cert-manager/pikube-vault-clusterissuer.yaml <