From a8d348766402877532441a947546d71d730cded7 Mon Sep 17 00:00:00 2001 From: "Cobb, Randy" Date: Tue, 20 Mar 2018 10:19:41 -0700 Subject: [PATCH 01/10] adding in a config for Hashicorp Vault --- templates/vault/0/docker-compose.yml.tpl | 36 +++++++++++++ templates/vault/0/rancher-compose.yml | 69 ++++++++++++++++++++++++ templates/vault/catalogIcon-entry.svg | 1 + templates/vault/config.yml | 8 +++ 4 files changed, 114 insertions(+) create mode 100755 templates/vault/0/docker-compose.yml.tpl create mode 100755 templates/vault/0/rancher-compose.yml create mode 100644 templates/vault/catalogIcon-entry.svg create mode 100644 templates/vault/config.yml diff --git a/templates/vault/0/docker-compose.yml.tpl b/templates/vault/0/docker-compose.yml.tpl new file mode 100755 index 0000000..2bb41c8 --- /dev/null +++ b/templates/vault/0/docker-compose.yml.tpl @@ -0,0 +1,36 @@ +version: '2' +volumes: + vault-config: + driver: ${volumeDriver} + vault-file: + driver: ${volumeDriver} +services: + vault-lb: + image: rancher/lb-service-haproxy:v0.7.15 + ports: + - 8200:8200/tcp + - 8201:8201/tcp + labels: + io.rancher.scheduler.affinity:host_label: lbhost=true + io.rancher.container.agent.role: environmentAdmin,agent + io.rancher.container.agent_service.drain_provider: 'true' + io.rancher.container.create_agent: 'true' + vault: + cap_add: + - IPC_LOCK + image: vault + environment: + VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG} +{{- if eq .Values.useConsul "true"}} + external_links: + - ${consulService}:consul +{{- end}} + volumes: + - vault-file:/vault/file + - vault-config:/vault/config + logging: + driver: journald + command: + - server + labels: + io.rancher.container.pull_image: always diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml new file mode 100755 index 0000000..bac2cbc --- /dev/null +++ b/templates/vault/0/rancher-compose.yml 
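Review bot: `image: vault` in the vault service carries no tag, and the `io.rancher.container.pull_image: always` label re-pulls it on every start, so each deployment runs whichever build is `latest` at that moment and two hosts in one stack can end up on different Vault versions. Pin it the way the LB line already pins `rancher/lb-service-haproxy:v0.7.15`, e.g. `image: vault:<pinned-version>`, and prefer a digest if the catalog tooling allows it. Both `8200:8200/tcp` and `8201:8201/tcp` are also published on the LB host; 8201 is Vault's cluster (server-to-server) port that clients never call, so unless something outside the stack needs it, leaving it unpublished removes an exposed listener. Whether anything external relies on 8201 cannot be told from the hunk.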
@@ -0,0 +1,69 @@ +version: '2' +catalog: + name: Vault + version: 1.0-test-rancher1 + description: | + Installs a Vault container, internal (Rancher) load-balancer, and allows connection to a Consul cluster + uuid: vault-rac-0 + questions: + - variable: VAULT_LOCAL_CONFIG + label: Provide a default config? + description: | + This is the embedded JSON format config file that vault will use at startup + type: multiline + default: | + '{"backend":{"consul":{"address":"http://:", + "advertise_addr":"http://","path":""}}, + "listener":{"tcp":{"address":"0.0.0.0:18200","tls_disable":1}}}' + - variable: useConsul + label: Would you like to back Vault with Consul? + description: | + Selecting yes or no allows you to back your vault repoository with a pre-installed + Consul cluster/server + default: false + type: boolean + - variable: consulService + label: Specify the Consul service to connect to + description: | + The pre-installed Consul server to back to + default: "select" + type: service + - variable: volumeDriver + label: Driver for volumes + description: | + How/Where to store your vault config and logs + default: local + type: enum + options: + - local + - rancher-nfs + - rancher-efs + - rancher-ebs +services: + vault-lb: + scale: 1 + start_on_create: true + lb_config: + certs: [] + port_rules: + - priority: 1 + protocol: tcp + service: vault + source_port: 8200 + target_port: 8200 + - priority: 2 + protocol: tcp + service: vault + source_port: 8201 + target_port: 8201 + health_check: + response_timeout: 2000 + healthy_threshold: 2 + port: 42 + unhealthy_threshold: 3 + initializing_timeout: 60000 + interval: 2000 + reinitializing_timeout: 60000 + vault: + scale: 1 + start_on_create: true diff --git a/templates/vault/catalogIcon-entry.svg b/templates/vault/catalogIcon-entry.svg new file mode 100644 index 0000000..880ebf3 --- /dev/null +++ b/templates/vault/catalogIcon-entry.svg @@ -0,0 +1 @@ + \ No newline at end of file 
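Review bot: The default `VAULT_LOCAL_CONFIG` sets `"tls_disable":1` on the TCP listener, and the LB's `port_rules` forward with `protocol: tcp`, so nothing in this stack terminates TLS: every client token, including the root token returned at initialisation, travels in the clear from clients to the LB and from the LB to the container. The same listener block is carried forward unchanged and then hard-coded into the template by the later docker-compose hunks (patches 06, 07 and 09), where users can no longer edit it. At minimum the question's description should say so, e.g. `This default disables TLS on the Vault listener; set tls_cert_file/tls_key_file, or terminate TLS in front of the load balancer, before exposing the port beyond the host.`; better, add a question that supplies certificate paths under the mounted `/vault/config` volume and only disables TLS when none are given. The placeholder addresses `"address":"http://:"` and `"advertise_addr":"http://"` are incomplete URLs, so the default as shipped is unlikely to start at all.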
diff --git a/templates/vault/config.yml b/templates/vault/config.yml new file mode 100644 index 0000000..58b1095 --- /dev/null +++ b/templates/vault/config.yml @@ -0,0 +1,8 @@ +name: Vault +description: | + This template installs a Vault server with optional configuration items, including backing store +version: 1.0-test-rancher1 +category: Platform +maintainer: Randal Cobb +license: +projectURL: http://www.nordstrom.com/tech/givingBack From dc7c9c36bd32ef8a8aba1a04414bbda36acdae7f Mon Sep 17 00:00:00 2001 From: "Cobb, Randy" Date: Tue, 20 Mar 2018 10:24:39 -0700 Subject: [PATCH 02/10] Removing single quotes around the default vault config; was causing an error in rancher --- templates/vault/0/rancher-compose.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml index bac2cbc..83c84c0 100755 --- a/templates/vault/0/rancher-compose.yml +++ b/templates/vault/0/rancher-compose.yml @@ -12,9 +12,7 @@ catalog: This is the embedded JSON format config file that vault will use at startup type: multiline default: | - '{"backend":{"consul":{"address":"http://:", - "advertise_addr":"http://","path":""}}, - "listener":{"tcp":{"address":"0.0.0.0:18200","tls_disable":1}}}' + {"backend":{"consul":{"address":"http://:", "advertise_addr":"http://","path":""}}, "listener":{"tcp":{"address":"0.0.0.0:18200","tls_disable":1}}} - variable: useConsul label: Would you like to back Vault with Consul? description: | From dc759919a8c764f167a35f59cddf18220cadc20b Mon Sep 17 00:00:00 2001 From: MadOtis Date: Thu, 29 Mar 2018 12:42:39 -0700 Subject: [PATCH 03/10] Fixed target port number to line up with vault's exposed port This vault image listens on port 18200, the LB was pointing to the conventional 8200 port, so was causing problems with the LB functioning properly. --- templates/vault/0/rancher-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml index 83c84c0..0998ac2 100755 --- a/templates/vault/0/rancher-compose.yml +++ b/templates/vault/0/rancher-compose.yml @@ -48,7 +48,7 @@ services: protocol: tcp service: vault source_port: 8200 - target_port: 8200 + target_port: 18200 - priority: 2 protocol: tcp service: vault From 34f243dd6f78c7db0af15bbd2b9c0d5567a81c66 Mon Sep 17 00:00:00 2001 From: "Cobb, Randy" Date: Mon, 9 Apr 2018 14:43:15 -0700 Subject: [PATCH 04/10] Several refactorings of ports, and more after pull-request recommendations were suggested by rawmind0 --- templates/vault/0/README.md | 21 +++++++ templates/vault/0/docker-compose.yml.tpl | 71 ++++++++++++------------ templates/vault/0/rancher-compose.yml | 26 ++++++--- templates/vault/config.yml | 7 +-- 4 files changed, 78 insertions(+), 47 deletions(-) create mode 100644 templates/vault/0/README.md diff --git a/templates/vault/0/README.md b/templates/vault/0/README.md new file mode 100644 index 0000000..5202f76 --- /dev/null +++ b/templates/vault/0/README.md 
@@ -0,0 +1,21 @@ +# Vault # + +### Info: + +This template deploys a Hashicorp Vault server along with a Rancher LoadBalancer. Once it is deployed, you will have a working Vault server ready to be scaled up to meet your environment's needs. + +The template is designed to be flexible in how you configure it; you can either statically bind Vault to an existing Consul stack, or ignore Consul all together and paste in your own Vault configuration. + +This catalog item uses these two main containers: +* [Vault](https://www.vaultproject.io) - The official Hashicorp Vault image +* [Rancher LoadBalancer](https://hub.docker.com/r/rancher/lb-service-haproxy/) - Rancher's own official HAProxy load balancer + +## Deployment: +1. Select the catalog item and choose a version from the drop-down box +2. Adjust any values on the page to meet your needs. +3. Make any adjustments to the default config provided, such as: + * A different backend than the Consul server specified. + * Different ports to listen on (NOTE: Vault ALWAYS listens on port 8200, but you can adjust the LoadBalancer ports to any that are acceptable to your environment; the LoadBalancer handles routing between the port you specify and port 8200 (and 8201) in Vault itself. +4. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION +5. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more. +6. Enjoy! diff --git a/templates/vault/0/docker-compose.yml.tpl b/templates/vault/0/docker-compose.yml.tpl index 2bb41c8..a7b5d78 100755 --- a/templates/vault/0/docker-compose.yml.tpl +++ b/templates/vault/0/docker-compose.yml.tpl 
@@ -1,36 +1,35 @@ -version: '2' -volumes: - vault-config: - driver: ${volumeDriver} - vault-file: - driver: ${volumeDriver} -services: - vault-lb: - image: rancher/lb-service-haproxy:v0.7.15 - ports: - - 8200:8200/tcp - - 8201:8201/tcp - labels: - io.rancher.scheduler.affinity:host_label: lbhost=true - io.rancher.container.agent.role: environmentAdmin,agent - io.rancher.container.agent_service.drain_provider: 'true' - io.rancher.container.create_agent: 'true' - vault: - cap_add: - - IPC_LOCK - image: vault - environment: - VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG} -{{- if eq .Values.useConsul "true"}} - external_links: - - ${consulService}:consul -{{- end}} - volumes: - - vault-file:/vault/file - - vault-config:/vault/config - logging: - driver: journald - command: - - server - labels: - io.rancher.container.pull_image: always +version: '2' +volumes: + vault-config: + driver: ${VOLUME_DRIVER} + vault-file: + driver: ${VOLUME_DRIVER} +services: + vault-lb: + image: rancher/lb-service-haproxy:v0.9.1 + ports: + - ${VAULT_LISTEN_PORT}:8200/tcp + - ${VAULT_CLUSTER_PORT}:8201/tcp + labels: + io.rancher.scheduler.affinity:host_label: lbhost=true + io.rancher.container.agent.role: environmentAdmin,agent + io.rancher.container.agent_service.drain_provider: 'true' + io.rancher.container.create_agent: 'true' + vault: + cap_add: + - IPC_LOCK + image: vault:0.9.6 + environment: + VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG} + VAULT_REDIRECT_INTERFACE: "eth0" + VAULT_CLUSTER_INTERFACE: "eth0" +{{- if eq .Values.USE_CONSUL "true"}} + external_links: + - ${CONSUL_SERVICE}:consul +{{- end}} + volumes: + - vault-file:/vault/file + - vault-config:/vault/config + command: + - server + diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml index 83c84c0..8205dc3 100755 --- a/templates/vault/0/rancher-compose.yml +++ b/templates/vault/0/rancher-compose.yml 
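Review bot: Every line of the file shows as removed and re-added although the textual changes are a few variable renames, the two image pins and two new env vars, which suggests a line-ending or trailing-whitespace change on re-save; normalising the file (LF endings, no trailing blanks) so the hunk shows only real changes would make the `${volumeDriver}` to `${VOLUME_DRIVER}` rename and the `vault:0.9.6` pin reviewable. The rewrite also silently drops `logging: driver: journald` and the `io.rancher.container.pull_image: always` label, neither of which the commit message mentions; if the host-side log capture is intentionally removed, call it out, since the container's stdout is where Vault's server log lands until an audit device is configured. The trailing `+` blank line at the end of the file should go as well.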
@@ -1,7 +1,7 @@ version: '2' catalog: name: Vault - version: 1.0-test-rancher1 + version: 1.0-rancher1 description: | Installs a Vault container, internal (Rancher) load-balancer, and allows connection to a Consul cluster uuid: vault-rac-0 @@ -12,21 +12,33 @@ catalog: This is the embedded JSON format config file that vault will use at startup type: multiline default: | - {"backend":{"consul":{"address":"http://:", "advertise_addr":"http://","path":""}}, "listener":{"tcp":{"address":"0.0.0.0:18200","tls_disable":1}}} - - variable: useConsul + {"backend":{"consul":{"address":"consul:8500", "path":"vault"}}, "listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}, "cluster_name": "myCluster" } + - variable: VAULT_LISTEN_PORT + label: Vault Listen Port + description: + This is the port number you want Vault to listen on. Actually, Vault ALWAYS listens on port 8200, but it isn't exposed, so you can set the port you want the LoadBalancer to listen on. + default: 8200 + type: int + - variable: VAULT_CLUSTER_PORT + label: Vault Cluster Port + description: + Similar to the Vault Listen Port, this is the VAULT CLUSTER listen port to use. + default: 8201 + type: int + - variable: USE_CONSUL label: Would you like to back Vault with Consul? description: | Selecting yes or no allows you to back your vault repoository with a pre-installed Consul cluster/server default: false type: boolean - - variable: consulService + - variable: CONSUL_SERVICE label: Specify the Consul service to connect to description: | The pre-installed Consul server to back to default: "select" type: service - - variable: volumeDriver + - variable: VOLUME_DRIVER label: Driver for volumes description: | How/Where to store your vault config and logs 
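Review bot: The new default config hard-wires `"backend":{"consul":{"address":"consul:8500",...}}` while `USE_CONSUL` still defaults to `false`, yet the template only adds `external_links: ${CONSUL_SERVICE}:consul` when `USE_CONSUL` is `"true"`, so a user who accepts the defaults gets a Vault pointed at a `consul` hostname that is never linked and will most likely fail to start. Either make the default config follow the toggle in the template, or default to a file-based config and say in the description that choosing Consul requires editing the JSON. Separately, the two new `description:` keys for `VAULT_LISTEN_PORT` and `VAULT_CLUSTER_PORT` drop the `|` used by every other question, turning the text into a plain scalar; keep `description: |` for consistency.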
@@ -47,12 +59,12 @@ services: - priority: 1 protocol: tcp service: vault - source_port: 8200 + source_port: ${VAULT_LISTEN_PORT} target_port: 8200 - priority: 2 protocol: tcp service: vault - source_port: 8201 + source_port: ${VAULT_CLUSTER_PORT} target_port: 8201 health_check: response_timeout: 2000 diff --git a/templates/vault/config.yml b/templates/vault/config.yml index 58b1095..6a48877 100644 --- a/templates/vault/config.yml +++ b/templates/vault/config.yml @@ -1,8 +1,7 @@ name: Vault description: | - This template installs a Vault server with optional configuration items, including backing store -version: 1.0-test-rancher1 + An OFFICIAL Vault server with optional configuration items, including backing store +version: 1.0-rancher1 category: Platform maintainer: Randal Cobb -license: -projectURL: http://www.nordstrom.com/tech/givingBack + From 42bbf67904654ec883e8053b0ac00a3998985082 Mon Sep 17 00:00:00 2001 From: MadOtis Date: Mon, 9 Apr 2018 15:01:09 -0700 Subject: [PATCH 05/10] shouldn't have committed this file... .DS_Store is supposed to be in .gitignore --- templates/vault/0/.DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 templates/vault/0/.DS_Store diff --git a/templates/vault/0/.DS_Store b/templates/vault/0/.DS_Store deleted file mode 100644 index e3e2676be061234d58d3983438a76516bc9b2bef..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKF-`+P3>-s>NHmdXD7T~mi65+@P*C#$NI;^va0o<^?z+5%SHjp{P@)5giUN%# zdv<-E-P{!C7=X=R?=FBDfGOP(TMuLN=k6mrXc;5YdBy|o@r*O9(2uIWPdN9OoLfAS zwaZ`QiKo2q#B*%0Mt9Zqt7X?O$?%{1Mn8QI<4Pt4q<|EV0#ZN<{7wPyy|n33qM{U# z0#e{h0slS}x?^oPB*v$MAw~e=gy}G@W0oKmPY`RvA(0uHC6$;|Ya@mwo%z!0YQrHh z>9Dw&=d_!xO(+((Ghd<{RudJafE3tQ;4rr{@Bf$dALjpkl6F!+3j8YtY_hms%=t>K zw~k)Udu^fL&_9i}QO*#pm>8{?8*jxYJ9Wj^d|n$4i9u&R=tTVya9w0l;4c*T0EdMh ArvLx| From 21ee55b1ef26a1f9dd5886b3ca2c5fe9a7307b8e Mon Sep 17 00:00:00 2001 
From: "Cobb, Randy" Date: Tue, 10 Apr 2018 08:39:52 -0700 Subject: [PATCH 06/10] Several refactorings of ports, and more after pull-request recommendations were suggested by rawmind0 --- templates/vault/0/README.md | 14 +++++ templates/vault/0/docker-compose.yml.tpl | 13 +++-- templates/vault/0/rancher-compose.yml | 71 ++++++++++++++++++------ 3 files changed, 76 insertions(+), 22 deletions(-) diff --git a/templates/vault/0/README.md b/templates/vault/0/README.md index 5202f76..592a8a1 100644 --- a/templates/vault/0/README.md +++ b/templates/vault/0/README.md @@ -19,3 +19,17 @@ This catalog item uses these two main containers: 4. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION 5. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more. 6. Enjoy! + +## Backend Configuration +This field is for specifying your backend configuration values. You enter them in a name=value pair format with each separate element being on its own line. For example: +``` +address = "http://locahost:2379" +etcd_api = "v3" +``` +would be a valid configuration for Etcd and +``` +access_key = "abcd1234" +secret_key = "defg5678" +bucket = "my-bucket" +``` +would be valid for Amazon S3 buckets. diff --git a/templates/vault/0/docker-compose.yml.tpl b/templates/vault/0/docker-compose.yml.tpl index a7b5d78..0584a06 100755 --- a/templates/vault/0/docker-compose.yml.tpl +++ b/templates/vault/0/docker-compose.yml.tpl @@ -11,7 +11,9 @@ services: - ${VAULT_LISTEN_PORT}:8200/tcp - ${VAULT_CLUSTER_PORT}:8201/tcp labels: - io.rancher.scheduler.affinity:host_label: lbhost=true +{{- if .Values.HOST_LABEL }} + io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} +{{- end }} io.rancher.container.agent.role: environmentAdmin,agent io.rancher.container.agent_service.drain_provider: 'true' io.rancher.container.create_agent: 'true' 
@@ -20,13 +22,14 @@ services: - IPC_LOCK image: vault:0.9.6 environment: - VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG} VAULT_REDIRECT_INTERFACE: "eth0" VAULT_CLUSTER_INTERFACE: "eth0" -{{- if eq .Values.USE_CONSUL "true"}} + VAULT_LOCAL_CONFIG: | + { "backend": "{{.Values.VAULT_BACKEND}}": { {{.Values.BACKEND_CONFIGURATION}} },"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}, "cluster_name":"{{.Values.VAULT_CLUSTER_NAME}}" } +{{- if .Values.VAULT_BACKEND }} external_links: - - ${CONSUL_SERVICE}:consul -{{- end}} + - ${VAULT_BACKEND}:SERVICE +{{- end }} volumes: - vault-file:/vault/file - vault-config:/vault/config diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml index 8205dc3..272fd41 100755 --- a/templates/vault/0/rancher-compose.yml +++ b/templates/vault/0/rancher-compose.yml 
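Review bot: `VAULT_LOCAL_CONFIG` is now assembled by splicing the free-text `BACKEND_CONFIGURATION` answer straight into a JSON literal and handing the result to the container as an environment variable. A stray quote or brace in that answer yields invalid JSON and Vault refuses to start with no feedback in the catalog form, and any backend credential typed into the box (the README in this same commit uses `access_key`/`secret_key` as its S3 example) is then readable by anyone who can view the service in the Rancher UI/API or run `docker inspect` on the host. Consider delivering the rendered config through the `vault-config` volume that is already mounted at `/vault/config`, or a Rancher secret if the target Rancher version supports them, and state in the question's description that values entered here are stored in plain text with the stack definition. As written, `"backend": "{{.Values.VAULT_BACKEND}}": { ... }` is also not valid JSON, since a key cannot directly follow a string value; the storage block needs `{"backend":{"<name>":{...}}}` nesting.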
@@ -6,38 +6,75 @@ catalog: Installs a Vault container, internal (Rancher) load-balancer, and allows connection to a Consul cluster uuid: vault-rac-0 questions: - - variable: VAULT_LOCAL_CONFIG - label: Provide a default config? + - variable: VAULT_CLUSTER_NAME + label: Vault Cluster Name description: | - This is the embedded JSON format config file that vault will use at startup - type: multiline - default: | - {"backend":{"consul":{"address":"consul:8500", "path":"vault"}}, "listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}, "cluster_name": "myCluster" } + Provide a name for this Vault cluster + type: string + default: myCluster + required: true + - variable: VAULT_BACKEND + label: Backend for Vault + description: | + Provide the backend engine for Vault (i.e., Consul, File, etc.) - variable: VAULT_LISTEN_PORT label: Vault Listen Port - description: + description: | This is the port number you want Vault to listen on. Actually, Vault ALWAYS listens on port 8200, but it isn't exposed, so you can set the port you want the LoadBalancer to listen on. default: 8200 type: int + required: true - variable: VAULT_CLUSTER_PORT label: Vault Cluster Port - description: + description: | Similar to the Vault Listen Port, this is the VAULT CLUSTER listen port to use. default: 8201 type: int - - variable: USE_CONSUL - label: Would you like to back Vault with Consul? + required: true + - variable: VAULT_BACKEND + label: Select a backend for Vault description: | - Selecting yes or no allows you to back your vault repoository with a pre-installed - Consul cluster/server - default: false - type: boolean - - variable: CONSUL_SERVICE - label: Specify the Consul service to connect to + Vault supports several different backend storage engines. Please select the one you are interested in using. 
(NOTE: Must be pre-installed or added to a different stack) + default: Filesystem + type: enum + required: true + options: + - azure + - cockroachdb + - consul + - couchdb + - dynamodb + - etcd + - filesystem + - gcs + - inmem + - manta + - mysql + - postgresql + - spanner + - cassandra + - s3 + - swift + - zookeeper + - variable: BACKEND_SERVICE + label: Specify the Backend service to connect to description: | - The pre-installed Consul server to back to + The pre-installed Backend server to back to. To reference, you can use the memory variable "$SERVICE" in your URLs. For example: "consul://$SERVICE:8500" default: "select" type: service + - variable: BACKEND_CONFIGURATION + label: Specify the backend configuration in name=value format + default: "path=\"/mnt/vault/data\"" + required: true + description: | + Enter the configuration block for the backend (Refer to Vault documentation for valid backend configuration elements) put each item on a separate line + type: multiline + - variable: HOST_LABEL + label: Optional Host label to bind LoadBalancer to + description: | + If you wish to bind your LoadBalancer to a specific host node, you can specify the label and value here in name=value pair format + default: "lbhost=true" + type: string - variable: VOLUME_DRIVER label: Driver for volumes description: | From 8a7d4ee09232824d4b85813143b58e2ddaed0336 Mon Sep 17 00:00:00 2001 From: "Cobb, Randy" Date: Tue, 10 Apr 2018 11:41:50 -0700 Subject: [PATCH 07/10] Latest pull request changes made: - refactored the config mechanism to use a template - added all supported backend storage engines - added a scale option to spin up an entire cluster at once - various other typo fixes --- templates/vault/0/README.md | 21 ++++++++----------- templates/vault/0/docker-compose.yml.tpl | 18 ++++++++-------- templates/vault/0/rancher-compose.yml | 26 ++++++++++++++---------- 3 files changed, 33 insertions(+), 32 deletions(-) 
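Review bot: `VAULT_BACKEND` is declared twice in `questions`, once as an untyped free-text question ("Backend for Vault") and again as the required enum, so the rendered form either shows two inputs for the same variable or the later definition silently wins; delete the first. The enum's `default: Filesystem` matches no entry in `options` (the list has lowercase `filesystem`), so the default selection is invalid until the user picks something. `BACKEND_CONFIGURATION` defaults to `path="/mnt/vault/data"` in `name=value` form, but the `docker-compose.yml.tpl` hunk in this commit splices the value into a JSON object, so the shipped default cannot produce a parseable config; align the default and the `multiline` description with the format the template actually expects.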
diff --git a/templates/vault/0/README.md b/templates/vault/0/README.md index 592a8a1..4dd28ba 100644 --- a/templates/vault/0/README.md +++ b/templates/vault/0/README.md 
@@ -13,23 +13,20 @@ This catalog item uses these two main containers: ## Deployment: 1. Select the catalog item and choose a version from the drop-down box 2. Adjust any values on the page to meet your needs. -3. Make any adjustments to the default config provided, such as: - * A different backend than the Consul server specified. - * Different ports to listen on (NOTE: Vault ALWAYS listens on port 8200, but you can adjust the LoadBalancer ports to any that are acceptable to your environment; the LoadBalancer handles routing between the port you specify and port 8200 (and 8201) in Vault itself. -4. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION -5. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more. -6. Enjoy! +3. Select a backend type and specify values specific to that type (i.e.: for Consul: "address":"SERVICE:8500","path":"myNewVault" +4. Different ports to listen on (NOTE: Vault ALWAYS listens on port 8200, but you can adjust the LoadBalancer ports to any that are acceptable to your environment; the LoadBalancer handles routing between the port you specify and port 8200 (and 8201) in Vault itself. +5. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION +6. Specify how many vault servers you want in your cluster (You'll always only get only 1 load balancer) +6. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more. +7. Enjoy! ## Backend Configuration -This field is for specifying your backend configuration values. You enter them in a name=value pair format with each separate element being on its own line. For example: +This field is for specifying your backend configuration values. You enter them in a name=value pair format just as you would in a Vault configuration file; with each separate element being on its own line. 
For example: ``` -address = "http://locahost:2379" -etcd_api = "v3" +"address": "http://locahost:2379","etcd_api": "v3" ``` would be a valid configuration for Etcd and ``` -access_key = "abcd1234" -secret_key = "defg5678" -bucket = "my-bucket" +"access_key": "abcd1234","secret_key": "defg5678","bucket": "my-bucket" ``` would be valid for Amazon S3 buckets. diff --git a/templates/vault/0/docker-compose.yml.tpl b/templates/vault/0/docker-compose.yml.tpl index 0584a06..1febc56 100755 --- a/templates/vault/0/docker-compose.yml.tpl +++ b/templates/vault/0/docker-compose.yml.tpl @@ -11,25 +11,25 @@ services: - ${VAULT_LISTEN_PORT}:8200/tcp - ${VAULT_CLUSTER_PORT}:8201/tcp labels: -{{- if .Values.HOST_LABEL }} - io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} -{{- end }} io.rancher.container.agent.role: environmentAdmin,agent io.rancher.container.agent_service.drain_provider: 'true' io.rancher.container.create_agent: 'true' +{{- if .Values.HOST_LABEL }} + io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} +{{- end }} vault: + image: vault:0.9.6 cap_add: - IPC_LOCK - image: vault:0.9.6 +{{- if .Values.VAULT_BACKEND }} + external_links: + - ${BACKEND_SERVICE}:SERVICE +{{- end }} environment: VAULT_REDIRECT_INTERFACE: "eth0" VAULT_CLUSTER_INTERFACE: "eth0" VAULT_LOCAL_CONFIG: | - { "backend": "{{.Values.VAULT_BACKEND}}": { {{.Values.BACKEND_CONFIGURATION}} },"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}, "cluster_name":"{{.Values.VAULT_CLUSTER_NAME}}" } -{{- if .Values.VAULT_BACKEND }} - external_links: - - ${VAULT_BACKEND}:SERVICE -{{- end }} + { "storage":{"{{.Values.VAULT_BACKEND}}":{ {{.Values.BACKEND_CONFIGURATION}} }},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}},"cluster_name":"{{.Values.VAULT_CLUSTER_NAME}}"} volumes: - vault-file:/vault/file - vault-config:/vault/config diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml index 272fd41..9168365 100755 
--- a/templates/vault/0/rancher-compose.yml +++ b/templates/vault/0/rancher-compose.yml @@ -13,10 +13,6 @@ catalog: type: string default: myCluster required: true - - variable: VAULT_BACKEND - label: Backend for Vault - description: | - Provide the backend engine for Vault (i.e., Consul, File, etc.) - variable: VAULT_LISTEN_PORT label: Vault Listen Port description: | @@ -45,7 +41,7 @@ catalog: - couchdb - dynamodb - etcd - - filesystem + - file - gcs - inmem - manta 
@@ -59,22 +55,30 @@ catalog: - variable: BACKEND_SERVICE label: Specify the Backend service to connect to description: | - The pre-installed Backend server to back to. To reference, you can use the memory variable "$SERVICE" in your URLs. For example: "consul://$SERVICE:8500" + The pre-installed Backend server to back to. To reference, you can use the memory variable "SERVICE" in your URLs. For example: "consul://SERVICE:8500" default: "select" type: service - variable: BACKEND_CONFIGURATION - label: Specify the backend configuration in name=value format - default: "path=\"/mnt/vault/data\"" + label: Specify the backend configuration in valid JSON format + default: | + "path":"/mnt/vault/data" required: true description: | - Enter the configuration block for the backend (Refer to Vault documentation for valid backend configuration elements) put each item on a separate line - type: multiline + Enter the configuration block for the backend (Refer to Vault documentation for valid backend configuration elements) in JSON format + type: string - variable: HOST_LABEL label: Optional Host label to bind LoadBalancer to description: | If you wish to bind your LoadBalancer to a specific host node, you can specify the label and value here in name=value pair format default: "lbhost=true" type: string + - variable: CLUSTER_SCALE + label: How many Vault servers do you want in your cluster? + description: | + Select the number of VAULT servers you want to set up in your cluster + default: 1 + type: int + required: true - variable: VOLUME_DRIVER label: Driver for volumes description: | @@ -112,5 +116,5 @@ services: interval: 2000 reinitializing_timeout: 60000 vault: - scale: 1 + scale: ${CLUSTER_SCALE} start_on_create: true From 27a4f2b934de0a7fd3298a572380096a6f135ef5 Mon Sep 17 00:00:00 2001 
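Review bot: `CLUSTER_SCALE` lets the user start several `vault` containers behind the single LB, but the backend enum still offers `file` and `inmem`, which are single-node stores: with a per-host volume driver each replica gets its own `vault-file` volume, and with a shared driver they write to the same files without coordination, so N replicas behind the LB are N independently initialised and sealed Vaults and a client's requests land on a different one each time. Guard this in the question text, e.g. `Keep this at 1 unless the selected backend supports high availability (for example consul); the file and inmem backends cannot be clustered.`, or gate the question on the backend choice in the template. The same concern applies to the `scale: ${CLUSTER_SCALE}` line in the last hunk of this file.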
From: "Cobb, Randy" Date: Tue, 10 Apr 2018 15:21:27 -0700 Subject: [PATCH 08/10] Latest pull request changes made: - refactored the config mechanism to use a template - added all supported backend storage engines - added a scale option to spin up an entire cluster at once - various other typo fixes --- templates/vault/0/README.md | 21 +++++++++++---------- templates/vault/0/rancher-compose.yml | 4 ++-- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/templates/vault/0/README.md b/templates/vault/0/README.md index 4dd28ba..89ab0ec 100644 --- a/templates/vault/0/README.md +++ b/templates/vault/0/README.md 
@@ -13,20 +13,21 @@ This catalog item uses these two main containers: ## Deployment: 1. Select the catalog item and choose a version from the drop-down box 2. Adjust any values on the page to meet your needs. -3. Select a backend type and specify values specific to that type (i.e.: for Consul: "address":"SERVICE:8500","path":"myNewVault" -4. Different ports to listen on (NOTE: Vault ALWAYS listens on port 8200, but you can adjust the LoadBalancer ports to any that are acceptable to your environment; the LoadBalancer handles routing between the port you specify and port 8200 (and 8201) in Vault itself. -5. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION -6. Specify how many vault servers you want in your cluster (You'll always only get only 1 load balancer) -6. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more. -7. Enjoy! +3. Make any adjustments to the default config provided, such as: + * A different backend than the Consul server specified. + * Different ports to listen on (NOTE: Vault ALWAYS listens on port 8200, but you can adjust the LoadBalancer ports to any that are acceptable to your environment; the LoadBalancer handles routing between the port you specify and port 8200 (and 8201) in Vault itself. +4. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION +5. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more. +6. Enjoy! ## Backend Configuration -This field is for specifying your backend configuration values. You enter them in a name=value pair format just as you would in a Vault configuration file; with each separate element being on its own line. For example: +This field is for specifying your backend configuration options. You enter them in a JSON key:value pair format just as you would in a JSON Vault configuration file; with each separate element being comma-delimited. 
For example: ``` -"address": "http://locahost:2379","etcd_api": "v3" +"address":"http://locahost:2379","etcd_api":"v3" ``` would be a valid configuration for Etcd and ``` -"access_key": "abcd1234","secret_key": "defg5678","bucket": "my-bucket" +"access_key":"abcd1234","secret_key":"defg5678","bucket":"my-bucket" ``` -would be valid for Amazon S3 buckets. +would be valid for Amazon S3 buckets.:w + diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml index 9168365..4fca705 100755 --- a/templates/vault/0/rancher-compose.yml +++ b/templates/vault/0/rancher-compose.yml @@ -31,7 +31,7 @@ catalog: label: Select a backend for Vault description: | Vault supports several different backend storage engines. Please select the one you are interested in using. (NOTE: Must be pre-installed or added to a different stack) - default: Filesystem + default: file type: enum required: true options: @@ -61,7 +61,7 @@ catalog: - variable: BACKEND_CONFIGURATION label: Specify the backend configuration in valid JSON format default: | - "path":"/mnt/vault/data" + "path":"/vault/file" required: true description: | Enter the configuration block for the backend (Refer to Vault documentation for valid backend configuration elements) in JSON format From 7c10118a178ac82567324a8184abc95c04d26929 Mon Sep 17 00:00:00 2001 From: "Cobb, Randy" Date: Wed, 11 Apr 2018 09:29:00 -0700 Subject: [PATCH 09/10] Latest pull request changes made: - refactored the config mechanism to use a template - added all supported backend storage engines - added a scale option to spin up an entire cluster at once - various other typo fixes --- templates/vault/0/docker-compose.yml.tpl | 8 ++++++-- templates/vault/0/rancher-compose.yml | 1 - 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/templates/vault/0/docker-compose.yml.tpl b/templates/vault/0/docker-compose.yml.tpl index 1febc56..d016622 100755 --- a/templates/vault/0/docker-compose.yml.tpl 
+++ b/templates/vault/0/docker-compose.yml.tpl @@ -21,7 +21,7 @@ services: image: vault:0.9.6 cap_add: - IPC_LOCK -{{- if .Values.VAULT_BACKEND }} +{{- if .Values.BACKEND_SERVICE }} external_links: - ${BACKEND_SERVICE}:SERVICE {{- end }} @@ -29,7 +29,11 @@ services: VAULT_REDIRECT_INTERFACE: "eth0" VAULT_CLUSTER_INTERFACE: "eth0" VAULT_LOCAL_CONFIG: | - { "storage":{"{{.Values.VAULT_BACKEND}}":{ {{.Values.BACKEND_CONFIGURATION}} }},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}},"cluster_name":"{{.Values.VAULT_CLUSTER_NAME}}"} + { + "storage":{"${VAULT_BACKEND}":{ ${BACKEND_CONFIGURATION} }}, + "listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}, + "cluster_name":"${VAULT_CLUSTER_NAME}" + } volumes: - vault-file:/vault/file - vault-config:/vault/config diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml index 4fca705..6608ba5 100755 --- a/templates/vault/0/rancher-compose.yml +++ b/templates/vault/0/rancher-compose.yml @@ -56,7 +56,6 @@ catalog: label: Specify the Backend service to connect to description: | The pre-installed Backend server to back to. To reference, you can use the memory variable "SERVICE" in your URLs. For example: "consul://SERVICE:8500" - default: "select" type: service - variable: BACKEND_CONFIGURATION label: Specify the backend configuration in valid JSON format From 5bfdc700b2c486b7948ffd5b0f25f57ea81c1fc1 Mon Sep 17 00:00:00 2001 From: "Cobb, Randy" Date: Wed, 11 Apr 2018 12:35:57 -0700 Subject: [PATCH 10/10] Latest pull request changes made: - Refactored "default" value from multiline format to single string format to fix the issue with the values not being populated in the template if someone simply selects the catalog item, then clicks submit without making any adjustments. --- templates/vault/0/rancher-compose.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml index 6608ba5..5688f8b 100755 --- a/templates/vault/0/rancher-compose.yml +++ b/templates/vault/0/rancher-compose.yml @@ -59,8 +59,7 @@ catalog: type: service - variable: BACKEND_CONFIGURATION label: Specify the backend configuration in valid JSON format - default: | - "path":"/vault/file" + default: '"path":"/vault/file"' required: true description: | Enter the configuration block for the backend (Refer to Vault documentation for valid backend configuration elements) in JSON format