updated the catalog for the secrets-bridge v1.2.0 release

2016-12-01 09:55:14 -08:00 · 2016-12-01 09:55:14 -08:00 · ee01de0379
commit ee01de0379
parent 85ffaf7566
10 changed files with 137 additions and 2 deletions
--- a/templates/secrets-bridge-agents/0/rancher-compose.yml
+++ b/templates/secrets-bridge-agents/0/rancher-compose.yml
@ -1,6 +1,7 @@
 .catalog:
    name: "Secrets Bridge Agent"
    version: 0.0.1-rancher1
+    maximum_rancher_version: v1.2.0-pre3
    description: |
       Agent side of secrets bridge between Rancher and Vault
    questions:
--- a/templates/secrets-bridge-agents/1/README.md
+++ b/templates/secrets-bridge-agents/1/README.md
@ -0,0 +1,20 @@
+## Secrets Bridge Agents (Experimental)
+---
+###Status: Experimental POC (Read: Do NOT use for production) 
+Only works with Hashicorp Vault server in dev mode currently.
+
+---
+#### Description: 
+  This is the agent component for the Vault secrets bridge with Rancher. This service will be deployed in the environment running applications that need secrets. This service does not have direct access to Vault, it communicates with the Secrets Bridge server.
+ 
+#### Setup
+
+See [setup guide](https://github.com/rancher/secrets-bridge/blob/master/docs/setup.md)
+  
+#### Pre-reqs:
+
+An instance of Secrets Bridge server running.
+
+#### Running this app
+As services come up, this service will send events to the Secrets Bridge based on Docker start events. The server will (Not currently enforced) verify the signed token with Rancher server and get the launching containers Rancher environment, stack, service and Docker ID. With that information the Secrets Bridge server will check with Vault in the `configPath/environment/stack/service/container_name` for a key called policies. It checks from most specific and recursively looks down to the environment key. It uses the most specific match. 
+
--- a/templates/secrets-bridge-agents/1/docker-compose.yml
+++ b/templates/secrets-bridge-agents/1/docker-compose.yml
@ -0,0 +1,10 @@
+secrets-bridge:
+    image: rancher/secrets-bridge:v0.2.0
+    command: agent --bridge-url ${BRIDGE_URL}
+    volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
+    privileged: true
+    labels:
+        io.rancher.container.create_agent: true
+        io.rancher.container.agent.role: agent
+        io.rancher.scheduler.global: true
--- a/templates/secrets-bridge-agents/1/rancher-compose.yml
+++ b/templates/secrets-bridge-agents/1/rancher-compose.yml
@ -0,0 +1,12 @@
+.catalog:
+    name: "Secrets Bridge Agent"
+    minimum_rancher_version: v1.2.0
+    version: 0.1.0-rancher1
+    description: |
+       Agent side of secrets bridge between Rancher and Vault
+    questions:
+        - variable: BRIDGE_URL
+          type: string
+          label: "Secrets Bridge URL"
+          required: true
+          description: "Should be the http(s)://address:port version of the url"
--- a/templates/secrets-bridge-agents/config.yml
+++ b/templates/secrets-bridge-agents/config.yml
@ -1,4 +1,4 @@
 name: "Secrets Bridge Agents"
 description: "Agent side of bridge between Vault and Rancher"
-version: "0.0.1-rancher1"
+version: "0.1.0-rancher1"
 category: Security
--- a/templates/secrets-bridge-server/0/rancher-compose.yml
+++ b/templates/secrets-bridge-server/0/rancher-compose.yml
@ -1,6 +1,7 @@
 .catalog:
    name: "Secrets Bridge Server"
    version: 0.0.1-rancher1
+    maximum_rancher_version: v1.2.0-pre3
    description: |
       Server side secrets bridge between Rancher and Vault
    questions:
--- a/templates/secrets-bridge-server/1/README.md
+++ b/templates/secrets-bridge-server/1/README.md
@ -0,0 +1,15 @@
+## Secrets Bridge Server (Beta)
+---
+#### Upgrade NOTICE
+
+When upgrading this service keep in mind that if you use a new issuing token, tokens issued by the previous version will expire. This means running apps will no longer be able to access Vault using those tokens. If you need to keep those tokens fresh, then reuse the original PERM_TOKEN.
+
+#### Description: 
+  This is the server side component for the Vault Secrets bridge with Rancher. This service should *NOT* be deployed in the same environment as user applications. It will have access to Vault, and compromising it will give the person access to *ALL* secrets available in that environment. It should instead be run in an environment reserved for the team operating Rancher.
+  
+  The reason this uses a temporary Cubbyhole token to start the service is that ENV variables do show up in the Rancher API and Docker inspect commands. That said, if this service fails, the issuing token will expire and all app tokens will also expire.
+  
+#### Setup
+
+See [setup guide](https://github.com/rancher/secrets-bridge/blob/master/docs/setup.md)
+  
--- a/templates/secrets-bridge-server/1/docker-compose.yml
+++ b/templates/secrets-bridge-server/1/docker-compose.yml
@ -0,0 +1,24 @@
+secrets-bridge:
+    image: rancher/secrets-bridge:v0.2.0
+    environment:
+        CATTLE_ACCESS_KEY: ${CATTLE_ACCESS_KEY}
+        CATTLE_SECRET_KEY: ${CATTLE_SECRET_KEY}
+        CATTLE_URL: ${CATTLE_URL}
+        VAULT_TOKEN: ${VAULT_TOKEN}
+        VAULT_CUBBYPATH: ${VAULT_CUBBYPATH}
+    command: 
+        - server
+        - --vault-url
+        - ${VAULT_URL}
+        - --rancher-url
+        - $CATTLE_URL
+        - --rancher-secret
+        - ${CATTLE_SECRET_KEY}
+        - --rancher-access
+        - ${CATTLE_ACCESS_KEY}
+secrets-bridge-lb:
+    ports:
+        - "${LBPORT}:8181"
+    image: rancher/load-balancer-service
+    links:
+        - secrets-bridge:secrets-bridge
--- a/templates/secrets-bridge-server/1/rancher-compose.yml
+++ b/templates/secrets-bridge-server/1/rancher-compose.yml
@ -0,0 +1,52 @@
+.catalog:
+    name: "Secrets Bridge Server"
+    version: 0.1.0-rancher1
+    minimum_rancher_version: v1.2.0
+    description: |
+       Server side secrets bridge between Rancher and Vault
+    questions:
+        - variable: CATTLE_URL
+          type: string
+          label: "Cattle URL"
+          required: true
+          description: "URL to the Cattle Project this service is managing"
+        - variable: CATTLE_ACCESS_KEY
+          type: string
+          label: "Cattle Access Key"
+          required: true
+          description: "Cattle Access API Key"
+        - variable: CATTLE_SECRET_KEY
+          type: password
+          label: "Cattle Secret Key"
+          required: true
+          description: "Cattle Secret API Key"
+        - variable: VAULT_TOKEN
+          type: password
+          label: "Vault Temp Token"
+          required: true
+          description: "Temporary Token to Access Vault Cubbyhole"
+        - variable: VAULT_URL
+          type: string
+          label: "URL to Vault server"
+          required: true
+          description: "URL to the Vault server"
+        - variable: VAULT_CUBBYPATH
+          type: string
+          label: "Vault Cubbyhole Path"
+          required: true
+          description: "Path to get the permenant API key"
+        - variable: LBPORT
+          description: "Port for Secrets Bridge LB to listen on"
+          label: "LB Port"
+          type: string
+          required: true
+secrets-bridge-lb:
+  scale: 1
+  load_balancer_config:
+    haproxy_config: {}
+  health_check:
+    port: 42
+    interval: 2000
+    unhealthy_threshold: 3
+    healthy_threshold: 2
+    response_timeout: 2000
--- a/templates/secrets-bridge-server/config.yml
+++ b/templates/secrets-bridge-server/config.yml
@ -1,4 +1,4 @@
 name: "Secrets Bridge"
 description: "Server side of bridge between Vault and Rancher"
-version: "0.0.1-rancher1"
+version: "0.1.0-rancher1"
 category: Security