From ee01de0379d9c509a2a766bb0ba48f7fbf249cd5 Mon Sep 17 00:00:00 2001
From: Bill Maxwell
Date: Thu, 1 Dec 2016 09:55:14 -0800
Subject: [PATCH] updated the catalog for the secrets-bridge v1.2.0 release
---
.../0/rancher-compose.yml | 1 +
templates/secrets-bridge-agents/1/README.md | 20 +++++++
.../1/docker-compose.yml | 10 ++++
.../1/rancher-compose.yml | 12 +++++
templates/secrets-bridge-agents/config.yml | 2 +-
.../0/rancher-compose.yml | 1 +
templates/secrets-bridge-server/1/README.md | 15 ++++++
.../1/docker-compose.yml | 24 +++++++++
.../1/rancher-compose.yml | 52 +++++++++++++++++++
templates/secrets-bridge-server/config.yml | 2 +-
10 files changed, 137 insertions(+), 2 deletions(-)
create mode 100644 templates/secrets-bridge-agents/1/README.md
create mode 100644 templates/secrets-bridge-agents/1/docker-compose.yml
create mode 100644 templates/secrets-bridge-agents/1/rancher-compose.yml
create mode 100644 templates/secrets-bridge-server/1/README.md
create mode 100644 templates/secrets-bridge-server/1/docker-compose.yml
create mode 100644 templates/secrets-bridge-server/1/rancher-compose.yml
diff --git a/templates/secrets-bridge-agents/0/rancher-compose.yml b/templates/secrets-bridge-agents/0/rancher-compose.yml
index be5c3eb..c252148 100644
--- a/templates/secrets-bridge-agents/0/rancher-compose.yml
+++ b/templates/secrets-bridge-agents/0/rancher-compose.yml
@@ -1,6 +1,7 @@
 .catalog:
 name: "Secrets Bridge Agent"
 version: 0.0.1-rancher1
+ maximum_rancher_version: v1.2.0-pre3
 description: |
 Agent side of secrets bridge between Rancher and Vault
 questions:
diff --git a/templates/secrets-bridge-agents/1/README.md b/templates/secrets-bridge-agents/1/README.md
new file mode 100644
index 0000000..dbd30ec
--- /dev/null
+++ b/templates/secrets-bridge-agents/1/README.md
@@ -0,0 +1,20 @@
+## Secrets Bridge Agents (Experimental)
+---
+###Status: Experimental POC (Read: Do NOT use for production)
+Only works with Hashicorp Vault server in dev mode currently.
+
+---
+#### Description:
+ This is the agent component for the Vault secrets bridge with Rancher. This service will be deployed in the environment running applications that need secrets. This service does not have direct access to Vault, it communicates with the Secrets Bridge server.
+
+#### Setup
+
+See [setup guide](https://github.com/rancher/secrets-bridge/blob/master/docs/setup.md)
+
+#### Pre-reqs:
+
+An instance of Secrets Bridge server running.
+
+#### Running this app
+As services come up, this service will send events to the Secrets Bridge based on Docker start events. The server will (Not currently enforced) verify the signed token with Rancher server and get the launching containers Rancher environment, stack, service and Docker ID. With that information the Secrets Bridge server will check with Vault in the `configPath/environment/stack/service/container_name` for a key called policies. It checks from most specific and recursively looks down to the environment key. It uses the most specific match.
+
diff --git a/templates/secrets-bridge-agents/1/docker-compose.yml b/templates/secrets-bridge-agents/1/docker-compose.yml
new file mode 100644
index 0000000..3921cdd
--- /dev/null
+++ b/templates/secrets-bridge-agents/1/docker-compose.yml
@@ -0,0 +1,10 @@
+secrets-bridge:
+ image: rancher/secrets-bridge:v0.2.0
+ command: agent --bridge-url ${BRIDGE_URL}
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ privileged: true
+ labels:
+ io.rancher.container.create_agent: true
+ io.rancher.container.agent.role: agent
+ io.rancher.scheduler.global: true
diff --git a/templates/secrets-bridge-agents/1/rancher-compose.yml b/templates/secrets-bridge-agents/1/rancher-compose.yml
new file mode 100644
index 0000000..7c70328
--- /dev/null
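Review bot: `privileged: true` is stacked on top of a bind mount of `/var/run/docker.sock`, and `io.rancher.scheduler.global: true` places this container on every host, so a compromise of the container (or of the unpinned `rancher/secrets-bridge:v0.2.0` tag) is root on every node in the environment. The Docker socket alone is already host-root-equivalent and, as far as the README describes it, is all the agent needs to observe start events, so I would drop `privileged: true` unless the binary demonstrably requires it, and document the mount: `# docker.sock is required to observe container start events; note it grants host-root-equivalent access`. Pinning the image by digest is also worth considering since, as I read `io.rancher.container.create_agent: true`, this container is issued a Rancher agent credential.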
+++ b/templates/secrets-bridge-agents/1/rancher-compose.yml
@@ -0,0 +1,12 @@
+.catalog:
+ name: "Secrets Bridge Agent"
+ minimum_rancher_version: v1.2.0
+ version: 0.1.0-rancher1
+ description: |
+ Agent side of secrets bridge between Rancher and Vault
+ questions:
+ - variable: BRIDGE_URL
+ type: string
+ label: "Secrets Bridge URL"
+ required: true
+ description: "Should be the http(s)://address:port version of the url"
diff --git a/templates/secrets-bridge-agents/config.yml b/templates/secrets-bridge-agents/config.yml
index 3c30e4d..653c2b9 100644
--- a/templates/secrets-bridge-agents/config.yml
+++ b/templates/secrets-bridge-agents/config.yml
@@ -1,4 +1,4 @@
 name: "Secrets Bridge Agents"
 description: "Agent side of bridge between Vault and Rancher"
-version: "0.0.1-rancher1"
+version: "0.1.0-rancher1"
 category: Security
diff --git a/templates/secrets-bridge-server/0/rancher-compose.yml b/templates/secrets-bridge-server/0/rancher-compose.yml
index e2d06b3..c905120 100644
--- a/templates/secrets-bridge-server/0/rancher-compose.yml
+++ b/templates/secrets-bridge-server/0/rancher-compose.yml
@@ -1,6 +1,7 @@
 .catalog:
 name: "Secrets Bridge Server"
 version: 0.0.1-rancher1
+ maximum_rancher_version: v1.2.0-pre3
 description: |
 Server side secrets bridge between Rancher and Vault
 questions:
diff --git a/templates/secrets-bridge-server/1/README.md b/templates/secrets-bridge-server/1/README.md
new file mode 100644
index 0000000..f53ba16
--- /dev/null
+++ b/templates/secrets-bridge-server/1/README.md
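Review bot: The `BRIDGE_URL` description on the last line of the agents' rancher-compose hunk explicitly allows plain `http`, yet the agents' README in this same commit says the agent sends Rancher-signed tokens to the server over this URL and nothing in the template enforces TLS. The operator should at least be told what is at stake when they choose the scheme: `description: "http(s)://address:port of the Secrets Bridge server LB; use https unless the agent-to-server path is a trusted network, since signed tokens travel over it"`. A `maximum_rancher_version` is also absent here while the `0` template just gained one, which may be intentional but is worth confirming.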
@@ -0,0 +1,15 @@
+## Secrets Bridge Server (Beta)
+---
+#### Upgrade NOTICE
+
+When upgrading this service keep in mind that if you use a new issuing token, tokens issued by the previous version will expire. This means running apps will no longer be able to access Vault using those tokens. If you need to keep those tokens fresh, then reuse the original PERM_TOKEN.
+
+#### Description:
+ This is the server side component for the Vault Secrets bridge with Rancher. This service should *NOT* be deployed in the same environment as user applications. It will have access to Vault, and compromising it will give the person access to *ALL* secrets available in that environment. It should instead be run in an environment reserved for the team operating Rancher.
+
+ The reason this uses a temporary Cubbyhole token to start the service is that ENV variables do show up in the Rancher API and Docker inspect commands. That said, if this service fails, the issuing token will expire and all app tokens will also expire.
+
+#### Setup
+
+See [setup guide](https://github.com/rancher/secrets-bridge/blob/master/docs/setup.md)
+
diff --git a/templates/secrets-bridge-server/1/docker-compose.yml b/templates/secrets-bridge-server/1/docker-compose.yml
new file mode 100644
index 0000000..a456787
--- /dev/null
+++ b/templates/secrets-bridge-server/1/docker-compose.yml
@@ -0,0 +1,24 @@
+secrets-bridge:
+ image: rancher/secrets-bridge:v0.2.0
+ environment:
+ CATTLE_ACCESS_KEY: ${CATTLE_ACCESS_KEY}
+ CATTLE_SECRET_KEY: ${CATTLE_SECRET_KEY}
+ CATTLE_URL: ${CATTLE_URL}
+ VAULT_TOKEN: ${VAULT_TOKEN}
+ VAULT_CUBBYPATH: ${VAULT_CUBBYPATH}
+ command:
+ - server
+ - --vault-url
+ - ${VAULT_URL}
+ - --rancher-url
+ - $CATTLE_URL
+ - --rancher-secret
+ - ${CATTLE_SECRET_KEY}
+ - --rancher-access
+ - ${CATTLE_ACCESS_KEY}
+secrets-bridge-lb:
+ ports:
+ - "${LBPORT}:8181"
+ image: rancher/load-balancer-service
+ links:
+ - secrets-bridge:secrets-bridge
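Review bot: `CATTLE_SECRET_KEY` is exposed twice in the server docker-compose hunk — once as an environment variable and again on the command line via `--rancher-secret ${CATTLE_SECRET_KEY}` — while the README added in this same commit explains that the Vault token goes through a cubbyhole precisely because env vars show up in the Rancher API and `docker inspect`; the command line is at least as visible (`docker inspect`, `ps` on the host). Since `CATTLE_SECRET_KEY` and `CATTLE_ACCESS_KEY` are already set in `environment:`, the `--rancher-secret` / `--rancher-access` arguments look redundant and should be dropped if the binary reads them from the environment (I cannot confirm that from the template alone); the stronger fix is to fetch the Rancher API key from the same cubbyhole as the Vault token. Minor style point: `- $CATTLE_URL` on the `--rancher-url` line is the only unbraced reference; use `- ${CATTLE_URL}` like the rest. Note also that `secrets-bridge-lb` publishes `${LBPORT}` on the host with no certificate configured, so agent traffic to this port is plaintext unless the LB is given one.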
diff --git a/templates/secrets-bridge-server/1/rancher-compose.yml b/templates/secrets-bridge-server/1/rancher-compose.yml
new file mode 100644
index 0000000..79f628d
--- /dev/null
+++ b/templates/secrets-bridge-server/1/rancher-compose.yml
@@ -0,0 +1,52 @@
+.catalog:
+ name: "Secrets Bridge Server"
+ version: 0.1.0-rancher1
+ minimum_rancher_version: v1.2.0
+ description: |
+ Server side secrets bridge between Rancher and Vault
+ questions:
+ - variable: CATTLE_URL
+ type: string
+ label: "Cattle URL"
+ required: true
+ description: "URL to the Cattle Project this service is managing"
+ - variable: CATTLE_ACCESS_KEY
+ type: string
+ label: "Cattle Access Key"
+ required: true
+ description: "Cattle Access API Key"
+ - variable: CATTLE_SECRET_KEY
+ type: password
+ label: "Cattle Secret Key"
+ required: true
+ description: "Cattle Secret API Key"
+ - variable: VAULT_TOKEN
+ type: password
+ label: "Vault Temp Token"
+ required: true
+ description: "Temporary Token to Access Vault Cubbyhole"
+ - variable: VAULT_URL
+ type: string
+ label: "URL to Vault server"
+ required: true
+ description: "URL to the Vault server"
+ - variable: VAULT_CUBBYPATH
+ type: string
+ label: "Vault Cubbyhole Path"
+ required: true
+ description: "Path to get the permenant API key"
+ - variable: LBPORT
+ description: "Port for Secrets Bridge LB to listen on"
+ label: "LB Port"
+ type: string
+ required: true
+secrets-bridge-lb:
+ scale: 1
+ load_balancer_config:
+ haproxy_config: {}
+ health_check:
+ port: 42
+ interval: 2000
+ unhealthy_threshold: 3
+ healthy_threshold: 2
+ response_timeout: 2000
diff --git a/templates/secrets-bridge-server/config.yml b/templates/secrets-bridge-server/config.yml
index d9e4c7f..12bce8d 100644
--- a/templates/secrets-bridge-server/config.yml
+++ b/templates/secrets-bridge-server/config.yml
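Review bot: `VAULT_URL` is a free-form `type: string` with no transport guidance, yet per the README this is the connection over which the server retrieves the permanent token from the cubbyhole and talks to Vault for every app, so a plain-http value puts the issuing token on the wire in clear; suggest `description: "https URL of the Vault server (plain http exposes the issuing Vault token in transit)"`. `LBPORT` should be `type: int` rather than `string` so the catalog UI rejects non-numeric input before it is interpolated into the `"${LBPORT}:8181"` port mapping in docker-compose. The LB block has `haproxy_config: {}` and no certificate question, so the published port is plaintext; a comment stating that, or a certificate question, would make the trade-off visible. Typo in the `VAULT_CUBBYPATH` description: "permenant" → "permanent".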
@@ -1,4 +1,4 @@
 name: "Secrets Bridge"
 description: "Server side of bridge between Vault and Rancher"
-version: "0.0.1-rancher1"
+version: "0.1.0-rancher1"
 category: Security