Several refactorings of ports, and more after pull-request recommendations were suggested by rawmind0

This commit is contained in:
Cobb, Randy 2018-04-09 14:43:15 -07:00
parent dc7c9c36bd
commit 34f243dd6f
4 changed files with 78 additions and 47 deletions


@ -0,0 +1,21 @@
# Vault #
### Info:
This template deploys a Hashicorp Vault server along with a Rancher LoadBalancer. Once it is deployed, you will have a working Vault server ready to be scaled up to meet your environment's needs.
The template is designed to be flexible in how you configure it; you can either statically bind Vault to an existing Consul stack, or ignore Consul all together and paste in your own Vault configuration.
This catalog item uses these two main containers:
* [Vault](https://www.vaultproject.io) - The official Hashicorp Vault image
* [Rancher LoadBalancer](https://hub.docker.com/r/rancher/lb-service-haproxy/) - Rancher's own official HAProxy load balancer
## Deployment:
1. Select the catalog item and choose a version from the drop-down box
2. Adjust any values on the page to meet your needs.
3. Make any adjustments to the default config provided, such as:
* A different backend than the Consul server specified.
* Different ports to listen on (NOTE: Vault ALWAYS listens on port 8200, but you can adjust the LoadBalancer ports to any that are acceptable to your environment; the LoadBalancer handles routing between the port you specify and port 8200 (and 8201) in Vault itself.
4. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION
5. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more.
6. Enjoy!
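Review bot: step 3's NOTE opens a parenthesis that is never closed, step 4 has "pesistent" for "persistent", and "all together" in the intro should be "altogether". More important for anyone deploying from this README: the Deployment section never says that the default VAULT_LOCAL_CONFIG shipped in the catalog questions sets "tls_disable":1 while the LoadBalancer publishes that listener on the host, so add a sentence telling users to supply a TLS listener (or terminate TLS at the LB) before putting the stack on a shared network.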


@ -1,36 +1,35 @@
version: '2'
volumes:
vault-config:
driver: ${volumeDriver}
vault-file:
driver: ${volumeDriver}
services:
vault-lb:
image: rancher/lb-service-haproxy:v0.7.15
ports:
- 8200:8200/tcp
- 8201:8201/tcp
labels:
io.rancher.scheduler.affinity:host_label: lbhost=true
io.rancher.container.agent.role: environmentAdmin,agent
io.rancher.container.agent_service.drain_provider: 'true'
io.rancher.container.create_agent: 'true'
vault:
cap_add:
- IPC_LOCK
image: vault
environment:
VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG}
{{- if eq .Values.useConsul "true"}}
external_links:
- ${consulService}:consul
{{- end}}
volumes:
- vault-file:/vault/file
- vault-config:/vault/config
logging:
driver: journald
command:
- server
labels:
io.rancher.container.pull_image: always
version: '2'
volumes:
vault-config:
driver: ${VOLUME_DRIVER}
vault-file:
driver: ${VOLUME_DRIVER}
services:
vault-lb:
image: rancher/lb-service-haproxy:v0.9.1
ports:
- ${VAULT_LISTEN_PORT}:8200/tcp
- ${VAULT_CLUSTER_PORT}:8201/tcp
labels:
io.rancher.scheduler.affinity:host_label: lbhost=true
io.rancher.container.agent.role: environmentAdmin,agent
io.rancher.container.agent_service.drain_provider: 'true'
io.rancher.container.create_agent: 'true'
vault:
cap_add:
- IPC_LOCK
image: vault:0.9.6
environment:
VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG}
VAULT_REDIRECT_INTERFACE: "eth0"
VAULT_CLUSTER_INTERFACE: "eth0"
{{- if eq .Values.USE_CONSUL "true"}}
external_links:
- ${CONSUL_SERVICE}:consul
{{- end}}
volumes:
- vault-file:/vault/file
- vault-config:/vault/config
command:
- server
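Review bot: the rewrite silently drops the `logging: driver: journald` stanza and the `io.rancher.container.pull_image: always` label from the vault service, and the commit message mentions neither. Dropping `pull_image: always` is consistent with pinning `image: vault:0.9.6` (always-pulling a pinned tag buys little), but losing the journald driver changes where Vault's operational log ends up; either restore the logging block or call the change out in the commit message. Also, `VAULT_REDIRECT_INTERFACE` and `VAULT_CLUSTER_INTERFACE` are hard-coded to `eth0` with no catalog question to override them; consider surfacing them the way the port variables are, so a different network setup does not require editing the template.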


@ -1,7 +1,7 @@
version: '2'
catalog:
name: Vault
version: 1.0-test-rancher1
version: 1.0-rancher1
description: |
Installs a Vault container, internal (Rancher) load-balancer, and allows connection to a Consul cluster
uuid: vault-rac-0
@ -12,21 +12,33 @@ catalog:
This is the embedded JSON format config file that vault will use at startup
type: multiline
default: |
{"backend":{"consul":{"address":"http://<listenAddress>:<listenPort>", "advertise_addr":"http://<advertiseAddress>","path":"<Path>"}}, "listener":{"tcp":{"address":"0.0.0.0:18200","tls_disable":1}}}
- variable: useConsul
{"backend":{"consul":{"address":"consul:8500", "path":"vault"}}, "listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}, "cluster_name": "myCluster" }
- variable: VAULT_LISTEN_PORT
label: Vault Listen Port
description:
This is the port number you want Vault to listen on. Actually, Vault ALWAYS listens on port 8200, but it isn't exposed, so you can set the port you want the LoadBalancer to listen on.
default: 8200
type: int
- variable: VAULT_CLUSTER_PORT
label: Vault Cluster Port
description:
Similar to the Vault Listen Port, this is the VAULT CLUSTER listen port to use.
default: 8201
type: int
- variable: USE_CONSUL
label: Would you like to back Vault with Consul?
description: |
Selecting yes or no allows you to back your vault repoository with a pre-installed
Consul cluster/server
default: false
type: boolean
- variable: consulService
- variable: CONSUL_SERVICE
label: Specify the Consul service to connect to
description: |
The pre-installed Consul server to back to
default: "select"
type: service
- variable: volumeDriver
- variable: VOLUME_DRIVER
label: Driver for volumes
description: |
How/Where to store your vault config and logs
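Review bot: the new default for VAULT_LOCAL_CONFIG points the storage backend at `consul:8500`, but USE_CONSUL defaults to `false`, and the `consul` alias only exists when the template renders the `external_links` entry under USE_CONSUL. With the defaults as shipped, Vault starts with a backend it cannot resolve. Either default USE_CONSUL to `true`, or make the default config use the file backend (the compose file already mounts `vault-file:/vault/file` for it) and switch to Consul only when the user selects it. Two smaller points: the listener keeps `"tls_disable":1`, so the VAULT_LISTEN_PORT description should say the exposed port is plaintext unless the user supplies a TLS listener; and "repoository" in the USE_CONSUL description should read "repository".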
@ -47,12 +59,12 @@ services:
- priority: 1
protocol: tcp
service: vault
source_port: 8200
source_port: ${VAULT_LISTEN_PORT}
target_port: 8200
- priority: 2
protocol: tcp
service: vault
source_port: 8201
source_port: ${VAULT_CLUSTER_PORT}
target_port: 8201
health_check:
response_timeout: 2000
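Review bot: the `source_port` substitutions line up with the compose `ports` entries, so the LB listens where the user asked. However, 8201 is Vault's cluster (server-to-server) port and the stack defines a single `vault` service, so routing it through the same LB that publishes the client API adds an externally reachable port with no peer to talk to. Unless HA scaling across hosts is the intent, drop the second rule and the matching `${VAULT_CLUSTER_PORT}:8201/tcp` publish, or at least document why it is exposed.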


@ -1,8 +1,7 @@
name: Vault
description: |
This template installs a Vault server with optional configuration items, including backing store
version: 1.0-test-rancher1
An OFFICIAL Vault server with optional configuration items, including backing store
version: 1.0-rancher1
category: Platform
maintainer: Randal Cobb <randy.cobb@nordstrom.com>
license:
projectURL: http://www.nordstrom.com/tech/givingBack
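Review bot: "OFFICIAL" in capitals reads as marketing copy; "An official Vault server with optional configuration items, including backing store" matches the README's register. `license:` is left empty and `projectURL` points at a corporate page rather than the template's source; fill in the license (catalog consumers need to know the terms) or remove the empty key, and point `projectURL` at the repository that carries this template.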