flywithu/rancher_community-catalog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #754 from MadOtis/add-vault-config

Browse Source 
Add vault config
This commit is contained in:
Raúl Sánchez 2018-04-11 23:55:48 +02:00 committed by GitHub
commit ca610a2ffe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 201 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
templates/vault/0/README.md Normal file
View File

@ -0,0 +1,33 @@
# Vault #
### Info:
This template deploys a Hashicorp Vault server along with a Rancher LoadBalancer. Once it is deployed, you will have a working Vault server ready to be scaled up to meet your environment's needs.
The template is designed to be flexible in how you configure it; you can either statically bind Vault to an existing Consul stack, or ignore Consul all together and paste in your own Vault configuration.
This catalog item uses these two main containers:
* [Vault](https://www.vaultproject.io) - The official Hashicorp Vault image
* [Rancher LoadBalancer](https://hub.docker.com/r/rancher/lb-service-haproxy/) - Rancher's own official HAProxy load balancer
## Deployment:
1. Select the catalog item and choose a version from the drop-down box
2. Adjust any values on the page to meet your needs.
3. Make any adjustments to the default config provided, such as:
* A different backend than the Consul server specified.
* Different ports to listen on (NOTE: Vault ALWAYS listens on port 8200, but you can adjust the LoadBalancer ports to any that are acceptable to your environment; the LoadBalancer handles routing between the port you specify and port 8200 (and 8201) in Vault itself.
4. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION
5. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more.
6. Enjoy!
## Backend Configuration
This field is for specifying your backend configuration options. You enter them in a JSON key:value pair format just as you would in a JSON Vault configuration file; with each separate element being comma-delimited. For example:
```
"address":"http://locahost:2379","etcd_api":"v3"
```
would be a valid configuration for Etcd and
```
"access_key":"abcd1234","secret_key":"defg5678","bucket":"my-bucket"
```
would be valid for Amazon S3 buckets.:w

42
templates/vault/0/docker-compose.yml.tpl Executable file
View File

@ -0,0 +1,42 @@
version: '2'
volumes:
vault-config:
driver: ${VOLUME_DRIVER}
vault-file:
driver: ${VOLUME_DRIVER}
services:
vault-lb:
image: rancher/lb-service-haproxy:v0.9.1
ports:
- ${VAULT_LISTEN_PORT}:8200/tcp
- ${VAULT_CLUSTER_PORT}:8201/tcp
labels:
io.rancher.container.agent.role: environmentAdmin,agent
io.rancher.container.agent_service.drain_provider: 'true'
io.rancher.container.create_agent: 'true'
{{- if .Values.HOST_LABEL }}
io.rancher.scheduler.affinity:host_label: ${HOST_LABEL}
{{- end }}
vault:
image: vault:0.9.6
cap_add:
- IPC_LOCK
{{- if .Values.BACKEND_SERVICE }}
external_links:
- ${BACKEND_SERVICE}:SERVICE
{{- end }}
environment:
VAULT_REDIRECT_INTERFACE: "eth0"
VAULT_CLUSTER_INTERFACE: "eth0"
VAULT_LOCAL_CONFIG: |
{
"storage":{"${VAULT_BACKEND}":{ ${BACKEND_CONFIGURATION} }},
"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}},
"cluster_name":"${VAULT_CLUSTER_NAME}"
}
volumes:
- vault-file:/vault/file
- vault-config:/vault/config
command:
- server

118
templates/vault/0/rancher-compose.yml Executable file
View File

@ -0,0 +1,118 @@
version: '2'
catalog:
name: Vault
version: 1.0-rancher1
description: |
Installs a Vault container, internal (Rancher) load-balancer, and allows connection to a Consul cluster
uuid: vault-rac-0
questions:
- variable: VAULT_CLUSTER_NAME
label: Vault Cluster Name
description: |
Provide a name for this Vault cluster
type: string
default: myCluster
required: true
- variable: VAULT_LISTEN_PORT
label: Vault Listen Port
description: |
This is the port number you want Vault to listen on. Actually, Vault ALWAYS listens on port 8200, but it isn't exposed, so you can set the port you want the LoadBalancer to listen on.
default: 8200
type: int
required: true
- variable: VAULT_CLUSTER_PORT
label: Vault Cluster Port
description: |
Similar to the Vault Listen Port, this is the VAULT CLUSTER listen port to use.
default: 8201
type: int
required: true
- variable: VAULT_BACKEND
label: Select a backend for Vault
description: |
Vault supports several different backend storage engines. Please select the one you are interested in using. (NOTE: Must be pre-installed or added to a different stack)
default: file
type: enum
required: true
options:
- azure
- cockroachdb
- consul
- couchdb
- dynamodb
- etcd
- file
- gcs
- inmem
- manta
- mysql
- postgresql
- spanner
- cassandra
- s3
- swift
- zookeeper
- variable: BACKEND_SERVICE
label: Specify the Backend service to connect to
description: |
The pre-installed Backend server to back to. To reference, you can use the memory variable "SERVICE" in your URLs. For example: "consul://SERVICE:8500"
type: service
- variable: BACKEND_CONFIGURATION
label: Specify the backend configuration in valid JSON format
default: '"path":"/vault/file"'
required: true
description: |
Enter the configuration block for the backend (Refer to Vault documentation for valid backend configuration elements) in JSON format
type: string
- variable: HOST_LABEL
label: Optional Host label to bind LoadBalancer to
description: |
If you wish to bind your LoadBalancer to a specific host node, you can specify the label and value here in name=value pair format
default: "lbhost=true"
type: string
- variable: CLUSTER_SCALE
label: How many Vault servers do you want in your cluster?
description: |
Select the number of VAULT servers you want to set up in your cluster
default: 1
type: int
required: true
- variable: VOLUME_DRIVER
label: Driver for volumes
description: |
How/Where to store your vault config and logs
default: local
type: enum
options:
- local
- rancher-nfs
- rancher-efs
- rancher-ebs
services:
vault-lb:
scale: 1
start_on_create: true
lb_config:
certs: []
port_rules:
- priority: 1
protocol: tcp
service: vault
source_port: ${VAULT_LISTEN_PORT}
target_port: 8200
- priority: 2
protocol: tcp
service: vault
source_port: ${VAULT_CLUSTER_PORT}
target_port: 8201
health_check:
response_timeout: 2000
healthy_threshold: 2
port: 42
unhealthy_threshold: 3
initializing_timeout: 60000
interval: 2000
reinitializing_timeout: 60000
vault:
scale: ${CLUSTER_SCALE}
start_on_create: true

1
templates/vault/catalogIcon-entry.svg Normal file
View File

@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 73.6 72" width="2500" height="2446"><defs><path id="a" d="M37.6 36.8c1.2 0 2.1-1 2.1-2.1s-.9-2.1-2.1-2.1-2.1 1-2.1 2.1.9 2.1 2.1 2.1zM31.3 31c1.2 0 2.1-1 2.1-2.1 0-1.2-.9-2.1-2.1-2.1-1.2 0-2.1 1-2.1 2.1 0 1.2.9 2.1 2.1 2.1zm6.3 0c1.2 0 2.1-1 2.1-2.1 0-1.2-.9-2.1-2.1-2.1s-2.1 1-2.1 2.1c0 1.2.9 2.1 2.1 2.1zm6.3 0c1.2 0 2.1-1 2.1-2.1 0-1.2-.9-2.1-2.1-2.1-1.2 0-2.1 1-2.1 2.1 0 1.2 1 2.1 2.1 2.1zm-12.6-5.7c1.2 0 2.1-1 2.1-2.1 0-1.2-.9-2.1-2.1-2.1-1.2 0-2.1 1-2.1 2.1 0 1.2.9 2.1 2.1 2.1zm6.3 0c1.2 0 2.1-1 2.1-2.1 0-1.2-.9-2.1-2.1-2.1s-2.1 1-2.1 2.1c0 1.2.9 2.1 2.1 2.1zm6.3 0c1.2 0 2.1-1 2.1-2.1 0-1.2-.9-2.1-2.1-2.1-1.2 0-2.1 1-2.1 2.1 0 1.2 1 2.1 2.1 2.1zm-6.3-5.7c1.2 0 2.1-1 2.1-2.1 0-1.2-.9-2.1-2.1-2.1s-2.1 1-2.1 2.1.9 2.1 2.1 2.1zm6.3 0c1.2 0 2.1-1 2.1-2.1 0-1.2-.9-2.1-2.1-2.1-1.2 0-2.1 1-2.1 2.1s1 2.1 2.1 2.1zm-12.6 0c1.2 0 2.1-1 2.1-2.1 0-1.2-.9-2.1-2.1-2.1-1.2 0-2.1 1-2.1 2.1s.9 2.1 2.1 2.1zM36.8 72L0 0h73.6L36.8 72z"/></defs><use xlink:href="#a" overflow="visible" fill-rule="evenodd" clip-rule="evenodd"/></svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

7
templates/vault/config.yml Normal file
View File

@ -0,0 +1,7 @@
name: Vault
description: |
An OFFICIAL Vault server with optional configuration items, including backing store
version: 1.0-rancher1
category: Platform
maintainer: Randal Cobb <randy.cobb@nordstrom.com>