evry-ace · ekarlso · Mar 4, 2021 · Mar 4, 2021
@@ -0,0 +1,5 @@
+apiVersion: v2
+description: Vault injector chart
+name: vault-injector
+version: 0.1.0
+appVersion: 0.8.0
@@ -0,0 +1,26 @@
+{{- define "vault-injector.name" -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vault-injector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "vault-injector.metaLabels" -}}
+app.kubernetes.io/name: {{ template "vault-injector.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: {{ include "vault-injector.name" .}}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+app.kubernetes.io/part-of: {{ include "vault-injector.name" . }}
+app.kubernetes.io/managed-by: helm
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+{{- end -}}
+
+{{- define "vault-injector.selectorLabels" -}}
+app.kubernetes.io/name: {{ template "vault-injector.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- end -}}
@@ -0,0 +1,139 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault-injector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vault-injector.metaLabels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.injector.replicas }}
+  selector:
+    matchLabels:
+      {{- include "vault-injector.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+      {{- include "vault-injector.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: "vault-injector"
+    {{- if or .Values.affinity .Values.podAntiAffinity }}
+      affinity:
+      {{- with .Values.affinity }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if eq .Values.podAntiAffinity "hard" }}
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - topologyKey: "{{ .Values.podAntiAffinityTopologyKey }}"
+              labelSelector:
+                matchLabels:
+                  {{- include "vault-injector.selectorLabels" . | nindent 18 }}
+      {{- else if eq .Values.podAntiAffinity "soft" }}
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              podAffinityTerm:
+                topologyKey: "{{ .Values.podAntiAffinityTopologyKey }}"
+                labelSelector:
+                  matchLabels:
+                    {{- include "vault-injector.selectorLabels" . | nindent 20 }}
+      {{- end }}
+    {{- end }}
+      containers:
+        - name: leader-elector
+          image: k8s.gcr.io/leader-elector:0.4
+          args:
+            - --election=vault-agent-injector-leader
+            - --election-namespace={{ .Release.namespace }}
+            - --http=0.0.0.0:4040
+            - --ttl=60s
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 4040
+              scheme: HTTP
+            failureThreshold: 2
+            initialDelaySeconds: 1
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 4040
+              scheme: HTTP
+            failureThreshold: 2
+            initialDelaySeconds: 2
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 5
+          resources:
+            limits:
+              cpu: 50m
+              memory: 64Mi
+            requests:
+              cpu: 50m
+              memory: 64Mi
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+        - name: sidecar-injector
+          image: "{{ .Values.injector.image.repo }}:{{ .Values.injector.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: AGENT_INJECT_LISTEN
+              value: ":8080"
+            - name: AGENT_INJECT_LOG_LEVEL
+              value: "{{ .Values.injector.agent_log_level }}"
+            - name: AGENT_INJECT_LOG_FORMAT
+              value: "{{ .Values.injector.agent_log_format }}"
+            - name: AGENT_INJECT_VAULT_ADDR
+              value: "{{ .Values.vault.endpoint }}"
+            - name: AGENT_INJECT_VAULT_IMAGE
+              value: "{{ .Values.vault.image.repo }}:{{ .Values.vault.image.tag }}"
+            - name: AGENT_INJECT_TLS_AUTO
+              value: vault-agent-injector-cfg
+            - name: AGENT_INJECT_TLS_AUTO_HOSTS
+              value: "{{ .Values.vault.tls_auto_hosts }}"
+            - name: AGENT_INJECT_USE_LEADER_ELECTOR
+              value: "true"
+          args:
+            - agent-inject
+            - 2>&1
+          resources:
+            {{ toYaml .Values.injector.resources | nindent 12 }}
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          livenessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+              scheme: HTTPS
+            failureThreshold: 2
+            initialDelaySeconds: 1
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+              scheme: HTTPS
+            failureThreshold: 2
+            initialDelaySeconds: 2
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 5
@@ -0,0 +1,17 @@
+# These are created here so they can be cleaned up easily. The endpoints
+# especially, since if they're left around the leader won't expire for about a
+# minute.
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: vault-agent-injector-leader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vault-injector.metaLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-injector-certs
+  namespace: {{ .Release.Namespace }}
@@ -0,0 +1,36 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: vault-agent-injector-cfg
+  labels:
+    {{- include "vault-injector.metaLabels" . | nindent 4 }}
+webhooks:
+  - name: vault.hashicorp.com
+    sideEffects: None
+    admissionReviewVersions: ["v1", "v1beta1"]
+    failurePolicy: {{ .Values.podsFailurePolicy }}
+    clientConfig:
+      service:
+        name: vault-agent-injector-svc
+        path: "/mutate"
+        namespace: "{{ .Release.Namespace }}"
+      caBundle: ""
+    rules:
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["deployments", "jobs", "pods", "statefulsets"]
+    namespaceSelector:
+      {{- if .Values.namespaceSelector.matchLabels }}
+      matchLabels:
+        {{ toYaml .Values.namespaceSelector.matchLabels | nindent 6 }}
+      {{- end }}
+      matchExpressions:
+      {{- if .Values.namespaceSelector.matchExpressions }}
+        {{ toYaml .Values.namespaceSelector.matchExpressions | nindent 6 }}
+      {{- end }}
+        - key: name
+          operator: NotIn
+          values:
+            - {{ .Release.Namespace }}
@@ -0,0 +1,71 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-injector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vault-injector.metaLabels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vault-injector-clusterrole
+  labels:
+    {{- include "vault-injector.metaLabels" . | nindent 4 }}
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations"]
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "patch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vault-injector-binding
+  labels:
+    {{- include "vault-injector.metaLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: vault-injector-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: vault-injector
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault-injector-role
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vault-injector.metaLabels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["endpoints", "secrets"]
+  verbs:
+    - "create"
+    - "get"
+    - "watch"
+    - "list"
+    - "update"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-injector-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vault-injector.metaLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vault-injector-role
+subjects:
+- kind: ServiceAccount
+  name: vault-injector
+  namespace: {{ .Release.Namespace }}
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-agent-injector-svc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vault-injector.metaLabels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 443
+    targetPort: 8080
+  selector:
+    {{- include "vault-injector.selectorLabels" . | nindent 4 }}
@@ -0,0 +1,31 @@
+vault:
+  tls_auto_hosts: vault-agent-injector-svc,vault-agent-injector-svc.$(NAMESPACE),vault-agent-injector-svc.$(NAMESPACE).svc
+  endpoint: https://vault.vault-system:8200
+  image:
+    repo: vault
+    tag: v1.6.3
+
+injector:
+  image:
+    repo: hashicorp/vault-k8s
+    tag: "0.8.0"
+  agent_log_level: info
+  agent_log_format: "standard"
+  replicas: 2
+
+  resources:
+    limits:
+      cpu: 50m
+      memory: 128Mi
+    requests:
+      cpu: 50m
+      memory: 128Mi
+
+podAntiAffinity: hard
+podAntiAffinityTopologyKey: "kubernetes.io/hostname"
+
+namespaceSelector:
+  matchLabels: {}
+  matchExpressions: []
+
+podsFailurePolicy: Fail