Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(vault): enable snapshots #4417

Merged
merged 1 commit into from
Jan 29, 2025
Merged

feat(vault): enable snapshots #4417

merged 1 commit into from
Jan 29, 2025

Conversation

jazzlyn
Copy link
Collaborator

@jazzlyn jazzlyn commented Jan 29, 2025

No description provided.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@tyriis-automation
Copy link
Contributor 

--- kubernetes/kube-nas/apps Kustomization: flux-system/flux-apps Kustomization: flux-system/vault-snapshots

+++ kubernetes/kube-nas/apps Kustomization: flux-system/flux-apps Kustomization: flux-system/vault-snapshots

@@ -0,0 +1,37 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: flux-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+    substitution.flux.home.arpa/enabled: 'true'
+  name: vault-snapshots
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: vault-snapshots
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+  - name: vault
+  interval: 30m
+  path: ./kubernetes/kube-nas/apps/secops/vault/snapshots
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+  prune: true
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  targetNamespace: secops
+  timeout: 5m
+  wait: true
+
--- kubernetes/kube-nas/apps/secops/vault/snapshots Kustomization: flux-system/vault-snapshots ExternalSecret: secops/vault-snapshot-agent-credentials

+++ kubernetes/kube-nas/apps/secops/vault/snapshots Kustomization: flux-system/vault-snapshots ExternalSecret: secops/vault-snapshot-agent-credentials

@@ -0,0 +1,28 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: vault-snapshots
+    kustomize.toolkit.fluxcd.io/name: vault-snapshots
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: vault-snapshot-agent-credentials
+  namespace: secops
+spec:
+  data:
+  - remoteRef:
+      key: infra/kube-nas/secops/vault/approle-snapshot-agent
+      property: role_id
+    secretKey: APPROLE_ROLE_ID
+  - remoteRef:
+      key: infra/kube-nas/secops/vault/approle-snapshot-agent
+      property: secret_id
+    secretKey: APPROLE_SECRET_ID
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: kube-nas-vault
+  target:
+    creationPolicy: Owner
+    name: vault-snapshot-agent-credentials
+
--- kubernetes/kube-nas/apps/secops/vault/snapshots Kustomization: flux-system/vault-snapshots ExternalSecret: secops/vault-snapshots-gcp-sa

+++ kubernetes/kube-nas/apps/secops/vault/snapshots Kustomization: flux-system/vault-snapshots ExternalSecret: secops/vault-snapshots-gcp-sa

@@ -0,0 +1,24 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: vault-snapshots
+    kustomize.toolkit.fluxcd.io/name: vault-snapshots
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: vault-snapshots-gcp-sa
+  namespace: secops
+spec:
+  data:
+  - remoteRef:
+      key: infra/kube-nas/secops/vault/vault-snapshots-gcp-sa
+      property: credentials
+    secretKey: credentials.json
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: kube-nas-vault
+  target:
+    creationPolicy: Owner
+    name: vault-snapshots-gcp-sa
+
--- kubernetes/kube-nas/apps/secops/vault/snapshots Kustomization: flux-system/vault-snapshots ExternalSecret: secops/vault-snapshots-gcs

+++ kubernetes/kube-nas/apps/secops/vault/snapshots Kustomization: flux-system/vault-snapshots ExternalSecret: secops/vault-snapshots-gcs

@@ -0,0 +1,24 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: vault-snapshots
+    kustomize.toolkit.fluxcd.io/name: vault-snapshots
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: vault-snapshots-gcs
+  namespace: secops
+spec:
+  data:
+  - remoteRef:
+      key: infra/kube-nas/secops/vault/vault-snapshots-gcs
+      property: bucket-name
+    secretKey: BUCKET_NAME
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: kube-nas-vault
+  target:
+    creationPolicy: Owner
+    name: vault-snapshots-gcs
+
--- kubernetes/kube-nas/apps/secops/vault/snapshots Kustomization: flux-system/vault-snapshots HelmRelease: secops/vault-snapshots

+++ kubernetes/kube-nas/apps/secops/vault/snapshots Kustomization: flux-system/vault-snapshots HelmRelease: secops/vault-snapshots

@@ -0,0 +1,105 @@

+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  labels:
+    app.kubernetes.io/name: vault-snapshots
+    kustomize.toolkit.fluxcd.io/name: vault-snapshots
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: vault-snapshots
+  namespace: secops
+spec:
+  chart:
+    spec:
+      chart: app-template
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s-charts
+        namespace: flux-system
+      version: 3.6.1
+  interval: 15m
+  values:
+    controllers:
+      vault-snapshots:
+        annotations:
+          reloader.stakater.com/auto: 'true'
+        containers:
+          snapshot:
+            command:
+            - /bin/sh
+            - -ec
+            - |
+              mkdir -p /data/snapshots
+              export VAULT_TOKEN=$(vault write -format=json auth/approle/login role_id=$APPROLE_ROLE_ID secret_id=$APPROLE_SECRET_ID | awk -F'"' '/client_token/{print $4}')
+              vault operator raft snapshot save /data/snapshots/vault-raft.snap
+              ls -l /data/snapshots
+            env:
+            - name: VAULT_ADDR
+              value: http://vault-active.secops.svc.cluster.local:8200
+            envFrom:
+            - secretRef:
+                name: vault-snapshot-agent-credentials
+            image:
+              repository: vault
+              tag: 1.13.3@sha256:f98ac9dd97b0612746630033771bc7a8c86408a44a056f3f4be47fc576ec3744
+            resources:
+              requests:
+                cpu: 10m
+                memory: 10Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+          upload:
+            command:
+            - /bin/sh
+            - -ec
+            - |
+              until [ -f /data/snapshots/vault-raft.snap ]; do sleep 5; done
+              gcloud auth activate-service-account --key-file=/data/credentials/credentials.json
+              gsutil cp /data/snapshots/vault-raft.snap gs://$BUCKET_NAME/vault_raft_$(date +"%Y%m%d_%H%M%S").snap
+            env:
+            - name: HOME
+              value: /data/nobody
+            envFrom:
+            - secretRef:
+                name: vault-snapshots-gcs
+            image:
+              repository: google/cloud-sdk
+              tag: 507.0.0-alpine@sha256:2cfaf692f2218e9d57c73a72adc56e488f8508c3dd152a8d4bbea05546d62e2a
+            resources:
+              requests:
+                cpu: 10m
+                memory: 10Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+        cronjob:
+          concurrencyPolicy: Forbid
+          schedule: 0 6 * * *
+        pod:
+          securityContext:
+            runAsGroup: 65534
+            runAsNonRoot: true
+            runAsUser: 65534
+        type: cronjob
+    persistence:
+      credentials:
+        advancedMounts:
+          vault-snapshots:
+            upload:
+            - path: /data/credentials/credentials.json
+              readOnly: true
+              subPath: credentials.json
+        name: vault-snapshots-gcp-sa
+        type: secret
+      data:
+        globalMounts:
+        - path: /data
+        type: emptyDir
+

@tyriis-automation
Copy link
Contributor 

--- HelmRelease: secops/vault-snapshots CronJob: secops/vault-snapshots

+++ HelmRelease: secops/vault-snapshots CronJob: secops/vault-snapshots

@@ -0,0 +1,110 @@

+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: vault-snapshots
+  labels:
+    app.kubernetes.io/component: vault-snapshots
+    app.kubernetes.io/instance: vault-snapshots
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: vault-snapshots
+  annotations:
+    reloader.stakater.com/auto: 'true'
+spec:
+  suspend: false
+  concurrencyPolicy: Forbid
+  startingDeadlineSeconds: 30
+  schedule: 0 6 * * *
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      backoffLimit: 6
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/component: vault-snapshots
+            app.kubernetes.io/instance: vault-snapshots
+            app.kubernetes.io/name: vault-snapshots
+        spec:
+          enableServiceLinks: false
+          serviceAccountName: default
+          automountServiceAccountToken: true
+          securityContext:
+            runAsGroup: 65534
+            runAsNonRoot: true
+            runAsUser: 65534
+          hostIPC: false
+          hostNetwork: false
+          hostPID: false
+          dnsPolicy: ClusterFirst
+          restartPolicy: Never
+          containers:
+          - command:
+            - /bin/sh
+            - -ec
+            - |
+              mkdir -p /data/snapshots
+              export VAULT_TOKEN=$(vault write -format=json auth/approle/login role_id=$APPROLE_ROLE_ID secret_id=$APPROLE_SECRET_ID | awk -F'"' '/client_token/{print $4}')
+              vault operator raft snapshot save /data/snapshots/vault-raft.snap
+              ls -l /data/snapshots
+            env:
+            - name: VAULT_ADDR
+              value: http://vault-active.secops.svc.cluster.local:8200
+            envFrom:
+            - secretRef:
+                name: vault-snapshot-agent-credentials
+            image: vault:1.13.3@sha256:f98ac9dd97b0612746630033771bc7a8c86408a44a056f3f4be47fc576ec3744
+            name: snapshot
+            resources:
+              requests:
+                cpu: 10m
+                memory: 10Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+            volumeMounts:
+            - mountPath: /data
+              name: data
+          - command:
+            - /bin/sh
+            - -ec
+            - |
+              until [ -f /data/snapshots/vault-raft.snap ]; do sleep 5; done
+              gcloud auth activate-service-account --key-file=/data/credentials/credentials.json
+              gsutil cp /data/snapshots/vault-raft.snap gs://$BUCKET_NAME/vault_raft_$(date +"%Y%m%d_%H%M%S").snap
+            env:
+            - name: HOME
+              value: /data/nobody
+            envFrom:
+            - secretRef:
+                name: vault-snapshots-gcs
+            image: google/cloud-sdk:507.0.0-alpine@sha256:2cfaf692f2218e9d57c73a72adc56e488f8508c3dd152a8d4bbea05546d62e2a
+            name: upload
+            resources:
+              requests:
+                cpu: 10m
+                memory: 10Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+            volumeMounts:
+            - mountPath: /data/credentials/credentials.json
+              name: credentials
+              readOnly: true
+              subPath: credentials.json
+            - mountPath: /data
+              name: data
+          volumes:
+          - name: credentials
+            secret:
+              secretName: vault-snapshots-gcp-sa
+          - emptyDir: {}
+            name: data
+

@tyriis-automation
Copy link
Contributor

🦙 MegaLinter status: ✅ SUCCESS

Descriptor Linter Files Fixed Errors Elapsed time
✅ EDITORCONFIG editorconfig-checker 2 0 0.01s
✅ MARKDOWN markdownlint 1 0 0.53s
✅ REPOSITORY gitleaks yes no 3.3s
✅ YAML prettier 1 0 0.35s
✅ YAML yamllint 1 0 0.32s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security

@jazzlyn jazzlyn merged commit e82e1c3 into main Jan 29, 2025
17 checks passed
@jazzlyn jazzlyn deleted the feature/vault-enable-snapshots branch January 29, 2025 17:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/kubernetes cluster/kube-nas
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jazzlyn