Structure (#11)

* chore(repo): improve directory layouts
FalcoSuessgott · Oct 27, 2023 · 0adc132 · 0adc132
1 parent 9849ce3
commit 0adc132
Show file tree

Hide file tree

Showing 72 changed files with 216 additions and 361 deletions.
diff --git a/.envrc b/.envrc
@@ -1,5 +1,5 @@
 export VAULT_ADDR="https://127.0.0.1"
-export VAULT_CAPATH="./vault/ca.crt"
+export VAULT_CAPATH="./vault-tls/output/ca.crt"
 export VAULT_TOKEN="$(cat .vault_token)"
-
+export MINIKUBE_PROFILE="vault-playground"
 export TF_CLI_ARGS_test="-compact-warnings"
diff --git a/.gitignore b/.gitignore
@@ -2,9 +2,5 @@
 **/.terraform.lock.hcl
 **/terraform.tfstate
 **/terraform.tfstate.backup
-**/*.crt
-**/*.key
-**/prometheus-token
 **/.vault_token
-**/external_secret.yml
-**/secret_store.yml
+**/output/*
diff --git a/Makefile b/Makefile
@@ -30,3 +30,12 @@ cleanup: ## cleanup
 
 	rm terraform.tfstate || true
 	rm terraform.tfstate.backup || true
+
+.PHONY: new-lab
+new-lab:  ## creates a new lab directory
+	mkdir -p $(name)/terraform
+	mkdir -p $(name)/output
+	touch $(name)/output/.gitkeep
+	mkdir -p $(name)/templates
+	mkdir -p $(name)/files
+	echo "$(name)" > docs/$(name).md
diff --git a/docs/cm.md b/docs/cm.md
@@ -20,7 +20,7 @@ The following resources will be created:
 
 1. The Cert Manager Helm Chart is going to be installed in the `cm` Namespace.
 2. A Kubernetes Auth Role `cm` bound to the `cm` Namespace & Service Account
-3. PKI Engine under `cert-manager` is configured and role `nip-io` has been created 
+3. PKI Engine under `cert-manager` is configured and role `nip-io` has been created
 4. A policy (`cm`) that allows signing and issuing certificates for the `nip-io` PKI Role is created. (Read more about [nip.io](https://nip.io/))
 5. An Issuer `vault-issuer` is created for authenticating to Vault
 6. An Ingress resource `ingress` is created requesting a Certificate from Vaults PKI
@@ -30,16 +30,16 @@ The following resources will be created:
 The Cert Manager (CM) is going to be installed in the `cm` namespace using the [Helm Chart](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager):
 
 ```bash
-$>  helm list -n cm 
+$>  helm list -n cm
 NAME    NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
-cm      cm              1               2023-10-27 09:56:20.72302046 +0200 CEST deployed        cert-manager-v1.13.1    v1.13.1 
+cm      cm              1               2023-10-27 09:56:20.72302046 +0200 CEST deployed        cert-manager-v1.13.1    v1.13.1
 ```
 
 Additionally, a Vault Kubernetes Auth Role bounded to the Namespace and the ESM Service Account has been created:
 
 ```bash
 # https://localhost/ui/vault/access/minikube-cluster/item/role/cm
-$> vault read auth/minikube-cluster/role/cm 
+$> vault read auth/minikube-cluster/role/cm
 Key                                 Value
 ---                                 -----
 alias_name_source                   serviceaccount_uid
@@ -70,7 +70,7 @@ a PKI role `nip-io` has been created, allowing issuing of certs for `nip.io` sub
 
 ```bash
 # https://localhost/ui/vault/secrets/cert-manager-intermediate/pki/issuers
-$> vault read cert-manager-intermediate/roles/nip-io    
+$> vault read cert-manager-intermediate/roles/nip-io
 Key                                   Value
 ---                                   -----
 allow_any_name                        false
@@ -90,23 +90,23 @@ A corresponding policy `cm` that allows reading issuing and singing certs has be
 ```bash
 # https://localhost/ui/vault/policy/acl/cm
 $> vault policy read cm
-path "intermediate-ca" { 
-  capabilities = ["read", "list"] 
+path "cert-manager-intermediate" {
+  capabilities = ["read", "list"]
 }
 
-path "intermediate-ca/sign/nip-io" { 
-  capabilities = ["create", "update"] 
+path "cert-manager-intermediate/sign/nip-io" {
+  capabilities = ["create", "update"]
 }
 
-path "intermediate-ca/issue/nip-io" { 
-  capabilities = ["create"] 
+path "cert-manager-intermediate/issue/nip-io" {
+  capabilities = ["create"]
 }
 ```
 
 We deploy `kuard` as a Demo App aswell as a corresponding service:
 
 ```bash
-$>cat minikube/cm/kuard.yml                                                              
+$> cat k8s-cert-mananger/files/kuard.yml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -128,7 +128,7 @@ spec:
         name: kuard
         ports:
         - containerPort: 8080
-$> cat minikube/cm/kuard_svc.yml 
+$> cat k8s-cert-mananger/files/kuard_svc.yml
 ---
 apiVersion: v1
 kind: Service
@@ -147,7 +147,7 @@ spec:
 A Issuer has been created authenticating to Vault and the PKI Engine:
 
 ```bash
-$> cat minikube/cm/issuer.yml   
+$> cat k8s-cert-mananger/output/issuer.yml
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -169,7 +169,7 @@ spec:
 An Ingress has been created, pointing to our Demo App and requesting a Certificate:
 
 ```bash
-$> cat minikube/cm/ingress.yml 
+$> cat k8s-cert-mananger/output/ingress.yml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -198,18 +198,18 @@ spec:
 The certificate was requested, signed and issued successfully and is stored as a kubernetes secret:
 
 ```bash
-$> kubectl describe secret kuard-cert -n cm   
+$> kubectl describe secret kuard-cert -n cm
 Name:         kuard-cert
 Namespace:    cm
 Labels:       controller.cert-manager.io/fao=true
 Annotations:  cert-manager.io/alt-names: 192.168.49.2.nip.io
               cert-manager.io/certificate-name: kuard-cert
-              cert-manager.io/common-name: 
-              cert-manager.io/ip-sans: 
+              cert-manager.io/common-name:
+              cert-manager.io/ip-sans:
               cert-manager.io/issuer-group: cert-manager.io
               cert-manager.io/issuer-kind: Issuer
               cert-manager.io/issuer-name: vault-issuer
-              cert-manager.io/uri-sans: 
+              cert-manager.io/uri-sans:
 
 Type:  kubernetes.io/tls
 
@@ -234,4 +234,4 @@ how to fix it, please visit the web page mentioned above.
 $> curl "https://$(minikube ip).nip.io" --cacert vault/ca.crt
 <!doctype html>
 ...
-```
+```
diff --git a/docs/d.md b/docs/d.md
@@ -0,0 +1 @@
+d
diff --git a/docs/esm.md b/docs/esm.md
@@ -96,7 +96,7 @@ path "esm/*" {
 A CRD `SecretStore` has been created:
 
 ```bash
-$> cat minikube/esm/secret_store.yml
+$> cat k8s-external-secrets-manager/output/secret_store.yml
 apiVersion: external-secrets.io/v1beta1
 kind: SecretStore
 metadata:
@@ -119,15 +119,12 @@ spec:
   retrySettings:
     maxRetries: 5
     retryInterval: 10s
-$> kubectl get secretstores.external-secrets.io esm-secret-store -n esm
-NAME               AGE   STATUS   CAPABILITIES   READY
-esm-secret-store   10m   Valid    ReadWrite      True
 ```
 
-And a CRD `ExternalSecret`:
+And a CRD `ExternalSecret` has been created:
 
 ```bash
-$> cat minikube/esm/external_secret.yml
+$> cat k8s-external-secrets-manager/output/external_secret.yml
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
@@ -150,9 +147,6 @@ spec:
       remoteRef:
         key: esm/secrets
         property: username
-$> kubectl get externalsecrets.external-secrets.io esm-external-secret -n esm
-NAME                  STORE              REFRESH INTERVAL   STATUS         READY
-esm-external-secret   esm-secret-store   1h                 SecretSynced   True
 ```
 
 Finally, a Kubernetes Secret containing the KVv2 Secrets from `/esm/secrets/` has been created:

diff --git a/docs/haproxy.md b/docs/haproxy.md
@@ -5,4 +5,3 @@ HAProxy does not terminate the TLS Connection instead of it passes through the c
 
 ## HAProxy Stats & Metrics
 You can explore HAProxy Metrics under [http://localhost:8404/stats](http://localhost:8404/stats) and see how the metrics change with every request to Vault.
-
diff --git a/docs/minikube.md b/docs/minikube.md
@@ -28,7 +28,6 @@ kubernetes-dashboard   kubernetes-dashboard-55c4cbbc7c-7rv8w
 As well as the Kubernetes Dashboard:
 
 ```bash
-$> minikube profile vault-playground
 $> minikube dashboard # opens Dashbord in browser
 $> minikube dashboard --url # print Dashboard URL
 ```

diff --git a/docs/quickstart.md b/docs/quickstart.md
@@ -58,6 +58,9 @@ minikube = {
 
   # enable vault secrets operator
   vault_secrets_operator = true
+
+  # enable cert manager
+  cert_manager = true
 }
 ```
 

diff --git a/docs/vault.md b/docs/vault.md
@@ -33,8 +33,9 @@ Simply source `.envrc` and run `vault status`
 ```bash
 $> cat .envrc
 export VAULT_ADDR="https://127.0.0.1"
-export VAULT_CAPATH="./vault/ca.crt"
+export VAULT_CAPATH="./vault-tls/output/ca.crt"
 export VAULT_TOKEN="$(cat .vault_token)"
+export MINIKUBE_PROFILE="vault-playground"
 
 $> source .envrc
 

diff --git a/grafana.tf b/grafana.tf
diff --git a/minikube/cm/kuard.yml → k8s-cert-manager/files/kuard.yml b/minikube/cm/kuard.yml → k8s-cert-manager/files/kuard.yml
@@ -18,4 +18,4 @@ spec:
         imagePullPolicy: Always
         name: kuard
         ports:
-        - containerPort: 8080
+        - containerPort: 8080
diff --git a/minikube/cm/kuard_svc.yml → k8s-cert-manager/files/kuard_svc.yml b/minikube/cm/kuard_svc.yml → k8s-cert-manager/files/kuard_svc.yml
@@ -10,4 +10,4 @@ spec:
     targetPort: 8080
     protocol: TCP
   selector:
-    app: kuard
+    app: kuard
diff --git a/minikube/cm/values.yml → k8s-cert-manager/files/values.yml b/minikube/cm/values.yml → k8s-cert-manager/files/values.yml
diff --git a/k8s-cert-manager/files/vault-policy.hcl b/k8s-cert-manager/files/vault-policy.hcl
@@ -0,0 +1,11 @@
+path "cert-manager-intermediate" {
+  capabilities = ["read", "list"]
+}
+
+path "cert-manager-intermediate/sign/nip-io" {
+  capabilities = ["create", "update"]
+}
+
+path "cert-manager-intermediate/issue/nip-io" {
+  capabilities = ["create"]
+}
diff --git a/templates/cm_ingress.yml.tmpl → k8s-cert-manager/templates/ingress.yml b/templates/cm_ingress.yml.tmpl → k8s-cert-manager/templates/ingress.yml
@@ -7,7 +7,7 @@ metadata:
   namespace: cm
 spec:
   rules:
-  - host: 192.168.49.2.nip.io
+  - host: ${minikube_ip}.nip.io
     http:
       paths:
       - pathType: Prefix
@@ -19,5 +19,5 @@ spec:
               number: 80
   tls:
   - hosts:
-    - 192.168.49.2.nip.io
-    secretName: kuard-cert
+    - ${minikube_ip}.nip.io
+    secretName: kuard-cert
diff --git a/templates/cm_issuer.yml.tmpl → k8s-cert-manager/templates/issuer.yml b/templates/cm_issuer.yml.tmpl → k8s-cert-manager/templates/issuer.yml
diff --git a/modules/minikube_cm/cm.tf → k8s-cert-manager/terraform/cm.tf b/modules/minikube_cm/cm.tf → k8s-cert-manager/terraform/cm.tf
@@ -6,7 +6,7 @@ resource "helm_release" "cm" {
   create_namespace = true
   namespace        = "cm"
 
-  values = [file("${path.root}/minikube/cm/values.yml")]
+  values = [file("${path.module}/../files/values.yml")]
 }
 
 # https://cert-manager.io/docs/configuration/vault/#secretless-authentication-with-a-service-account
@@ -50,25 +50,22 @@ resource "kubernetes_role_binding_v1" "rb" {
 }
 
 resource "local_file" "vault_issuer" {
-  filename = "${path.root}/minikube/cm/issuer.yml"
-  content = templatefile("./templates/cm_issuer.yml.tmpl", {
-    name             = "vault-issuer"
-    vault_server     = "https://host.minikube.internal"
-    namespace        = helm_release.cm.namespace
-    ca_cert          = base64encode(var.ca_cert)
-    vault_auth_mount = vault_kubernetes_auth_backend_role.cm.backend
-    vault_auth_role  = vault_kubernetes_auth_backend_role.cm.role_name
-    sa_name          = "vault-issuer"
+  filename = "${path.module}/../output/issuer.yml"
+  content = templatefile("${path.module}/../templates/issuer.yml", {
+    ca_cert = base64encode(var.ca_cert)
   })
 }
 
 resource "kubectl_manifest" "vault_issuer" {
   yaml_body = local_file.vault_issuer.content
+
+  depends_on = [helm_release.cm]
 }
 
 resource "local_file" "ingress" {
-  filename = "${path.root}/minikube/cm/ingress.yml"
-  content = templatefile("./templates/cm_ingress.yml.tmpl", {
+  filename = "${path.module}/../output/ingress.yml"
+  content = templatefile("${path.module}/../templates/ingress.yml", {
+    minikube_ip = var.minikube_ip
   })
 }
 

diff --git a/modules/minikube_cm/kuard.tf → k8s-cert-manager/terraform/kuard.tf b/modules/minikube_cm/kuard.tf → k8s-cert-manager/terraform/kuard.tf
@@ -1,11 +1,11 @@
 resource "kubectl_manifest" "kuard" {
-  yaml_body = file("${path.root}/minikube/cm/kuard.yml")
+  yaml_body = file("${path.module}/../files/kuard.yml")
 
   depends_on = [helm_release.cm]
 }
 
 resource "kubectl_manifest" "kuard_svc" {
-  yaml_body = file("${path.root}/minikube/cm/kuard_svc.yml")
+  yaml_body = file("${path.module}/../files/kuard_svc.yml")
 
   depends_on = [helm_release.cm]
-}
+}
diff --git a/k8s-cert-manager/terraform/variables.tf b/k8s-cert-manager/terraform/variables.tf
@@ -0,0 +1,7 @@
+variable "ca_cert" {
+  type = string
+}
+
+variable "minikube_ip" {
+  type = string
+}
diff --git a/modules/minikube_cm/vault.tf → k8s-cert-manager/terraform/vault.tf b/modules/minikube_cm/vault.tf → k8s-cert-manager/terraform/vault.tf
@@ -1,7 +1,7 @@
 resource "vault_policy" "cm" {
   name = "cm"
 
-  policy = file("${path.root}/minikube/cm/vault-policy.hcl")
+  policy = file("${path.module}/../files/vault-policy.hcl")
 }
 
 resource "vault_kubernetes_auth_backend_role" "cm" {
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,4 +5,3 @@ HAProxy does not terminate the TLS Connection instead of it passes through the c

		## HAProxy Stats & Metrics
		You can explore HAProxy Metrics under [http://localhost:8404/stats](http://localhost:8404/stats) and see how the metrics change with every request to Vault.