Add encrypted storageclass, enable chartmuseum with encryption
This commit is contained in:
parent
d7c0c7e1b3
commit
c87b182e02
5 changed files with 150 additions and 21 deletions
|
|
@ -40,11 +40,11 @@ helmApps:
|
|||
repoURL: https://charts.gabe565.com
|
||||
chart: miniflux
|
||||
revision: 0.6.1
|
||||
# - app: chartmuseum
|
||||
# namespace: chartmuseum
|
||||
# repoURL: https://chartmuseum.github.io/charts
|
||||
# chart: chartmuseum
|
||||
# revision: 3.10.1
|
||||
- app: chartmuseum
|
||||
namespace: chartmuseum
|
||||
repoURL: https://chartmuseum.github.io/charts
|
||||
chart: chartmuseum
|
||||
revision: 3.10.1
|
||||
- app: nextcloud
|
||||
namespace: nextcloud
|
||||
repoURL: https://nextcloud.github.io/helm/
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ metadata:
|
|||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn-retain
|
||||
storageClassName: longhorn-encrypted-retain
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
|
|
|
|||
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
kind: StorageClass
|
||||
apiVersion: storage.k8s.io/v1
|
||||
metadata:
|
||||
name: longhorn-retain
|
||||
provisioner: driver.longhorn.io
|
||||
allowVolumeExpansion: true
|
||||
reclaimPolicy: Retain
|
||||
volumeBindingMode: Immediate
|
||||
parameters:
|
||||
numberOfReplicas: "3"
|
||||
staleReplicaTimeout: "30"
|
||||
fromBackup: ""
|
||||
fsType: "ext4"
|
||||
...
|
||||
124
manifests/longhorn.yaml
Normal file
124
manifests/longhorn.yaml
Normal file
|
|
@ -0,0 +1,124 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
namespace: longhorn-system
|
||||
name: longhorn
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: kubernetes.io/service-account-token
|
||||
metadata:
|
||||
name: serviceaccounttoken
|
||||
namespace: longhorn-system
|
||||
annotations:
|
||||
kubernetes.io/service-account.name: "longhorn"
|
||||
...
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: longhorn-tokenreview-binding
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:auth-delegator
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: longhorn
|
||||
namespace: longhorn-system
|
||||
...
|
||||
---
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: SecretStore
|
||||
metadata:
|
||||
name: longhorn
|
||||
namespace: longhorn-system
|
||||
spec:
|
||||
provider:
|
||||
vault:
|
||||
server: "https://vault.service.masked.name:8200"
|
||||
path: "kv"
|
||||
version: "v2"
|
||||
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUROVENDQWgyZ0F3SUJBZ0lVWXA4eG81dDJsSkZQM1NpRDFmSmlyZ0dVUUowd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF4TUxiV0Z6YTJWa0xtNWhiV1V3SGhjTk1qQXdPREk1TVRreU16RXlXaGNOTXpBdwpPREkzTVRreU16UXlXakFXTVJRd0VnWURWUVFERXd0dFlYTnJaV1F1Ym1GdFpUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNSTdvUitLSHZ2em5mbmFBWERNTzVxcFNUQ0FZQ3lmakZFb2hZSmYKbE9jbkxPTlhiM2Y2c1A1ZDFlbHRMK1VUcTBSVlU1VVAwYU5XN2hxRFRhNDFNUncwSkNEdEI2OHlLZFlxMmhaZgo5N2dBK2xqM01FSlU2UlRBS0xyZzc1R1JoL0FiTkVJZ3d2UHVIS1c2aE1idHdPeU05REZVLy9XM3hwdXNhbFh5ClJNRnpBSGZTRGo5Y2krVXlnVXQ5SElOV2QvU21NR0cvOFBnaGFSaGZFNDR3UkZNcVllemVsaUl0MkpJczQzQlYKN0hxRzBPZXY5V1BlWG1pYVpVWUtRZXRIaVFxUjE0TXhpdjFJR3pDbXd3Tis5YjR0WnRaVGE1OG9NNWRQWGZiYgpsckVMUUU1T3NQYU50TXRFUjNNZ3hvdkROM1ZTQ0dIL08vR3lhRVdWYW5ZNVVGOENBd0VBQWFON01Ia3dEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGQlk4alczZkRWVXAKVVJ0MXByaG1ETWprVmlrZ01COEdBMVVkSXdRWU1CYUFGQlk4alczZkRWVXBVUnQxcHJobURNamtWaWtnTUJZRwpBMVVkRVFRUE1BMkNDMjFoYzJ0bFpDNXVZVzFsTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBV1F6NGQzUXpFClc4TkdBMTZaUGFtbFZ1Yk9MQjVEdFp6MnFyU3JuM0RlT2JMSURTaEluVjNxdFJsRHg5SFlKTFRDQTc1S2V0MEoKTlRzeU1jVHkydHhkNEk4aGdkRjMwWEplRWNpTjl3WjBtS0VlUC9ZS0R3ZThWMlh3V3E0WFlrRGVjaGxXSHBabwpQZldjb0xwckt3VlVJNEh6YXFrTm13Y21NVUk0eEFzQytTTGUxbXJlYnNlS200OW9Pd2RRcy9vUFZMSyswbkVwClJ2RDBhT3ZvaElMSWEvMlp0S2N6dmhCL0wzZm81cGc5RXgvMEpEQmRESEllZE1hYkQzcW44SWRzZStQNURmd2EKSnUyQ3R5YituMVRUUHhSRE14czJjRmJBNWlycisyQVJKZDhqdEdTKzFmeXhvZ2pPV1MxUlI1MjNGK3FJUzNzdQpLaWJHZWwrZ0ZQcHEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRDB6Q0NBcnVnQXdJQkFnSVVNNTJ1aFhTZVRDaW0xcG16dWNtL2NuSWdOcDh3RFFZSktvWklodmNOQVFFTApCUUF3RmpFVU1CSUdBMVVFQXhNTGJXRnphMlZrTG01aGJXVXdIaGNOTWpBd09ESTVNVGt5TnpBd1doY05NalV3Ck9ESTRNVGt5TnpNd1dqQXRNU3N3S1FZRFZRUURFeUp0WVhOclpXUXVibUZ0WlNCSmJuUmxjbTFsWkdsaGRHVWcKUVhWMGFHOXlhWFI1TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4THVHbytBcwpJQ1lXZEpqQkNZMHNuRi9YK2pGMXRkY3JRek5pUktFU0ViNWRzRGl5OTc5YnVnQ2JsUFFEUStnNVdHcVhYNHBqClV5WlpFM1p3aE91ZklTbEdLMG93MWFNanFTK3BGbFE4NUtSRC9qVXRMUFJVSnVRRittMll3SWQvTWc2L0I3UWsKZDE2NnVKa054UytNR1pDaTJPWVhlb2l2bk9ZN1EwS2ovMHZJYmM1VnQza0NSVmcybGpMU1Fob0JkKzg1QUhNUgpqZVJqWk1lWUVZRjJIVFZ3cmc0RHJDL3IwME1WdERjTnFzNitNN1laL3J6bnk3M0d2ZkpXZldvQjFDNHBpWmxnCmZ2VWNTREw1SEFoaml1NWNTZUlSN0RUdVZ4N3Q0UG9LNkFxVWtQeWdEdHExWmFMeWJYVDdYNmQwNzJkUjVBWE8KbldGTFBhYUdKOTc5aXdJREFRQUJvNElCQURDQi9UQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVJa2hWWUJhSzlDY3ZYRzhGTTJqS1ZaMTZvWkF3SHdZRFZSMGpCQmd3CkZvQVVGanlOYmQ4TlZTbFJHM1dtdUdZTXlPUldLU0F3VVFZSUt3WUJCUVVIQVFFRVJUQkRNRUVHQ0NzR0FRVUYKQnpBQ2hqVm9kSFJ3T2k4dmRtRjFiSFF1WTI5c2RXMWlhV0V1YldGemEyVmtMbTVoYldVNk9ESXdNQzkyTVM5dwphMmxmY205dmRDOWpZVEJIQmdOVkhSOEVRREErTUR5Z09xQTRoalpvZEhSd09pOHZkbUYxYkhRdVkyOXNkVzFpCmFXRXViV0Z6YTJWa0xtNWhiV1U2T0RJd01DOTJNUzl3YTJsZmNtOXZkQzlqY213d0RRWUpLb1pJaHZjTkFRRUwKQlFBRGdnRUJBSzZITWdSK2hwd2paQ21mNU5zekRTSHI3ZFlLWlhQNExyY0hQV3M5NG5MTTMzVVo1NzJ1YkdIcwpkS2pSdzhZRDBjbmNyc3lwc1ltRWdSNTdVK0RIa3lzMzk0d2tiN1VPd3kxWnZkNUlJUlhkUDBjRHlsejBRenFNCkFQblFZTitpc21rb2xqaGs5ZXkwUWJvM0NtUGpNK1VRY0F4dVpRdEE0TStyaUMxK2prdWRlMXVZTDBzekM2WTkKNEtldGZ2Yk5rZWRTYVY1eUphUktDQmhSY0M0L0dqcEJHL29kUS81QWZCUEFGalpxaGNJSldCclZZYlRRVkM3OQpoTUExaXdXSlBtVDlMc2pNU1VmeEZUUHp4Um5OWFFpS0Z6NWtUMk9pUzFucWg4YU9jeVU5WUM5Mjhwa2lmTkpWCktva3VEZXpKRk03aWUzZCtFY0JrMVY5bEh3T1dkdG89Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
||||
auth:
|
||||
kubernetes:
|
||||
mountPath: "k8s-teapot"
|
||||
role: longhorn
|
||||
secretRef:
|
||||
name: "serviceaccounttoken"
|
||||
...
|
||||
---
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: longhorn-encryption
|
||||
namespace: longhorn-system
|
||||
spec:
|
||||
secretStoreRef:
|
||||
name: longhorn
|
||||
kind: SecretStore
|
||||
data:
|
||||
- secretKey: CRYPTO_KEY_VALUE
|
||||
remoteRef:
|
||||
key: longhorn
|
||||
property: CRYPTO_KEY_VALUE
|
||||
- secretKey: CRYPTO_KEY_PROVIDER
|
||||
remoteRef:
|
||||
key: longhorn
|
||||
property: CRYPTO_KEY_PROVIDER
|
||||
- secretKey: CRYPTO_KEY_CIPHER
|
||||
remoteRef:
|
||||
key: longhorn
|
||||
property: CRYPTO_KEY_CIPHER
|
||||
- secretKey: CRYPTO_KEY_HASH
|
||||
remoteRef:
|
||||
key: longhorn
|
||||
property: CRYPTO_KEY_HASH
|
||||
- secretKey: CRYPTO_KEY_SIZE
|
||||
remoteRef:
|
||||
key: longhorn
|
||||
property: CRYPTO_KEY_SIZE
|
||||
- secretKey: CRYPTO_PBKDF
|
||||
remoteRef:
|
||||
key: longhorn
|
||||
property: CRYPTO_PBKDF
|
||||
...
|
||||
---
|
||||
kind: StorageClass
|
||||
apiVersion: storage.k8s.io/v1
|
||||
metadata:
|
||||
name: longhorn-retain
|
||||
provisioner: driver.longhorn.io
|
||||
allowVolumeExpansion: true
|
||||
reclaimPolicy: Retain
|
||||
volumeBindingMode: Immediate
|
||||
parameters:
|
||||
numberOfReplicas: "3"
|
||||
staleReplicaTimeout: "30"
|
||||
fromBackup: ""
|
||||
fsType: "ext4"
|
||||
...
|
||||
---
|
||||
kind: StorageClass
|
||||
apiVersion: storage.k8s.io/v1
|
||||
metadata:
|
||||
name: longhorn-encrypted-retain
|
||||
provisioner: driver.longhorn.io
|
||||
allowVolumeExpansion: true
|
||||
reclaimPolicy: Retain
|
||||
volumeBindingMode: Immediate
|
||||
parameters:
|
||||
numberOfReplicas: "3"
|
||||
staleReplicaTimeout: "120"
|
||||
fromBackup: ""
|
||||
fsType: "ext4"
|
||||
encrypted: "true"
|
||||
csi.storage.k8s.io/provisioner-secret-name: "longhorn-encryption"
|
||||
csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
|
||||
csi.storage.k8s.io/node-publish-secret-name: "longhorn-encryption"
|
||||
csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
|
||||
csi.storage.k8s.io/node-stage-secret-name: "longhorn-encryption"
|
||||
csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
|
||||
...
|
||||
20
scripts/longhorn.sh
Executable file
20
scripts/longhorn.sh
Executable file
|
|
@ -0,0 +1,20 @@
|
|||
#!/bin/bash
|
||||
VAULT_AUTH_NAMESPACE="k8s-teapot"
|
||||
cat << EOH > longhorn.hcl
|
||||
path "kv/data/longhorn" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
EOH
|
||||
vault policy write longhorn longhorn.hcl
|
||||
rm longhorn.hcl
|
||||
HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
|
||||
TOKEN="$(kubectl get secret serviceaccounttoken -n longhorn-system -o go-template='{{ .data.token }}' | base64 -d)"
|
||||
|
||||
vault write auth/${VAULT_AUTH_NAMESPACE}/role/longhorn \
|
||||
bound_service_account_names=longhorn \
|
||||
bound_service_account_namespaces=longhorn-system \
|
||||
policies=longhorn \
|
||||
ttl=24h
|
||||
|
||||
vault write auth/${VAULT_AUTH_NAMESPACE}/login role=longhorn jwt=${TOKEN} iss=https://${HOST_IP}:6443
|
||||
|
||||
Loading…
Reference in a new issue