Add encrypted storageclass, enable chartmuseum with encryption

This commit is contained in:
Amarpreet Minhas 2023-07-19 18:01:55 +00:00
parent d7c0c7e1b3
commit c87b182e02
5 changed files with 150 additions and 21 deletions

View file

@ -40,11 +40,11 @@ helmApps:
repoURL: https://charts.gabe565.com
chart: miniflux
revision: 0.6.1
# - app: chartmuseum
# namespace: chartmuseum
# repoURL: https://chartmuseum.github.io/charts
# chart: chartmuseum
# revision: 3.10.1
- app: chartmuseum
namespace: chartmuseum
repoURL: https://chartmuseum.github.io/charts
chart: chartmuseum
revision: 3.10.1
- app: nextcloud
namespace: nextcloud
repoURL: https://nextcloud.github.io/helm/

View file

@ -7,7 +7,7 @@ metadata:
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn-retain
storageClassName: longhorn-encrypted-retain
resources:
requests:
storage: 10Gi

View file

@ -1,15 +0,0 @@
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: longhorn-retain
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Retain
volumeBindingMode: Immediate
parameters:
numberOfReplicas: "3"
staleReplicaTimeout: "30"
fromBackup: ""
fsType: "ext4"
...

124
manifests/longhorn.yaml Normal file
View file

@ -0,0 +1,124 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: longhorn-system
name: longhorn
...
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: serviceaccounttoken
namespace: longhorn-system
annotations:
kubernetes.io/service-account.name: "longhorn"
...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: longhorn-tokenreview-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: longhorn
namespace: longhorn-system
...
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: longhorn
namespace: longhorn-system
spec:
provider:
vault:
server: "https://vault.service.masked.name:8200"
path: "kv"
version: "v2"
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUROVENDQWgyZ0F3SUJBZ0lVWXA4eG81dDJsSkZQM1NpRDFmSmlyZ0dVUUowd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF4TUxiV0Z6YTJWa0xtNWhiV1V3SGhjTk1qQXdPREk1TVRreU16RXlXaGNOTXpBdwpPREkzTVRreU16UXlXakFXTVJRd0VnWURWUVFERXd0dFlYTnJaV1F1Ym1GdFpUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNSTdvUitLSHZ2em5mbmFBWERNTzVxcFNUQ0FZQ3lmakZFb2hZSmYKbE9jbkxPTlhiM2Y2c1A1ZDFlbHRMK1VUcTBSVlU1VVAwYU5XN2hxRFRhNDFNUncwSkNEdEI2OHlLZFlxMmhaZgo5N2dBK2xqM01FSlU2UlRBS0xyZzc1R1JoL0FiTkVJZ3d2UHVIS1c2aE1idHdPeU05REZVLy9XM3hwdXNhbFh5ClJNRnpBSGZTRGo5Y2krVXlnVXQ5SElOV2QvU21NR0cvOFBnaGFSaGZFNDR3UkZNcVllemVsaUl0MkpJczQzQlYKN0hxRzBPZXY5V1BlWG1pYVpVWUtRZXRIaVFxUjE0TXhpdjFJR3pDbXd3Tis5YjR0WnRaVGE1OG9NNWRQWGZiYgpsckVMUUU1T3NQYU50TXRFUjNNZ3hvdkROM1ZTQ0dIL08vR3lhRVdWYW5ZNVVGOENBd0VBQWFON01Ia3dEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGQlk4alczZkRWVXAKVVJ0MXByaG1ETWprVmlrZ01COEdBMVVkSXdRWU1CYUFGQlk4alczZkRWVXBVUnQxcHJobURNamtWaWtnTUJZRwpBMVVkRVFRUE1BMkNDMjFoYzJ0bFpDNXVZVzFsTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBV1F6NGQzUXpFClc4TkdBMTZaUGFtbFZ1Yk9MQjVEdFp6MnFyU3JuM0RlT2JMSURTaEluVjNxdFJsRHg5SFlKTFRDQTc1S2V0MEoKTlRzeU1jVHkydHhkNEk4aGdkRjMwWEplRWNpTjl3WjBtS0VlUC9ZS0R3ZThWMlh3V3E0WFlrRGVjaGxXSHBabwpQZldjb0xwckt3VlVJNEh6YXFrTm13Y21NVUk0eEFzQytTTGUxbXJlYnNlS200OW9Pd2RRcy9vUFZMSyswbkVwClJ2RDBhT3ZvaElMSWEvMlp0S2N6dmhCL0wzZm81cGc5RXgvMEpEQmRESEllZE1hYkQzcW44SWRzZStQNURmd2EKSnUyQ3R5YituMVRUUHhSRE14czJjRmJBNWlycisyQVJKZDhqdEdTKzFmeXhvZ2pPV1MxUlI1MjNGK3FJUzNzdQpLaWJHZWwrZ0ZQcHEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRDB6Q0NBcnVnQXdJQkFnSVVNNTJ1aFhTZVRDaW0xcG16dWNtL2NuSWdOcDh3RFFZSktvWklodmNOQVFFTApCUUF3RmpFVU1CSUdBMVVFQXhNTGJXRnphMlZrTG01aGJXVXdIaGNOTWpBd09ESTVNVGt5TnpBd1doY05NalV3Ck9ESTRNVGt5TnpNd1dqQXRNU3N3S1FZRFZRUURFeUp0WVhOclpXUXVibUZ0WlNCSmJuUmxjbTFsWkdsaGRHVWcKUVhWMGFHOXlhWFI1TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4THVHbytBcwpJQ1lXZEpqQkNZMHNuRi9YK2pGMXRkY3JRek5pUktFU0ViNWRzRGl5OTc5YnVnQ2JsUFFEUStnNVdHcVhYNHBqClV5WlpFM1p3aE91ZklTbEdLMG93MWFNanFTK3BGbFE4NUtSRC9qVXRMUFJVSnVRRittMll3SWQvTWc2L0I3UWsKZDE2NnVKa054UytNR1pDaTJPWVhlb2l2bk9ZN1EwS2ovMHZJYmM1VnQza0NSVmcybGpMU1Fob0JkKzg1QUhNUgpqZVJqWk1lWUVZRjJIVFZ3cmc0RHJDL3IwME1WdERjTnFzNitNN1laL3J6bnk3M0d2ZkpXZldvQjFDNHBpWmxnCmZ2VWNTREw1SEFoaml1NWNTZUlSN0RUdVZ4N3Q0UG9LNkFxVWtQeWdEdHExWmFMeWJYVDdYNmQwNzJkUjVBWE8KbldGTFBhYUdKOTc5aXdJREFRQUJvNElCQURDQi9UQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVJa2hWWUJhSzlDY3ZYRzhGTTJqS1ZaMTZvWkF3SHdZRFZSMGpCQmd3CkZvQVVGanlOYmQ4TlZTbFJHM1dtdUdZTXlPUldLU0F3VVFZSUt3WUJCUVVIQVFFRVJUQkRNRUVHQ0NzR0FRVUYKQnpBQ2hqVm9kSFJ3T2k4dmRtRjFiSFF1WTI5c2RXMWlhV0V1YldGemEyVmtMbTVoYldVNk9ESXdNQzkyTVM5dwphMmxmY205dmRDOWpZVEJIQmdOVkhSOEVRREErTUR5Z09xQTRoalpvZEhSd09pOHZkbUYxYkhRdVkyOXNkVzFpCmFXRXViV0Z6YTJWa0xtNWhiV1U2T0RJd01DOTJNUzl3YTJsZmNtOXZkQzlqY213d0RRWUpLb1pJaHZjTkFRRUwKQlFBRGdnRUJBSzZITWdSK2hwd2paQ21mNU5zekRTSHI3ZFlLWlhQNExyY0hQV3M5NG5MTTMzVVo1NzJ1YkdIcwpkS2pSdzhZRDBjbmNyc3lwc1ltRWdSNTdVK0RIa3lzMzk0d2tiN1VPd3kxWnZkNUlJUlhkUDBjRHlsejBRenFNCkFQblFZTitpc21rb2xqaGs5ZXkwUWJvM0NtUGpNK1VRY0F4dVpRdEE0TStyaUMxK2prdWRlMXVZTDBzekM2WTkKNEtldGZ2Yk5rZWRTYVY1eUphUktDQmhSY0M0L0dqcEJHL29kUS81QWZCUEFGalpxaGNJSldCclZZYlRRVkM3OQpoTUExaXdXSlBtVDlMc2pNU1VmeEZUUHp4Um5OWFFpS0Z6NWtUMk9pUzFucWg4YU9jeVU5WUM5Mjhwa2lmTkpWCktva3VEZXpKRk03aWUzZCtFY0JrMVY5bEh3T1dkdG89Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
auth:
kubernetes:
mountPath: "k8s-teapot"
role: longhorn
secretRef:
name: "serviceaccounttoken"
...
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: longhorn-encryption
namespace: longhorn-system
spec:
secretStoreRef:
name: longhorn
kind: SecretStore
data:
- secretKey: CRYPTO_KEY_VALUE
remoteRef:
key: longhorn
property: CRYPTO_KEY_VALUE
- secretKey: CRYPTO_KEY_PROVIDER
remoteRef:
key: longhorn
property: CRYPTO_KEY_PROVIDER
- secretKey: CRYPTO_KEY_CIPHER
remoteRef:
key: longhorn
property: CRYPTO_KEY_CIPHER
- secretKey: CRYPTO_KEY_HASH
remoteRef:
key: longhorn
property: CRYPTO_KEY_HASH
- secretKey: CRYPTO_KEY_SIZE
remoteRef:
key: longhorn
property: CRYPTO_KEY_SIZE
- secretKey: CRYPTO_PBKDF
remoteRef:
key: longhorn
property: CRYPTO_PBKDF
...
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: longhorn-retain
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Retain
volumeBindingMode: Immediate
parameters:
numberOfReplicas: "3"
staleReplicaTimeout: "30"
fromBackup: ""
fsType: "ext4"
...
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: longhorn-encrypted-retain
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Retain
volumeBindingMode: Immediate
parameters:
numberOfReplicas: "3"
staleReplicaTimeout: "120"
fromBackup: ""
fsType: "ext4"
encrypted: "true"
csi.storage.k8s.io/provisioner-secret-name: "longhorn-encryption"
csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
csi.storage.k8s.io/node-publish-secret-name: "longhorn-encryption"
csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
csi.storage.k8s.io/node-stage-secret-name: "longhorn-encryption"
csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
...

20
scripts/longhorn.sh Executable file
View file

@ -0,0 +1,20 @@
#!/bin/bash
VAULT_AUTH_NAMESPACE="k8s-teapot"
cat << EOH > longhorn.hcl
path "kv/data/longhorn" {
capabilities = ["read"]
}
EOH
vault policy write longhorn longhorn.hcl
rm longhorn.hcl
HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
TOKEN="$(kubectl get secret serviceaccounttoken -n longhorn-system -o go-template='{{ .data.token }}' | base64 -d)"
vault write auth/${VAULT_AUTH_NAMESPACE}/role/longhorn \
bound_service_account_names=longhorn \
bound_service_account_namespaces=longhorn-system \
policies=longhorn \
ttl=24h
vault write auth/${VAULT_AUTH_NAMESPACE}/login role=longhorn jwt=${TOKEN} iss=https://${HOST_IP}:6443