diff --git a/README.md b/README.md
index 2dd96f56..8b540f53 100644
--- a/README.md
+++ b/README.md
@@ -143,6 +143,7 @@ It is the custom at Runnable to play a song to the entire team when deploying. F
 | sauron | [Sauron theme song from LOTR](https://www.youtube.com/watch?v=V_rk9VBrXMY) |
 | Security Groups | [Out of the Woods - Tayor Swift](https://www.youtube.com/watch?v=JLf9q36UsBk) | shiva | [FFXIV Shiva Theme](https://www.youtube.com/watch?v=noJiH8HLZw4) |
+| starlord | [Blue Swede - Hooked on a Feeling](https://www.youtube.com/watch?v=NrI-UBIB8Jk) |
 | swarm-deamon | [Pink Floyd - Another Brick In The Wall](https://www.youtube.com/watch?v=5IpYOF4Hi6Q) |
 | swarm-manager | [Eric Prydz VS Pink Floyd - 'Proper Education'](https://www.youtube.com/watch?v=IttkDYE33aU) |
 | varnish | [Karate Kid Theme Song](https://www.youtube.com/watch?v=VIYqtkdMxQg) |
diff --git a/ansible/delta-hosts/hosts b/ansible/delta-hosts/hosts
index 3bd8f866..c5b14919 100644
--- a/ansible/delta-hosts/hosts
+++ b/ansible/delta-hosts/hosts
@@ -34,6 +34,9 @@ delta-consul-a
 delta-consul-b
 delta-consul-c
+[user-vault]
+localhost
+
 [worker]
 localhost
@@ -104,6 +107,9 @@ localhost
 [sauron]
 localhost
+[starlord]
+localhost
+
 [swarm-manager]
 localhost
@@ -162,7 +168,9 @@ sauron
 shiva
 socket-server
 socket-server-proxy
+starlord
 swarm-manager
+user-vault
 userland
 web
 worker
diff --git a/ansible/delta-hosts/variables b/ansible/delta-hosts/variables
index 360cade4..0dc676f8 100644
--- a/ansible/delta-hosts/variables
+++ b/ansible/delta-hosts/variables
@@ -142,9 +142,18 @@ sauron_rollbar_key=83157ae2d50d4b6398e404c0b9978d26
 aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q
 aws_secret_access_key=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
+[starlord:vars]
+starlord_vault_token=319ff979-b066-87c7-1172-6f3b5305d749
+
 [swarm-manager:vars]
 environment_name=delta
+[user-vault:vars]
+user_vault_s3_access_key=AKIAJRB2ERCOLHGNYAFQ
+user_vault_s3_secret_key=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
+user_vault_s3_bucket=delta-user-vault
+vault_config_file=user-vault.yml
+
 [vault:vars]
 vault_hello_runnable_github_token=88ddc423c2312d02a8bbcaad76dd4c374a30e4af
 vault_aws_access_key_id=AKIAJ7R4UIM45KH2WGWQ
@@ -192,6 +201,7 @@ vault_token_03=47f3cb74f5374fa3c51c90fd25e3d4cc851034de97584995fce5fc5382342f1f0
 rabbit_port=54321
 registry_username=runnable+deltapush
 registry_token=4PX2AU9QIJSCDLZEXILYX6ZP2RCXY1HR10WVZKWVR0JW8DS5IIY87D96V0RACMK5
+dock_vault_user_creation_access_token=ddf20c34-019c-5b24-9c0d-1b44e3edf29a
 [web:vars]
 web_intercom_id=wqzm3rju
diff --git a/ansible/gamma-hosts/hosts b/ansible/gamma-hosts/hosts
index b6c8406c..a7fd1d5a 100644
--- a/ansible/gamma-hosts/hosts
+++ b/ansible/gamma-hosts/hosts
@@ -38,6 +38,9 @@ gamma-consul-a
 gamma-consul-b
 gamma-consul-c
+[user-vault]
+localhost
+
 [worker]
 localhost
@@ -95,6 +98,9 @@ localhost
 [shiva]
 localhost
+[starlord]
+localhost
+
 [socket-server]
 localhost
@@ -161,7 +167,9 @@ sauron
 shiva
 socket-server
 socket-server-proxy
+starlord
 swarm-manager
+user-vault
 userland
 web
 worker
diff --git a/ansible/gamma-hosts/variables b/ansible/gamma-hosts/variables
index 39f51aab..65bce5fa 100644
--- a/ansible/gamma-hosts/variables
+++ b/ansible/gamma-hosts/variables
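Review bot: The new `[starlord:vars]` and `[user-vault:vars]` stanzas, and the `dock_vault_user_creation_access_token` line in the second hunk, commit long-lived credentials (an S3 access key pair and two Vault tokens) to a plaintext inventory file; the gamma variables file in the following hunks repeats the same pattern. These values belong in an ansible-vault encrypted vars file or as `!vault` inline values, with only the variable names left in the inventory. Because the values now sit in git history, any real credentials among them should be treated as exposed and rotated regardless of how this review lands. The pre-existing `[vault:vars]` entries use the same approach, so this commit extends the problem rather than introducing it, but it is the right moment to stop growing it.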
@@ -120,9 +120,18 @@ sauron_rollbar_key=83157ae2d50d4b6398e404c0b9978d26
 aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q
 aws_secret_access_key=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
+[starlord:vars]
+starlord_vault_token=8d6b414a-2e6d-65fb-f0b8-c6200ae688ad
+
 [swarm-manager:vars]
 environment_name=gamma
+[user-vault:vars]
+user_vault_s3_access_key=AKIAIOTM4MKOJJVUL7IQ
+user_vault_s3_secret_key=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
+user_vault_s3_bucket=gamma-user-vault
+vault_config_file=user-vault.yml
+
 [vault:vars]
 vault_hello_runnable_github_token=88ddc423c2312d02a8bbcaad76dd4c374a30e4af
 vault_aws_access_key_id=AKIAJ7R4UIM45KH2WGWQ
@@ -173,6 +182,7 @@ vault_token_02=3489b87c913058740537bbbd4503f3720d74f7cb0f4e0c30a9436e1e52a18d700
 vault_token_03=ac4e1e9800cbf77283298d08172a2f0e46d0b7cbc457c47788d04768af12584a02
 registry_username=runnable+gamma
 registry_token=8G0NT1HZQZHYXU7OB1QAI8HA1560V6R68DE6R6B8YJWQAED82JAFCD057ZWIDT76
+dock_vault_user_creation_access_token=137f441f-db71-40a2-8448-10a565323b1e
 [web:vars]
 web_intercom_id=xs5g95pd
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 9b1df58b..271c4820 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -127,6 +127,7 @@ drake_port: 80
 # ec2
 aws_access_key: "AKIAIWRXWZ4P3MIMY3LA"
 aws_secret_key: "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"
+aws_region: "us-west-2"
 # eru
 eru_http_port: 5501
@@ -217,6 +218,10 @@ npm_token: c76363e9-78e0-4667-82ac-e2ac01efcfe2
 # remote vault
 vault_port: 8200
+# user-vault
+user_vault_port: 8200
+user_vault_host_address: user-vault
+
 # local-vault
 vault_local_port: 31836
 vault_addr: http://127.0.0.1:{{ vault_local_port }}
diff --git a/ansible/group_vars/alpha-api-base.yml b/ansible/group_vars/alpha-api-base.yml
index 2b22c96e..ec93a8bb 100644
--- a/ansible/group_vars/alpha-api-base.yml
+++ b/ansible/group_vars/alpha-api-base.yml
@@ -118,3 +118,5 @@ api_base_container_envs:
 value: "{{ api_intercom_app_id | default('ansible_undefined') }}"
 - name: INTERCOM_API_KEY
 value: "{{ api_intercom_api_key | default('ansible_undefined') }}"
+ - name: USER_VAULT_ENDPOINT
+ value: "http://{{ user_vault_host_address }}:{{ user_vault_port }}"
diff --git a/ansible/group_vars/alpha-starlord.yml b/ansible/group_vars/alpha-starlord.yml
new file mode 100644
index 00000000..544d399d
--- /dev/null
+++ b/ansible/group_vars/alpha-starlord.yml
@@ -0,0 +1,23 @@
+name: starlord
+
+container_image: "{{ registry_host }}/runnable/{{ name }}"
+container_tag: "{{ git_branch }}"
+inject_ca: false
+repo: git@github.com:CodeNow/{{ name }}.git
+node_version: "6.10.2"
+
+container_envs:
+ - name: NODE_ENV
+ value: "{{ node_env }}"
+ - name: VAULT_ENDPOINT
+ value: "http://{{ user_vault_host_address }}:{{ user_vault_port }}"
+ - name: VAULT_TOKEN
+ value: "{{starlord_vault_token}}"
+ - name: RABBITMQ_HOSTNAME
+ value: "{{ rabbit_host_address }}"
+ - name: RABBITMQ_PASSWORD
+ value: "{{ rabbit_password }}"
+ - name: RABBITMQ_PORT
+ value: "{{ rabbit_port }}"
+ - name: RABBITMQ_USERNAME
+ value: "{{ rabbit_username }}"
diff --git a/ansible/group_vars/alpha-user-vault.yml b/ansible/group_vars/alpha-user-vault.yml
new file mode 100644
index 00000000..0eaf2d35
--- /dev/null
+++ b/ansible/group_vars/alpha-user-vault.yml
@@ -0,0 +1,18 @@
+name: user-vault
+
+container_image: vault
+container_tag: 0.7.0
+hosted_ports: ["{{ user_vault_port }}"]
+
+volume_mounts:
+ - name: "{{ name }}"
+ path: /config
+ kind: configMap
+
+container_run_args: >
+ vault server
+ -log-level=warn
+ -config=/config/vault.hcl
+
+add_capabilities:
+ - IPC_LOCK
diff --git a/ansible/roles/vault/additional-files/user-vault/README.md b/ansible/roles/vault/additional-files/user-vault/README.md
new file mode 100644
index 00000000..944efa0e
--- /dev/null
+++ b/ansible/roles/vault/additional-files/user-vault/README.md
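Review bot: `value: "{{starlord_vault_token}}"` in the new alpha-starlord.yml drops the spaces inside the braces that every other templated value in the file uses; write it `value: "{{ starlord_vault_token }}"` to match. Since the README added in this commit issues that token by hand with `-ttl="8760h"`, the entry also deserves a comment recording its provenance and that it will stop authenticating once the TTL lapses, e.g. `# VAULT_TOKEN is issued manually (see roles/vault/additional-files/user-vault/README.md) and expires; reissue before the TTL runs out`. Without that note the next operator has no way to tell this value apart from the long-lived RabbitMQ credentials beside it.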
@@ -0,0 +1,54 @@
+# Configuring Vault
+
+Vault is specifically designed to be manually setup. This is not automated for a reason.
+
+```
+kubectl port-forward INSTERT_VAULT_ID 8300:8200
+export VAULT_ADDR=http://localhost:8300
+```
+
+The first time you setup vault we need to manually configure a bunch
+of things so we don't pass around the root token.
+
+`vault init`
+
+Grab the keys, put them in 1password
+
+`vault unseal $key1`
+
+`vault unseal $key2`
+
+`vault unseal $key3`
+
+Verify the vault unsealed
+
+`vault auth`
+Paste in the $rootToken
+
+
+Now to setup the policies:
+
+```
+vault policy-write organizations-writeonly roles/vault/additional-files/user-vault/policies/organizations-writeonly.hcl
+vault policy-write organizations-readonly roles/vault/additional-files/user-vault/policies/organizations-readonly.hcl
+vault policy-write dock-user-creator roles/vault/additional-files/user-vault/policies/dock-user-creator.hcl
+```
+
+Now to setup the roles
+
+`vault write auth/token/roles/organizations-readonly allowed_policies="organizations-readonly"`
+
+Now to setup new token for starlord:
+
+`vault token-create -policy="organizations-writeonly" -ttl="8760h"`
+
+Take the response of this and save it in the configuration for the environment you want as the `starlord_vault_token`
+
+Create a new token for the docks, so they can create readonly tokens.
+
+`vault token-create -policy="dock-user-creator" -ttl="8760h"`
+
+Save that token as the `dock_vault_user_creation_access_token`
+
+This allows the vault user to create a new user using:
+vault write -f auth/token/create/organizations-readonly
diff --git a/ansible/roles/vault/additional-files/user-vault/policies/dock-user-creator.hcl b/ansible/roles/vault/additional-files/user-vault/policies/dock-user-creator.hcl
new file mode 100644
index 00000000..27183b84
--- /dev/null
+++ b/ansible/roles/vault/additional-files/user-vault/policies/dock-user-creator.hcl
@@ -0,0 +1,6 @@
+path "auth/token/create/organizations-readonly" {
+ capabilities = ["create", "update"]
+}
+path "sys/policy" {
+ capabilities = ["create", "update"]
+}
diff --git a/ansible/roles/vault/additional-files/user-vault/policies/organizations-readonly.hcl b/ansible/roles/vault/additional-files/user-vault/policies/organizations-readonly.hcl
new file mode 100644
index 00000000..90f54488
--- /dev/null
+++ b/ansible/roles/vault/additional-files/user-vault/policies/organizations-readonly.hcl
@@ -0,0 +1,3 @@
+path "secret/organization/*" {
+ capabilities = ["read"]
+}
diff --git a/ansible/roles/vault/additional-files/user-vault/policies/organizations-writeonly.hcl b/ansible/roles/vault/additional-files/user-vault/policies/organizations-writeonly.hcl
new file mode 100644
index 00000000..8b2b56e9
--- /dev/null
+++ b/ansible/roles/vault/additional-files/user-vault/policies/organizations-writeonly.hcl
@@ -0,0 +1,3 @@
+path "secret/organization/*" {
+ capabilities = ["create","update"]
+}
diff --git a/ansible/roles/vault/tasks/main.yml b/ansible/roles/vault/tasks/main.yml
index e0ade0f6..89c05da6 100644
--- a/ansible/roles/vault/tasks/main.yml
+++ b/ansible/roles/vault/tasks/main.yml
@@ -8,4 +8,4 @@
 tags: [ deploy ]
 template:
 dest: "{{ config_maps_path }}/{{ name }}"
- src: vault.yml
+ src: "{{ vault_config_file | default('vault.yml') }}"
diff --git a/ansible/roles/vault/templates/user-vault.yml b/ansible/roles/vault/templates/user-vault.yml
new file mode 100644
index 00000000..b3904171
--- /dev/null
+++ b/ansible/roles/vault/templates/user-vault.yml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ name }}
+data:
+ vault.hcl: |
+ storage "s3" {
+ access_key = "{{ user_vault_s3_access_key }}"
+ secret_key = "{{ user_vault_s3_secret_key }}"
+ bucket = "{{ user_vault_s3_bucket }}"
+ region = "{{ aws_region }}"
+ }
+
+ listener "tcp" {
+ address = "0.0.0.0:{{ user_vault_port }}"
+ tls_disable = 1
+ }
+
+ max_lease_ttl = "8760h"
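Review bot: The `path "sys/policy"` stanza in dock-user-creator.hcl grants `create` and `update` on Vault's entire policy store, which goes well beyond the README's stated purpose for this token (minting `organizations-readonly` tokens): a holder can rewrite any policy, including the read-only and write-only ones defined alongside it, so the `secret/organization/*` read boundary is not actually enforced against the docks. Unless the docks genuinely need to author policies, drop that block and keep only the `auth/token/create/organizations-readonly` path; if they do, scope it to the specific policy name (`path "sys/policy/<policy-name>"`) rather than the whole prefix. A one-line comment above the remaining block stating why the dock token needs it would keep the next reviewer from having to reconstruct this reasoning.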
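Review bot: `kind: ConfigMap` in the new user-vault.yml template renders `user_vault_s3_access_key` and `user_vault_s3_secret_key` into a Kubernetes ConfigMap, which is readable by any principal with ConfigMap read access in the namespace and is not covered by Secret-specific controls such as at-rest encryption; the rendered `vault.hcl` should be a `kind: Secret` (HCL under `stringData`) or the credentials should be supplied through the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` environment variables that the s3 storage backend reads, leaving them out of the config file entirely. Separately, `tls_disable = 1` combined with the `http://` `VAULT_ENDPOINT` values in alpha-starlord.yml and alpha-api-base.yml means client tokens and organization secrets travel the cluster network in cleartext. If TLS is intentionally terminated in front of this pod, say so in a comment above the `listener "tcp"` block; otherwise configure `tls_cert_file`/`tls_key_file` and switch the endpoints to `https://`.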
diff --git a/ansible/starlord.yml b/ansible/starlord.yml
new file mode 100644
index 00000000..4eb59bc8
--- /dev/null
+++ b/ansible/starlord.yml
@@ -0,0 +1,8 @@
+---
+- hosts: starlord
+ vars_files:
+ - group_vars/alpha-starlord.yml
+ roles:
+ - role: notify
+ - role: builder
+ - role: k8-deployment
diff --git a/ansible/user-vault.yml b/ansible/user-vault.yml
new file mode 100644
index 00000000..b6a546de
--- /dev/null
+++ b/ansible/user-vault.yml
@@ -0,0 +1,9 @@
+---
+- hosts: user-vault
+ vars_files:
+ - group_vars/alpha-user-vault.yml
+ roles:
+ - role: notify
+ - role: vault
+ - role: k8-deployment
+ - role: k8-service