RE-implemented starlord + vault

README.md

@@ -143,6 +143,7 @@ It is the custom at Runnable to play a song to the entire team when deploying. F
 | sauron | [Sauron theme song from LOTR](https://www.youtube.com/watch?v=V_rk9VBrXMY) |
 | Security Groups | [Out of the Woods - Tayor Swift](https://www.youtube.com/watch?v=JLf9q36UsBk)
 | shiva | [FFXIV Shiva Theme](https://www.youtube.com/watch?v=noJiH8HLZw4) |
+| starlord | [Blue Swede - Hooked on a Feeling](https://www.youtube.com/watch?v=NrI-UBIB8Jk) |
 | swarm-deamon | [Pink Floyd - Another Brick In The Wall](https://www.youtube.com/watch?v=5IpYOF4Hi6Q) |
 | swarm-manager | [Eric Prydz VS Pink Floyd - 'Proper Education'](https://www.youtube.com/watch?v=IttkDYE33aU) |
 | varnish | [Karate Kid Theme Song](https://www.youtube.com/watch?v=VIYqtkdMxQg) |

ansible/delta-hosts/hosts

@@ -34,6 +34,9 @@ delta-consul-a
 delta-consul-b
 delta-consul-c
 
+[user-vault]
+localhost
+
 [worker]
 localhost
 
@@ -104,6 +107,9 @@ localhost
 [sauron]
 localhost
 
+[starlord]
+localhost
+
 [swarm-manager]
 localhost
 
@@ -162,7 +168,9 @@ sauron
 shiva
 socket-server
 socket-server-proxy
+starlord
 swarm-manager
+user-vault
 userland
 web
 worker

ansible/delta-hosts/variables

@@ -142,9 +142,18 @@ sauron_rollbar_key=83157ae2d50d4b6398e404c0b9978d26
 aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q
 aws_secret_access_key=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
 
+[starlord:vars]
+starlord_vault_token=319ff979-b066-87c7-1172-6f3b5305d749
+
 [swarm-manager:vars]
 environment_name=delta
 
+[user-vault:vars]
+user_vault_s3_access_key=AKIAJRB2ERCOLHGNYAFQ
+user_vault_s3_secret_key=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
+user_vault_s3_bucket=delta-user-vault
+vault_config_file=user-vault.yml
+
 [vault:vars]
 vault_hello_runnable_github_token=88ddc423c2312d02a8bbcaad76dd4c374a30e4af
 vault_aws_access_key_id=AKIAJ7R4UIM45KH2WGWQ
@@ -192,6 +201,7 @@ vault_token_03=47f3cb74f5374fa3c51c90fd25e3d4cc851034de97584995fce5fc5382342f1f0
 rabbit_port=54321
 registry_username=runnable+deltapush
 registry_token=4PX2AU9QIJSCDLZEXILYX6ZP2RCXY1HR10WVZKWVR0JW8DS5IIY87D96V0RACMK5
+dock_vault_user_creation_access_token=ddf20c34-019c-5b24-9c0d-1b44e3edf29a
 
 [web:vars]
 web_intercom_id=wqzm3rju

ansible/gamma-hosts/hosts

@@ -38,6 +38,9 @@ gamma-consul-a
 gamma-consul-b
 gamma-consul-c
 
+[user-vault]
+localhost
+
 [worker]
 localhost
 
@@ -95,6 +98,9 @@ localhost
 [shiva]
 localhost
 
+[starlord]
+localhost
+
 [socket-server]
 localhost
 
@@ -161,7 +167,9 @@ sauron
 shiva
 socket-server
 socket-server-proxy
+starlord
 swarm-manager
+user-vault
 userland
 web
 worker

ansible/gamma-hosts/variables

@@ -120,9 +120,18 @@ sauron_rollbar_key=83157ae2d50d4b6398e404c0b9978d26
 aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q
 aws_secret_access_key=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
 
+[starlord:vars]
+starlord_vault_token=8d6b414a-2e6d-65fb-f0b8-c6200ae688ad
+
 [swarm-manager:vars]
 environment_name=gamma
 
+[user-vault:vars]
+user_vault_s3_access_key=AKIAIOTM4MKOJJVUL7IQ
+user_vault_s3_secret_key=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
+user_vault_s3_bucket=gamma-user-vault
+vault_config_file=user-vault.yml
+
 [vault:vars]
 vault_hello_runnable_github_token=88ddc423c2312d02a8bbcaad76dd4c374a30e4af
 vault_aws_access_key_id=AKIAJ7R4UIM45KH2WGWQ
@@ -173,6 +182,7 @@ vault_token_02=3489b87c913058740537bbbd4503f3720d74f7cb0f4e0c30a9436e1e52a18d700
 vault_token_03=ac4e1e9800cbf77283298d08172a2f0e46d0b7cbc457c47788d04768af12584a02
 registry_username=runnable+gamma
 registry_token=8G0NT1HZQZHYXU7OB1QAI8HA1560V6R68DE6R6B8YJWQAED82JAFCD057ZWIDT76
+dock_vault_user_creation_access_token=137f441f-db71-40a2-8448-10a565323b1e
 
 [web:vars]
 web_intercom_id=xs5g95pd

ansible/group_vars/all.yml

@@ -127,6 +127,7 @@ drake_port: 80
 # ec2
 aws_access_key: "AKIAIWRXWZ4P3MIMY3LA"
 aws_secret_key: "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"
+aws_region: "us-west-2"
 
 # eru
 eru_http_port: 5501
@@ -217,6 +218,10 @@ npm_token: c76363e9-78e0-4667-82ac-e2ac01efcfe2
 # remote vault
 vault_port: 8200
 
+# user-vault
+user_vault_port: 8200
+user_vault_host_address: user-vault
+
 # local-vault
 vault_local_port: 31836
 vault_addr: http://127.0.0.1:{{ vault_local_port }}

ansible/group_vars/alpha-api-base.yml

@@ -118,3 +118,5 @@ api_base_container_envs:
     value: "{{ api_intercom_app_id | default('ansible_undefined') }}"
   - name: INTERCOM_API_KEY
     value: "{{ api_intercom_api_key | default('ansible_undefined') }}"
+  - name: USER_VAULT_ENDPOINT
+    value: "http://{{ user_vault_host_address }}:{{ user_vault_port }}"

ansible/group_vars/alpha-starlord.yml

@@ -0,0 +1,23 @@
+name: starlord
+
+container_image: "{{ registry_host }}/runnable/{{ name }}"
+container_tag: "{{ git_branch }}"
+inject_ca: false
+repo: [email protected]:CodeNow/{{ name }}.git
+node_version: "6.10.2"
+
+container_envs:
+  - name: NODE_ENV
+    value: "{{ node_env }}"
+  - name: VAULT_ENDPOINT
+    value: "http://{{ user_vault_host_address }}:{{ user_vault_port }}"
+  - name: VAULT_TOKEN
+    value: "{{starlord_vault_token}}"
+  - name: RABBITMQ_HOSTNAME
+    value: "{{ rabbit_host_address }}"
+  - name: RABBITMQ_PASSWORD
+    value: "{{ rabbit_password }}"
+  - name: RABBITMQ_PORT
+    value: "{{ rabbit_port }}"
+  - name: RABBITMQ_USERNAME
+    value: "{{ rabbit_username }}"

ansible/group_vars/alpha-user-vault.yml

@@ -0,0 +1,18 @@
+name: user-vault
+
+container_image: vault
+container_tag: 0.7.0
+hosted_ports: ["{{ user_vault_port }}"]
+
+volume_mounts:
+ - name: "{{ name }}"
+   path: /config
+   kind: configMap
+
+container_run_args: >
+  vault server
+  -log-level=warn
+  -config=/config/vault.hcl
+
+add_capabilities:
+  - IPC_LOCK

ansible/roles/vault/additional-files/user-vault/README.md

@@ -0,0 +1,54 @@
+# Configuring Vault
+
+Vault is specifically designed to be manually setup. This is not automated for a reason.
+
+```
+kubectl port-forward INSTERT_VAULT_ID 8300:8200
+export VAULT_ADDR=http://localhost:8300
+```
+
+The first time you setup vault we need to manually configure a bunch 
+of things so we don't pass around the root token.
+
+`vault init`
+
+Grab the keys, put them in 1password
+
+`vault unseal $key1`
+
+`vault unseal $key2`
+
+`vault unseal $key3`
+
+Verify the vault unsealed
+
+`vault auth`
+Paste in the $rootToken
+
+
+Now to setup the policies:
+
+```
+vault policy-write organizations-writeonly roles/vault/additional-files/user-vault/policies/organizations-writeonly.hcl
+vault policy-write organizations-readonly roles/vault/additional-files/user-vault/policies/organizations-readonly.hcl
+vault policy-write dock-user-creator roles/vault/additional-files/user-vault/policies/dock-user-creator.hcl
+```
+
+Now to setup the roles
+
+`vault write auth/token/roles/organizations-readonly allowed_policies="organizations-readonly"`
+
+Now to setup new token for starlord:
+
+`vault token-create -policy="organizations-writeonly" -ttl="8760h"`
+
+Take the response of this and save it in the configuration for the environment you want as the `starlord_vault_token`
+
+Create a new token for the docks, so they can create readonly tokens.
+
+`vault token-create -policy="dock-user-creator" -ttl="8760h"`
+
+Save that token as the `dock_vault_user_creation_access_token`
+
+This allows the vault user to create a new user using:
+vault write -f auth/token/create/organizations-readonly

ansible/roles/vault/additional-files/user-vault/policies/dock-user-creator.hcl

@@ -0,0 +1,6 @@
+path "auth/token/create/organizations-readonly" {
+  capabilities = ["create", "update"]
+}
+path "sys/policy" {
+  capabilities = ["create", "update"]
+}

ansible/roles/vault/additional-files/user-vault/policies/organizations-readonly.hcl

@@ -0,0 +1,3 @@
+path "secret/organization/*" {
+  capabilities = ["read"]
+}

ansible/roles/vault/additional-files/user-vault/policies/organizations-writeonly.hcl

@@ -0,0 +1,3 @@
+path "secret/organization/*" {
+  capabilities = ["create","update"]
+}

ansible/roles/vault/tasks/main.yml

@@ -8,4 +8,4 @@
   tags: [ deploy ]
   template:
     dest: "{{ config_maps_path }}/{{ name }}"
-    src: vault.yml
+    src: "{{ vault_config_file | default('vault.yml') }}"

ansible/roles/vault/templates/user-vault.yml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ name }}
+data:
+  vault.hcl: |
+    storage "s3" {
+      access_key = "{{ user_vault_s3_access_key }}"
+      secret_key = "{{ user_vault_s3_secret_key }}"
+      bucket = "{{ user_vault_s3_bucket }}"
+      region = "{{ aws_region }}"
+    }
+
+    listener "tcp" {
+      address = "0.0.0.0:{{ user_vault_port }}"
+      tls_disable = 1
+    }
+
+    max_lease_ttl = "8760h"

ansible/starlord.yml

@@ -0,0 +1,8 @@
+---
+- hosts: starlord
+  vars_files:
+    - group_vars/alpha-starlord.yml
+  roles:
+  - role: notify
+  - role: builder
+  - role: k8-deployment

ansible/user-vault.yml

@@ -0,0 +1,9 @@
+---
+- hosts: user-vault
+  vars_files:
+    - group_vars/alpha-user-vault.yml
+  roles:
+  - role: notify
+  - role: vault
+  - role: k8-deployment
+  - role: k8-service