updated k8s-cluster-acs

rberlind · rberlind · commit bf485f2c66a1 · 2018-03-30T13:54:43.000-04:00
diff --git a/infrastructure-as-code/k8s-cluster-acs/README.md b/infrastructure-as-code/k8s-cluster-acs/README.md
@@ -14,7 +14,7 @@ This Terraform configuration gets the Azure credentials from a [Vault](https://w
 1. Create an Azure Service Principal for Terraform and Kubernetes to use when interacting with the Azure Resource Manager. See these [instructions](https://www.terraform.io/docs/providers/azurerm/authenticating_via_service_principal.html).
 1. Set up a Vault server if you do not already have access to one and determine your username, password, and associated Vault token.
 1. We assume that the [Userpass auth method](https://www.vaultproject.io/docs/auth/userpass.html) is enabled on your Vault server.  If not, that is ok.  You will login to the Vault UI with your Vault token instead of with your username. Wherever the Terraform-specific instructions below ask you to specify your Vault username, just make one up for yourself.
-1. Your Vault username and token will need to have a Vault policy like [sample-policy.hcl](./sample-policy.hcl) associated with them. You could use this one after changing "roger" to your username and renaming the file to \<username\>-policy.hcl.  Run `vault write sys/policy/<username>-policy policy=@<username>-policy.hcl` to import the policy to your Vault server. Then run `vault write auth/userpass/users/<username> policies="<username>-policy"` to associate the policy with your username. (If you already have other policies associated with the user, then be sure to include those policies in the list of policies with commas between them.) To create a new token and associate the policy with it, run `vault token-create -display-name="<username>-token" -policy="<username>-policy"`.
+1. Your Vault username and token will need to have a Vault policy like [sample-policy.hcl](./sample-policy.hcl) associated with them. You could use this one after changing "roger" to your username and renaming the file to \<username\>-policy.hcl.  Run `vault write sys/policy/<username> policy=@<username>-policy.hcl` to import the policy to your Vault server. Then run `vault write auth/userpass/users/<username> policies="<username>"` to associate the policy with your username. (If you already have other policies associated with the user, then be sure to include those policies in the list of policies with commas between them.) To create a new token and associate the policy with it, run `vault token-create -display-name="<username>-token" -policy="<username>"`.
 1. Login to the UI of your Vault server or use the Vault CLI to add your Azure client_id, client_secret, subscription_id, and tenant_id with those names in secret/<vault_username>/azure/credentials. Note that this is the path to the secret and that the 4 Azure credentials will be 4 keys underneath this single secret.  If using the vault CLI, you would use `vault write secret/<vault_username>/azure/credentials client_id=<client_id> client_secret=<client_secret> subscription_id=<subscription_id> tenant_id=<tenant_id>`, providing the actual values for your Azure service principal.
 1. If you do not already have a Terraform Enterprise (TFE) account, request one from sales@hashicorp.com.
 1. After getting access to your TFE account, create an organization in it. Click the Cancel button when prompted to create a new workspace.
@@ -31,13 +31,13 @@ Execute the following commands to deploy your Kubernetes cluster to ACS.
 1. Create a workspace in your TFE organization called k8s-cluster-acs-dev if you plan to provision both dev and prod clusters, otherwise k8s-cluster-acs.
 1. Configure the k8s-cluster-acs-dev or k8s-cluster-acs workspace to connect to the fork of this repository in your own GitHub account.
 1. Click the "More options" link, set the Terraform Working Directory to "infrastructure-as-code/k8s-cluster-acs" and the VCS Branch to "dev" or "master", matching the branch you are actually using. (If you leave this blank, the master branch will be used.)
-1. On the Variables tab of your workspace, add the following variables to the Terraform variables: dns_agent_pool_prefix, dns_master_prefix, environment, resource_group_name, and vault_user. We recommend values for the first four of these like "<user>-k8s-agentpool-dev", "<user>-k8s-master-dev", "dev", and "<user>-k8s-example-dev". Be sure to set vault_user to your username on the Vault server you are using. Note that the dns_agent_pool_prefix and dns_master_prefix values must be unique within Azure. If you see errors related to these when provisioning your ACS cluster, please pick different values.
-1. Set the following Environment Variables: VAULT_ADDR to the address of your Vault server including the port (e.g., "http://<your_vault_dns>:8200") and VAULT_TOKEN to your Vault token. Be sure to mark the VAULT_TOKEN variable as sensitive so that other people cannot read it.
+1. On the Variables tab of your workspace, add the following variables to the Terraform variables: dns_agent_pool_prefix, dns_master_prefix, environment, resource_group_name, vault_addr, and vault_user. We recommend values for the first four of these like "<user>-k8s-agentpool-dev", "<user>-k8s-master-dev", "dev", and "<user>-k8s-example-dev". Be sure to set vault_addr to the address of your Vault server including the port (e.g., "http://<your_vault_dns>:8200") and vault_user to your username on your Vault server. Note that the dns_agent_pool_prefix and dns_master_prefix values must be unique within Azure. If you see errors related to these when provisioning your ACS cluster, please pick different values.
+1. Set the VAULT_TOKEN environment variable to your Vault token. Be sure to mark the VAULT_TOKEN variable as sensitive so that other people cannot read it.
 1. Click the "Queue Plan" button in the upper right corner of your workspace.
 1. On the Latest Run tab, you should see a new run. If the plan succeeds, you can view the plan and verify that the ACS cluster will be created when you apply your plan.
 1. Click the "Confirm and Apply" button to actually provision your ACS dev cluster.
 
-You will see outputs representing the URL to access your ACS dev cluster in the Azure Portal, your private key PEM, the FQDN of your cluster, TLS certs/keys for your cluster, the Vault Kubernetes authentication backend, and your Vault username.  You will need these when using Terraform's Kubernetes Provider to provision Kubernetes pods and services in other workspaces that use your dev cluster.
+You will see outputs representing the URL to access your ACS dev cluster in the Azure Portal, your private key PEM, the FQDN of your cluster, TLS certs/keys for your cluster, the Vault Kubernetes authentication backend, the Vault address, and your Vault username.  You will need these when using Terraform's Kubernetes Provider to provision Kubernetes pods and services in other workspaces that use your dev cluster. However, if you configure a workspace against the Terraform code in the [k8s-services](../../self-serve-infrastructure/k8s-services) directory of this repository to provision your pods and services, the outputs will automatically be used by that workspace.
 
 You can also validate that the cluster was created in the Azure Portal.
 
@@ -49,14 +49,14 @@ You can execute the following steps if you want to create a production ACS clust
 1. Run `git push origin prod` to push your prod branch to your fork.
 1. Configure the k8s-cluster-acs-prod workspace to connect to the fork of this repository in your own GitHub account.
 1. Click the "More options" link, set the Terraform Working Directory to "infrastructure-as-code/k8s-cluster-acs" and the VCS Branch to "prod".
-1. On the Variables tab of your workspace, add the following variables to the Terraform variables: dns_agent_pool_prefix, dns_master_prefix, environment, resource_group_name, and vault_user. We recommend values for the first four of these like "<user>-k8s-agentpool-prod", "<user>-k8s-master-prod", "prod", and "<user>-k8s-example-prod". Be sure to set vault_user to your username on the Vault server you are using.
-1. Set the same Vault environment variables that you set for your k8s-cluster-acs-dev workspace.
+1. On the Variables tab of your workspace, add the following variables to the Terraform variables: dns_agent_pool_prefix, dns_master_prefix, environment, resource_group_name, vault_addr, and vault_user. We recommend values for the first four of these like "<user>-k8s-agentpool-prod", "<user>-k8s-master-prod", "prod", and "<user>-k8s-example-prod". Be sure to set vault_server to your Vault server including the port and vault_user to your username on your Vault server.
+1. Set the VAULT_TOKEN environment variable just as you did for your k8s-cluster-acs-dev workspace.
 1. In GitHub, do a pull request to merge your dev branch into your prod branch within your fork. (You might need to make some small change in your dev branch so that the two branches differ before doing this.)
 1. On the Latest Run tab, you should see a new run. If the plan succeeds, you can view the plan and verify that the ACS cluster will be created when you apply your plan.
 1. However, you will not yet see the "Confirm and Apply" button. To see it, you must first go back to GitHub and merge the pull request. At that point, a new run will be triggered within TFE which will allow you to apply the plan if you want.
 1. Click the "Confirm and Apply" button to actually provision your ACS production cluster.
 
-You will see outputs representing the URL to access your ACS dev cluster in the Azure Portal, your private key PEM, the FQDN of your cluster, TLS certs/keys for your cluster, the Vault Kubernetes authentication backend, and your Vault username.  You will need these when using Terraform's Kubernetes Provider to provision Kubernetes pods and services in other workspaces that use your dev ACS cluster. However, if you configure a workspace against the Terraform code in the [k8s-services](../../self-serve-infrastructure/k8s-services) directory of this repository to provision your pods and services, the outputs will automatically be used by that workspace.
+You will see outputs representing the URL to access your ACS dev cluster in the Azure Portal, your private key PEM, the FQDN of your cluster, TLS certs/keys for your cluster, the Vault Kubernetes authentication backend, your Vault address, and your Vault username.  You will need these when using Terraform's Kubernetes Provider to provision Kubernetes pods and services in other workspaces that use your dev ACS cluster. However, if you configure a workspace against the Terraform code in the [k8s-services](../../self-serve-infrastructure/k8s-services) directory of this repository to provision your pods and services, the outputs will automatically be used by that workspace.
 
 You can also validate that the cluster was created in the Azure Portal.
 
diff --git a/infrastructure-as-code/k8s-cluster-acs/main.tf b/infrastructure-as-code/k8s-cluster-acs/main.tf
@@ -6,7 +6,9 @@ resource "tls_private_key" "ssh_key" {
   algorithm = "RSA"
 }
 
-provider "vault" {}
+provider "vault" {
+  address = "${var.vault_addr}"
+}
 
 data "vault_generic_secret" "azure_credentials" {
   path = "secret/${var.vault_user}/azure/credentials"
@@ -116,8 +118,8 @@ resource "vault_generic_secret" "role" {
   {
     "bound_service_account_names": "cats-and-dogs",
     "bound_service_account_namespaces": "default",
-    "policies": "${var.vault_user}-policy",
-    "ttl": "1h"
+    "policies": "${var.vault_user}",
+    "ttl": "24h"
   }
   EOT
 }
diff --git a/infrastructure-as-code/k8s-cluster-acs/outputs.tf b/infrastructure-as-code/k8s-cluster-acs/outputs.tf
@@ -29,3 +29,7 @@ output "vault_k8s_auth_backend" {
 output "vault_user" {
   value = "${var.vault_user}"
 }
+
+output "vault_addr" {
+  value = "${var.vault_addr}"
+}
diff --git a/infrastructure-as-code/k8s-cluster-acs/variables.tf b/infrastructure-as-code/k8s-cluster-acs/variables.tf
@@ -58,3 +58,7 @@ variable "environment" {
 variable "vault_user" {
   description = "Vault userid: determines location of secrets and affects path of k8s auth backend"
 }
+
+variable "vault_addr" {
+  description = "Address of Vault server including port"
+}
diff --git a/infrastructure-as-code/k8s-cluster-gke/README.md b/infrastructure-as-code/k8s-cluster-gke/README.md
@@ -15,7 +15,7 @@ This Terraform configuration gets the GCP credentials from a [Vault](https://www
 1. Follow these [instructions](https://www.terraform.io/docs/providers/google/index.html#authentication-json-file) to download an authentication JSON file for your project which Terraform will use when provisioning resources to your GCP project.
 1. Set up a Vault server if you do not already have access to one and determine your username, password, and associated Vault token.
 1. We assume that the [Userpass auth method](https://www.vaultproject.io/docs/auth/userpass.html) is enabled on your Vault server.  If not, that is ok.  You will login to the Vault UI with your Vault token instead of with your username. Wherever the Terraform-specific instructions below ask you to specify your Vault username, just make one up for yourself.
-1. Your Vault username and token will need to have a Vault policy like [sample-policy.hcl](./sample-policy.hcl) associated with them. You could use this one after changing "roger" to your username and renaming the file to \<username\>-policy.hcl.  Run `vault write sys/policy/<username>-policy policy=@<username>-policy.hcl` to import the policy to your Vault server. Then run `vault write auth/userpass/users/<username> policies="<username>-policy"` to associate the policy with your username. (If you already have other policies associated with the user, then be sure to include those policies in the list of policies with commas between them.) To create a new token and associate the policy with it, run `vault token-create -display-name="<username>-token" -policy="<username>-policy"`.
+1. Your Vault username and token will need to have a Vault policy like [sample-policy.hcl](./sample-policy.hcl) associated with them. You could use this one after changing "roger" to your username and renaming the file to \<username\>-policy.hcl.  Run `vault write sys/policy/<username> policy=@<username>-policy.hcl` to import the policy to your Vault server. Then run `vault write auth/userpass/users/<username> policies="<username>"` to associate the policy with your username. (If you already have other policies associated with the user, then be sure to include those policies in the list of policies with commas between them.) To create a new token and associate the policy with it, run `vault token-create -display-name="<username>-token" -policy="<username>"`.
 1. Login to the UI of your Vault server or use the Vault CLI to paste the contents of your GCP authentication JSON file into secret/<vault_username>/gcp/credentials. Note that this is the path to the secret and that the entire contents of the file will be be added to a single key equal to your GCP project ID underneath this single secret.  If using the vault CLI, you would use `vault write secret/<vault_username>/gcp/credentials <project_id>=<project_auth_json_contents>`, providing the actual contents of the JSON file for value of the key. Ideally, you will have created a GCP project with a globally unique name so that the project name and the project ID are identical.  If they differ, be sure to use the project ID, not the project Name.
 1. If you do not already have a Terraform Enterprise (TFE) account, request one from sales@hashicorp.com.
 1. After getting access to your TFE account, create an organization in it. Click the Cancel button when prompted to create a new workspace.

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,9 @@ resource "tls_private_key" "ssh_key" {`
`6`	`6`	`algorithm = "RSA"`
`7`	`7`	`}`
`8`	`8`
`9`		`-provider "vault" {}`
	`9`	`+provider "vault" {`
	`10`	`+ address = "${var.vault_addr}"`
	`11`	`+}`
`10`	`12`
`11`	`13`	`data "vault_generic_secret" "azure_credentials" {`
`12`	`14`	`path = "secret/${var.vault_user}/azure/credentials"`
`@@ -116,8 +118,8 @@ resource "vault_generic_secret" "role" {`
`116`	`118`	`{`
`117`	`119`	`"bound_service_account_names": "cats-and-dogs",`
`118`	`120`	`"bound_service_account_namespaces": "default",`
`119`		`- "policies": "${var.vault_user}-policy",`
`120`		`- "ttl": "1h"`
	`121`	`+ "policies": "${var.vault_user}",`
	`122`	`+ "ttl": "24h"`
`121`	`123`	`}`
`122`	`124`	`EOT`
`123`	`125`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,3 +29,7 @@ output "vault_k8s_auth_backend" {`
`29`	`29`	`output "vault_user" {`
`30`	`30`	`value = "${var.vault_user}"`
`31`	`31`	`}`
	`32`	`+`
	`33`	`+output "vault_addr" {`
	`34`	`+ value = "${var.vault_addr}"`
	`35`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -58,3 +58,7 @@ variable "environment" {`
`58`	`58`	`variable "vault_user" {`
`59`	`59`	`description = "Vault userid: determines location of secrets and affects path of k8s auth backend"`
`60`	`60`	`}`
	`61`	`+`
	`62`	`+variable "vault_addr" {`
	`63`	`+ description = "Address of Vault server including port"`
	`64`	`+}`