Closed MadOtis closed 6 years ago
Only for my personal info: is that something similar to that one?
https://github.com/rancher/rancher-catalog/tree/v1.6-development/infra-templates/secrets-bridge-v2/1
I don't believe so... secrets bridge interfaces with vault to provide access to rancher, if I remember correctly. I've only looked at secrets bridge once or twice because it doesn't really mention installing a vault container.
---- On Wed, 21 Mar 2018 02:50:14 -0700 notifications@github.com wrote ----
Hi @MadOtis, thanks for the PR and contribution.
Please, take a look at changes requested.
Thanks for that feedback! All those changes are easy to implement. Some values are simply defaults for my environment and, to be honest, I never thought to clean those out (like the journals log value). I'll get it all cleaned up and updated as soon as I can today.
Cheers! Randy
---- On Mon, 09 Apr 2018 04:03:47 -0700 notifications@github.com wrote ----
@rawmind0 requested changes on this pull request.
In templates/vault/0/rancher-compose.yml:
- local
- rancher-nfs
- rancher-efs
- rancher-ebs +services:
- vault-lb:
- scale: 1
- start_on_create: true
- lb_config:
- certs: []
- port_rules:
- priority: 1
- protocol: tcp
- service: vault
- source_port: 8200
- target_port: 18200
What do you think if you add another question to the catalog, to be able to choose the source_port number to publish??
Is the target_port definition right?? What happens if someone edits the VAULT_LOCAL_CONFIG "listener" field?? Have you considered using the VAULT_REDIRECT_ADDR env variable as shown in the vault image docker-entrypoint.sh??
You could ask for a port to listen on, VAULT_LISTEN_PORT, remove the "listener" field from VAULT_LOCAL_CONFIG and add the variable into the vault service's docker definition
VAULT_REDIRECT_ADDR: http://0.0.0.0:${VAULT_LISTEN_PORT} and in this file,
source_port: ${VAULT_LISTEN_PORT}
target_port: ${VAULT_LISTEN_PORT}
In templates/vault/0/docker-compose.yml.tpl:
- driver: ${volumeDriver} +services:
- vault-lb:
- image: rancher/lb-service-haproxy:v0.7.15
- ports:
- 8200:8200/tcp
- 8201:8201/tcp
- labels:
- io.rancher.scheduler.affinity:host_label: lbhost=true
- io.rancher.container.agent.role: environmentAdmin,agent
- io.rancher.container.agent_service.drain_provider: 'true'
- io.rancher.container.create_agent: 'true'
- vault:
- cap_add:
- IPC_LOCK
- image: vault
Please, set a concrete tag for docker images. Generic tags, implicit or explicit, are not reproducible.
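Review bot: the `io.rancher.container.agent.role: environmentAdmin,agent` label on vault-lb gives that container environment-admin API access; rancher/lb-service-haproxy needs it to discover the vault service endpoints, but a README sentence should say so, since an operator installing a secrets store may not expect the load balancer in front of it to run with that role. The same service also publishes `8201:8201/tcp`, the cluster port, on the host next to the API port 8200; if the cluster port must be reachable at all, keep it to the hosts that run vault rather than every `lbhost=true` host.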
- vault-lb:
- scale: 1
- start_on_create: true
- lb_config:
- certs: []
- port_rules:
- priority: 1
- protocol: tcp
- service: vault
- source_port: 8200
- target_port: 18200
- priority: 2
- protocol: tcp
- service: vault
- source_port: 8201
- target_port: 8201
Is it mandatory to expose the vault cluster port?? If yes, what do you think if you add another question to the catalog, to be able to choose the source_port number to publish??
Have you considered using VAULT_CLUSTER_ADDR as shown in the vault image docker-entrypoint.sh?? You could ask for a port to listen on, VAULT_CLUSTER_PORT, and add the variable into the vault service's docker definition
VAULT_CLUSTER_ADDR: http://0.0.0.0:${VAULT_CLUSTER_PORT} and in this file,
source_port: ${VAULT_CLUSTER_PORT}
target_port: ${VAULT_CLUSTER_PORT}
In templates/vault/0/docker-compose.yml.tpl:
- io.rancher.container.create_agent: 'true'
- vault:
- cap_add:
- IPC_LOCK
- image: vault
- environment:
- VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG} +{{- if eq .Values.useConsul "true"}}
- external_links:
- ${consulService}:consul +{{- end}}
- volumes:
- vault-file:/vault/file
- vault-config:/vault/config
- logging:
- driver: journald
Is it mandatory to use the journald driver for docker logging??
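Review bot: `vault-file:/vault/file` is the on-disk secret store whenever the file backend is selected, and the `volumeDriver` question defaults to `local`, so that store lives only on the host where the container first starts; a reschedule to another host brings up a Vault with an empty store. The README should say that `local` is for single-host testing and that `rancher-nfs`, `rancher-efs` or `rancher-ebs` is expected when the data has to survive a host change.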
In templates/vault/0/docker-compose.yml.tpl:
- image: vault
- environment:
- VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG} +{{- if eq .Values.useConsul "true"}}
- external_links:
- ${consulService}:consul +{{- end}}
- volumes:
- vault-file:/vault/file
- vault-config:/vault/config
- logging:
- driver: journald
- command:
- server
- labels:
- io.rancher.container.pull_image: always
Using a concrete docker image tag, you don't need to pull the image always.
@@ -0,0 +1,67 @@ +version: '2' +catalog:
- name: Vault
- version: 1.0-test-rancher1
- description: |
- Installs a Vault container, internal (Rancher) load-balancer, and allows connection to a Consul cluster
- uuid: vault-rac-0
- questions:
- variable: VAULT_LOCAL_CONFIG
- label: Provide a default config?
- description: |
- This is the embedded JSON format config file that vault will use at startup
- type: multiline
- default: |
- {"backend":{"consul":{"address":"http://
: ", "advertise_addr":"http:// ","path":" "}}, "listener":{"tcp":{"address":"0.0.0.0:18200","tls_disable":1}}}
The default value didn't work. What do you think about adding a templates/vault/0/README.md to explain how to set it??
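Review bot: the shipped default sets `"tls_disable":1` on the listener, and the lb rules in rancher-compose.yml use `protocol: tcp` with `certs: []`, so nothing terminates TLS and the client-to-Vault path is plaintext end to end; with the consul `address`, `advertise_addr` and `path` values rendering empty here, the default is neither working nor a safe starting point. Suggest a default that starts as-is (file backend on /vault/file, listener on the chosen port) and a README that shows the listener with `tls_cert_file` and `tls_key_file` set, documenting `tls_disable` as a development-only option.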
In templates/vault/0/rancher-compose.yml:
- label: Specify the Consul service to connect to
- description: |
- The pre-installed Consul server to back to
- default: "select"
- type: service
- variable: volumeDriver
- label: Driver for volumes
- description: |
- How/Where to store your vault config and logs
- default: local
- type: enum
- options:
- local
- rancher-nfs
- rancher-efs
- rancher-ebs
What do you think about adding VAULT_LISTEN_PORT and VAULT_CLUSTER_PORT to avoid collisions and be able to choose distinct port numbers?
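Review bot: the `volumeDriver` description says "How/Where to store your vault config and logs", but the compose file mounts `vault-file` (the storage data when the file backend is used) and `vault-config`, and logs go to the journald driver rather than a volume. Reword it to something like "Driver for the volumes holding Vault storage (file backend) and config" so the operator understands the volume carries the secret store itself. The `type: service` question above has no `required` flag; since the template gates consul on `useConsul`, say in its description that it can be left unselected.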
Thanks for the changes @MadOtis.
The default config only works if consul is selected as the backend. I propose an alternative to do it and make it work with consul or file as the vault backend. Please, take a look at the changes requested.
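A small validator, added here as an example and not part of the PR or the catalog, that applies the checks raised in this review to a VAULT_LOCAL_CONFIG string: it flags empty consul placeholders, a listener with `tls_disable`, TLS enabled without a cert/key pair, and a listener port that does not match the lb `target_port`. The sample string is constructed to mirror the shape of the default shown above.

```python
import json
from typing import List, Optional

# Constructed sample with the shape of the PR's VAULT_LOCAL_CONFIG default:
# host placeholders left empty, listener on 18200 with TLS disabled.
PR_DEFAULT = (
    '{"backend":{"consul":{"address":"http://","advertise_addr":"http://",'
    '"path":""}},"listener":{"tcp":{"address":"0.0.0.0:18200","tls_disable":1}}}'
)


def _host(addr: str) -> str:
    """Drop an optional http:// or https:// scheme and return the host part."""
    for scheme in ("https://", "http://"):
        if addr.startswith(scheme):
            return addr[len(scheme):]
    return addr


def check_vault_local_config(raw: str, lb_target_port: Optional[int] = None) -> List[str]:
    """Return findings for a VAULT_LOCAL_CONFIG JSON string; [] means it passed."""
    findings: List[str] = []
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    # Vault accepts the older "backend" key and the newer "storage" key.
    backend = cfg.get("backend") or cfg.get("storage") or {}
    if not backend:
        findings.append("no backend/storage stanza")
    consul = backend.get("consul")
    if consul is not None:
        if not _host(consul.get("address", "")):
            findings.append("consul address is an empty placeholder")
        if not consul.get("path"):
            findings.append("consul path is empty")
    tcp = cfg.get("listener", {}).get("tcp")
    if tcp is None:
        findings.append("no tcp listener stanza")
        return findings
    if tcp.get("tls_disable") in (1, "1", "true"):
        findings.append("listener has tls_disable set: API traffic is plaintext")
    elif not (tcp.get("tls_cert_file") and tcp.get("tls_key_file")):
        findings.append("TLS enabled but tls_cert_file/tls_key_file not set")
    if lb_target_port is not None:
        # The lb target_port in rancher-compose.yml must match the listener port.
        port = tcp.get("address", "").rsplit(":", 1)[-1]
        if port != str(lb_target_port):
            findings.append(f"listener port {port} does not match lb target_port {lb_target_port}")
    return findings
```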
@MadOtis, nice changes. Thanks for adding all storage backends. :)
There are some errors in some definitions, please take a look at the changes requested.
Latest PR changes committed.
Thanks @MadOtis for the changes. Finally it's working fine. :)
LGTM...
Awesome! I'm adding a few finishing touches to another contribution for AWX, too. I've tried to keep it updated with your comments from Vault, so in a day or so, I'll be branching off again for AWX.
Thanks for all the suggestions! I've learned a lot!
---- On Wed, 11 Apr 2018 14:55:46 -0700 notifications@github.com wrote ----
Wanted to give back to the community, so I've added a catalog item for Hashicorp's Vault that I use in several environments. Not sure of any licensing restrictions from Hashicorp, but I see other stuff of theirs in the catalog, so I added this one.