The following resources are composed to implement the referenced Composite Resource Definition (XRD).
ServiceAccount
KeyRing
CryptoKey
CryptoKeyPolicy
ServiceAccountPolicy
Bucket
BucketPolicyMember
BucketPolicyMember
Release
Release
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
name: vaults.gcp.multivault.crossplane.io
creationTimestamp: null
labels:
provider: helm
spec:
compositeTypeRef:
apiVersion: gcp.multivault.crossplane.io/v1alpha1
kind: Vaults
resources:
- base:
apiVersion: iam.gcp.crossplane.io/v1alpha1
kind: ServiceAccount
spec:
forProvider:
description: sa used by vault to access bucket and cryptokey for auto unseal
patches:
- fromFieldPath: metadata.name
toFieldPath: metadata.annotations[crossplane.io/external-name]
- fromFieldPath: metadata.name
toFieldPath: spec.forProvider.displayName
transforms:
- type: string
string:
fmt: vault service account for cluster %s
- base:
apiVersion: kms.gcp.crossplane.io/v1alpha1
kind: KeyRing
metadata:
annotations:
crossplane.io/external-name: vault-on-gke-keyring
spec:
forProvider:
location: global
- base:
apiVersion: kms.gcp.crossplane.io/v1alpha1
kind: CryptoKey
spec:
forProvider:
keyRingSelector:
matchControllerRef: true
purpose: ENCRYPT_DECRYPT
patches:
- fromFieldPath: metadata.name
toFieldPath: metadata.annotations[crossplane.io/external-name]
- base:
apiVersion: kms.gcp.crossplane.io/v1alpha1
kind: CryptoKeyPolicy
spec:
forProvider:
cryptoKeySelector:
matchControllerRef: true
policy:
bindings:
- role: roles/cloudkms.cryptoKeyEncrypterDecrypter
serviceAccountMemberSelector:
matchControllerRef: true
- base:
apiVersion: iam.gcp.crossplane.io/v1alpha1
kind: ServiceAccountPolicy
spec:
forProvider:
policy:
bindings:
- role: roles/iam.workloadIdentityUser
serviceAccountSelector:
matchControllerRef: true
patches:
- fromFieldPath: spec.projectID
toFieldPath: spec.forProvider.policy.bindings[0].members[0]
transforms:
- type: string
string:
fmt: serviceAccount:%s.svc.id.goog[vault-system/vault]
- base:
apiVersion: storage.gcp.crossplane.io/v1alpha3
kind: Bucket
spec:
location: US
storageClass: MULTI_REGIONAL
patches:
- fromFieldPath: metadata.name
toFieldPath: metadata.annotations[crossplane.io/external-name]
- base:
apiVersion: storage.gcp.crossplane.io/v1alpha1
kind: BucketPolicyMember
spec:
forProvider:
bucketSelector:
matchControllerRef: true
role: roles/storage.objectAdmin
serviceAccountMemberSelector:
matchControllerRef: true
patches:
- fromFieldPath: metadata.name
toFieldPath: metadata.name
transforms:
- type: string
string:
fmt: "%s-object-admin"
- base:
apiVersion: storage.gcp.crossplane.io/v1alpha1
kind: BucketPolicyMember
spec:
forProvider:
bucketSelector:
matchControllerRef: true
role: roles/storage.legacyBucketReader
serviceAccountMemberSelector:
matchControllerRef: true
patches:
- fromFieldPath: metadata.name
toFieldPath: metadata.name
transforms:
- type: string
string:
fmt: "%s-legacy-reader"
- base:
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
annotations:
crossplane.io/external-name: vault-tls
name: vault-tls
spec:
forProvider:
chart:
url: https://storage.googleapis.com/helm-repo-dev/vault-base-0.1.0.tgz
namespace: vault-system
values: {}
rollbackLimit: 3
patches:
- fromFieldPath: metadata.labels
toFieldPath: metadata.labels
- fromFieldPath: metadata.annotations
toFieldPath: metadata.annotations
- fromFieldPath: spec.providerConfigRef.name
toFieldPath: spec.providerConfigRef.name
- base:
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
annotations:
crossplane.io/external-name: vault-cluster
name: vault-cluster
spec:
forProvider:
chart:
name: vault
repository: https://helm.releases.hashicorp.com
version: 0.19.0
namespace: vault-system
values:
global:
tlsDisable: false
server:
extraContainers:
- env:
- name: GCS_BUCKET_NAME
- name: KMS_KEY_ID
- name: VAULT_CACERT
value: /vault/userconfig/vault-server-tls/ca.crt
image: registry.hub.docker.com/sethvargo/vault-init:0.2.0
imagePullPolicy: Always
name: vault-init
volumeMounts:
- mountPath: /vault/userconfig/vault-server-tls
name: userconfig-vault-server-tls
extraEnvironmentVars:
GOOGLE_REGION: global
VAULT_CACERT: /vault/userconfig/vault-server-tls/ca.crt
extraVolumes:
- name: vault-server-tls
type: secret
ha:
enabled: true
serviceAccount:
create: true
name: vault
standalone:
enabled: false
rollbackLimit: 3
patches:
- fromFieldPath: metadata.labels
toFieldPath: metadata.labels
- fromFieldPath: metadata.annotations
toFieldPath: metadata.annotations
- fromFieldPath: spec.providerConfigRef.name
toFieldPath: spec.providerConfigRef.name
- fromFieldPath: spec.projectID
toFieldPath: spec.forProvider.values.server.extraEnvironmentVars[GOOGLE_PROJECT]
- fromFieldPath: metadata.name
toFieldPath: spec.forProvider.values.server.extraContainers[0].env[0].value
- type: CombineFromComposite
combine:
variables:
- fromFieldPath: spec.projectID
- fromFieldPath: metadata.name
strategy: string
string:
fmt: projects/%s/locations/global/keyRings/vault-on-gke-keyring/cryptoKeys/%s
toFieldPath: spec.forProvider.values.server.extraContainers[0].env[1].value
- type: CombineFromComposite
combine:
variables:
- fromFieldPath: metadata.name
- fromFieldPath: spec.projectID
strategy: string
string:
fmt: "%s@%s.iam.gserviceaccount.com"
toFieldPath: spec.forProvider.values.server.serviceAccount.annotations["iam.gke.io/gcp-service-account"]
- type: CombineFromComposite
combine:
variables:
- fromFieldPath: metadata.name
- fromFieldPath: spec.projectID
- fromFieldPath: metadata.name
strategy: string
string:
fmt: |
ui = false
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/userconfig/vault-server-tls/tls.crt"
tls_key_file = "/vault/userconfig/vault-server-tls/tls.key"
tls_client_ca_file = "/vault/userconfig/vault-server-tls/ca.crt"
}
storage "gcs" {
bucket = "%s"
ha_enabled = "true"
}
seal "gcpckms" {
project = "%s"
region = "global"
key_ring = "vault-on-gke-keyring"
crypto_key = "%s"
}
toFieldPath: spec.forProvider.values.server.ha.config
writeConnectionSecretsToNamespace: crossplane-system
© 2022 Upbound, Inc.
Discover the building blocksfor your internal cloud platform.