upbound/platform-ref-multi-vault@v0.1.1
vaults.gcp.multivault.crossplane.io

Type

Composition

Referenced XRD

Vaults

Source Code: github.com/upbound/platform-ref-multi-vault
Resources (10)

The following resources are composed to implement the referenced Composite Resource Definition (XRD).

Kind
Group
Version

ServiceAccount

iam.gcp.crossplane.io
v1alpha1

KeyRing

kms.gcp.crossplane.io
v1alpha1

CryptoKey

kms.gcp.crossplane.io
v1alpha1

CryptoKeyPolicy

kms.gcp.crossplane.io
v1alpha1

ServiceAccountPolicy

iam.gcp.crossplane.io
v1alpha1

Bucket

storage.gcp.crossplane.io
v1alpha3

BucketPolicyMember

storage.gcp.crossplane.io
v1alpha1

BucketPolicyMember

storage.gcp.crossplane.io
v1alpha1

Release

helm.crossplane.io
v1beta1

Release

helm.crossplane.io
v1beta1
YAML
# Crossplane Composition for the `Vaults` composite resource
# (gcp.multivault.crossplane.io/v1alpha1). It composes the GCP IAM, KMS and
# Storage objects Vault needs for a GCS storage backend and KMS auto-unseal,
# then installs Vault through two Helm releases.
#
# Several patches below address entries of arrays in a base by position
# (e.g. extraContainers[0].env[1].value); reordering those arrays changes
# which field a patch lands on without any validation error.
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: vaults.gcp.multivault.crossplane.io
  creationTimestamp: null
  labels:
    provider: helm
spec:
  compositeTypeRef:
    apiVersion: gcp.multivault.crossplane.io/v1alpha1
    kind: Vaults
  resources:
    # GCP service account that Vault runs as. Its external name and display
    # name derive from the composite's metadata.name; the IAM bindings further
    # down grant it access to the composed key and bucket.
    - base:
        apiVersion: iam.gcp.crossplane.io/v1alpha1
        kind: ServiceAccount
        spec:
          forProvider:
            description: sa used by vault to access bucket and cryptokey for auto unseal
      patches:
        - fromFieldPath: metadata.name
          toFieldPath: metadata.annotations[crossplane.io/external-name]
        - fromFieldPath: metadata.name
          toFieldPath: spec.forProvider.displayName
          transforms:
            - type: string
              string:
                fmt: vault service account for cluster %s
    # KMS key ring with a fixed external name. The same literal
    # `vault-on-gke-keyring` is repeated in the KMS_KEY_ID fmt and in the
    # seal "gcpckms" stanza of the Vault HCL below; keep all three in sync.
    - base:
        apiVersion: kms.gcp.crossplane.io/v1alpha1
        kind: KeyRing
        metadata:
          annotations:
            crossplane.io/external-name: vault-on-gke-keyring
        spec:
          forProvider:
            location: global
    # Auto-unseal key inside that ring (keyRingSelector.matchControllerRef
    # binds it to the KeyRing composed above). Its external name is the
    # composite's metadata.name, which is also what the KMS_KEY_ID and
    # crypto_key patches below interpolate.
    - base:
        apiVersion: kms.gcp.crossplane.io/v1alpha1
        kind: CryptoKey
        spec:
          forProvider:
            keyRingSelector:
              matchControllerRef: true
            purpose: ENCRYPT_DECRYPT
      patches:
        - fromFieldPath: metadata.name
          toFieldPath: metadata.annotations[crossplane.io/external-name]
    # Grants the composed service account encrypt/decrypt on the composed key
    # only; no broader KMS role is bound.
    - base:
        apiVersion: kms.gcp.crossplane.io/v1alpha1
        kind: CryptoKeyPolicy
        spec:
          forProvider:
            cryptoKeySelector:
              matchControllerRef: true
            policy:
              bindings:
                - role: roles/cloudkms.cryptoKeyEncrypterDecrypter
                  serviceAccountMemberSelector:
                    matchControllerRef: true
    # Workload Identity binding: lets the Kubernetes service account
    # vault-system/vault impersonate the composed GCP service account. The base
    # carries no members list; the patch creates bindings[0].members[0] from
    # spec.projectID.
    - base:
        apiVersion: iam.gcp.crossplane.io/v1alpha1
        kind: ServiceAccountPolicy
        spec:
          forProvider:
            policy:
              bindings:
                - role: roles/iam.workloadIdentityUser
            serviceAccountSelector:
              matchControllerRef: true
      patches:
        - fromFieldPath: spec.projectID
          toFieldPath: spec.forProvider.policy.bindings[0].members[0]
          transforms:
            - type: string
              string:
                fmt: serviceAccount:%s.svc.id.goog[vault-system/vault]
    # GCS bucket for Vault's storage backend. Its external name is the
    # composite's metadata.name, the same value the GCS_BUCKET_NAME patch and
    # the `bucket` field of the storage "gcs" stanza receive.
    - base:
        apiVersion: storage.gcp.crossplane.io/v1alpha3
        kind: Bucket
        spec:
          location: US
          storageClass: MULTI_REGIONAL
      patches:
        - fromFieldPath: metadata.name
          toFieldPath: metadata.annotations[crossplane.io/external-name]
    # Bucket IAM for the composed service account: objectAdmin on the composed
    # bucket. The name patch suffixes the composite name so the two
    # BucketPolicyMember objects get distinct names.
    - base:
        apiVersion: storage.gcp.crossplane.io/v1alpha1
        kind: BucketPolicyMember
        spec:
          forProvider:
            bucketSelector:
              matchControllerRef: true
            role: roles/storage.objectAdmin
            serviceAccountMemberSelector:
              matchControllerRef: true
      patches:
        - fromFieldPath: metadata.name
          toFieldPath: metadata.name
          transforms:
            - type: string
              string:
                fmt: "%s-object-admin"
    # Second bucket binding: legacyBucketReader on the same bucket for the same
    # service account.
    - base:
        apiVersion: storage.gcp.crossplane.io/v1alpha1
        kind: BucketPolicyMember
        spec:
          forProvider:
            bucketSelector:
              matchControllerRef: true
            role: roles/storage.legacyBucketReader
            serviceAccountMemberSelector:
              matchControllerRef: true
      patches:
        - fromFieldPath: metadata.name
          toFieldPath: metadata.name
          transforms:
            - type: string
              string:
                fmt: "%s-legacy-reader"
    # Helm release `vault-tls`, installed from a fixed chart URL in a
    # `helm-repo-dev` bucket. Only a URL is given here; nothing in this spec
    # pins a checksum for the artifact. NOTE(review): verify or pin the chart
    # before using this beyond a reference. Labels, annotations and the
    # providerConfigRef are copied from the composite.
    - base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        metadata:
          annotations:
            crossplane.io/external-name: vault-tls
          name: vault-tls
        spec:
          forProvider:
            chart:
              url: https://storage.googleapis.com/helm-repo-dev/vault-base-0.1.0.tgz
            namespace: vault-system
            values: {}
          rollbackLimit: 3
      patches:
        - fromFieldPath: metadata.labels
          toFieldPath: metadata.labels
        - fromFieldPath: metadata.annotations
          toFieldPath: metadata.annotations
        - fromFieldPath: spec.providerConfigRef.name
          toFieldPath: spec.providerConfigRef.name
    # Helm release `vault-cluster`: the HashiCorp Vault chart in HA mode with
    # TLS left enabled (tlsDisable: false). The vault-init sidecar is pulled
    # by tag with imagePullPolicy: Always, so the image can change underneath
    # the release; NOTE(review): consider pinning it by digest. Every value
    # that depends on the composite (project, bucket, key, GCP SA annotation,
    # server HCL) is filled in by the patches below.
    - base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        metadata:
          annotations:
            crossplane.io/external-name: vault-cluster
          name: vault-cluster
        spec:
          forProvider:
            chart:
              name: vault
              repository: https://helm.releases.hashicorp.com
              version: 0.19.0
            namespace: vault-system
            values:
              global:
                tlsDisable: false
              server:
                extraContainers:
                  - env:
                      # env[0] and env[1] carry no value in the base; the
                      # positional patches below set them to the bucket name
                      # and the full KMS key resource id.
                      - name: GCS_BUCKET_NAME
                      - name: KMS_KEY_ID
                      - name: VAULT_CACERT
                        value: /vault/userconfig/vault-server-tls/ca.crt
                    image: registry.hub.docker.com/sethvargo/vault-init:0.2.0
                    imagePullPolicy: Always
                    name: vault-init
                    volumeMounts:
                      - mountPath: /vault/userconfig/vault-server-tls
                        name: userconfig-vault-server-tls
                extraEnvironmentVars:
                  # GOOGLE_PROJECT is added to this map by a patch from
                  # spec.projectID.
                  GOOGLE_REGION: global
                  VAULT_CACERT: /vault/userconfig/vault-server-tls/ca.crt
                extraVolumes:
                  # Secret with the server TLS material; the listener stanza in
                  # the HCL below reads tls.crt, tls.key and ca.crt from the
                  # /vault/userconfig/vault-server-tls mount.
                  - name: vault-server-tls
                    type: secret
                ha:
                  enabled: true
                serviceAccount:
                  # The iam.gke.io/gcp-service-account annotation that ties
                  # this KSA to the composed GCP SA is patched in below.
                  create: true
                  name: vault
                standalone:
                  enabled: false
          rollbackLimit: 3
      patches:
        - fromFieldPath: metadata.labels
          toFieldPath: metadata.labels
        - fromFieldPath: metadata.annotations
          toFieldPath: metadata.annotations
        - fromFieldPath: spec.providerConfigRef.name
          toFieldPath: spec.providerConfigRef.name
        - fromFieldPath: spec.projectID
          toFieldPath: spec.forProvider.values.server.extraEnvironmentVars[GOOGLE_PROJECT]
        # Positional: env[0] is GCS_BUCKET_NAME in the base above.
        - fromFieldPath: metadata.name
          toFieldPath: spec.forProvider.values.server.extraContainers[0].env[0].value
        # Positional: env[1] is KMS_KEY_ID. Builds the full resource id of the
        # composed CryptoKey: first %s = spec.projectID, second %s = composite
        # metadata.name (the key's external name).
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.projectID
              - fromFieldPath: metadata.name
            strategy: string
            string:
              fmt: projects/%s/locations/global/keyRings/vault-on-gke-keyring/cryptoKeys/%s
          toFieldPath: spec.forProvider.values.server.extraContainers[0].env[1].value
        # GCP SA e-mail for Workload Identity:
        # <composite name>@<projectID>.iam.gserviceaccount.com
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: metadata.name
              - fromFieldPath: spec.projectID
            strategy: string
            string:
              fmt: "%s@%s.iam.gserviceaccount.com"
          toFieldPath: spec.forProvider.values.server.serviceAccount.annotations["iam.gke.io/gcp-service-account"]
        # Vault server HCL. The three %s are substituted in order: storage
        # bucket (composite name), seal project (spec.projectID), crypto_key
        # (composite name). `fmt: |` is a literal block scalar, so every
        # indented line beneath it is part of the value.
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: metadata.name
              - fromFieldPath: spec.projectID
              - fromFieldPath: metadata.name
            strategy: string
            string:
              fmt: |
                ui = false
                listener "tcp" {
                address = "[::]:8200"
                cluster_address = "[::]:8201"
                tls_cert_file = "/vault/userconfig/vault-server-tls/tls.crt"
                tls_key_file  = "/vault/userconfig/vault-server-tls/tls.key"
                tls_client_ca_file = "/vault/userconfig/vault-server-tls/ca.crt"
                }
                storage "gcs" {
                bucket     = "%s"
                ha_enabled = "true"
                }
                seal "gcpckms" {
                project     = "%s"
                region      = "global"
                key_ring    = "vault-on-gke-keyring"
                crypto_key  = "%s"
                }
          toFieldPath: spec.forProvider.values.server.ha.config
  # Namespace that receives the connection secrets of the composed resources.
  writeConnectionSecretsToNamespace: crossplane-system