Merge branch 'develop' into 'main'

Release v1.0.0

See merge request !2

charts/Chart.yaml

+name: vault
+version: ${PROJECT_RELEASE_VERSION}

charts/templates/_helpers.tpl

+{{- define "redpanda.password" -}}
+{{- if not (get .Values "redpandaGeneratedPassword") -}}
+{{- $password := randAlphaNum 16 | nospace -}}
+{{- $_ := set .Values "redpandaGeneratedPassword" $password -}}
+{{- end -}}
+{{- get .Values "redpandaGeneratedPassword" -}}
+{{- end -}}
+
+{{- define "pgadmin.password" -}}
+{{- if not (get .Values "pgadminGeneratedPassword") -}}
+{{- $password := randAlphaNum 16 | nospace -}}
+{{- $_ := set .Values "pgadminGeneratedPassword" $password -}}
+{{- end -}}
+{{- get .Values "pgadminGeneratedPassword" -}}
+{{- end -}}
+
+{{- define "rediscommander.password" -}}
+{{- if not (get .Values "redisCommanderGeneratedPassword") -}}
+{{- $password := randAlphaNum 16 | nospace -}}
+{{- $_ := set .Values "redisCommanderGeneratedPassword" $password -}}
+{{- end -}}
+{{- get .Values "redisCommanderGeneratedPassword" -}}
+{{- end -}}
+
+{{- define "redis.password" -}}
+{{- if not (get .Values "redisGeneratedPassword") -}}
+{{- $password := randAlphaNum 16 | nospace -}}
+{{- $_ := set .Values "redisGeneratedPassword" $password -}}
+{{- end -}}
+{{- get .Values "redisGeneratedPassword" -}}
+{{- end -}}
+
+{{- define "redpandakafkauser.password" -}}
+{{- if not (get .Values "redpandaKafkaGeneratedPassword") -}}
+{{- $password := randAlphaNum 16 | nospace -}}
+{{- $_ := set .Values "redpandaKafkaGeneratedPassword" $password -}}
+{{- end -}}
+{{- get .Values "redpandaKafkaGeneratedPassword" -}}
+{{- end -}}
+
+{{- define "notificationkafkauser.password" -}}
+{{- if not (get .Values "notificationKafkaGeneratedPassword") -}}
+{{- $password := randAlphaNum 16 | nospace -}}
+{{- $_ := set .Values "notificationKafkaGeneratedPassword" $password -}}
+{{- end -}}
+{{- get .Values "notificationKafkaGeneratedPassword" -}}
+{{- end -}}
+
+{{- define "mailpitui.password" -}}
+{{- if not (get .Values "mailpituiGeneratedPassword") -}}
+{{- $password := randAlphaNum 16 | nospace -}}
+{{- $_ := set .Values "mailpituiGeneratedPassword" $password -}}
+{{- end -}}
+{{- get .Values "mailpituiGeneratedPassword" -}}
+{{- end -}}
+
+{{- define "mailpitsmtp.password" -}}
+{{- if not (get .Values "mailpitsmtpGeneratedPassword") -}}
+{{- $password := randAlphaNum 16 | nospace -}}
+{{- $_ := set .Values "mailpitsmtpGeneratedPassword" $password -}}
+{{- end -}}
+{{- get .Values "mailpitsmtpGeneratedPassword" -}}
+{{- end -}}
\ No newline at end of file

charts/templates/secrets.yaml

+apiVersion: v1
+kind: Secret
+metadata:
+  name: pg-admin-secret
+data:
+  password: {{ include "pgadmin.password" . | b64enc }}
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: redpanda-secret
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  auth: {{ htpasswd "admin" (include "redpanda.password" .) | b64enc }}
+  password: {{ include "redpanda.password" . | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kafka-users-secret
+data:
+  redpanda: {{ include "redpandakafkauser.password" . | b64enc }}
+  notification: {{ include "notificationkafkauser.password" . | b64enc }}
+  {{- range .Values.agentList.authorities }}
+  "{{ . }}_authprovider": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_usersroles": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_onboarding": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_tier2gw": {{ randAlphaNum 16 | nospace | b64enc }}
+  {{- end }}
+  {{- range .Values.agentList.providers }}
+  "{{ . }}_authprovider": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_usersroles": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_contract": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_infrabe": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_tier2gw": {{ randAlphaNum 16 | nospace | b64enc }}
+  {{- end }}
+  {{- range .Values.agentList.consumers }}
+  "{{ . }}_authprovider": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_usersroles": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_contract": {{ randAlphaNum 16 | nospace | b64enc }}
+  "{{ . }}_tier2gw": {{ randAlphaNum 16 | nospace | b64enc }}
+  {{- end }}
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: redis-secrets
+data:
+  redis: {{ include "redis.password" . | b64enc }}
+  commander: {{ include "rediscommander.password" . | b64enc }}
+type: Opaque
+{{- if .Values.mailpit.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mailpit-secrets
+data:
+  ui: {{ include "mailpitui.password" . | b64enc }}
+  ui.htpasswd: {{ htpasswd "admin" (include "mailpitui.password" .) | b64enc }}
+  smtp: {{ "smtppass" | b64enc }}
+  smtp.htpasswd: {{ htpasswd "smtp" "smtppass" | b64enc }}
+type: Opaque
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-secrets
+data:
+  {{- range .Values.agentList.authorities }}
+  {{ . }}: {{ randAlphaNum 16 | nospace | b64enc }}
+  {{- end }}
+  {{- range .Values.agentList.providers }}
+  {{ . }}: {{ randAlphaNum 16 | nospace | b64enc }}
+  {{- end }}
+  {{- range .Values.agentList.consumers }}
+  {{ . }}: {{ randAlphaNum 16 | nospace | b64enc }}
+  {{- end }}
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-secrets
+data:
+  gitops_test: {{ randAlphaNum 16 | nospace | b64enc }}
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ejbca-secret
+data:
+  keystorepass: {{ randAlphaNum 16 | nospace | b64enc }}
+type: Opaque
\ No newline at end of file

charts/templates/vault-rbac.yaml

+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: vault-sa
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/part-of: vault-operator
+  name: vault
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: leader-election-role
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: role
+    app.kubernetes.io/part-of: vault-operator
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: leader-election-rolebinding
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/part-of: vault-operator
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: manager-rolebinding
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/part-of: vault-operator
+  name: vault
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vault
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/instance: manager-rolebinding
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/part-of: vault-operator
+  name: vault-auth-delegator-{{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: {{ .Release.Namespace }}
\ No newline at end of file

charts/values.yaml

+cluster:
+  namespace: common
+
+image:
+  repository: hashicorp/vault
+  tag: 1.19.0
+
+replicasCount: 3
+
+agentList: {}
+
+kafkaCredentials: {}
+#  infrabe: infrabe
+#  user1: password1
+
+hashicorp:
+  service: "http://vaultservice.vaultns.svc.cluster.local:8200"
+  role: "accessrole_name"
+  secretEngine: name
+
+domainSuffix: int.simpl-europe.eu
+
+mailpit:
+  enabled: true
\ No newline at end of file

documents/README.md

+# Vault
+
+## Description
+This project contains the configuration files required for Vault deployment using Helm, preconfigured for use with SIMPL project.
+
+## Pre-Requisites
+
+Ensure you have the following tools installed before starting the deployment process:
+- Git
+- Helm
+- Kubectl
+
+Additionally, ensure you have access to a Kubernetes cluster where ArgoCD is installed.
+
+The following versions of the elements will be used in the process:
+
+| Pre-Requisites         |     Version     | Description                                                                                                                                     |
+| ---------------------- |     :-----:     | ----------------------------------------------------------------------------------------------------------------------------------------------- |
+| DNS sub-domain name    |       N/A       | This domain will be used to address all services of the agent. <br/> example: `*.common.int.simpl-europe.eu`   |  
+| Kubernetes Cluster     | 1.29.x or newer | Other version *might* work but tests were performed using 1.29.x version   |
+
+## Installation
+
+Modify the values file for your preference and deploy as an usual Helm chart. 
+
+Mentionable values:
+
+| Variable name                 |     Example         | Description     |
+| ----------------------        |     :-----:         | --------------- |
+| cluster.namespace             | common      | namespace of deployment  |
+| image.repository              | hashicorp/vault     | image repo  |
+| image.tag                     | 1.19.0 | image tag |
+| replicasCount                 | 3 | enables autocreation of topics |
+| agentList                     | below the table | list of agents for which secrets should be created |
+| kafkaCredentials              | user: password | additional accounts that should be created for kafka |
+| hashicorp.service             | http://vaultservice.vaultns.svc.cluster.local:8200 | link to vault service
+| hashicorp.role                | accessrole_name | name of role for vault access |
+| hashicorp.secretEngine        | name | secret engine name in vault |
+| domainSuffix                  | int.simpl-europe.eu | domain suffix
+| mailpit                       | true | should secret for mailpit be created |
+
+Example of agentList:
+
+    agentList:
+      authorities:
+      - authority1
+      consumers:
+      - consumer01
+      providers:
+      - dataprovider01
+
+All the mentioned hashicorp branch values should be populated.
\ No newline at end of file

pipeline.variables.sh

-PROJECT_VERSION_NUMBER="0.0.1"
\ No newline at end of file
+PROJECT_VERSION_NUMBER="1.0.0"
\ No newline at end of file