From 9d43941a257548ffa74236180328e635e2173315 Mon Sep 17 00:00:00 2001 From: Chris Pick Date: Mon, 24 Sep 2018 17:52:39 -0400 Subject: [PATCH 1/2] Rename evnVault*Addr -> envVault*Addr --- pkg/util/k8sutil/vault.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/util/k8sutil/vault.go b/pkg/util/k8sutil/vault.go index 44c6cb8..d8439e7 100644 --- a/pkg/util/k8sutil/vault.go +++ b/pkg/util/k8sutil/vault.go @@ -41,8 +41,8 @@ var ( vaultTLSAssetVolume = "vault-tls-secret" vaultConfigVolName = "vault-config" - evnVaultRedirectAddr = "VAULT_API_ADDR" - evnVaultClusterAddr = "VAULT_CLUSTER_ADDR" + envVaultRedirectAddr = "VAULT_API_ADDR" + envVaultClusterAddr = "VAULT_CLUSTER_ADDR" ) const ( @@ -152,11 +152,11 @@ func vaultContainer(v *api.VaultService) v1.Container { }, Env: []v1.EnvVar{ { - Name: evnVaultRedirectAddr, + Name: envVaultRedirectAddr, Value: VaultServiceURL(v.GetName(), v.GetNamespace(), VaultClientPort), }, { - Name: evnVaultClusterAddr, + Name: envVaultClusterAddr, Value: VaultServiceURL(v.GetName(), v.GetNamespace(), vaultClusterPort), }, }, From fbd1faf524e43e2b6cc0624e057556f50e6be477 Mon Sep 17 00:00:00 2001 From: Chris Pick Date: Mon, 24 Sep 2018 17:54:16 -0400 Subject: [PATCH 2/2] Run vault_exporter sidecar Run [`vault_exporter`](https://github.com/grapeshot/vault_exporter) as a sidecar to allow Prometheus to import `vault` status metrics (eg: whether it's initialized or sealed). Closes #346. --- pkg/util/k8sutil/vault.go | 75 ++++++++++++++++++++++++++++++++------- 1 file changed, 63 insertions(+), 12 deletions(-) diff --git a/pkg/util/k8sutil/vault.go b/pkg/util/k8sutil/vault.go index d8439e7..56f79f4 100644 --- a/pkg/util/k8sutil/vault.go +++ b/pkg/util/k8sutil/vault.go @@ -39,10 +39,13 @@ var ( // VaultConfigPath is the path that vault pod uses to read config from VaultConfigPath = "/run/vault/config/vault.hcl" - vaultTLSAssetVolume = "vault-tls-secret" - vaultConfigVolName = "vault-config" - envVaultRedirectAddr = "VAULT_API_ADDR" - envVaultClusterAddr = "VAULT_CLUSTER_ADDR" + vaultTLSAssetVolume = "vault-tls-secret" + vaultClientTLSAssetVolume = "vault-client-tls-secret" + vaultConfigVolName = "vault-config" + envVaultAddr = "VAULT_ADDR" + envVaultRedirectAddr = "VAULT_API_ADDR" + envVaultClusterAddr = "VAULT_CLUSTER_ADDR" + envVaultCacert = "VAULT_CACERT" ) const ( @@ -51,9 +54,12 @@ const ( vaultClientPortName = "vault-client" vaultClusterPortName = "vault-cluster" - exporterStatsdPort = 9125 - exporterPromPort = 9102 - exporterImage = "prom/statsd-exporter:v0.5.0" + statsdExporterStatsdPort = 9125 + statsdExporterPromPort = 9102 + statsdExporterImage = "prom/statsd-exporter:v0.5.0" + + vaultExporterPromPort = 9410 + vaultExporterImage = "grapeshot/vault_exporter:v0.1.1" ) // EtcdClientTLSSecretName returns the name of etcd client TLS secret for the given vault name @@ -214,14 +220,41 @@ func vaultContainer(v *api.VaultService) v1.Container { func statsdExporterContainer() v1.Container { return v1.Container{ Name: "statsd-exporter", - Image: exporterImage, + Image: statsdExporterImage, Ports: []v1.ContainerPort{{ Name: "statsd", - ContainerPort: exporterStatsdPort, + ContainerPort: statsdExporterStatsdPort, Protocol: "UDP", }, { Name: "prometheus", - ContainerPort: exporterPromPort, + ContainerPort: statsdExporterPromPort, + Protocol: "TCP", + }}, + } +} + +func vaultExporterContainer() v1.Container { + return v1.Container{ + Name: "vault-exporter", + Image: vaultExporterImage, + Env: []v1.EnvVar{ + { + Name: envVaultAddr, + Value: fmt.Sprintf("https://localhost:%d", VaultClientPort), + }, + { + Name: envVaultCacert, + Value: filepath.Join(vaultutil.VaultTLSAssetDir, api.CATLSCertName), + }, + }, + VolumeMounts: []v1.VolumeMount{{ + Name: vaultClientTLSAssetVolume, + ReadOnly: true, + MountPath: vaultutil.VaultTLSAssetDir, + }}, + Ports: []v1.ContainerPort{{ + Name: "status", + ContainerPort: vaultExporterPromPort, Protocol: "TCP", }}, } @@ -242,7 +275,7 @@ func DeployVault(kubecli kubernetes.Interface, v *api.VaultService) error { Labels: selector, }, Spec: v1.PodSpec{ - Containers: []v1.Container{vaultContainer(v), statsdExporterContainer()}, + Containers: []v1.Container{vaultContainer(v), statsdExporterContainer(), vaultExporterContainer()}, Volumes: []v1.Volume{{ Name: vaultConfigVolName, VolumeSource: v1.VolumeSource{ @@ -261,6 +294,7 @@ func DeployVault(kubecli kubernetes.Interface, v *api.VaultService) error { configEtcdBackendTLS(&podTempl, v) configVaultServerTLS(&podTempl, v) + configVaultClientTLS(&podTempl, v) d := &appsv1beta1.Deployment{ ObjectMeta: metav1.ObjectMeta{ @@ -307,7 +341,12 @@ func DeployVault(kubecli kubernetes.Interface, v *api.VaultService) error { { Name: "prometheus", Protocol: v1.ProtocolTCP, - Port: exporterPromPort, + Port: statsdExporterPromPort, + }, + { + Name: "status", + Protocol: v1.ProtocolTCP, + Port: vaultExporterPromPort, }, }, }, @@ -481,3 +520,15 @@ func configVaultServerTLS(pt *v1.PodTemplateSpec, v *api.VaultService) { } pt.Spec.Volumes[1].VolumeSource.Projected.Sources = append(pt.Spec.Volumes[1].VolumeSource.Projected.Sources, serverTLSVolume) } + +// configVaultClientTLS mounts the volume containing the vault client TLS assets for the vault-exporter pod +func configVaultClientTLS(pt *v1.PodTemplateSpec, v *api.VaultService) { + pt.Spec.Volumes = append(pt.Spec.Volumes, v1.Volume{ + Name: vaultClientTLSAssetVolume, + VolumeSource: v1.VolumeSource{ + Secret: &v1.SecretVolumeSource{ + SecretName: v.Spec.TLS.Static.ClientSecret, + }, + }, + }) +}