From 517af2d4020a7105f5fb7563b7a10ebd013fdfee Mon Sep 17 00:00:00 2001
From: vandomej
Date: Sat, 27 Sep 2025 19:13:52 -0700
Subject: [PATCH] Adding existing vault code
---
 README.md | 7 ++
 hc_vault/.gitignore | 7 ++
 hc_vault/README.md | 52 ++++++++++++
 hc_vault/docker-compose.yml | 53 ++++++++++++
 hc_vault/example.yaml | 125 ++++++++++++++++++++++++++++
 hc_vault/hc_vault/Dockerfile | 6 ++
 hc_vault/hc_vault/config/config.hcl | 22 +++++
 hc_vault/nginx/conf/nginx.conf | 40 +++++++++
 8 files changed, 312 insertions(+)
 create mode 100644 README.md
 create mode 100644 hc_vault/.gitignore
 create mode 100644 hc_vault/README.md
 create mode 100644 hc_vault/docker-compose.yml
 create mode 100644 hc_vault/example.yaml
 create mode 100644 hc_vault/hc_vault/Dockerfile
 create mode 100644 hc_vault/hc_vault/config/config.hcl
 create mode 100644 hc_vault/nginx/conf/nginx.conf
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..05d8708
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# Setup
+
+`brew install minikube`
+
+```bash
+ minikube start --driver=podman --container-runtime=cri-o
+```
\ No newline at end of file
diff --git a/hc_vault/.gitignore b/hc_vault/.gitignore
new file mode 100644
index 0000000..8a6436f
--- /dev/null
+++ b/hc_vault/.gitignore
@@ -0,0 +1,7 @@
+# Ignore the directory where Vault stores its data
+vault_data/
+
+# Ignore all pem, crt, and key files
+*.pem
+*.crt
+*.key
\ No newline at end of file
diff --git a/hc_vault/README.md b/hc_vault/README.md
new file mode 100644
index 0000000..cf990ef
--- /dev/null
+++ b/hc_vault/README.md
@@ -0,0 +1,52 @@
+# Setup
+
+Make sure you have `podman` and `podman-compose` installed.
+
+```bash
+brew install podman podman-compose
+```
+
+Make sure the needed directories exists:
+
+```bash
+mkdir -p ./hc_vault/vault_data
+mkdir -p ./hc_vault/certs
+mkdir -p ./ssl-certs
+```
+
+Generate tailscale certs and place them in ssl-certs folder
+```bash
+tailscale cert .
+
+cp ~/Library/Containers/io.tailscale.ipn.macos/Data/* ./
+```
+
+Then rename them to:
+- tailscale-cert.crt
+- tailscale-key.key
+
+Then generate a self-signed root CA and use it to sign the Vault server cert:
+```bash
+brew install mkcert nss
+
+mkcert -install
+
+mkcert -key-file ./hc_vaut/certs/vault.key -cert-file ./hc_cault/certs/vault.crt \
+ "*.faun-snapper.ts.net" \
+ "faun-snapper.ts.net" \
+ 127.0.0.1 \
+ "localhost" \
+ "::1" \
+ "vault"
+
+# Copy Root CA cert as well
+cp "$(mkcert -CAROOT)/rootCA.pem" ./hc_vault/certs/rootCA.pem
+```
+
+
+
+Then just run
+
+```bash
+podman-compose up -d
+```
\ No newline at end of file
diff --git a/hc_vault/docker-compose.yml b/hc_vault/docker-compose.yml
new file mode 100644
index 0000000..76fb8b7
--- /dev/null
+++ b/hc_vault/docker-compose.yml
@@ -0,0 +1,53 @@
+version: '3.8'
+
+services:
+ vault:
+ build: ./hc_vault
+ image: tepichord/vault:latest
+ hostname: vault
+ command: server
+ cap_add:
+ - IPC_LOCK
+ security_opt:
+ - label=disable
+ privileged: true
+ volumes:
+ - ./hc_vault/config:/vault/config:z
+ - ./hc_vault/certs:/opt/vault/certs:z
+ - ./hc_vault/vault_data:/opt/vault/data:z # Host directory (easy to backup)
+ environment:
+ - VAULT_ADDR=https://127.0.0.1:8200
+ - VAULT_API_ADDR=https://0.0.0.0:8200
+ - VAULT_CACERT=/opt/vault/certs/rootCA.pem
+ ports:
+ - "8200:8200" # Only for direct access if needed
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "vault", "status", "-format=json"]
+ interval: 5m
+ timeout: 10s
+ retries: 3
+
+ nginx:
+ image: nginx:alpine
+ hostname: nginx
+ volumes:
+ - ./nginx/conf:/etc/nginx:z
+ - ./ssl-certs:/etc/ssl:z
+ - ./hc_vault/certs:/etc/vault-certs:z # For trusting Vault's cert
+ ports:
+ - "8443:443"
+ - "8080:80" # Optional: redirect HTTP to HTTPS
+ depends_on:
+ - vault
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "nginx", "-t"]
+ interval: 5m
+ timeout: 10s
+ retries: 3
+
+networks:
+ default:
+ name: vault-network
+ driver: bridge
\ No newline at end of file
diff --git a/hc_vault/example.yaml b/hc_vault/example.yaml
new file mode 100644
index 0000000..e7e99a5
--- /dev/null
+++ b/hc_vault/example.yaml
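Review bot: `privileged: true` on the vault service grants the container every capability and host device access, far more than a Vault server needs; `cap_add: IPC_LOCK` already covers memory locking, and since config.hcl in this same commit sets `disable_mlock = true` even that appears unused. Dropping the `privileged: true` line (and, if the `:z` volume labels suffice, the `security_opt: label=disable` entry) keeps the container confined without changing what Vault does. The generated example.yaml carries the same issue in its securityContext (`privileged: true`, `procMount: Unmasked`, `type: spc_t`), so it would need regenerating after the fix. Publishing `"8200:8200"` also exposes Vault on every host interface alongside the nginx front end; if direct access is only for occasional use, binding it as `"127.0.0.1:8200:8200"` limits it to the host.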
@@ -0,0 +1,125 @@
+# Save the output of this file and use kubectl create -f to import
+# it into Kubernetes.
+#
+# Created with podman-5.6.1
+
+# NOTE: The namespace sharing for a pod has been modified by the user and is not the same as the
+# default settings for kubernetes. This can lead to unexpected behavior when running the generated
+# kube yaml in a kubernetes cluster.
+---
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: "2025-09-22T02:26:07Z"
+ labels:
+ app: podhcvault
+ name: podhcvault
+spec:
+ ports:
+ - name: "8200"
+ nodePort: 32706
+ port: 8200
+ targetPort: 8200
+ - name: "80"
+ nodePort: 30266
+ port: 80
+ targetPort: 80
+ - name: "443"
+ nodePort: 32536
+ port: 443
+ targetPort: 443
+ selector:
+ app: podhcvault
+ type: NodePort
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ bind-mount-options: /Users/tepichord/hc_vault/nginx/conf:z
+ io.kubernetes.cri-o.SandboxID/hcvaultnginx1: 9953963847a9ec2c093caca148c53d760368fb3dd9acbd5992d5deafd5d73e8d
+ io.kubernetes.cri-o.SandboxID/hcvaultvault1: 9953963847a9ec2c093caca148c53d760368fb3dd9acbd5992d5deafd5d73e8d
+ creationTimestamp: "2025-09-22T02:26:07Z"
+ labels:
+ app: podhcvault
+ name: podhcvault
+spec:
+ containers:
+ - args:
+ - server
+ env:
+ - name: VAULT_CACERT
+ value: /opt/vault/certs/rootCA.pem
+ - name: VAULT_ADDR
+ value: https://127.0.0.1:8200
+ - name: VAULT_API_ADDR
+ value: https://0.0.0.0:8200
+ - name: HOSTNAME
+ value: vault
+ image: localhost/tepichord/vault:latest
+ name: hcvaultvault1
+ ports:
+ - containerPort: 8200
+ securityContext:
+ privileged: true
+ procMount: Unmasked
+ seLinuxOptions:
+ type: spc_t
+ volumeMounts:
+ - mountPath: /vault/config
+ name: users-tepichord-hc-vault-hc-vault-config-host-0
+ - mountPath: /opt/vault/certs
+ name: users-tepichord-hc-vault-hc-vault-certs-host-1
+ - mountPath: /opt/vault/data
+ name: users-tepichord-hc-vault-hc-vault-vault-data-host-2
+ - mountPath: /vault/logs
+ name: 2dd2aea4dfe15af0880037ebad6ed68dac260d980411abc9b0b171a57c110d71-pvc
+ - mountPath: /vault/file
+ name: 4d7764e1aa42ba3d48ef865a321b85883dcdaaacf863d1c0eab041c2d50f96c6-pvc
+ - args:
+ - nginx
+ - -g
+ - daemon off;
+ env:
+ - name: HOSTNAME
+ value: nginx
+ image: docker.io/library/nginx:alpine
+ name: hcvaultnginx1
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+ volumeMounts:
+ - mountPath: /etc/ssl
+ name: users-tepichord-hc-vault-ssl-certs-host-0
+ - mountPath: /etc/vault-certs
+ name: users-tepichord-hc-vault-hc-vault-certs-host-1
+ - mountPath: /etc/nginx
+ name: users-tepichord-hc-vault-nginx-conf-host-2
+ hostname: vault
+ volumes:
+ - hostPath:
+ path: /Users/tepichord/hc_vault/hc_vault/vault_data
+ type: Directory
+ name: users-tepichord-hc-vault-hc-vault-vault-data-host-2
+ - name: 2dd2aea4dfe15af0880037ebad6ed68dac260d980411abc9b0b171a57c110d71-pvc
+ persistentVolumeClaim:
+ claimName: 2dd2aea4dfe15af0880037ebad6ed68dac260d980411abc9b0b171a57c110d71
+ - name: 4d7764e1aa42ba3d48ef865a321b85883dcdaaacf863d1c0eab041c2d50f96c6-pvc
+ persistentVolumeClaim:
+ claimName: 4d7764e1aa42ba3d48ef865a321b85883dcdaaacf863d1c0eab041c2d50f96c6
+ - hostPath:
+ path: /Users/tepichord/hc_vault/ssl-certs
+ type: Directory
+ name: users-tepichord-hc-vault-ssl-certs-host-0
+ - hostPath:
+ path: /Users/tepichord/hc_vault/nginx/conf
+ type: Directory
+ name: users-tepichord-hc-vault-nginx-conf-host-2
+ - hostPath:
+ path: /Users/tepichord/hc_vault/hc_vault/config
+ type: Directory
+ name: users-tepichord-hc-vault-hc-vault-config-host-0
+ - hostPath:
+ path: /Users/tepichord/hc_vault/hc_vault/certs
+ type: Directory
+ name: users-tepichord-hc-vault-hc-vault-certs-host-1
diff --git a/hc_vault/hc_vault/Dockerfile b/hc_vault/hc_vault/Dockerfile
new file mode 100644
index 0000000..e29a6f7
--- /dev/null
+++ b/hc_vault/hc_vault/Dockerfile
@@ -0,0 +1,6 @@
+FROM hashicorp/vault:latest
+
+# VOLUME data
+
+RUN mkdir -p /opt/vault/data
+RUN chown -R vault:vault /opt/vault/data
\ No newline at end of file
diff --git a/hc_vault/hc_vault/config/config.hcl b/hc_vault/hc_vault/config/config.hcl
new file mode 100644
index 0000000..123a422
--- /dev/null
+++ b/hc_vault/hc_vault/config/config.hcl
@@ -0,0 +1,22 @@
+ui = true
+api_addr = "https://0.0.0.0:8200"
+default_lease_ttl = "2304h"
+max_lease_ttl = "2304h"
+disable_mlock = true
+
+storage "file" {
+ path = "/opt/vault/data"
+}
+
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_cert_file = "/opt/vault/certs/vault.crt"
+ tls_key_file = "/opt/vault/certs/vault.key"
+ tls_client_ca_file = "/opt/vault/certs/rootCA.pem"
+}
+
+user_lockout "all" {
+ lockout_threshold = 25
+ lockout_duration = "60m"
+ lockout_counter_reset = "60m"
+}
\ No newline at end of file
diff --git a/hc_vault/nginx/conf/nginx.conf b/hc_vault/nginx/conf/nginx.conf
new file mode 100644
index 0000000..7e786e2
--- /dev/null
+++ b/hc_vault/nginx/conf/nginx.conf
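Review bot: `FROM hashicorp/vault:latest` pins nothing, so every rebuild may pull a different Vault release and the version actually running cannot be read from the repository; pin a release tag, e.g. `FROM hashicorp/vault:<pinned-version>` (placeholder), and bump it deliberately. The two `RUN` lines can be collapsed into one layer, `RUN mkdir -p /opt/vault/data && chown -R vault:vault /opt/vault/data`. The `# VOLUME data` comment is dead; either remove it or replace it with a note that `/opt/vault/data` is bind-mounted from the host by docker-compose.yml.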
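Review bot: `tls_client_ca_file` in the `listener "tcp"` block does not by itself require client certificates — Vault only enforces them when `tls_require_and_verify_client_cert = true` is also set — so as written any client can connect and the line gives a misleading impression of mTLS; either add that setting or drop `tls_client_ca_file`. `api_addr = "https://0.0.0.0:8200"` is the address Vault advertises to clients for redirection, and 0.0.0.0 is not a reachable address; it should be the URL clients actually dial (presumably `https://vault:8200` given the compose hostname). `disable_mlock = true` combined with file storage means unsealed key material may be swapped to disk, while docker-compose.yml already grants `IPC_LOCK`, so mlock could simply be left enabled. A one-line comment explaining why `default_lease_ttl` and `max_lease_ttl` are both 2304h (96 days) would also help the next reader.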
@@ -0,0 +1,40 @@
+# nginx/conf/nginx.conf
+events {
+ worker_connections 1024;
+}
+
+http {
+ server {
+ listen 443 ssl;
+ server_name macbook-pro.tailscale-name.ts.net;
+
+ ssl_certificate /etc/ssl/tailscale-cert.crt;
+ ssl_certificate_key /etc/ssl/tailscale-key.key;
+
+ location / {
+ # FIXED: Use container hostname instead of localhost
+ proxy_pass https://vault:8200;
+
+ # Trust Vault's self-signed certificate
+ proxy_ssl_certificate /etc/vault-certs/vault.crt;
+ proxy_ssl_certificate_key /etc/vault-certs/vault.key;
+ proxy_ssl_verify off; # Since you're using mkcert cert
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # Important for WebSocket connections (Vault UI)
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ }
+
+ # Optional: HTTP to HTTPS redirect
+ server {
+ listen 80;
+ server_name macbook-pro.tailscale-name.ts.net;
+ return 301 https://$server_name$request_uri;
+ }
+}
\ No newline at end of file
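Review bot: `proxy_ssl_verify off` makes nginx accept any certificate from the upstream even though the CA that signed Vault's cert (`rootCA.pem`) is mounted at `/etc/vault-certs/` by docker-compose.yml and the mkcert SAN list in hc_vault/README.md includes `vault`; replace the three `proxy_ssl_*` lines with `proxy_ssl_trusted_certificate /etc/vault-certs/rootCA.pem;`, `proxy_ssl_verify on;` and `proxy_ssl_name vault;`. The `proxy_ssl_certificate`/`proxy_ssl_certificate_key` lines also hand Vault's own server private key to nginx as a client certificate, which config.hcl never requires and nginx never checks; if client authentication is wanted, issue nginx its own certificate from the same CA rather than sharing vault.key. `proxy_set_header Connection "upgrade"` is sent on every proxied request, not only WebSocket ones; the usual form is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http block with `proxy_set_header Connection $connection_upgrade;`. `server_name macbook-pro.tailscale-name.ts.net` looks like a placeholder and does not match the `faun-snapper.ts.net` names used in the README.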