NOISSUE - Add vault config (#110)

* fix imagePullSecretes

Signed-off-by: mteodor <mirko.teodorovic@gmail.com>

* procedure for setting up vault and certs

Signed-off-by: mteodor <mirko.teodorovic@gmail.com>

* revert to master

Signed-off-by: mteodor <mirko.teodorovic@gmail.com>

* remove mainflux dir

Signed-off-by: mteodor <mirko.teodorovic@gmail.com>

scripts/.env

@@ -0,0 +1,13 @@
+### Vault
+MF_VAULT_HOST=vault
+MF_VAULT_PORT=8200
+MF_VAULT_TOKEN=
+MF_VAULT_CA_NAME=mainflux
+MF_VAULT_CA_ROLE_NAME=mainflux
+MF_VAULT_PKI_PATH=pki
+MF_VAULT_PKI_INT_PATH=pki_int
+MF_VAULT_CA_CN=mainflux.com
+MF_VAULT_CA_OU='Mainflux Cloud'
+MF_VAULT_CA_O='Mainflux Labs'
+MF_VAULT_CA_C=Serbia
+MF_VAULT_CA_L=Belgrade

scripts/vault-set-pki.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/bash
+set -euo pipefail
+
+
+readDotEnv() {
+    set -o allexport
+    source /.env
+    set +o allexport
+}
+
+vault() {
+    kubectl exec vault-0 -n mf -- vault "$@"
+}
+
+vaultEnablePKI() {
+    vault secrets enable -path ${MF_VAULT_PKI_PATH} pki
+    vault secrets tune -max-lease-ttl=87600h ${MF_VAULT_PKI_PATH}
+}
+
+vaultAddRoleToSecret() {
+    vault write ${MF_VAULT_PKI_PATH}/roles/${MF_VAULT_CA_NAME} \
+        allow_any_name=true \
+        max_ttl="4300h" \
+        default_ttl="4300h" \
+        generate_lease=true
+}
+
+vaultGenerateRootCACertificate() {
+    echo "Generate root CA certificate"
+    vault write -format=json ${MF_VAULT_PKI_PATH}/root/generate/exported \
+        common_name="\"$MF_VAULT_CA_CN CA Root\"" \
+        ou="\"$MF_VAULT_CA_OU\""\
+        organization="\"$MF_VAULT_CA_O\"" \
+        country="\"$MF_VAULT_CA_C\"" \
+        locality="\"$MF_VAULT_CA_L\"" \
+        ttl=87600h | tee >(jq -r .data.certificate >data/${MF_VAULT_CA_NAME}_ca.crt) \
+                         >(jq -r .data.issuing_ca  >data/${MF_VAULT_CA_NAME}_issuing_ca.crt) \
+                         >(jq -r .data.private_key >data/${MF_VAULT_CA_NAME}_ca.key)
+}
+
+vaultGenerateIntermediateCAPKI() {
+    echo "Generate Intermediate CA PKI"
+    vault secrets enable -path=${MF_VAULT_PKI_INT_PATH} pki
+    vault secrets tune -max-lease-ttl=43800h ${MF_VAULT_PKI_INT_PATH}
+}
+
+vaultGenerateIntermediateCSR() {
+    echo "Generate intermediate CSR"
+    vault write -format=json ${MF_VAULT_PKI_INT_PATH}/intermediate/generate/exported \
+        common_name="$MF_VAULT_CA_CN Intermediate Authority" \
+        | tee >(jq -r .data.csr         >data/${MF_VAULT_CA_NAME}_int.csr) \
+              >(jq -r .data.private_key >data/${MF_VAULT_CA_NAME}_int.key)
+}
+
+vaultSignIntermediateCSR() {
+    echo "Sign intermediate CSR"
+    kubectl cp data/${MF_VAULT_CA_NAME}_int.csr vault-0:/vault/${MF_VAULT_CA_NAME}_int.csr -n mf
+    vault write -format=json ${MF_VAULT_PKI_PATH}/root/sign-intermediate \
+        csr=@/vault/${MF_VAULT_CA_NAME}_int.csr \
+        | tee >(jq -r .data.certificate >data/${MF_VAULT_CA_NAME}_int.crt) \
+              >(jq -r .data.issuing_ca >data/${MF_VAULT_CA_NAME}_int_issuing_ca.crt)
+}
+
+vaultInjectIntermediateCertificate() {
+    echo "Inject Intermediate Certificate"
+    kubectl cp data/${MF_VAULT_CA_NAME}_int.crt vault-0:/vault/${MF_VAULT_CA_NAME}_int.crt -n mf
+    vault write ${MF_VAULT_PKI_INT_PATH}/intermediate/set-signed certificate=@/vault/${MF_VAULT_CA_NAME}_int.crt
+}
+
+vaultGenerateIntermediateCertificateBundle() {
+    echo "Generate intermediate certificate bundle"
+    cat data/${MF_VAULT_CA_NAME}_int.crt data/${MF_VAULT_CA_NAME}_ca.crt \
+       > data/${MF_VAULT_CA_NAME}_int_bundle.crt
+}
+
+vaultSetupIssuingURLs() {
+    echo "Setup URLs for CRL and issuing"
+    VAULT_ADDR=http://$MF_VAULT_HOST:$MF_VAULT_PORT
+    vault write ${MF_VAULT_PKI_INT_PATH}/config/urls \
+        issuing_certificates="$VAULT_ADDR/v1/${MF_VAULT_PKI_INT_PATH}/ca" \
+        crl_distribution_points="$VAULT_ADDR/v1/${MF_VAULT_PKI_INT_PATH}/crl"
+}
+
+vaultSetupCARole() {
+    echo "Setup CA role"
+    vault write ${MF_VAULT_PKI_INT_PATH}/roles/${MF_VAULT_CA_ROLE_NAME} \
+        allow_subdomains=true \
+        allow_any_name=true \
+        max_ttl="720h"
+}
+
+vaultGenerateServerCertificate() {
+    echo "Generate server certificate"
+    vault write -format=json ${MF_VAULT_PKI_INT_PATH}/issue/${MF_VAULT_CA_ROLE_NAME} \
+        common_name="$MF_VAULT_CA_CN" ttl="8670h" \
+        | tee >(jq -r .data.certificate >data/${MF_VAULT_CA_CN}.crt) \
+              >(jq -r .data.private_key >data/${MF_VAULT_CA_CN}.key)
+}
+
+vaultCleanupFiles() {
+    kubectl exec vault-0 -n mf -- sh -c 'rm -rf /vault/*.{crt,csr}'
+}
+
+if ! command -v jq &> /dev/null
+then
+    echo "jq command could not be found, please install it and try again."
+    exit
+fi
+
+readDotEnv
+
+mkdir -p data
+
+vault login ${MF_VAULT_TOKEN}
+
+vaultEnablePKI
+vaultAddRoleToSecret
+vaultGenerateRootCACertificate
+vaultGenerateIntermediateCAPKI
+vaultGenerateIntermediateCSR
+vaultSignIntermediateCSR
+vaultInjectIntermediateCertificate
+vaultGenerateIntermediateCertificateBundle
+vaultSetupIssuingURLs
+vaultSetupCARole
+vaultGenerateServerCertificate
+vaultCleanupFiles
+
+
+exit 0

scripts/vault.md

@@ -0,0 +1,32 @@
+# Install and configure `vault` with `certs`
+
+Install vault
+
+```
+helm install vault hashicorp/vault -n mf
+```
+
+Initialize vault
+```bash
+kubectl exec -it vault-0 -n mf -- vault operator init  -key-shares=1 -key-threshold=1
+```
+
+Take a not for unseal keys and root token, by default on `init` operation you will get 5 keys and you need 3 to unseal
+```bash
+kubectl exec vault-0 -n vault -- vault operator unseal <VAULT_UNSEAL_KEY>
+```
+
+Edit `.env` and set to `MF_VAULT_TOKEN` to value of root token 
+
+Execute `/vault-set-pki.sh`
+
+Now upgrade installation of mainflux enabling certs service and setting proper values
+```bash
+ helm upgrade mainflux  --create-namespace -n mf . \
+                        ...
+                        --set certs.enabled=true \
+                        --set certs.signVaultToken=s.8by6kA75cKciQBQvvkCu21m \
+                        --set certs.signVaultHost=http://vault:8200 \
+                        --set certs.signVaultPKIPath=pki_int \
+                        --set certs.signVaultRole=mainflux
+```