Fix issue with Vault and Kubernetes Calico/Canal communication (#1434)

* Add vault namespace and fixes related to connection issue

* Add default policy for default namespace

* Remove service endpoint, execute certificate part if enabled, setting protocol correctly in Vault Helm chart

* Add possibility to configure manually Vault endpoint

core/src/epicli/data/common/ansible/playbooks/roles/vault/files/kubernetes/vault-namespace.yml

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault

core/src/epicli/data/common/ansible/playbooks/roles/vault/files/vault/configure-vault.sh

@@ -197,7 +197,7 @@ function configure_kubernetes {
     local vault_protocol="$3";
     local helm_custom_values_set_bool="$4";
     log_and_print "Configuring Kubernetes...";
-    local files_to_apply=( app-namespace.yml vault-endpoint-configuration.yml vault-service-account.yml app-service-account.yml )
+    local files_to_apply=( app-namespace.yml vault-namespace.yml vault-default-policy.yml vault-service-account.yml app-service-account.yml )
     for file in "${files_to_apply[@]}" ; do
         if [ "$file" = "app-namespace.yml" ] && [ "$kubernetes_namespace" = "default" ]; then
             continue
@@ -217,9 +217,9 @@ function configure_kubernetes {
     elif [ "${command_result[1]}" = "1" ] ; then
         log_and_print "Installing Vault Agent Helm Chart...";
         if [ "$helm_custom_values_set_bool" = "true" ] ; then
-          helm upgrade --install --wait -f /tmp/vault_helm_chart_values.yaml vault /tmp/v0.4.0.tar.gz
+          helm upgrade --install --wait -f /tmp/vault_helm_chart_values.yaml vault /tmp/v0.4.0.tar.gz --namespace vault
         else
-          helm upgrade --install --wait vault /tmp/v0.4.0.tar.gz
+          helm upgrade --install --wait vault /tmp/v0.4.0.tar.gz --namespace vault
         fi
         check_status $? "Vault Agent Helm Chart installed." "There was an error during installation of Vault Agent Helm Chart.";
     fi

core/src/epicli/data/common/ansible/playbooks/roles/vault/tasks/main.yml

@@ -13,9 +13,24 @@
     state: absent
     path: /tmp/vault_helm_chart_values.yaml
 
+- name: Set full Vault address
+  set_fact:
+    full_vault_address: "{{ specification.tls_disable | ternary('http', 'https') }}://{{ hostvars[groups['vault'][0]]['ansible_default_ipv4']['address'] }}:8200"
+  when: specification.vault_helm_chart_values.injector.externalVaultAddr is not defined
+
+- name: Set final Vault Helm chart's custom configuration file content
+  set_fact:
+    final_vault_helm_chart_values: "{{ specification.vault_helm_chart_values | combine({'injector': {'externalVaultAddr': full_vault_address}},recursive=True) }}"
+  when: specification.vault_helm_chart_values.injector.externalVaultAddr is not defined
+
+- name: Set final Vault Helm chart's custom configuration file content - manual externalVaultAddr config
+  set_fact:
+    final_vault_helm_chart_values: "{{ specification.vault_helm_chart_values }}"
+  when: specification.vault_helm_chart_values.injector.externalVaultAddr is defined
+
 - name: Copy Vault Helm chart's custom configuration to file
   copy:
-    content: "{{ specification.vault_helm_chart_values }}"
+    content: "{{ final_vault_helm_chart_values }}"
     dest: /tmp/vault_helm_chart_values.yaml
   when: vault_helm_chart_values_bool
 
@@ -139,31 +154,35 @@
         src: vault/vault.service.j2
       register: service_conf
 
-    - name: Look for certificate in role directory
-      local_action: find paths="{{ role_path }}/files/tls-certs" patterns="*.pem"
-      become: no
-      register: provided_certificates
-
-    - name: Check if any certificate exists in role directory
-      set_fact:
-        certificate_exists: "{{ provided_certificates.matched > 0 }}"
-
-    - name: Display result
-      debug:
-        msg: Certificate file {{ (provided_certificates.matched > 0) | ternary('found','not found') }}
-
-    - name: Copy certificate to remote host
-      copy:
-        src: "{{ item.path }}"
-        dest: "{{ specification.vault_install_dir }}/tls/"
-      loop: "{{ provided_certificates.files }}"
-      when:
-        - certificate_exists
-
-    - name: Generate TLS certificate
-      include_tasks: generate-certificate.yml
+    - name: Configure Hashicorp Vault TLS support if enabled
       when:
-        - not certificate_exists
+        - not specification.tls_disable
+      block:
+        - name: Look for certificate in role directory
+          local_action: find paths="{{ role_path }}/files/tls-certs" patterns="*.pem"
+          become: no
+          register: provided_certificates
+
+        - name: Check if any certificate exists in role directory
+          set_fact:
+            certificate_exists: "{{ provided_certificates.matched > 0 }}"
+
+        - name: Display result
+          debug:
+            msg: Certificate file {{ (provided_certificates.matched > 0) | ternary('found','not found') }}
+
+        - name: Copy certificate to remote host
+          copy:
+            src: "{{ item.path }}"
+            dest: "{{ specification.vault_install_dir }}/tls/"
+          loop: "{{ provided_certificates.files }}"
+          when:
+            - certificate_exists
+
+        - name: Generate TLS certificate
+          include_tasks: generate-certificate.yml
+          when:
+            - not certificate_exists
 
     - name: Restart Vault service and reload config
       systemd:
@@ -227,22 +246,30 @@
         mode: u=rw,g=r,o=
         src: vault/users.csv.j2
 
-    - name: Create application namespace yaml
+    - name: Copy Vault namespace yaml
+      copy:
+        src: kubernetes/vault-namespace.yml
+        dest: "{{ specification.vault_install_dir }}/kubernetes/"
+        owner: "{{ specification.vault_system_user }}"
+        group: "{{ specification.vault_system_group }}"
+        mode: u=rw,g=r,o=
+
+    - name: Create policy yaml for default namespace
       template:
-        dest: "{{ specification.vault_install_dir }}/kubernetes/app-namespace.yml"
+        dest: "{{ specification.vault_install_dir }}/kubernetes/vault-default-policy.yml"
         owner: "{{ specification.vault_system_user }}"
         group: "{{ specification.vault_system_group }}"
         mode: u=rw,g=r,o=
-        src: kubernetes/app-namespace.yml.j2
-      when: not specification.kubernetes_namespace == "default"
+        src: kubernetes/vault-default-policy.yml.j2
 
-    - name: Create Vault endpoint configuration yaml
+    - name: Create application namespace yaml
       template:
-        dest: "{{ specification.vault_install_dir }}/kubernetes/vault-endpoint-configuration.yml"
+        dest: "{{ specification.vault_install_dir }}/kubernetes/app-namespace.yml"
         owner: "{{ specification.vault_system_user }}"
         group: "{{ specification.vault_system_group }}"
         mode: u=rw,g=r,o=
-        src: kubernetes/vault-endpoint-configuration.yml.j2
+        src: kubernetes/app-namespace.yml.j2
+      when: not specification.kubernetes_namespace == "default"
 
     - name: Create Vault service account yaml
       template:

core/src/epicli/data/common/ansible/playbooks/roles/vault/templates/kubernetes/vault-default-policy.yml.j2

@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: vault-policy
+  namespace: default
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    {% for server in groups['vault'] %}- ipBlock:
+        cidr: {{ hostvars[server]['ansible_default_ipv4']['address'] }}/32
+    {% endfor %}ports:
+    - protocol: TCP
+      port: 8200

core/src/epicli/data/common/defaults/configuration/vault.yml

@@ -40,7 +40,6 @@ specification:
     vault_helm_chart_file_name: v0.4.0.tar.gz
   vault_helm_chart_values:
     injector:
-      externalVaultAddr: https://external-vault:8200
       image:
         repository: "{{ image_registry_address }}/hashicorp/vault-k8s"
       agentImage: