use opentofu to configure openbao + other bao fixes

.gitignore

@@ -1,3 +1,4 @@
 /secrets
 secrets.yaml
 bao-root.json
+.kubeconfig

helm/openbao/kustomization.yaml

@@ -10,6 +10,7 @@ helmCharts:
     injector:
       enabled: false
     server:
+      logLevel: debug
       image:
         registry: git.janky.solutions
         repository: jankysolutions/infra/openbao
@@ -23,9 +24,16 @@ helmCharts:
     csi:
       enabled: true
       debug: true
+      image:
+        registry: git.janky.solutions
+        repository: jankysolutions/infra/openbao-csi-provider
+        tag: latest
       agent:
+        logLevel: debug
         image:
-          repository: quay.io/openbao/openbao
+          # registry: git.janky.solutions # registry isnt actually used yet: https://github.com/openbao/openbao-helm/pull/17
+          repository: git.janky.solutions/jankysolutions/infra/openbao
+          tag: latest
   releaseName: openbao
   version: 0.5.0
   repo: https://openbao.github.io/openbao-helm

helm/render-all.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 set -exuo pipefail
 
+cd -- "$( dirname -- "${BASH_SOURCE[0]}" )"
+
 header="# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten"
 
 # operators

helm/secrets-store-csi-driver/kustomization.yaml

@@ -6,6 +6,9 @@ helmCharts:
   valuesInline:
     syncSecret:
       enabled: true
+    linux:
+      registrar:
+        logVerbosity: 1
   releaseName: secrets-store-csi-driver
   version: v1.4.5
   repo: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts

k8s/kustomization.yaml

@@ -3,14 +3,15 @@ kind: Kustomization
 resources:
   - operators
   - system
-  # - adsb
   - forgejo
   - generic-device-plugin
   - invoiceninja
+  - keycloak
   - matrix
+  - miniflux
   - monitoring
   - s3staticsites
   - shlink
+  - snipeit
   - system-upgrade-controller
-  - keycloak
-  - miniflux
+  - tofu

k8s/operators/openbao/bundle.yaml

@@ -416,6 +416,8 @@ spec:
           value: https://$(HOSTNAME).openbao-internal:8201
         - name: HOME
           value: /home/openbao
+        - name: BAO_LOG_LEVEL
+          value: debug
         image: git.janky.solutions/jankysolutions/infra/openbao:latest
         imagePullPolicy: IfNotPresent
         lifecycle:
@@ -525,7 +527,7 @@ spec:
         env:
         - name: VAULT_ADDR
           value: unix:///var/run/vault/agent.sock
-        image: docker.io/hashicorp/vault-csi-provider:1.4.1
+        image: git.janky.solutions/jankysolutions/infra/openbao-csi-provider:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 2
@@ -558,10 +560,10 @@ spec:
         - bao
         env:
         - name: VAULT_LOG_LEVEL
-          value: info
+          value: debug
         - name: VAULT_LOG_FORMAT
           value: standard
-        image: quay.io/openbao/openbao:2.0.0-alpha20240329
+        image: git.janky.solutions/jankysolutions/infra/openbao:latest
         imagePullPolicy: IfNotPresent
         name: openbao-agent
         ports:

k8s/operators/secrets-store-csi-driver/bundle.yaml

@@ -388,7 +388,7 @@ spec:
                 - virtual-kubelet
       containers:
       - args:
-        - --v=5
+        - --v=1
         - --csi-address=/csi/csi.sock
         - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock
         image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1

tf/.gitignore

@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

tf/.terraform.lock.hcl

@@ -0,0 +1,19 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/vault" {
+  version = "4.4.0"
+  hashes = [
+    "h1:s0t6P9ZfUQnHLxtUcnpPWpME68KwO/OxZqHAKSIvOoo=",
+    "zh:0309ea8f81386e17ab13c06c5991ca959708c55c815b0cfba2bbcd865e0d606e",
+    "zh:40e56199ccd266bffa216e8ebbcdc2e29b6ef5145b39377be766e763cac759c8",
+    "zh:6fad1f073bd2e53e34736e000f98db581137e153ac80bbb5c4f1a1e38b46a1d2",
+    "zh:74564fd4759decccf7f3c952aa2feba1012f103a66ec354aa3b3292a2f1b2412",
+    "zh:7aae012c1a43e6e5dae6f608ec0f08cdb3f95fa121a32e413fe7ee37cb99947f",
+    "zh:7c83f508e164844b1dd9bafe9de0fe60c7be7b55a02e704a6e2f50cff38b7d96",
+    "zh:873a42322b68d9fba4a38217b97ee04a1eb617e811d7f9954016f5c3eb6cb0bc",
+    "zh:9db2b13472cf91a5f18f0a7c6ae532277c05b0980d87f492341426b981679f7b",
+    "zh:ac1cbd2926265db80efe3f1814bed82901f7d8a7d4e5b1e22592e1eef234b1c7",
+    "zh:f465a955cc96f640e7426a648ba672c169a4a2959bad6146fe61583d67642561",
+  ]
+}

tf/bao-auth-backends.tf

@@ -0,0 +1,24 @@
+resource "vault_jwt_auth_backend" "keycloak" {
+    description         = "Keycloak OIDC auth"
+    path                = "oidc"
+    type                = "oidc"
+    oidc_discovery_url  = "https://auth.janky.solutions/realms/janky.solutions"
+    oidc_client_id      = "openbao"
+    oidc_client_secret  = "secret123456"
+    bound_issuer        = "https://auth.janky.solutions/realms/janky.solutions"
+}
+
+resource "vault_auth_backend" "kubernetes" {
+  type = "kubernetes"
+}
+
+resource "vault_kubernetes_auth_backend_role" "k8s-default" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "kubernetes-default"
+  bound_service_account_names      = ["default"]
+  bound_service_account_namespaces = ["*"]
+  token_ttl                        = 3600
+  token_policies                   = [
+    vault_policy.k8s_default_sa.name
+  ]
+}

tf/bao-mounts.tf

@@ -0,0 +1,6 @@
+resource "vault_mount" "test-kv" {
+  path        = "test-kv"
+  type        = "kv"
+  options     = { version = "2" }
+  description = "Testing KV for evaluating how OpenBao works"
+}

tf/bao-policies.tf

@@ -0,0 +1,5 @@
+resource "vault_policy" "k8s_default_sa" {
+  name = "k8s-default-sa"
+
+  policy = file("bao-policies/k8s-default-sa.hcl")
+}

tf/bao-policies/k8s-default-sa.hcl

@@ -0,0 +1,8 @@
+path "test-kv/{{identity.entity.service_account_namespace}}/*" {
+    capabilities = ["read"]
+}
+
+# Allow a token to manage its own cubbyhole
+path "cubbyhole/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}

tf/bao-policies/oidc-example.hcl

@@ -0,0 +1,87 @@
+
+# Allow tokens to look up their own properties
+path "auth/token/lookup-self" {
+    capabilities = ["read"]
+}
+
+# Allow tokens to renew themselves
+path "auth/token/renew-self" {
+    capabilities = ["update"]
+}
+
+# Allow tokens to revoke themselves
+path "auth/token/revoke-self" {
+    capabilities = ["update"]
+}
+
+# Allow a token to look up its own capabilities on a path
+path "sys/capabilities-self" {
+    capabilities = ["update"]
+}
+
+# Allow a token to look up its own entity by id or name
+path "identity/entity/id/{{identity.entity.id}}" {
+  capabilities = ["read"]
+}
+path "identity/entity/name/{{identity.entity.name}}" {
+  capabilities = ["read"]
+}
+
+
+# Allow a token to look up its resultant ACL from all policies. This is useful
+# for UIs. It is an internal path because the format may change at any time
+# based on how the internal ACL features and capabilities change.
+path "sys/internal/ui/resultant-acl" {
+    capabilities = ["read"]
+}
+
+# Allow a token to renew a lease via lease_id in the request body; old path for
+# old clients, new path for newer
+path "sys/renew" {
+    capabilities = ["update"]
+}
+path "sys/leases/renew" {
+    capabilities = ["update"]
+}
+
+# Allow looking up lease properties. This requires knowing the lease ID ahead
+# of time and does not divulge any sensitive information.
+path "sys/leases/lookup" {
+    capabilities = ["update"]
+}
+
+# Allow a token to manage its own cubbyhole
+path "cubbyhole/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# Allow a token to wrap arbitrary values in a response-wrapping token
+path "sys/wrapping/wrap" {
+    capabilities = ["update"]
+}
+
+# Allow a token to look up the creation time and TTL of a given
+# response-wrapping token
+path "sys/wrapping/lookup" {
+    capabilities = ["update"]
+}
+
+# Allow a token to unwrap a response-wrapping token. This is a convenience to
+# avoid client token swapping since this is also part of the response wrapping
+# policy.
+path "sys/wrapping/unwrap" {
+    capabilities = ["update"]
+}
+
+# Allow general purpose tools
+path "sys/tools/hash" {
+    capabilities = ["update"]
+}
+path "sys/tools/hash/*" {
+    capabilities = ["update"]
+}
+
+# Allow a token to make requests to the Authorization Endpoint for OIDC providers.
+path "identity/oidc/provider/+/authorize" {
+    capabilities = ["read", "update"]
+}

tf/providers.tf

@@ -0,0 +1,14 @@
+data "terraform_remote_state" "foo" {
+  backend = "kubernetes"
+  config = {
+    secret_suffix    = "state"
+    namespace        = "tofu"
+    config_path      = "../.kubeconfig"
+  }
+}
+
+provider "vault" {
+  # This will default to using $VAULT_ADDR
+  # But can be set explicitly
+  # address = "https://vault.example.net:8200"
+}