From 3acaaf6d09e8adba8c83fe9650c6e0656046627a Mon Sep 17 00:00:00 2001
From: Finn
Date: Tue, 10 Sep 2024 00:32:41 -0700
Subject: [PATCH] use opentofu to configure openbao + other bao fixes

---
 .gitignore | 1 +
 helm/openbao/kustomization.yaml | 10 ++-
 helm/render-all.sh | 2 +
 .../kustomization.yaml | 3 +
 k8s/kustomization.yaml | 7 +-
 k8s/operators/openbao/bundle.yaml | 8 +-
 .../secrets-store-csi-driver/bundle.yaml | 2 +-
 tf/.gitignore | 37 ++++++++
 tf/.terraform.lock.hcl | 19 ++++
 tf/bao-auth-backends.tf | 24 +++++
 tf/bao-mounts.tf | 6 ++
 tf/bao-policies.tf | 5 ++
 tf/bao-policies/k8s-default-sa.hcl | 8 ++
 tf/bao-policies/oidc-example.hcl | 87 +++++++++++++++++++
 tf/providers.tf | 14 +++
 15 files changed, 225 insertions(+), 8 deletions(-)
 create mode 100644 tf/.gitignore
 create mode 100644 tf/.terraform.lock.hcl
 create mode 100644 tf/bao-auth-backends.tf
 create mode 100644 tf/bao-mounts.tf
 create mode 100644 tf/bao-policies.tf
 create mode 100644 tf/bao-policies/k8s-default-sa.hcl
 create mode 100644 tf/bao-policies/oidc-example.hcl
 create mode 100644 tf/providers.tf

diff --git a/.gitignore b/.gitignore
index 179fc9c..e37f1e8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /secrets
 secrets.yaml
 bao-root.json
+.kubeconfig
diff --git a/helm/openbao/kustomization.yaml b/helm/openbao/kustomization.yaml
index dd2cd1a..a2bfa9a 100644
--- a/helm/openbao/kustomization.yaml
+++ b/helm/openbao/kustomization.yaml
@@ -10,6 +10,7 @@ helmCharts:
     injector:
       enabled: false
     server:
+      logLevel: debug
       image:
         registry: git.janky.solutions
         repository: jankysolutions/infra/openbao
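Review bot: `server.logLevel: debug` is added with nothing saying whether it is a temporary troubleshooting setting, and this file is the source that helm/render-all.sh renders into k8s/operators/openbao/bundle.yaml, so it ships as `BAO_LOG_LEVEL=debug` on the server pod in the same patch. Debug output from the secrets server is far chattier than `info` and flows into whatever collects cluster logs, so the intent should be visible to the next reader; a trailing comment such as `logLevel: debug # TEMPORARY: CSI provider troubleshooting, revert to info` makes it reviewable and gives a later cleanup something to grep for. If debug is meant to stay, say that in the comment instead.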
@@ -23,9 +24,16 @@ helmCharts:
     csi:
       enabled: true
       debug: true
+      image:
+        registry: git.janky.solutions
+        repository: jankysolutions/infra/openbao-csi-provider
+        tag: latest
       agent:
+        logLevel: debug
         image:
-          repository: quay.io/openbao/openbao
+          # registry: git.janky.solutions # registry isnt actually used yet: https://github.com/openbao/openbao-helm/pull/17
+          repository: git.janky.solutions/jankysolutions/infra/openbao
+          tag: latest
   releaseName: openbao
   version: 0.5.0
   repo: https://openbao.github.io/openbao-helm
diff --git a/helm/render-all.sh b/helm/render-all.sh
index ffda144..20fa0b7 100755
--- a/helm/render-all.sh
+++ b/helm/render-all.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 set -exuo pipefail
 
+cd -- "$( dirname -- "${BASH_SOURCE[0]}" )"
+
 header="# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten"
 
 # operators
diff --git a/helm/secrets-store-csi-driver/kustomization.yaml b/helm/secrets-store-csi-driver/kustomization.yaml
index 05eb61b..1b30c18 100644
--- a/helm/secrets-store-csi-driver/kustomization.yaml
+++ b/helm/secrets-store-csi-driver/kustomization.yaml
@@ -6,6 +6,9 @@ helmCharts:
   valuesInline:
     syncSecret:
       enabled: true
+    linux:
+      registrar:
+        logVerbosity: 1
   releaseName: secrets-store-csi-driver
   version: v1.4.5
   repo: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml
index 6516278..dc62fe5 100644
--- a/k8s/kustomization.yaml
+++ b/k8s/kustomization.yaml
@@ -3,14 +3,15 @@ kind: Kustomization
 resources:
   - operators
   - system
-  # - adsb
   - forgejo
   - generic-device-plugin
   - invoiceninja
+  - keycloak
   - matrix
+  - miniflux
   - monitoring
   - s3staticsites
   - shlink
+  - snipeit
   - system-upgrade-controller
-  - keycloak
-  - miniflux
+  - tofu
diff --git a/k8s/operators/openbao/bundle.yaml b/k8s/operators/openbao/bundle.yaml
index 011cfcb..aab7686 100644
--- a/k8s/operators/openbao/bundle.yaml
+++ b/k8s/operators/openbao/bundle.yaml
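Review bot: Both new images in this hunk are pinned to the floating `tag: latest`, replacing a line that pointed at a named upstream image and, in the rendered bundle elsewhere in this patch, a pinned `vault-csi-provider:1.4.1`; that same bundle keeps `imagePullPolicy: IfNotPresent` on these containers. With `latest` plus `IfNotPresent` a node keeps whichever build it pulled first, different nodes can end up running different builds, and a rebuilt or tampered image in the registry is neither picked up nor detectable from the manifest. Pin an explicit version tag for both `image.tag` fields (and record the digest if the chart lets you append `@sha256:…`); if `latest` is deliberate while evaluating OpenBao, at least set `pullPolicy: Always` beside it and leave a comment saying it is temporary.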
@@ -416,6 +416,8 @@ spec:
           value: https://$(HOSTNAME).openbao-internal:8201
         - name: HOME
           value: /home/openbao
+        - name: BAO_LOG_LEVEL
+          value: debug
         image: git.janky.solutions/jankysolutions/infra/openbao:latest
         imagePullPolicy: IfNotPresent
         lifecycle:
@@ -525,7 +527,7 @@ spec:
         env:
         - name: VAULT_ADDR
           value: unix:///var/run/vault/agent.sock
-        image: docker.io/hashicorp/vault-csi-provider:1.4.1
+        image: git.janky.solutions/jankysolutions/infra/openbao-csi-provider:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 2
@@ -558,10 +560,10 @@ spec:
         - bao
         env:
         - name: VAULT_LOG_LEVEL
-          value: info
+          value: debug
         - name: VAULT_LOG_FORMAT
           value: standard
-        image: quay.io/openbao/openbao:2.0.0-alpha20240329
+        image: git.janky.solutions/jankysolutions/infra/openbao:latest
         imagePullPolicy: IfNotPresent
         name: openbao-agent
         ports:
diff --git a/k8s/operators/secrets-store-csi-driver/bundle.yaml b/k8s/operators/secrets-store-csi-driver/bundle.yaml
index 406bd14..85a8cc0 100644
--- a/k8s/operators/secrets-store-csi-driver/bundle.yaml
+++ b/k8s/operators/secrets-store-csi-driver/bundle.yaml
@@ -388,7 +388,7 @@ spec:
             - virtual-kubelet
       containers:
       - args:
-        - --v=5
+        - --v=1
         - --csi-address=/csi/csi.sock
         - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock
         image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
diff --git a/tf/.gitignore b/tf/.gitignore
new file mode 100644
index 0000000..2faf43d
--- /dev/null
+++ b/tf/.gitignore
@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/tf/.terraform.lock.hcl b/tf/.terraform.lock.hcl
new file mode 100644
index 0000000..aee520c
--- /dev/null
+++ b/tf/.terraform.lock.hcl
@@ -0,0 +1,19 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/vault" {
+  version = "4.4.0"
+  hashes = [
+    "h1:s0t6P9ZfUQnHLxtUcnpPWpME68KwO/OxZqHAKSIvOoo=",
+    "zh:0309ea8f81386e17ab13c06c5991ca959708c55c815b0cfba2bbcd865e0d606e",
+    "zh:40e56199ccd266bffa216e8ebbcdc2e29b6ef5145b39377be766e763cac759c8",
+    "zh:6fad1f073bd2e53e34736e000f98db581137e153ac80bbb5c4f1a1e38b46a1d2",
+    "zh:74564fd4759decccf7f3c952aa2feba1012f103a66ec354aa3b3292a2f1b2412",
+    "zh:7aae012c1a43e6e5dae6f608ec0f08cdb3f95fa121a32e413fe7ee37cb99947f",
+    "zh:7c83f508e164844b1dd9bafe9de0fe60c7be7b55a02e704a6e2f50cff38b7d96",
+    "zh:873a42322b68d9fba4a38217b97ee04a1eb617e811d7f9954016f5c3eb6cb0bc",
+    "zh:9db2b13472cf91a5f18f0a7c6ae532277c05b0980d87f492341426b981679f7b",
+    "zh:ac1cbd2926265db80efe3f1814bed82901f7d8a7d4e5b1e22592e1eef234b1c7",
+    "zh:f465a955cc96f640e7426a648ba672c169a4a2959bad6146fe61583d67642561",
+  ]
+}
diff --git a/tf/bao-auth-backends.tf b/tf/bao-auth-backends.tf
new file mode 100644
index 0000000..0925354
--- /dev/null
+++ b/tf/bao-auth-backends.tf
@@ -0,0 +1,24 @@
+resource "vault_jwt_auth_backend" "keycloak" {
+  description        = "Keycloak OIDC auth"
+  path               = "oidc"
+  type               = "oidc"
+  oidc_discovery_url = "https://auth.janky.solutions/realms/janky.solutions"
+  oidc_client_id     = "openbao"
+  oidc_client_secret = "secret123456"
+  bound_issuer       = "https://auth.janky.solutions/realms/janky.solutions"
+}
+
+resource "vault_auth_backend" "kubernetes" {
+  type = "kubernetes"
+}
+
+resource "vault_kubernetes_auth_backend_role" "k8s-default" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "kubernetes-default"
+  bound_service_account_names      = ["default"]
+  bound_service_account_namespaces = ["*"]
+  token_ttl                        = 3600
+  token_policies = [
+    vault_policy.k8s_default_sa.name
+  ]
+}
diff --git a/tf/bao-mounts.tf b/tf/bao-mounts.tf
new file mode 100644
index 0000000..7b1cc62
--- /dev/null
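Review bot: `oidc_client_secret = "secret123456"` commits an OIDC client secret — or a placeholder that will be edited into the real one — into version control, which is exactly what the `*.tfvars` rule in the new tf/.gitignore exists to avoid. Move it to a `sensitive = true` variable supplied through an ignored `.tfvars` file or `TF_VAR_oidc_client_secret` (changed lines below), and rotate the Keycloak client secret if this value is real; the value still lands in the state file, so the state store needs the same protection. Separately, `bound_service_account_namespaces = ["*"]` lets the `default` service account of every namespace log in, and that token is auto-mounted into every pod that does not set `automountServiceAccountToken: false`, so in effect any pod in the cluster obtains this role — confirm that is the intended trust boundary or bind an explicit namespace list. The `vault_auth_backend "kubernetes"` block has no matching `vault_kubernetes_auth_backend_config` in this patch; unless the host, CA and token-reviewer settings are configured elsewhere, logins against it will fail.
```hcl
variable "oidc_client_secret" {
  description = "Client secret of the `openbao` client in the Keycloak realm; pass via TF_VAR_oidc_client_secret or an ignored .tfvars file, never commit it"
  type        = string
  sensitive   = true
}

resource "vault_jwt_auth_backend" "keycloak" {
  # … unchanged: description, path, type, oidc_discovery_url, oidc_client_id …
  oidc_client_secret = var.oidc_client_secret
  # … unchanged: bound_issuer …
}
```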
+++ b/tf/bao-mounts.tf
@@ -0,0 +1,6 @@
+resource "vault_mount" "test-kv" {
+  path        = "test-kv"
+  type        = "kv"
+  options     = { version = "2" }
+  description = "Testing KV for evaluating how OpenBao works"
+}
diff --git a/tf/bao-policies.tf b/tf/bao-policies.tf
new file mode 100644
index 0000000..4c845dc
--- /dev/null
+++ b/tf/bao-policies.tf
@@ -0,0 +1,5 @@
+resource "vault_policy" "k8s_default_sa" {
+  name = "k8s-default-sa"
+
+  policy = file("bao-policies/k8s-default-sa.hcl")
+}
diff --git a/tf/bao-policies/k8s-default-sa.hcl b/tf/bao-policies/k8s-default-sa.hcl
new file mode 100644
index 0000000..7e8ffbb
--- /dev/null
+++ b/tf/bao-policies/k8s-default-sa.hcl
@@ -0,0 +1,8 @@
+path "test-kv/{{identity.entity.service_account_namespace}}/*" {
+  capabilities = ["read"]
+}
+
+# Allow a token to manage its own cubbyhole
+path "cubbyhole/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
diff --git a/tf/bao-policies/oidc-example.hcl b/tf/bao-policies/oidc-example.hcl
new file mode 100644
index 0000000..77b1b80
--- /dev/null
+++ b/tf/bao-policies/oidc-example.hcl
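Review bot: The rule `path "test-kv/{{identity.entity.service_account_namespace}}/*"` will not grant what it looks like it grants: the mount is created with `options = { version = "2" }` in bao-mounts.tf, and a KV v2 mount serves secrets under `test-kv/data/<path>` (with `metadata/` alongside), so the `data/` segment is missing from the path. In addition `identity.entity.service_account_namespace` is not one of the documented ACL templating selectors — the namespace recorded by the Kubernetes auth method is alias metadata, addressed as `identity.entity.aliases.<mount accessor>.metadata.service_account_namespace`. The accessor is exported as `vault_auth_backend.kubernetes.accessor`, so loading the file with `templatefile(...)` instead of `file(...)` in bao-policies.tf lets it be substituted; the rewritten lines for both files are below. Whether an unresolvable template parameter is silently dropped or rejected depends on the server build, so check the result with `bao policy read k8s-default-sa` and a test login from a pod after applying.
```hcl
# bao-policies/k8s-default-sa.hcl — rendered with templatefile(); ${k8s_accessor} is the kubernetes auth mount accessor
path "test-kv/data/{{identity.entity.aliases.${k8s_accessor}.metadata.service_account_namespace}}/*" {
  capabilities = ["read"]
}
# … unchanged: cubbyhole rule …

# bao-policies.tf
resource "vault_policy" "k8s_default_sa" {
  name = "k8s-default-sa"

  policy = templatefile("bao-policies/k8s-default-sa.hcl", {
    k8s_accessor = vault_auth_backend.kubernetes.accessor
  })
}
```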
@@ -0,0 +1,87 @@
+
+# Allow tokens to look up their own properties
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+
+# Allow tokens to renew themselves
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}
+
+# Allow tokens to revoke themselves
+path "auth/token/revoke-self" {
+  capabilities = ["update"]
+}
+
+# Allow a token to look up its own capabilities on a path
+path "sys/capabilities-self" {
+  capabilities = ["update"]
+}
+
+# Allow a token to look up its own entity by id or name
+path "identity/entity/id/{{identity.entity.id}}" {
+  capabilities = ["read"]
+}
+path "identity/entity/name/{{identity.entity.name}}" {
+  capabilities = ["read"]
+}
+
+
+# Allow a token to look up its resultant ACL from all policies. This is useful
+# for UIs. It is an internal path because the format may change at any time
+# based on how the internal ACL features and capabilities change.
+path "sys/internal/ui/resultant-acl" {
+  capabilities = ["read"]
+}
+
+# Allow a token to renew a lease via lease_id in the request body; old path for
+# old clients, new path for newer
+path "sys/renew" {
+  capabilities = ["update"]
+}
+path "sys/leases/renew" {
+  capabilities = ["update"]
+}
+
+# Allow looking up lease properties. This requires knowing the lease ID ahead
+# of time and does not divulge any sensitive information.
+path "sys/leases/lookup" {
+  capabilities = ["update"]
+}
+
+# Allow a token to manage its own cubbyhole
+path "cubbyhole/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# Allow a token to wrap arbitrary values in a response-wrapping token
+path "sys/wrapping/wrap" {
+  capabilities = ["update"]
+}
+
+# Allow a token to look up the creation time and TTL of a given
+# response-wrapping token
+path "sys/wrapping/lookup" {
+  capabilities = ["update"]
+}
+
+# Allow a token to unwrap a response-wrapping token. This is a convenience to
+# avoid client token swapping since this is also part of the response wrapping
+# policy.
+path "sys/wrapping/unwrap" { + capabilities = ["update"] +} + +# Allow general purpose tools +path "sys/tools/hash" { + capabilities = ["update"] +} +path "sys/tools/hash/*" { + capabilities = ["update"] +} + +# Allow a token to make requests to the Authorization Endpoint for OIDC providers. +path "identity/oidc/provider/+/authorize" { + capabilities = ["read", "update"] +} diff --git a/tf/providers.tf b/tf/providers.tf new file mode 100644 index 0000000..6b05dc3 --- /dev/null +++ b/tf/providers.tf @@ -0,0 +1,14 @@ +data "terraform_remote_state" "foo" { + backend = "kubernetes" + config = { + secret_suffix = "state" + namespace = "tofu" + config_path = "../.kubeconfig" + } +} + +provider "vault" { + # This will default to using $VAULT_ADDR + # But can be set explicitly + # address = "https://vault.example.net:8200" +}