use opentofu to configure openbao + other bao fixes
This commit is contained in:
parent
8f7fa85bb8
commit
3acaaf6d09
15 changed files with 225 additions and 8 deletions
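--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /secrets
 secrets.yaml
 bao-root.json
+.kubeconfig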
@ -10,6 +10,7 @@ helmCharts:
|
||||||
injector:
|
injector:
|
||||||
enabled: false
|
enabled: false
|
||||||
server:
|
server:
|
||||||
|
logLevel: debug
|
||||||
image:
|
image:
|
||||||
registry: git.janky.solutions
|
registry: git.janky.solutions
|
||||||
repository: jankysolutions/infra/openbao
|
repository: jankysolutions/infra/openbao
|
||||||
|
@ -23,9 +24,16 @@ helmCharts:
|
||||||
csi:
|
csi:
|
||||||
enabled: true
|
enabled: true
|
||||||
debug: true
|
debug: true
|
||||||
|
image:
|
||||||
|
registry: git.janky.solutions
|
||||||
|
repository: jankysolutions/infra/openbao-csi-provider
|
||||||
|
tag: latest
|
||||||
agent:
|
agent:
|
||||||
|
logLevel: debug
|
||||||
image:
|
image:
|
||||||
repository: quay.io/openbao/openbao
|
# registry: git.janky.solutions # registry isnt actually used yet: https://github.com/openbao/openbao-helm/pull/17
|
||||||
|
repository: git.janky.solutions/jankysolutions/infra/openbao
|
||||||
|
tag: latest
|
||||||
releaseName: openbao
|
releaseName: openbao
|
||||||
version: 0.5.0
|
version: 0.5.0
|
||||||
repo: https://openbao.github.io/openbao-helm
|
repo: https://openbao.github.io/openbao-helm
|
||||||
|
|
|
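Review bot: Every image in the new values is a mutable `tag: latest` (csi at `tag: latest`, agent at `tag: latest`, and the server image is rendered as `openbao:latest` elsewhere in this commit), and the rendered manifest pairs those with `imagePullPolicy: IfNotPresent`, so each node keeps whatever `latest` it first pulled and a rebuilt image never rolls out, while the tag itself gives no supply-chain integrity for the secrets server. Pin to an immutable tag or digest, e.g. `tag: "<version>@sha256:<digest>"` (the chart appears to concatenate registry/repository:tag, so a `tag@digest` form should render correctly — worth confirming), or at minimum set `pullPolicy: Always` while `latest` is in use. The same hunk also turns on `logLevel: debug` for server and agent and `debug: true` for the CSI provider; debug logging on the secrets server widens what lands in the log pipeline and should not be the committed default, e.g. `logLevel: info  # raise to debug only while troubleshooting`. The `# registry: ...` comment pointing at openbao-helm PR 17 is a useful breadcrumb and worth keeping until that lands.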
@ -1,6 +1,8 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -exuo pipefail
|
set -exuo pipefail
|
||||||
|
|
||||||
|
cd -- "$( dirname -- "${BASH_SOURCE[0]}" )"
|
||||||
|
|
||||||
header="# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten"
|
header="# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten"
|
||||||
|
|
||||||
# operators
|
# operators
|
||||||
|
|
|
@ -6,6 +6,9 @@ helmCharts:
|
||||||
valuesInline:
|
valuesInline:
|
||||||
syncSecret:
|
syncSecret:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
linux:
|
||||||
|
registrar:
|
||||||
|
logVerbosity: 1
|
||||||
releaseName: secrets-store-csi-driver
|
releaseName: secrets-store-csi-driver
|
||||||
version: v1.4.5
|
version: v1.4.5
|
||||||
repo: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
|
repo: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
|
||||||
|
|
|
@ -3,14 +3,15 @@ kind: Kustomization
|
||||||
resources:
|
resources:
|
||||||
- operators
|
- operators
|
||||||
- system
|
- system
|
||||||
# - adsb
|
|
||||||
- forgejo
|
- forgejo
|
||||||
- generic-device-plugin
|
- generic-device-plugin
|
||||||
- invoiceninja
|
- invoiceninja
|
||||||
|
- keycloak
|
||||||
- matrix
|
- matrix
|
||||||
|
- miniflux
|
||||||
- monitoring
|
- monitoring
|
||||||
- s3staticsites
|
- s3staticsites
|
||||||
- shlink
|
- shlink
|
||||||
|
- snipeit
|
||||||
- system-upgrade-controller
|
- system-upgrade-controller
|
||||||
- keycloak
|
- tofu
|
||||||
- miniflux
|
|
||||||
|
|
|
@ -416,6 +416,8 @@ spec:
|
||||||
value: https://$(HOSTNAME).openbao-internal:8201
|
value: https://$(HOSTNAME).openbao-internal:8201
|
||||||
- name: HOME
|
- name: HOME
|
||||||
value: /home/openbao
|
value: /home/openbao
|
||||||
|
- name: BAO_LOG_LEVEL
|
||||||
|
value: debug
|
||||||
image: git.janky.solutions/jankysolutions/infra/openbao:latest
|
image: git.janky.solutions/jankysolutions/infra/openbao:latest
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
lifecycle:
|
lifecycle:
|
||||||
|
@ -525,7 +527,7 @@ spec:
|
||||||
env:
|
env:
|
||||||
- name: VAULT_ADDR
|
- name: VAULT_ADDR
|
||||||
value: unix:///var/run/vault/agent.sock
|
value: unix:///var/run/vault/agent.sock
|
||||||
image: docker.io/hashicorp/vault-csi-provider:1.4.1
|
image: git.janky.solutions/jankysolutions/infra/openbao-csi-provider:latest
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
failureThreshold: 2
|
failureThreshold: 2
|
||||||
|
@ -558,10 +560,10 @@ spec:
|
||||||
- bao
|
- bao
|
||||||
env:
|
env:
|
||||||
- name: VAULT_LOG_LEVEL
|
- name: VAULT_LOG_LEVEL
|
||||||
value: info
|
value: debug
|
||||||
- name: VAULT_LOG_FORMAT
|
- name: VAULT_LOG_FORMAT
|
||||||
value: standard
|
value: standard
|
||||||
image: quay.io/openbao/openbao:2.0.0-alpha20240329
|
image: git.janky.solutions/jankysolutions/infra/openbao:latest
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
name: openbao-agent
|
name: openbao-agent
|
||||||
ports:
|
ports:
|
||||||
|
|
|
@ -388,7 +388,7 @@ spec:
|
||||||
- virtual-kubelet
|
- virtual-kubelet
|
||||||
containers:
|
containers:
|
||||||
- args:
|
- args:
|
||||||
- --v=5
|
- --v=1
|
||||||
- --csi-address=/csi/csi.sock
|
- --csi-address=/csi/csi.sock
|
||||||
- --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock
|
- --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock
|
||||||
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
|
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
|
||||||
|
|
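--- a/tf/.gitignore
+++ b/tf/.gitignore
@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc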
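--- a/tf/.terraform.lock.hcl
+++ b/tf/.terraform.lock.hcl
@@ -0,0 +1,19 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/vault" {
+version = "4.4.0"
+hashes = [
+"h1:s0t6P9ZfUQnHLxtUcnpPWpME68KwO/OxZqHAKSIvOoo=",
+"zh:0309ea8f81386e17ab13c06c5991ca959708c55c815b0cfba2bbcd865e0d606e",
+"zh:40e56199ccd266bffa216e8ebbcdc2e29b6ef5145b39377be766e763cac759c8",
+"zh:6fad1f073bd2e53e34736e000f98db581137e153ac80bbb5c4f1a1e38b46a1d2",
+"zh:74564fd4759decccf7f3c952aa2feba1012f103a66ec354aa3b3292a2f1b2412",
+"zh:7aae012c1a43e6e5dae6f608ec0f08cdb3f95fa121a32e413fe7ee37cb99947f",
+"zh:7c83f508e164844b1dd9bafe9de0fe60c7be7b55a02e704a6e2f50cff38b7d96",
+"zh:873a42322b68d9fba4a38217b97ee04a1eb617e811d7f9954016f5c3eb6cb0bc",
+"zh:9db2b13472cf91a5f18f0a7c6ae532277c05b0980d87f492341426b981679f7b",
+"zh:ac1cbd2926265db80efe3f1814bed82901f7d8a7d4e5b1e22592e1eef234b1c7",
+"zh:f465a955cc96f640e7426a648ba672c169a4a2959bad6146fe61583d67642561",
+]
+}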
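--- a/tf/bao-auth-backends.tf
+++ b/tf/bao-auth-backends.tf
@@ -0,0 +1,24 @@
+resource "vault_jwt_auth_backend" "keycloak" {
+description = "Keycloak OIDC auth"
+path = "oidc"
+type = "oidc"
+oidc_discovery_url = "https://auth.janky.solutions/realms/janky.solutions"
+oidc_client_id = "openbao"
+oidc_client_secret = "secret123456"
+bound_issuer = "https://auth.janky.solutions/realms/janky.solutions"
+}
+
+resource "vault_auth_backend" "kubernetes" {
+type = "kubernetes"
+}
+
+resource "vault_kubernetes_auth_backend_role" "k8s-default" {
+backend = vault_auth_backend.kubernetes.path
+role_name = "kubernetes-default"
+bound_service_account_names = ["default"]
+bound_service_account_namespaces = ["*"]
+token_ttl = 3600
+token_policies = [
+vault_policy.k8s_default_sa.name
+]
+}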
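Review bot: `oidc_client_secret = "secret123456"` commits the Keycloak client secret to the repository in plaintext; it should be supplied through a `sensitive` variable (via `TF_VAR_keycloak_oidc_client_secret` or an untracked `.tfvars`, which tf/.gitignore already excludes), and because the value is now in git history it should be rotated in Keycloak regardless. Even through a variable the provider persists the secret in state, so wherever the state ends up — a Secret in the `tofu` namespace if the kubernetes backend is what is intended — needs RBAC limited to whoever runs tofu. Separately, `bound_service_account_namespaces = ["*"]` lets the `default` ServiceAccount of every namespace, present and future, log in with this role; if that is intended it deserves a comment, otherwise enumerate the namespaces.
```hcl
variable "keycloak_oidc_client_secret" {
  description = "Client secret of the `openbao` client in the Keycloak realm; supply via TF_VAR_keycloak_oidc_client_secret"
  type        = string
  sensitive   = true
}

resource "vault_jwt_auth_backend" "keycloak" {
  # … unchanged: description, path, type, oidc_discovery_url, oidc_client_id …
  oidc_client_secret = var.keycloak_oidc_client_secret
  # … unchanged: bound_issuer …
}
```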
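--- a/tf/bao-mounts.tf
+++ b/tf/bao-mounts.tf
@@ -0,0 +1,6 @@
+resource "vault_mount" "test-kv" {
+path = "test-kv"
+type = "kv"
+options = { version = "2" }
+description = "Testing KV for evaluating how OpenBao works"
+}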
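--- a/tf/bao-policies.tf
+++ b/tf/bao-policies.tf
@@ -0,0 +1,5 @@
+resource "vault_policy" "k8s_default_sa" {
+name = "k8s-default-sa"
+
+policy = file("bao-policies/k8s-default-sa.hcl")
+}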
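Review bot: `file("bao-policies/k8s-default-sa.hcl")` is resolved relative to the process working directory, not the module directory, so the plan breaks as soon as tofu is invoked from anywhere but `tf/`; use `policy = file("${path.module}/bao-policies/k8s-default-sa.hcl")`. A one-line header comment naming the consumer of this policy (the `k8s-default` role in bao-auth-backends.tf) would also help the next reader.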
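--- a/tf/bao-policies/k8s-default-sa.hcl
+++ b/tf/bao-policies/k8s-default-sa.hcl
@@ -0,0 +1,8 @@
+path "test-kv/{{identity.entity.service_account_namespace}}/*" {
+capabilities = ["read"]
+}
+
+# Allow a token to manage its own cubbyhole
+path "cubbyhole/*" {
+capabilities = ["create", "read", "update", "delete", "list"]
+}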
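Review bot: The `test-kv` mount is created as KV version 2 in tf/bao-mounts.tf, and KV v2 serves secret reads under `test-kv/data/<path>` (lists under `test-kv/metadata/<path>`), so the rule on `test-kv/{{...}}/*` on the first line matches no request a client actually makes and the role effectively grants nothing beyond the cubbyhole. Also, as far as I can tell `{{identity.entity.service_account_namespace}}` is not a recognised ACL template parameter; the kubernetes auth method exposes that value as alias metadata, i.e. `{{identity.entity.aliases.<kubernetes_mount_accessor>.metadata.service_account_namespace}}` — worth confirming against OpenBao's policy-templating docs, noting that an unknown parameter fails closed rather than over-granting. A corrected first line would look like `path "test-kv/data/{{identity.entity.aliases.<accessor>.metadata.service_account_namespace}}/*" {`, with the accessor injected from `vault_auth_backend.kubernetes.accessor` via `templatefile()` rather than hard-coded.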
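--- a/tf/bao-policies/oidc-example.hcl
+++ b/tf/bao-policies/oidc-example.hcl
@@ -0,0 +1,87 @@
+
+# Allow tokens to look up their own properties
+path "auth/token/lookup-self" {
+capabilities = ["read"]
+}
+
+# Allow tokens to renew themselves
+path "auth/token/renew-self" {
+capabilities = ["update"]
+}
+
+# Allow tokens to revoke themselves
+path "auth/token/revoke-self" {
+capabilities = ["update"]
+}
+
+# Allow a token to look up its own capabilities on a path
+path "sys/capabilities-self" {
+capabilities = ["update"]
+}
+
+# Allow a token to look up its own entity by id or name
+path "identity/entity/id/{{identity.entity.id}}" {
+capabilities = ["read"]
+}
+path "identity/entity/name/{{identity.entity.name}}" {
+capabilities = ["read"]
+}
+
+
+# Allow a token to look up its resultant ACL from all policies. This is useful
+# for UIs. It is an internal path because the format may change at any time
+# based on how the internal ACL features and capabilities change.
+path "sys/internal/ui/resultant-acl" {
+capabilities = ["read"]
+}
+
+# Allow a token to renew a lease via lease_id in the request body; old path for
+# old clients, new path for newer
+path "sys/renew" {
+capabilities = ["update"]
+}
+path "sys/leases/renew" {
+capabilities = ["update"]
+}
+
+# Allow looking up lease properties. This requires knowing the lease ID ahead
+# of time and does not divulge any sensitive information.
+path "sys/leases/lookup" {
+capabilities = ["update"]
+}
+
+# Allow a token to manage its own cubbyhole
+path "cubbyhole/*" {
+capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# Allow a token to wrap arbitrary values in a response-wrapping token
+path "sys/wrapping/wrap" {
+capabilities = ["update"]
+}
+
+# Allow a token to look up the creation time and TTL of a given
+# response-wrapping token
+path "sys/wrapping/lookup" {
+capabilities = ["update"]
+}
+
+# Allow a token to unwrap a response-wrapping token. This is a convenience to
+# avoid client token swapping since this is also part of the response wrapping
+# policy.
+path "sys/wrapping/unwrap" {
+capabilities = ["update"]
+}
+
+# Allow general purpose tools
+path "sys/tools/hash" {
+capabilities = ["update"]
+}
+path "sys/tools/hash/*" {
+capabilities = ["update"]
+}
+
+# Allow a token to make requests to the Authorization Endpoint for OIDC providers.
+path "identity/oidc/provider/+/authorize" {
+capabilities = ["read", "update"]
+}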
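Review bot: Nothing in this commit loads this file — no `vault_policy` resource references `bao-policies/oidc-example.hcl` — so the `identity/oidc/provider/+/authorize` grant at the end is never applied, and the rest appears to be a copy of the built-in `default` policy that tokens already receive. Either wire it up (`resource "vault_policy" "oidc_example" { name = "oidc-example"; policy = file("${path.module}/bao-policies/oidc-example.hcl") }`) and attach it to an OIDC role, or add a header comment such as `# Reference copy of the built-in default policy plus the OIDC authorize path; not applied by tofu` so nobody assumes it is enforced. Note also that no `vault_jwt_auth_backend_role` appears in this commit for the `oidc` mount, so OIDC login is not possible yet regardless of policy.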
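--- a/tf/providers.tf
+++ b/tf/providers.tf
@@ -0,0 +1,14 @@
+data "terraform_remote_state" "foo" {
+backend = "kubernetes"
+config = {
+secret_suffix = "state"
+namespace = "tofu"
+config_path = "../.kubeconfig"
+}
+}
+
+provider "vault" {
+# This will default to using $VAULT_ADDR
+# But can be set explicitly
+# address = "https://vault.example.net:8200"
+}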
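Review bot: `data "terraform_remote_state" "foo"` only reads state written by some other configuration; it does not configure where this module's own state is stored, and none of the 15 files in this commit contains a `terraform { backend ... }` block, so state defaults to a local `terraform.tfstate` (which tf/.gitignore then hides) while `foo` is never referenced. The intent looks like the kubernetes backend, which belongs in a `terraform` block as below. Keep in mind that state holds the OIDC client secret from bao-auth-backends.tf in plaintext, so the state Secret that backend creates in the `tofu` namespace needs RBAC limited to whoever runs tofu, and `config_path = "../.kubeconfig"` ties every run to a repo-local admin kubeconfig. The `provider "vault"` block relies on `VAULT_ADDR`/`VAULT_TOKEN`; if that token is the root token kept in `bao-root.json`, a short-lived token carrying only the policies tofu needs would be safer.
```hcl
terraform {
  backend "kubernetes" {
    secret_suffix = "state"
    namespace     = "tofu"
    config_path   = "../.kubeconfig"
  }
}

# … unchanged: provider "vault" block …
```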