use opentofu to configure openbao + other bao fixes

This commit is contained in:
Finn 2024-09-10 00:32:41 -07:00
parent 8f7fa85bb8
commit 3acaaf6d09
15 changed files with 225 additions and 8 deletions

1
.gitignore vendored
View file

@ -1,3 +1,4 @@
/secrets
secrets.yaml
bao-root.json
.kubeconfig

View file

@ -10,6 +10,7 @@ helmCharts:
injector:
enabled: false
server:
logLevel: debug
image:
registry: git.janky.solutions
repository: jankysolutions/infra/openbao
@ -23,9 +24,16 @@ helmCharts:
csi:
enabled: true
debug: true
agent:
image:
repository: quay.io/openbao/openbao
registry: git.janky.solutions
repository: jankysolutions/infra/openbao-csi-provider
tag: latest
agent:
logLevel: debug
image:
# registry: git.janky.solutions # registry isnt actually used yet: https://github.com/openbao/openbao-helm/pull/17
repository: git.janky.solutions/jankysolutions/infra/openbao
tag: latest
releaseName: openbao
version: 0.5.0
repo: https://openbao.github.io/openbao-helm

View file

@ -1,6 +1,8 @@
#!/bin/bash
set -exuo pipefail
cd -- "$( dirname -- "${BASH_SOURCE[0]}" )"
header="# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten"
# operators

View file

@ -6,6 +6,9 @@ helmCharts:
valuesInline:
syncSecret:
enabled: true
linux:
registrar:
logVerbosity: 1
releaseName: secrets-store-csi-driver
version: v1.4.5
repo: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts

View file

@ -3,14 +3,15 @@ kind: Kustomization
resources:
- operators
- system
# - adsb
- forgejo
- generic-device-plugin
- invoiceninja
- keycloak
- matrix
- miniflux
- monitoring
- s3staticsites
- shlink
- snipeit
- system-upgrade-controller
- keycloak
- miniflux
- tofu

View file

@ -416,6 +416,8 @@ spec:
value: https://$(HOSTNAME).openbao-internal:8201
- name: HOME
value: /home/openbao
- name: BAO_LOG_LEVEL
value: debug
image: git.janky.solutions/jankysolutions/infra/openbao:latest
imagePullPolicy: IfNotPresent
lifecycle:
@ -525,7 +527,7 @@ spec:
env:
- name: VAULT_ADDR
value: unix:///var/run/vault/agent.sock
image: docker.io/hashicorp/vault-csi-provider:1.4.1
image: git.janky.solutions/jankysolutions/infra/openbao-csi-provider:latest
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 2
@ -558,10 +560,10 @@ spec:
- bao
env:
- name: VAULT_LOG_LEVEL
value: info
value: debug
- name: VAULT_LOG_FORMAT
value: standard
image: quay.io/openbao/openbao:2.0.0-alpha20240329
image: git.janky.solutions/jankysolutions/infra/openbao:latest
imagePullPolicy: IfNotPresent
name: openbao-agent
ports:

View file

@ -388,7 +388,7 @@ spec:
- virtual-kubelet
containers:
- args:
- --v=5
- --v=1
- --csi-address=/csi/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1

37
tf/.gitignore vendored Normal file
View file

@ -0,0 +1,37 @@
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
crash.*.log
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Ignore transient lock info files created by terraform apply
.terraform.tfstate.lock.info
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc

19
tf/.terraform.lock.hcl Normal file
View file

@ -0,0 +1,19 @@
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/hashicorp/vault" {
version = "4.4.0"
hashes = [
"h1:s0t6P9ZfUQnHLxtUcnpPWpME68KwO/OxZqHAKSIvOoo=",
"zh:0309ea8f81386e17ab13c06c5991ca959708c55c815b0cfba2bbcd865e0d606e",
"zh:40e56199ccd266bffa216e8ebbcdc2e29b6ef5145b39377be766e763cac759c8",
"zh:6fad1f073bd2e53e34736e000f98db581137e153ac80bbb5c4f1a1e38b46a1d2",
"zh:74564fd4759decccf7f3c952aa2feba1012f103a66ec354aa3b3292a2f1b2412",
"zh:7aae012c1a43e6e5dae6f608ec0f08cdb3f95fa121a32e413fe7ee37cb99947f",
"zh:7c83f508e164844b1dd9bafe9de0fe60c7be7b55a02e704a6e2f50cff38b7d96",
"zh:873a42322b68d9fba4a38217b97ee04a1eb617e811d7f9954016f5c3eb6cb0bc",
"zh:9db2b13472cf91a5f18f0a7c6ae532277c05b0980d87f492341426b981679f7b",
"zh:ac1cbd2926265db80efe3f1814bed82901f7d8a7d4e5b1e22592e1eef234b1c7",
"zh:f465a955cc96f640e7426a648ba672c169a4a2959bad6146fe61583d67642561",
]
}

24
tf/bao-auth-backends.tf Normal file
View file

@ -0,0 +1,24 @@
resource "vault_jwt_auth_backend" "keycloak" {
description = "Keycloak OIDC auth"
path = "oidc"
type = "oidc"
oidc_discovery_url = "https://auth.janky.solutions/realms/janky.solutions"
oidc_client_id = "openbao"
oidc_client_secret = "secret123456"
bound_issuer = "https://auth.janky.solutions/realms/janky.solutions"
}
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
}
resource "vault_kubernetes_auth_backend_role" "k8s-default" {
backend = vault_auth_backend.kubernetes.path
role_name = "kubernetes-default"
bound_service_account_names = ["default"]
bound_service_account_namespaces = ["*"]
token_ttl = 3600
token_policies = [
vault_policy.k8s_default_sa.name
]
}

6
tf/bao-mounts.tf Normal file
View file

@ -0,0 +1,6 @@
resource "vault_mount" "test-kv" {
path = "test-kv"
type = "kv"
options = { version = "2" }
description = "Testing KV for evaluating how OpenBao works"
}

5
tf/bao-policies.tf Normal file
View file

@ -0,0 +1,5 @@
resource "vault_policy" "k8s_default_sa" {
name = "k8s-default-sa"
policy = file("bao-policies/k8s-default-sa.hcl")
}

View file

@ -0,0 +1,8 @@
path "test-kv/{{identity.entity.service_account_namespace}}/*" {
capabilities = ["read"]
}
# Allow a token to manage its own cubbyhole
path "cubbyhole/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}

View file

@ -0,0 +1,87 @@
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow tokens to renew themselves
path "auth/token/renew-self" {
capabilities = ["update"]
}
# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
capabilities = ["update"]
}
# Allow a token to look up its own capabilities on a path
path "sys/capabilities-self" {
capabilities = ["update"]
}
# Allow a token to look up its own entity by id or name
path "identity/entity/id/{{identity.entity.id}}" {
capabilities = ["read"]
}
path "identity/entity/name/{{identity.entity.name}}" {
capabilities = ["read"]
}
# Allow a token to look up its resultant ACL from all policies. This is useful
# for UIs. It is an internal path because the format may change at any time
# based on how the internal ACL features and capabilities change.
path "sys/internal/ui/resultant-acl" {
capabilities = ["read"]
}
# Allow a token to renew a lease via lease_id in the request body; old path for
# old clients, new path for newer
path "sys/renew" {
capabilities = ["update"]
}
path "sys/leases/renew" {
capabilities = ["update"]
}
# Allow looking up lease properties. This requires knowing the lease ID ahead
# of time and does not divulge any sensitive information.
path "sys/leases/lookup" {
capabilities = ["update"]
}
# Allow a token to manage its own cubbyhole
path "cubbyhole/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Allow a token to wrap arbitrary values in a response-wrapping token
path "sys/wrapping/wrap" {
capabilities = ["update"]
}
# Allow a token to look up the creation time and TTL of a given
# response-wrapping token
path "sys/wrapping/lookup" {
capabilities = ["update"]
}
# Allow a token to unwrap a response-wrapping token. This is a convenience to
# avoid client token swapping since this is also part of the response wrapping
# policy.
path "sys/wrapping/unwrap" {
capabilities = ["update"]
}
# Allow general purpose tools
path "sys/tools/hash" {
capabilities = ["update"]
}
path "sys/tools/hash/*" {
capabilities = ["update"]
}
# Allow a token to make requests to the Authorization Endpoint for OIDC providers.
path "identity/oidc/provider/+/authorize" {
capabilities = ["read", "update"]
}

14
tf/providers.tf Normal file
View file

@ -0,0 +1,14 @@
data "terraform_remote_state" "foo" {
backend = "kubernetes"
config = {
secret_suffix = "state"
namespace = "tofu"
config_path = "../.kubeconfig"
}
}
provider "vault" {
# This will default to using $VAULT_ADDR
# But can be set explicitly
# address = "https://vault.example.net:8200"
}