Initial bao authorization stuff for k8s service accounts working!

This commit is contained in:
Finn 2024-09-10 09:19:25 -07:00
parent e18324dfc4
commit de602d98f2
7 changed files with 34 additions and 38 deletions


@ -10,7 +10,6 @@ helmCharts:
injector:
enabled: false
server:
logLevel: debug
image:
registry: git.janky.solutions
repository: jankysolutions/infra/openbao
@ -31,9 +30,9 @@ helmCharts:
agent:
logLevel: debug
image:
# registry: git.janky.solutions # registry isnt actually used yet: https://github.com/openbao/openbao-helm/pull/17
repository: git.janky.solutions/jankysolutions/infra/openbao
registry: git.janky.solutions
repository: jankysolutions/infra/openbao
tag: latest
releaseName: openbao
version: 0.5.0
version: 0.5.1
repo: https://openbao.github.io/openbao-helm
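Review bot: The regenerated bundle in this same commit renders the agent container image as `quay.io/git.janky.solutions/jankysolutions/infra/openbao:latest`, which neither the old `repository` value nor the new `registry`/`repository` pair in the second hunk produces — either the bundle was rendered before these values changed, or the chart still ignores `registry` for the agent image, as the comment being dropped said (openbao-helm PR 17), and prefixes its default registry. Re-run the generator and confirm the agent image resolves to `git.janky.solutions/jankysolutions/infra/openbao`; a `quay.io/...` reference means the agent would pull from a registry you do not control, or fail to pull at all. Both image stanzas use `tag: latest`, a mutable tag; pinning a digest or an immutable tag keeps the bundle reproducible and the deployed image auditable. The enclosing `helmCharts` entry starts above the first hunk.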


@ -9,5 +9,6 @@ header="# DO NOT EDIT: This file has been automatically generated by the script
for component in openbao external-secrets secrets-store-csi-driver; do
mkdir -p ../k8s/operators/${component}
echo "${header}" > ../k8s/operators/${component}/bundle.yaml
rm -rf "${component}/charts" # it doesn't seem to update them otherwise
kubectl kustomize --enable-helm ${component}/ >> ../k8s/operators/${component}/bundle.yaml
done
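Review bot: The added `rm -rf "${component}/charts"` runs after the line above has already truncated the bundle to the header, so a failed `kubectl kustomize` (chart fetch error, bad values) leaves a header-only bundle on disk that can be committed unnoticed, and unless `set -e` is set earlier in the script (its head is outside the hunk) the loop just continues. Render into a temporary file and only replace the bundle on success, e.g. `kubectl kustomize --enable-helm "${component}/" > "${tmp}" && { echo "${header}"; cat "${tmp}"; } > "../k8s/operators/${component}/bundle.yaml"`. The new line quotes `${component}` while the surrounding lines do not; quoting it everywhere keeps the loop consistent.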


@ -6,7 +6,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao
namespace: openbao
---
@ -52,7 +52,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao-discovery-role
namespace: openbao
rules:
@ -108,7 +108,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao-discovery-rolebinding
namespace: openbao
roleRef:
@ -144,7 +144,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao-server-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -183,7 +183,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao-config
namespace: openbao
---
@ -206,7 +206,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao-csi-provider-agent-config
namespace: openbao
---
@ -217,7 +217,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao
namespace: openbao
spec:
@ -241,7 +241,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
openbao-active: "true"
name: openbao-active
namespace: openbao
@ -267,7 +267,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
openbao-internal: "true"
name: openbao-internal
namespace: openbao
@ -293,7 +293,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao-standby
namespace: openbao
spec:
@ -318,7 +318,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-ui
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao-ui
namespace: openbao
spec:
@ -358,7 +358,7 @@ spec:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
component: server
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
spec:
affinity:
podAntiAffinity:
@ -416,8 +416,6 @@ spec:
value: https://$(HOSTNAME).openbao-internal:8201
- name: HOME
value: /home/openbao
- name: BAO_LOG_LEVEL
value: debug
image: git.janky.solutions/jankysolutions/infra/openbao:latest
imagePullPolicy: IfNotPresent
lifecycle:
@ -488,7 +486,7 @@ metadata:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0
helm.sh/chart: openbao-0.5.1
name: openbao
namespace: openbao
spec:
@ -559,11 +557,11 @@ spec:
command:
- bao
env:
- name: VAULT_LOG_LEVEL
- name: BAO_LOG_LEVEL
value: debug
- name: VAULT_LOG_FORMAT
- name: BAO_LOG_FORMAT
value: standard
image: git.janky.solutions/jankysolutions/infra/openbao:latest
image: quay.io/git.janky.solutions/jankysolutions/infra/openbao:latest
imagePullPolicy: IfNotPresent
name: openbao-agent
ports:


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml

4
k8s/tofu/namespace.yaml Normal file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: tofu


@ -1,17 +1,12 @@
resource "vault_jwt_auth_backend" "keycloak" {
description = "Keycloak OIDC auth"
path = "oidc"
type = "oidc"
oidc_discovery_url = "https://auth.janky.solutions/realms/janky.solutions"
oidc_client_id = "openbao"
oidc_client_secret = "secret123456"
bound_issuer = "https://auth.janky.solutions/realms/janky.solutions"
}
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
}
resource "vault_kubernetes_auth_backend_config" "example" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://kubernetes.default.svc.cluster.local:443"
}
resource "vault_kubernetes_auth_backend_role" "k8s-default" {
backend = vault_auth_backend.kubernetes.path
role_name = "kubernetes-default"
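Review bot: `"example"` is a placeholder resource name on `vault_kubernetes_auth_backend_config`; name it after the backend it configures, `resource "vault_kubernetes_auth_backend_config" "kubernetes" {`, so references elsewhere read naturally. The `k8s-default` role block begins at the end of the hunk and continues outside it, so its `bound_service_account_names`, `bound_service_account_namespaces` and `token_policies` are not visible here; the name suggests a catch-all, and a wildcard binding would let any service account in the cluster obtain a token carrying that role's policies, so confirm the bindings are narrowed to the namespaces and accounts that need them. The `vault_jwt_auth_backend` block at the top of the hunk carries an inline `oidc_client_secret`; whether it survives on the new side is not certain from the rendered page, but if it does, the value belongs in a variable or secret store rather than the file and state.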


@ -1,8 +1,3 @@
path "test-kv/{{identity.entity.service_account_namespace}}/*" {
path "test-kv/data/{{identity.entity.aliases.auth_kubernetes_6872b6a9.metadata.service_account_namespace}}/*" {
capabilities = ["read"]
}
# Allow a token to manage its own cubbyhole
path "cubbyhole/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
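Review bot: The new path template embeds a mount accessor literal, `auth_kubernetes_6872b6a9`; accessors are generated when a mount is created, so re-creating the `kubernetes` auth backend (now managed by Terraform in this commit) yields a different accessor, the template then matches none of the token's aliases, and reads silently stop being granted. Render the policy from Terraform instead — a `vault_policy` whose `policy` comes from `templatefile()` with `vault_auth_backend.kubernetes.accessor` substituted into the accessor segment — so the policy follows the mount. Dropping the cubbyhole stanza is fine only if tokens still receive the `default` policy, which normally covers `cubbyhole/*`; worth confirming against the role's `token_policies`.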