diff --git a/helm/openbao/kustomization.yaml b/helm/openbao/kustomization.yaml
index a2bfa9a..ef27b51 100644
--- a/helm/openbao/kustomization.yaml
+++ b/helm/openbao/kustomization.yaml
@@ -10,7 +10,6 @@ helmCharts:
 injector:
 enabled: false
 server:
- logLevel: debug
 image:
 registry: git.janky.solutions
 repository: jankysolutions/infra/openbao
@@ -31,9 +30,9 @@ helmCharts:
 agent:
 logLevel: debug
 image:
- # registry: git.janky.solutions # registry isnt actually used yet: https://github.com/openbao/openbao-helm/pull/17
- repository: git.janky.solutions/jankysolutions/infra/openbao
+ registry: git.janky.solutions
+ repository: jankysolutions/infra/openbao
 tag: latest
 releaseName: openbao
- version: 0.5.0
+ version: 0.5.1
 repo: https://openbao.github.io/openbao-helm
diff --git a/helm/render-all.sh b/helm/render-all.sh
index 20fa0b7..15cd0c2 100755
--- a/helm/render-all.sh
+++ b/helm/render-all.sh
@@ -9,5 +9,6 @@ header="# DO NOT EDIT: This file has been automatically generated by the script
 for component in openbao external-secrets secrets-store-csi-driver; do
 mkdir -p ../k8s/operators/${component}
 echo "${header}" > ../k8s/operators/${component}/bundle.yaml
+ rm -rf "${component}/charts" # it doesn't seem to update them otherwise
 kubectl kustomize --enable-helm ${component}/ >> ../k8s/operators/${component}/bundle.yaml
 done
diff --git a/k8s/operators/openbao/bundle.yaml b/k8s/operators/openbao/bundle.yaml
index aab7686..e04d20c 100644
--- a/k8s/operators/openbao/bundle.yaml
+++ b/k8s/operators/openbao/bundle.yaml
@@ -6,7 +6,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao
 namespace: openbao
 ---
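Review bot: The agent image values `registry: git.janky.solutions` / `repository: jankysolutions/infra/openbao` render in this same commit to `image: quay.io/git.janky.solutions/jankysolutions/infra/openbao:latest` (the `@@ -559,11 +557,11 @@` hunk of k8s/operators/openbao/bundle.yaml), which is not the private-registry reference these values intend — the registry hostname has become a path component under a public registry. That suggests the 0.5.1 chart's csi agent template still prefixes `quay.io/` and does not treat `registry` the way the server template does, so the previous form `repository: git.janky.solutions/jankysolutions/infra/openbao` with no `registry:` key looks like what is needed until the chart is fixed; confirm against the chart's csi template before applying. As rendered, the agent would pull from a public-registry path the project does not control, which is a pull failure at best and a supply-chain exposure if that path is ever claimable. The agent also keeps `logLevel: debug` while the server had it removed; debug output from a secrets agent is verbose, so confirm that asymmetry is intended.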
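Review bot: The new `rm -rf "${component}/charts"` quotes `${component}` while the three neighbouring lines that use it do not; the loop list is fixed so this is consistency rather than safety, but quoting all of them (e.g. `mkdir -p "../k8s/operators/${component}"`) would make the loop uniform. The trailing comment leaves the reader guessing what fails to update; `# kustomize --enable-helm reuses a previously pulled chart in <component>/charts; clear it so the version pinned in kustomization.yaml is re-fetched` records the reason the author observed. The path is relative to the working directory, so unless the script already changes into its own directory above line 9 (the top of the file is outside this hunk), running it from elsewhere makes `rm -rf` act on whatever `openbao/charts` happens to exist there, or silently on nothing.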
@@ -52,7 +52,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao-discovery-role
 namespace: openbao
 rules:
@@ -108,7 +108,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao-discovery-rolebinding
 namespace: openbao
 roleRef:
@@ -144,7 +144,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao-server-binding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -183,7 +183,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao-config
 namespace: openbao
 ---
@@ -206,7 +206,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao-csi-provider
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao-csi-provider-agent-config
 namespace: openbao
 ---
@@ -217,7 +217,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao
 namespace: openbao
 spec:
@@ -241,7 +241,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 openbao-active: "true"
 name: openbao-active
 namespace: openbao
@@ -267,7 +267,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 openbao-internal: "true"
 name: openbao-internal
 namespace: openbao
@@ -293,7 +293,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao-standby
 namespace: openbao
 spec:
@@ -318,7 +318,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao-ui
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao-ui
 namespace: openbao
 spec:
@@ -358,7 +358,7 @@ spec:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/name: openbao
 component: server
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 spec:
 affinity:
 podAntiAffinity:
@@ -416,8 +416,6 @@ spec:
 value: https://$(HOSTNAME).openbao-internal:8201
 - name: HOME
 value: /home/openbao
- - name: BAO_LOG_LEVEL
- value: debug
 image: git.janky.solutions/jankysolutions/infra/openbao:latest
 imagePullPolicy: IfNotPresent
 lifecycle:
@@ -488,7 +486,7 @@ metadata:
 app.kubernetes.io/instance: openbao
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: openbao
- helm.sh/chart: openbao-0.4.0
+ helm.sh/chart: openbao-0.5.1
 name: openbao
 namespace: openbao
 spec:
@@ -559,11 +557,11 @@ spec:
 command:
 - bao
 env:
- - name: VAULT_LOG_LEVEL
+ - name: BAO_LOG_LEVEL
 value: debug
- - name: VAULT_LOG_FORMAT
+ - name: BAO_LOG_FORMAT
 value: standard
- image: git.janky.solutions/jankysolutions/infra/openbao:latest
+ image: quay.io/git.janky.solutions/jankysolutions/infra/openbao:latest
 imagePullPolicy: IfNotPresent
 name: openbao-agent
 ports:
diff --git a/k8s/tofu/kustomization.yaml b/k8s/tofu/kustomization.yaml
new file mode 100644
index 0000000..48ef36e
--- /dev/null
+++ b/k8s/tofu/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
diff --git a/k8s/tofu/namespace.yaml b/k8s/tofu/namespace.yaml
new file mode 100644
index 0000000..8a4ff2b
--- /dev/null
+++ b/k8s/tofu/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tofu
diff --git a/tf/bao-auth-backends.tf b/tf/bao-auth-backends.tf
index 0925354..ca6d646 100644
--- a/tf/bao-auth-backends.tf
+++ b/tf/bao-auth-backends.tf
@@ -1,17 +1,12 @@
-resource "vault_jwt_auth_backend" "keycloak" {
- description = "Keycloak OIDC auth"
- path = "oidc"
- type = "oidc"
- oidc_discovery_url = "https://auth.janky.solutions/realms/janky.solutions"
- oidc_client_id = "openbao"
- oidc_client_secret = "secret123456"
- bound_issuer = "https://auth.janky.solutions/realms/janky.solutions"
-}
-
 resource "vault_auth_backend" "kubernetes" {
 type = "kubernetes"
 }
 
+resource "vault_kubernetes_auth_backend_config" "example" {
+ backend = vault_auth_backend.kubernetes.path
+ kubernetes_host = "https://kubernetes.default.svc.cluster.local:443"
+}
+
 resource "vault_kubernetes_auth_backend_role" "k8s-default" {
 backend = vault_auth_backend.kubernetes.path
 role_name = "kubernetes-default"
diff --git a/tf/bao-policies/k8s-default-sa.hcl b/tf/bao-policies/k8s-default-sa.hcl
index 7e8ffbb..4b36341 100644
--- a/tf/bao-policies/k8s-default-sa.hcl
+++ b/tf/bao-policies/k8s-default-sa.hcl
@@ -1,8 +1,3 @@
-path "test-kv/{{identity.entity.service_account_namespace}}/*" {
+path "test-kv/data/{{identity.entity.aliases.auth_kubernetes_6872b6a9.metadata.service_account_namespace}}/*" {
 capabilities = ["read"]
 }
-
-# Allow a token to manage its own cubbyhole
-path "cubbyhole/*" {
- capabilities = ["create", "read", "update", "delete", "list"]
-}
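Review bot: The new `tofu` Namespace carries no labels, so nothing in this manifest constrains what may run in it; if the cluster relies on Pod Security Admission, the standard labels belong under `metadata.labels` before workloads land there, e.g. `pod-security.kubernetes.io/enforce: restricted` with matching `warn` and `audit` entries at the same level. Whether a cluster-wide admission default already covers new namespaces is not visible from this diff, so treat this as a check to run rather than a confirmed gap.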
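Review bot: The new `vault_kubernetes_auth_backend_config` is labelled `"example"`, a placeholder carried over from provider documentation; a descriptive label keeps state addresses readable, e.g. `resource "vault_kubernetes_auth_backend_config" "kubernetes" {`. The config sets only `kubernetes_host` with no `kubernetes_ca_cert` or `token_reviewer_jwt`, so token review presumably falls back to the OpenBao pod's own service-account credentials; that works only while the server runs in-cluster under a service account permitted to submit TokenReviews (the `openbao-server-binding` in the rendered bundle looks like that grant), and a one-line comment stating this dependency would spare the next reader the inference. The removed `vault_jwt_auth_backend` block held a literal `oidc_client_secret`; if that was ever a live value it remains in git history and should be rotated on the identity-provider side rather than considered gone.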
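Review bot: The new path hard-codes the mount accessor `auth_kubernetes_6872b6a9`; accessors are generated when a mount is created, so if the kubernetes auth backend is ever recreated (including Terraform replacing `vault_auth_backend.kubernetes`) the templated path stops matching and every service account silently loses read access. Since the backend is managed in tf/bao-auth-backends.tf, the accessor can be supplied from the live resource instead — for example load this file with `templatefile()` passing `accessor = vault_auth_backend.kubernetes.accessor` and write the path as `test-kv/data/{{identity.entity.aliases.${accessor}.metadata.service_account_namespace}}/*` — assuming the policy is currently read with `file()`, which is outside this diff. Dropping the explicit `cubbyhole/*` grant is harmless only if the role's tokens still receive the `default` policy, which is worth confirming on the `k8s-default` role definition.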