JankySolutions/infra
2
0
Fork 0
Code Issues Pull requests 5 Projects Releases Packages 12 Wiki Activity Actions

Initial bao authorization stuff for k8s service accounts working!

Browse source
This commit is contained in:
Finn 2024-09-10 09:19:25 -07:00
parent e18324dfc4
commit de602d98f2
7 changed files with 34 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
helm/openbao/kustomization.yaml
View file

@ -10,7 +10,6 @@ helmCharts:
injector: injector:
enabled: false enabled: false
server: server:
logLevel: debug
image: image:
registry: git.janky.solutions registry: git.janky.solutions
repository: jankysolutions/infra/openbao repository: jankysolutions/infra/openbao
@ -31,9 +30,9 @@ helmCharts:
agent: agent:
logLevel: debug logLevel: debug
image: image:
# registry: git.janky.solutions # registry isnt actually used yet: https://github.com/openbao/openbao-helm/pull/17 registry: git.janky.solutions
repository: git.janky.solutions/jankysolutions/infra/openbao repository: jankysolutions/infra/openbao
tag: latest tag: latest
releaseName: openbao releaseName: openbao
version: 0.5.0 version: 0.5.1
repo: https://openbao.github.io/openbao-helm repo: https://openbao.github.io/openbao-helm

1
helm/render-all.sh
View file

@ -9,5 +9,6 @@ header="# DO NOT EDIT: This file has been automatically generated by the script
for component in openbao external-secrets secrets-store-csi-driver; do for component in openbao external-secrets secrets-store-csi-driver; do
mkdir -p ../k8s/operators/${component} mkdir -p ../k8s/operators/${component}
echo "${header}" > ../k8s/operators/${component}/bundle.yaml echo "${header}" > ../k8s/operators/${component}/bundle.yaml
rm -rf "${component}/charts" # it doesn't seem to update them otherwise
kubectl kustomize --enable-helm ${component}/ >> ../k8s/operators/${component}/bundle.yaml kubectl kustomize --enable-helm ${component}/ >> ../k8s/operators/${component}/bundle.yaml
done done

34
k8s/operators/openbao/bundle.yaml
View file

@ -6,7 +6,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao name: openbao
namespace: openbao namespace: openbao
--- ---
@ -52,7 +52,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao-discovery-role name: openbao-discovery-role
namespace: openbao namespace: openbao
rules: rules:
@ -108,7 +108,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao-discovery-rolebinding name: openbao-discovery-rolebinding
namespace: openbao namespace: openbao
roleRef: roleRef:
@ -144,7 +144,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao-server-binding name: openbao-server-binding
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@ -183,7 +183,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao-config name: openbao-config
namespace: openbao namespace: openbao
--- ---
@ -206,7 +206,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider app.kubernetes.io/name: openbao-csi-provider
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao-csi-provider-agent-config name: openbao-csi-provider-agent-config
namespace: openbao namespace: openbao
--- ---
@ -217,7 +217,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao name: openbao
namespace: openbao namespace: openbao
spec: spec:
@ -241,7 +241,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
openbao-active: "true" openbao-active: "true"
name: openbao-active name: openbao-active
namespace: openbao namespace: openbao
@ -267,7 +267,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
openbao-internal: "true" openbao-internal: "true"
name: openbao-internal name: openbao-internal
namespace: openbao namespace: openbao
@ -293,7 +293,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao-standby name: openbao-standby
namespace: openbao namespace: openbao
spec: spec:
@ -318,7 +318,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-ui app.kubernetes.io/name: openbao-ui
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao-ui name: openbao-ui
namespace: openbao namespace: openbao
spec: spec:
@ -358,7 +358,7 @@ spec:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
component: server component: server
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
spec: spec:
affinity: affinity:
podAntiAffinity: podAntiAffinity:
@ -416,8 +416,6 @@ spec:
value: https://$(HOSTNAME).openbao-internal:8201 value: https://$(HOSTNAME).openbao-internal:8201
- name: HOME - name: HOME
value: /home/openbao value: /home/openbao
- name: BAO_LOG_LEVEL
value: debug
image: git.janky.solutions/jankysolutions/infra/openbao:latest image: git.janky.solutions/jankysolutions/infra/openbao:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
@ -488,7 +486,7 @@ metadata:
app.kubernetes.io/instance: openbao app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao app.kubernetes.io/name: openbao
helm.sh/chart: openbao-0.4.0 helm.sh/chart: openbao-0.5.1
name: openbao name: openbao
namespace: openbao namespace: openbao
spec: spec:
@ -559,11 +557,11 @@ spec:
command: command:
- bao - bao
env: env:
- name: VAULT_LOG_LEVEL - name: BAO_LOG_LEVEL
value: debug value: debug
- name: VAULT_LOG_FORMAT - name: BAO_LOG_FORMAT
value: standard value: standard
image: git.janky.solutions/jankysolutions/infra/openbao:latest image: quay.io/git.janky.solutions/jankysolutions/infra/openbao:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: openbao-agent name: openbao-agent
ports: ports:

4
k8s/tofu/kustomization.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml

4
k8s/tofu/namespace.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: tofu

15
tf/bao-auth-backends.tf
View file

@ -1,17 +1,12 @@
resource "vault_jwt_auth_backend" "keycloak" {
description = "Keycloak OIDC auth"
path = "oidc"
type = "oidc"
oidc_discovery_url = "https://auth.janky.solutions/realms/janky.solutions"
oidc_client_id = "openbao"
oidc_client_secret = "secret123456"
bound_issuer = "https://auth.janky.solutions/realms/janky.solutions"
}
resource "vault_auth_backend" "kubernetes" { resource "vault_auth_backend" "kubernetes" {
type = "kubernetes" type = "kubernetes"
} }
resource "vault_kubernetes_auth_backend_config" "example" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://kubernetes.default.svc.cluster.local:443"
}
resource "vault_kubernetes_auth_backend_role" "k8s-default" { resource "vault_kubernetes_auth_backend_role" "k8s-default" {
backend = vault_auth_backend.kubernetes.path backend = vault_auth_backend.kubernetes.path
role_name = "kubernetes-default" role_name = "kubernetes-default"

7
tf/bao-policies/k8s-default-sa.hcl
View file

@ -1,8 +1,3 @@
path "test-kv/{{identity.entity.service_account_namespace}}/*" { path "test-kv/data/{{identity.entity.aliases.auth_kubernetes_6872b6a9.metadata.service_account_namespace}}/*" {
capabilities = ["read"] capabilities = ["read"]
} }
# Allow a token to manage its own cubbyhole
path "cubbyhole/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}