Initial bao authorization stuff for k8s service accounts working!
This commit is contained in:
parent
e18324dfc4
commit
de602d98f2
7 changed files with 34 additions and 38 deletions
|
@ -10,7 +10,6 @@ helmCharts:
|
|||
injector:
|
||||
enabled: false
|
||||
server:
|
||||
logLevel: debug
|
||||
image:
|
||||
registry: git.janky.solutions
|
||||
repository: jankysolutions/infra/openbao
|
||||
|
@ -31,9 +30,9 @@ helmCharts:
|
|||
agent:
|
||||
logLevel: debug
|
||||
image:
|
||||
# registry: git.janky.solutions # registry isnt actually used yet: https://github.com/openbao/openbao-helm/pull/17
|
||||
repository: git.janky.solutions/jankysolutions/infra/openbao
|
||||
registry: git.janky.solutions
|
||||
repository: jankysolutions/infra/openbao
|
||||
tag: latest
|
||||
releaseName: openbao
|
||||
version: 0.5.0
|
||||
version: 0.5.1
|
||||
repo: https://openbao.github.io/openbao-helm
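Review bot: The bundle regenerated in this same commit renders the openbao-agent container image as `quay.io/git.janky.solutions/jankysolutions/infra/openbao:latest`, a public registry host prepended to the private one, so the `registry: git.janky.solutions` / `repository: jankysolutions/infra/openbao` split for the agent either is not honoured by the chart's csi template in 0.5.1 or the bundle was rendered before this hunk; regenerate and confirm the agent image comes out as `git.janky.solutions/jankysolutions/infra/openbao:latest` before the bundle is applied. Separately, `tag: latest` together with the bundle's `imagePullPolicy: IfNotPresent` means a node keeps whichever image it cached first and a rebuilt image is never pulled, and nothing in the repo records which build is actually running; pin an immutable tag or a digest here instead. Which of the seven lines in the first hunk (-10,7 +10,6) is the deletion is not recoverable from the rendering, so it is not reviewed.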
|
||||
|
|
|
@ -9,5 +9,6 @@ header="# DO NOT EDIT: This file has been automatically generated by the script
|
|||
for component in openbao external-secrets secrets-store-csi-driver; do
|
||||
mkdir -p ../k8s/operators/${component}
|
||||
echo "${header}" > ../k8s/operators/${component}/bundle.yaml
|
||||
rm -rf "${component}/charts" # it doesn't seem to update them otherwise
|
||||
kubectl kustomize --enable-helm ${component}/ >> ../k8s/operators/${component}/bundle.yaml
|
||||
done
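Review bot: `echo "${header}" > ../k8s/operators/${component}/bundle.yaml` truncates the previous bundle before `kubectl kustomize` runs, so a failed chart fetch or render — now more likely, since the `rm -rf "${component}/charts"` line (which appears to be the addition) forces a re-download on every run — leaves a header-only bundle.yaml behind and the loop moves on to the next component unless `set -e` is in effect above the hunk. Render into a temporary file and replace the bundle only on success, e.g. `{ echo "${header}"; kubectl kustomize --enable-helm "${component}/"; } > "${tmp}" && mv "${tmp}" "../k8s/operators/${component}/bundle.yaml"`. The `${component}` expansions in `mkdir -p` and the kustomize call are unquoted; harmless for the literal list here, but quoting them matches the quoting the `rm -rf` line already uses.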
|
||||
|
|
|
@ -6,7 +6,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao
|
||||
namespace: openbao
|
||||
---
|
||||
|
@ -52,7 +52,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao-discovery-role
|
||||
namespace: openbao
|
||||
rules:
|
||||
|
@ -108,7 +108,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao-discovery-rolebinding
|
||||
namespace: openbao
|
||||
roleRef:
|
||||
|
@ -144,7 +144,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao-server-binding
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
@ -183,7 +183,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao-config
|
||||
namespace: openbao
|
||||
---
|
||||
|
@ -206,7 +206,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao-csi-provider
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao-csi-provider-agent-config
|
||||
namespace: openbao
|
||||
---
|
||||
|
@ -217,7 +217,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao
|
||||
namespace: openbao
|
||||
spec:
|
||||
|
@ -241,7 +241,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
openbao-active: "true"
|
||||
name: openbao-active
|
||||
namespace: openbao
|
||||
|
@ -267,7 +267,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
openbao-internal: "true"
|
||||
name: openbao-internal
|
||||
namespace: openbao
|
||||
|
@ -293,7 +293,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao-standby
|
||||
namespace: openbao
|
||||
spec:
|
||||
|
@ -318,7 +318,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao-ui
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao-ui
|
||||
namespace: openbao
|
||||
spec:
|
||||
|
@ -358,7 +358,7 @@ spec:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/name: openbao
|
||||
component: server
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
spec:
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
|
@ -416,8 +416,6 @@ spec:
|
|||
value: https://$(HOSTNAME).openbao-internal:8201
|
||||
- name: HOME
|
||||
value: /home/openbao
|
||||
- name: BAO_LOG_LEVEL
|
||||
value: debug
|
||||
image: git.janky.solutions/jankysolutions/infra/openbao:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
lifecycle:
|
||||
|
@ -488,7 +486,7 @@ metadata:
|
|||
app.kubernetes.io/instance: openbao
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: openbao
|
||||
helm.sh/chart: openbao-0.4.0
|
||||
helm.sh/chart: openbao-0.5.1
|
||||
name: openbao
|
||||
namespace: openbao
|
||||
spec:
|
||||
|
@ -559,11 +557,11 @@ spec:
|
|||
command:
|
||||
- bao
|
||||
env:
|
||||
- name: VAULT_LOG_LEVEL
|
||||
- name: BAO_LOG_LEVEL
|
||||
value: debug
|
||||
- name: VAULT_LOG_FORMAT
|
||||
- name: BAO_LOG_FORMAT
|
||||
value: standard
|
||||
image: git.janky.solutions/jankysolutions/infra/openbao:latest
|
||||
image: quay.io/git.janky.solutions/jankysolutions/infra/openbao:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: openbao-agent
|
||||
ports:
|
||||
|
|
4
k8s/tofu/kustomization.yaml
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- namespace.yaml
|
4
k8s/tofu/namespace.yaml
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: tofu
|
|
@ -1,17 +1,12 @@
|
|||
resource "vault_jwt_auth_backend" "keycloak" {
|
||||
description = "Keycloak OIDC auth"
|
||||
path = "oidc"
|
||||
type = "oidc"
|
||||
oidc_discovery_url = "https://auth.janky.solutions/realms/janky.solutions"
|
||||
oidc_client_id = "openbao"
|
||||
oidc_client_secret = "secret123456"
|
||||
bound_issuer = "https://auth.janky.solutions/realms/janky.solutions"
|
||||
}
|
||||
|
||||
resource "vault_auth_backend" "kubernetes" {
|
||||
type = "kubernetes"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_config" "example" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
kubernetes_host = "https://kubernetes.default.svc.cluster.local:443"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "k8s-default" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "kubernetes-default"
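Review bot: `vault_kubernetes_auth_backend_config.example` sets only `kubernetes_host`; with no `kubernetes_ca_cert` or `token_reviewer_jwt` the backend presumably falls back to the OpenBao server pod's own mounted service account token and CA, which works in-cluster but leaves the trust configuration implicit — add a comment stating that reliance or set `kubernetes_ca_cert` explicitly, and rename the resource from `example` to something descriptive such as `in_cluster`. The `k8s-default` role continues past the end of the hunk, so its `bound_service_account_names`, `bound_service_account_namespaces` and `token_policies` are not visible; confirm they are not wildcards, since the namespace-templated policy in this commit is only a least-privilege control if the role restricts which service accounts can obtain it. The removed keycloak block carried a literal `oidc_client_secret`; if that value was ever real, dropping it from the working tree does not remove it from history, so it should be rotated in Keycloak.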
|
||||
|
|
|
@ -1,8 +1,3 @@
|
|||
path "test-kv/{{identity.entity.service_account_namespace}}/*" {
|
||||
path "test-kv/data/{{identity.entity.aliases.auth_kubernetes_6872b6a9.metadata.service_account_namespace}}/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow a token to manage its own cubbyhole
|
||||
path "cubbyhole/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list"]
|
||||
}
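Review bot: The new path hard-codes the mount accessor `auth_kubernetes_6872b6a9`; accessors are generated when the auth mount is created, so re-creating `vault_auth_backend.kubernetes` (a destroy/apply, or a second environment) yields a different accessor and this rule then matches no alias metadata, silently denying every read rather than failing at plan time. Render the policy from Terraform with the accessor substituted instead, e.g. `templatefile("policy.hcl.tftpl", { accessor = vault_auth_backend.kubernetes.accessor })` and `path "test-kv/data/{{identity.entity.aliases.${accessor}.metadata.service_account_namespace}}/*" {` in the template. The `test-kv/data/` prefix is correct for a KV v2 mount and read-only is the right minimum; tokens with this policy cannot list keys under `test-kv/metadata/`, which is fine if that is intended.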
|
||||
|
|