
refactor!: remove OpenBao

A bit heavy, may revisit later.

Change-Id: Ic026a5031f79685093ad8ffbee95696f32afa4f7

Khue Doan 34d6a54a 4e99ad21

-270
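--- a/infra/.modules/bootstrap/vault.tf
+++ b/infra/.modules/bootstrap/vault.tf
@@ -1,86 +0,0 @@
-resource "kubectl_manifest" "csi_secrets_store" {
-  server_side_apply = true
-  yaml_body = yamlencode({
-    apiVersion = "argoproj.io/v1alpha1"
-    kind = "Application"
-    metadata = {
-      name = "csi-secrets-store"
-      namespace = helm_release.argocd.namespace
-      finalizers = ["resources-finalizer.argocd.argoproj.io"]
-      labels = local.common_labels
-    }
-    spec = {
-      project = "default"
-      destination = {
-        name = "in-cluster"
-        namespace = "kube-system"
-      }
-      syncPolicy = local.sync_policy
-      source = {
-        repoURL = "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts"
-        chart = "secrets-store-csi-driver"
-        targetRevision = "1.5.1"
-      }
-    }
-  })
-}
-
-# TODO auto unseal
-resource "kubectl_manifest" "vault" {
-  server_side_apply = true
-  yaml_body = yamlencode({
-    apiVersion = "argoproj.io/v1alpha1"
-    kind = "Application"
-    metadata = {
-      name = "vault"
-      namespace = helm_release.argocd.namespace
-      finalizers = ["resources-finalizer.argocd.argoproj.io"]
-      labels = local.common_labels
-    }
-    spec = {
-      project = "default"
-      destination = {
-        name = "in-cluster"
-        namespace = "vault"
-      }
-      syncPolicy = local.sync_policy
-      source = {
-        repoURL = "https://openbao.github.io/openbao-helm"
-        chart = "openbao"
-        targetRevision = "0.15.0"
-        helm = {
-          valuesObject = {
-            injector = {
-              enabled = false
-            }
-            server = {
-              ingress = {
-                enabled = true
-                ingressClassName = "nginx"
-                annotations = {
-                  "cert-manager.io/cluster-issuer" = "letsencrypt-prod"
-                }
-                hosts = [{
-                  host = "vault.${var.cluster_domain}"
-                  paths = [
-                    "/"
-                  ]
-                }]
-                tls = [{
-                  hosts = ["vault.${var.cluster_domain}"]
-                  secretName = "vault-tls-certificate"
-                }]
-              }
-            }
-            ui = {
-              enabled = true
-            }
-            csi = {
-              enabled = true
-            }
-          }
-        }
-      }
-    }
-  })
-}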
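--- a/infra/.modules/vault-policies/main.tf
+++ b/infra/.modules/vault-policies/main.tf
@@ -1,70 +0,0 @@
-################
-# System level #
-################
-
-resource "vault_auth_backend" "kubernetes" {
-  type = "kubernetes"
-}
-
-resource "vault_auth_backend" "userpass" {
-  type = "userpass"
-}
-
-resource "vault_mount" "secret" {
-  path = "secret"
-  type = "kv-v2"
-}
-
-resource "vault_kubernetes_auth_backend_config" "kubernetes" {
-  backend = vault_auth_backend.kubernetes.path
-  kubernetes_host = "https://kubernetes.default.svc.cluster.local"
-}
-
-########
-# User #
-########
-
-# TODO remove, just testing
-# resource "vault_generic_endpoint" "khuedoan" {
-#   path = "auth/${vault_auth_backend.userpass.path}/users/khuedoan"
-#   ignore_absent_fields = true
-#   data_json = jsonencode({
-#     token_policies = [
-#       "default",
-#     ],
-#     password = "testing"
-#   })
-# }
-
-#############
-# App level #
-#############
-
-# TODO remove, just testing
-resource "vault_policy" "kubernetes_default" {
-  name = "kubernetes-default"
-  policy = file("${path.module}/policies/kubernetes_default.hcl")
-}
-resource "vault_kubernetes_auth_backend_role" "kubernetes_default" {
-  backend = vault_auth_backend.kubernetes.path
-  role_name = "kubernetes-default"
-  bound_service_account_names = [
-    "webapp-sa"
-  ]
-  bound_service_account_namespaces = [
-    "default"
-  ]
-  token_ttl = 60 * 20
-  token_policies = [
-    vault_policy.kubernetes_default.name
-  ]
-}
-
-resource "vault_kv_secret_v2" "db-pass" {
-  mount = vault_mount.secret.path
-  name = "default/webapp-sa"
-
-  data_json = jsonencode({
-    password = "db-secret-password"
-  })
-}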
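--- a/infra/.modules/vault-policies/policies/kubernetes_default.hcl
+++ b/infra/.modules/vault-policies/policies/kubernetes_default.hcl
@@ -1,3 +0,0 @@
-path "secret/data/default/webapp-sa" {
-  capabilities = ["read"]
-}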
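--- a/infra/.modules/vault-policies/test.yaml
+++ b/infra/.modules/vault-policies/test.yaml
@@ -1,42 +0,0 @@
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
-  name: vault-database
-  namespace: default
-spec:
-  provider: vault
-  parameters:
-    vaultAddress: "http://vault-openbao.vault.svc.cluster.internal:8200"
-    roleName: "kubernetes-default"
-    objects: |
-      - objectName: "db-password"
-        secretPath: "secret/data/default/webapp-sa"
-        secretKey: "password"
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: webapp-sa
-  namespace: default
----
-kind: Pod
-apiVersion: v1
-metadata:
-  name: webapp
-  namespace: default
-spec:
-  serviceAccountName: webapp-sa
-  containers:
-  - image: stefanprodan/podinfo
-    name: webapp
-    volumeMounts:
-    - name: secrets-store-inline
-      mountPath: "/mnt/secrets"
-      readOnly: true
-  volumes:
-  - name: secrets-store-inline
-    csi:
-      driver: secrets-store.csi.k8s.io
-      readOnly: true
-      volumeAttributes:
-        secretProviderClass: "vault-database"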
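--- a/infra/.modules/vault-policies/versions.tf
+++ b/infra/.modules/vault-policies/versions.tf
@@ -1,14 +0,0 @@
-terraform {
-  required_providers {
-    vault = {
-      source = "hashicorp/vault"
-      version = "~> 5.1.0"
-    }
-  }
-}
-
-provider "vault" {
-  # Configure this provider through the environment variables:
-  # - VAULT_ADDR
-  # - VAULT_TOKEN
-}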
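--- a/infra/production/oracle/vault-policies/.terraform.lock.hcl
+++ b/infra/production/oracle/vault-policies/.terraform.lock.hcl
@@ -1,43 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/oci" {
-  version = "7.10.0"
-  hashes = [
-    "h1:XMhePV+ntXrfaI0Yq7mTCgziQ2YJzvt4x1SzcjDh754=",
-    "h1:fte2iarPJxuqm8S5AJTgY/eEQnH6LS/qVRxmDkBie4s=",
-    "zh:03ad7ab20c4aa4a496cedb29cc439cb6e6c6eadcce964a44c227d605a30aec0f",
-    "zh:08184bf3df20ab6f2bc764f28cefc356090d34bdf02c41ab91939d91f7462c3c",
-    "zh:0bafa208306be66d0f92d17da7eed0f981543d7d0720462da167795e54f9a1c5",
-    "zh:14204946c0e462544961eaf8cf07e069c2543c34559efca6a6b8df297c2b9195",
-    "zh:19c1e56a372167a1a85accc5d0dc9d5db4cbec9e980928d1914c278a8216150c",
-    "zh:43a10dc7af9ea197a869d24b15013f833c3dc8fa7b90ce0716629df5ee18ef29",
-    "zh:5bac0be19c09b6537f3db92c60226510b550a074bf1add49b0a8af5314f345e0",
-    "zh:614d30d3ade2eeda2c2d0e3a03d50b754d48c6f29d952f8a88bc036bdeeccfd5",
-    "zh:7050fa97d107812799e4c1f708c92fb6e7f2af11f646184937acc8d006a9e911",
-    "zh:7b6803021b83a39283d06942a349bf6ba5d04107de620f39a3e41730ac303cda",
-    "zh:85b583aef078998ff5e1b4a147e1c672fd9ce2da3581440c374dbe6fc88217e5",
-    "zh:8f09b98d0650af0ea1c124ab00d359cc1864f947e6e990f1f51275188ade072f",
-    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:a239d6c426ea34c41e22ef9d997592c0afebebb8154252e6ed0ab0e3e12a0b56",
-    "zh:ee23f693a06359b453d4a988e21bfd8df96ef82c2403ad7458d2b6b59a114359",
-  ]
-}
-
-provider "registry.opentofu.org/hashicorp/vault" {
-  version = "5.1.0"
-  constraints = "~> 5.1.0"
-  hashes = [
-    "h1:HowJiGUcCWi5ehR57XUeObOF94CT1wFco7JTuZzycr4=",
-    "h1:s1muvkI/r+MsuA3nzENAPPO/U+Q6rhXqpcScxDpUgFo=",
-    "zh:014bb39a4987b0f89cadb764912f868f5da9e7696e6086ea62031ae221e60450",
-    "zh:03e57b259ca3d546704775c1ec5fa47818bcb25dfadee6f7ef64eb43fa203894",
-    "zh:15f1e48f94aadfb9234992215cb0d1aab6c82a9085684e9120149fa631f8e9d9",
-    "zh:5d0b5a70c711209c2267e75ca64a73768497fdc800aed1a2f65b44ee72d39f07",
-    "zh:5edc8671054cd38bbe74b95845cae114e98c15da7d36fad709ba05ac253b7b49",
-    "zh:6a2cb411887a75b526d3f739a5815205e522864990e38ad199399bb356c92319",
-    "zh:78d5eb7b2b697aa8482421997c57fee8c1e6a1e602117f888dff2d011308b3d0",
-    "zh:b50a90b525c7d56c06fff26c4b5ad5a06beec0f5f7e064fdea0cff91e3f74bca",
-    "zh:c6bcca38ae8d3db7351b7bd513b1716c0fc84d0f13f7a3916be5c1adaac7a972",
-  ]
-}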
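--- a/infra/production/oracle/vault-policies/terragrunt.hcl
+++ b/infra/production/oracle/vault-policies/terragrunt.hcl
@@ -1,12 +0,0 @@
-include "root" {
-  path = find_in_parent_folders("root.hcl")
-}
-
-terraform {
-  source = "../../../.modules//vault-policies"
-}
-
-# TODO wait for Vault API or unseal hook
-
-inputs = {
-}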