diff --git a/services/keycloak/scripts/vault_oidc_secret_ensure.sh b/services/keycloak/scripts/vault_oidc_secret_ensure.sh index 20d39c1..3c7d4a5 100755 --- a/services/keycloak/scripts/vault_oidc_secret_ensure.sh +++ b/services/keycloak/scripts/vault_oidc_secret_ensure.sh @@ -116,21 +116,3 @@ payload="$(jq -nc \ '{data:{discovery_url:$discovery_url,client_id:$client_id,client_secret:$client_secret,default_role:$default_role,scopes:$scopes,user_claim:$user_claim,groups_claim:$groups_claim,redirect_uris:$redirect_uris,bound_audiences:$bound_audiences,admin_group:$admin_group,admin_policies:$admin_policies,dev_group:$dev_group,dev_policies:$dev_policies,user_group:$user_group,user_policies:$user_policies}}')" curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \ -d "${payload}" "${vault_addr}/v1/kv/data/atlas/vault/vault-oidc-config" >/dev/null - -kubectl -n vault create secret generic vault-oidc-config \ - --from-literal=discovery_url="https://sso.bstein.dev/realms/atlas" \ - --from-literal=client_id="vault-oidc" \ - --from-literal=client_secret="${CLIENT_SECRET}" \ - --from-literal=default_role="admin" \ - --from-literal=scopes="openid profile email groups" \ - --from-literal=user_claim="preferred_username" \ - --from-literal=groups_claim="groups" \ - --from-literal=redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \ - --from-literal=bound_audiences="vault-oidc" \ - --from-literal=admin_group="admin" \ - --from-literal=admin_policies="default,vault-admin" \ - --from-literal=dev_group="dev" \ - --from-literal=dev_policies="default,dev-kv" \ - --from-literal=user_group="dev" \ - --from-literal=user_policies="default,dev-kv" \ - --dry-run=client -o yaml | kubectl -n vault apply -f - >/dev/null diff --git a/services/vault/kustomization.yaml b/services/vault/kustomization.yaml index 9643894..6381404 100644 --- a/services/vault/kustomization.yaml +++ b/services/vault/kustomization.yaml 
@@ -23,3 +23,6 @@ configMapGenerator: - name: vault-k8s-auth-config-script files: - vault_k8s_auth_configure.sh=scripts/vault_k8s_auth_configure.sh + - name: vault-entrypoint + files: + - vault-entrypoint.sh=scripts/vault-entrypoint.sh diff --git a/services/vault/oidc-config-cronjob.yaml b/services/vault/oidc-config-cronjob.yaml index 3ea7b53..efe5fee 100644 --- a/services/vault/oidc-config-cronjob.yaml +++ b/services/vault/oidc-config-cronjob.yaml 
@@ -13,6 +13,32 @@ spec: spec: backoffLimit: 1 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "vault" + vault.hashicorp.com/agent-inject-secret-vault-oidc-env.sh: "kv/data/atlas/vault/vault-oidc-config" + vault.hashicorp.com/agent-inject-template-vault-oidc-env.sh: | + {{ with secret "kv/data/atlas/vault/vault-oidc-config" }} + export VAULT_OIDC_DISCOVERY_URL="{{ .Data.data.discovery_url }}" + export VAULT_OIDC_CLIENT_ID="{{ .Data.data.client_id }}" + export VAULT_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}" + export VAULT_OIDC_DEFAULT_ROLE="{{ .Data.data.default_role }}" + export VAULT_OIDC_SCOPES="{{ .Data.data.scopes }}" + export VAULT_OIDC_USER_CLAIM="{{ .Data.data.user_claim }}" + export VAULT_OIDC_GROUPS_CLAIM="{{ .Data.data.groups_claim }}" + export VAULT_OIDC_TOKEN_POLICIES="{{ .Data.data.token_policies }}" + export VAULT_OIDC_ADMIN_GROUP="{{ .Data.data.admin_group }}" + export VAULT_OIDC_ADMIN_POLICIES="{{ .Data.data.admin_policies }}" + export VAULT_OIDC_DEV_GROUP="{{ .Data.data.dev_group }}" + export VAULT_OIDC_DEV_POLICIES="{{ .Data.data.dev_policies }}" + export VAULT_OIDC_USER_GROUP="{{ .Data.data.user_group }}" + export VAULT_OIDC_USER_POLICIES="{{ .Data.data.user_policies }}" + export VAULT_OIDC_REDIRECT_URIS="{{ .Data.data.redirect_uris }}" + export VAULT_OIDC_BOUND_AUDIENCES="{{ .Data.data.bound_audiences }}" + export VAULT_OIDC_BOUND_CLAIMS="{{ .Data.data.bound_claims }}" + export VAULT_OIDC_BOUND_CLAIMS_TYPE="{{ .Data.data.bound_claims_type }}" + {{ end }} spec: serviceAccountName: vault restartPolicy: Never @@ -24,6 +50,8 @@ spec: image: hashicorp/vault:1.17.6 imagePullPolicy: IfNotPresent command: + - /entrypoint.sh + args: - sh - /scripts/vault_oidc_configure.sh env: 
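Review bot: The injected template reads `token_policies`, `bound_claims` and `bound_claims_type`, but the KV payload written by `vault_oidc_secret_ensure.sh` in this same commit contains none of those keys, so those three `export` lines will render with an empty or `<no value>` string instead of leaving the variable unset as the replaced `optional: true` `secretKeyRef` entries did; `vault_oidc_configure.sh` (not in this diff) may then treat that as a configured value. Guard each optional export with a presence check, e.g. `{{ with .Data.data.bound_claims }}export VAULT_OIDC_BOUND_CLAIMS="{{ . }}"{{ end }}`. Separately, if I recall the injector's default correctly, the agent sidecar keeps running for the pod's lifetime unless `vault.hashicorp.com/agent-pre-populate-only: "true"` is also set, which on a Job means the pod never reaches Completed after the script exits; consider adding that annotation next to `agent-inject`.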
@@ -34,116 +62,20 @@ spec: secretKeyRef: name: vault-oidc-admin-token key: token - - name: VAULT_OIDC_DISCOVERY_URL - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: discovery_url - - name: VAULT_OIDC_CLIENT_ID - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: client_id - - name: VAULT_OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: client_secret - - name: VAULT_OIDC_DEFAULT_ROLE - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: default_role - optional: true - - name: VAULT_OIDC_SCOPES - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: scopes - optional: true - - name: VAULT_OIDC_USER_CLAIM - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: user_claim - optional: true - - name: VAULT_OIDC_GROUPS_CLAIM - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: groups_claim - optional: true - - name: VAULT_OIDC_TOKEN_POLICIES - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: token_policies - optional: true - - name: VAULT_OIDC_ADMIN_GROUP - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: admin_group - optional: true - - name: VAULT_OIDC_ADMIN_POLICIES - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: admin_policies - optional: true - - name: VAULT_OIDC_DEV_GROUP - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: dev_group - optional: true - - name: VAULT_OIDC_DEV_POLICIES - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: dev_policies - optional: true - - name: VAULT_OIDC_USER_GROUP - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: user_group - optional: true - - name: VAULT_OIDC_USER_POLICIES - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: user_policies - optional: true - - name: VAULT_OIDC_REDIRECT_URIS - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: redirect_uris - optional: true - - name: VAULT_OIDC_BOUND_AUDIENCES - valueFrom: - secretKeyRef: - name: vault-oidc-config - 
key: bound_audiences - optional: true - - name: VAULT_OIDC_BOUND_CLAIMS - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: bound_claims - optional: true - - name: VAULT_OIDC_BOUND_CLAIMS_TYPE - valueFrom: - secretKeyRef: - name: vault-oidc-config - key: bound_claims_type - optional: true + - name: VAULT_ENV_FILE + value: /vault/secrets/vault-oidc-env.sh volumeMounts: + - name: vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh - name: oidc-config-script mountPath: /scripts readOnly: true volumes: + - name: vault-entrypoint + configMap: + name: vault-entrypoint + defaultMode: 493 - name: oidc-config-script configMap: name: vault-oidc-config-script diff --git a/services/vault/scripts/vault-entrypoint.sh b/services/vault/scripts/vault-entrypoint.sh new file mode 100644 index 0000000..fa3b791 --- /dev/null +++ b/services/vault/scripts/vault-entrypoint.sh @@ -0,0 +1,34 @@ +#!/bin/sh +set -eu + +if [ -n "${VAULT_ENV_FILE:-}" ]; then + if [ -f "${VAULT_ENV_FILE}" ]; then + # shellcheck disable=SC1090 + . "${VAULT_ENV_FILE}" + else + echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2 + exit 1 + fi +fi + +if [ -n "${VAULT_COPY_FILES:-}" ]; then + old_ifs="$IFS" + IFS=',' + for pair in ${VAULT_COPY_FILES}; do + src="${pair%%:*}" + dest="${pair#*:}" + if [ -z "${src}" ] || [ -z "${dest}" ]; then + echo "Vault copy entry malformed: ${pair}" >&2 + exit 1 + fi + if [ ! -f "${src}" ]; then + echo "Vault file not found: ${src}" >&2 + exit 1 + fi + mkdir -p "$(dirname "${dest}")" + cp "${src}" "${dest}" + done + IFS="$old_ifs" +fi + +exec "$@" diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh index eb78aed..f0d7833 100644 --- a/services/vault/scripts/vault_k8s_auth_configure.sh +++ b/services/vault/scripts/vault_k8s_auth_configure.sh 
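Review bot: Nothing in this commit removes the existing `vault-oidc-config` Secret in the `vault` namespace, which still holds `client_secret`; dropping these `secretKeyRef` entries together with the `kubectl create secret` step in `vault_oidc_secret_ensure.sh` leaves that copy orphaned and no longer rotated by the ensure job. Delete it once the injected `/vault/secrets/vault-oidc-env.sh` path is confirmed working, and say in a comment on the `VAULT_ENV_FILE` env entry that the Vault KV entry is now the only source of these values. A small readability point: `defaultMode: 493` is 0755 in decimal, so a trailing `# 0755` saves the next reader the conversion.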
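Review bot: A `VAULT_COPY_FILES` entry without a colon passes the malformed check, because `${pair%%:*}` and `${pair#*:}` both yield the whole string when there is no `:`, so `src` and `dest` are identical, the `-f` test passes, and `cp` then fails with an unrelated message; add `case "${pair}" in *:*) ;; *) echo "Vault copy entry malformed: ${pair}" >&2; exit 1 ;; esac` before the two splits. The unquoted `${VAULT_COPY_FILES}` in the `for` is also subject to pathname expansion, so wrapping the loop in `set -f` / `set +f` is cheap insurance. Sourcing `VAULT_ENV_FILE` executes it as shell, so a KV value containing `"`, `$` or a backtick alters the rendered script rather than just the variable; a comment on the `.` line should state that the file is trusted only because the template and the KV contents are written by this repo's own scripts. Finally, `exec "$@"` with no arguments simply returns 0 under POSIX sh and the script exits successfully having run nothing; guard it with `[ "$#" -gt 0 ] || { echo "no command given" >&2; exit 1; }`.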
@@ -109,6 +109,8 @@ write_policy_and_role "health" "health" "health-vault-sync" \
 "health/*" ""
 write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \
 "longhorn/*" ""
+write_policy_and_role "vault" "vault" "vault" \
+ "vault/*" ""
 write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \
 "shared/keycloak-admin" \