bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

longhorn: read oauth2-proxy secrets from vault

Browse Source
This commit is contained in:
Brad Stein 2026-01-14 17:48:12 -03:00
parent fb671865e5
commit bb9a4e6d8b
4 changed files with 22 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
infrastructure/longhorn/ui-ingress/kustomization.yaml
View File

@ -2,6 +2,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- serviceaccount.yaml
- oauth2-proxy-longhorn.yaml
- middleware.yaml - middleware.yaml
- ingress.yaml - ingress.yaml
- oauth2-proxy-longhorn.yaml

28
infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml
View File

@ -32,7 +32,18 @@ spec:
metadata: metadata:
labels: labels:
app: oauth2-proxy-longhorn app: oauth2-proxy-longhorn
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "longhorn"
vault.hashicorp.com/agent-inject-secret-oidc-config: "kv/data/atlas/longhorn/oauth2-proxy"
vault.hashicorp.com/agent-inject-template-oidc-config: |
{{- with secret "kv/data/atlas/longhorn/oauth2-proxy" -}}
client_id = "{{ .Data.data.client_id }}"
client_secret = "{{ .Data.data.client_secret }}"
cookie_secret = "{{ .Data.data.cookie_secret }}"
{{- end -}}
spec: spec:
serviceAccountName: longhorn-vault
nodeSelector: nodeSelector:
node-role.kubernetes.io/worker: "true" node-role.kubernetes.io/worker: "true"
affinity: affinity:
@ -50,6 +61,7 @@ spec:
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: args:
- --provider=oidc - --provider=oidc
- --config=/vault/secrets/oidc-config
- --redirect-url=https://longhorn.bstein.dev/oauth2/callback - --redirect-url=https://longhorn.bstein.dev/oauth2/callback
- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
- --scope=openid profile email groups - --scope=openid profile email groups
@ -69,22 +81,6 @@ spec:
- --skip-jwt-bearer-tokens=true - --skip-jwt-bearer-tokens=true
- --oidc-groups-claim=groups - --oidc-groups-claim=groups
- --cookie-domain=longhorn.bstein.dev - --cookie-domain=longhorn.bstein.dev
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
name: oauth2-proxy-longhorn-oidc
key: client_id
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-longhorn-oidc
key: client_secret
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-longhorn-oidc
key: cookie_secret
ports: ports:
- containerPort: 4180 - containerPort: 4180
name: http name: http

6
infrastructure/longhorn/ui-ingress/serviceaccount.yaml Normal file
View File

@ -0,0 +1,6 @@
# infrastructure/longhorn/ui-ingress/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: longhorn-vault
namespace: longhorn-system

2
services/vault/scripts/vault_k8s_auth_configure.sh
View File

@ -107,6 +107,8 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
"crypto/* harbor-pull/crypto" "" "crypto/* harbor-pull/crypto" ""
write_policy_and_role "health" "health" "health-vault-sync" \ write_policy_and_role "health" "health" "health-vault-sync" \
"health/*" "" "health/*" ""
write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \
"longhorn/*" ""
write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \ write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \
"shared/keycloak-admin" \ "shared/keycloak-admin" \