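# services/veles/oneoffs/veles-secrets-ensure-job.yaml
# One-off job for veles/veles-secrets-ensure-2.
# Purpose: seed Veles Vault paths before app/Postgres pods are scaled up.
# Keep suspended until the veles Vault role has reconciled, then unsuspend once.
#
# Idempotency: each KV path is read first and existing values are kept; only
# missing values are generated, so a re-run does not rotate credentials.
# A KV v2 write replaces the whole data map at the path, so any key that is
# not part of the payload below is dropped on write.
---
apiVersion: batch/v1
kind: Job
metadata:
  name: veles-secrets-ensure-2
  namespace: veles
spec:
  # Single attempt (restartPolicy Never + backoffLimit 0): read the pod log on
  # failure instead of relying on retries.
  suspend: true
  backoffLimit: 0
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      serviceAccountName: veles-secrets-ensure
      # The script logs in to Vault with the projected service-account token,
      # so the token mount must stay enabled (the default, made explicit here).
      automountServiceAccountToken: true
      restartPolicy: Never
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
      containers:
        - name: apply
          # The script relies on curl, jq and openssl from this image; kubectl
          # itself is not invoked.
          image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
          # Nothing here needs elevated privileges: only HTTP calls to Vault and
          # a writable /tmp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -euo pipefail

              # The default Vault endpoint is plain HTTP inside the cluster; the
              # login token and every secret below travel over it unless VAULT_ADDR
              # is overridden with an https:// URL.
              vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
              vault_role="${VAULT_ROLE:-veles-secrets}"
              jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
              vault_token="$(curl -sS --request POST --data "${login_payload}" \
                "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
              if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
                echo "vault login failed" >&2
                exit 1
              fi

              # Secret reads land in /tmp; remove them however the script exits so
              # they do not linger in the filesystem of a failed, retained pod.
              trap 'rm -f /tmp/veles-db.json /tmp/app-secrets.json /tmp/postmark.json' EXIT

              # read_secret PATH OUT: GET kv/data/atlas/PATH into OUT and print the
              # HTTP status. Prints nothing when curl itself fails; callers treat
              # anything other than 200/404 as an error.
              read_secret() {
                local path="$1"
                local out="$2"
                curl -sS -o "${out}" -w "%{http_code}" \
                  -H "X-Vault-Token: ${vault_token}" \
                  "${vault_addr}/v1/kv/data/atlas/${path}" || true
              }

              # write_secret PATH PAYLOAD: POST PAYLOAD to kv/data/atlas/PATH and abort
              # the job on any status other than 200/204. The response body is only
              # echoed on failure, where it is a Vault error document, not secret data.
              write_secret() {
                local path="$1"
                local payload="$2"
                local out status
                out="$(mktemp)"
                # Assigned separately from 'local' so a curl failure still trips set -e.
                status="$(curl -sS -o "${out}" -w "%{http_code}" -X POST \
                  -H "X-Vault-Token: ${vault_token}" \
                  -H "Content-Type: application/json" \
                  -d "${payload}" \
                  "${vault_addr}/v1/kv/data/atlas/${path}")"
                if [ "${status}" != "200" ] && [ "${status}" != "204" ]; then
                  echo "Vault write failed for ${path} (status ${status})" >&2
                  cat "${out}" >&2 || true
                  exit 1
                fi
                rm -f "${out}"
              }

              # rand_b64 N: N random bytes, base64-encoded on a single line.
              rand_b64() {
                local bytes="$1"
                openssl rand -base64 "${bytes}" | tr -d '\n'
              }

              # --- veles/veles-db: Postgres credentials -------------------------------
              status="$(read_secret veles/veles-db /tmp/veles-db.json)"
              if [ "${status}" = "200" ]; then
                db_password="$(jq -r '.data.data.POSTGRES_PASSWORD // empty' /tmp/veles-db.json)"
              elif [ "${status}" = "404" ]; then
                db_password=""
              else
                echo "Vault read failed for veles-db (status ${status})" >&2
                cat /tmp/veles-db.json >&2 || true
                exit 1
              fi
              if [ -z "${db_password}" ]; then
                db_password="$(rand_b64 36)"
              fi
              # The base64 password may contain '+' or '/', which are not valid raw in
              # the userinfo part of a URL (libpq-style parsers stop scanning for
              # userinfo at the first '/'), so it is percent-encoded in DATABASE_URL
              # only; POSTGRES_PASSWORD keeps the raw value. sslmode=disable applies
              # to an intra-cluster hop to the service DNS name; revisit if that moves.
              db_payload="$(jq -nc \
                --arg host "veles-postgres.veles.svc.cluster.local" \
                --arg port "5432" \
                --arg db "veles" \
                --arg user "veles" \
                --arg password "${db_password}" \
                '{data:{POSTGRES_HOST:$host,POSTGRES_PORT:$port,POSTGRES_DB:$db,POSTGRES_USER:$user,POSTGRES_PASSWORD:$password,DATABASE_URL:("postgresql://"+($user|@uri)+":"+($password|@uri)+"@"+$host+":"+$port+"/"+$db+"?sslmode=disable")}}')"
              write_secret veles/veles-db "${db_payload}"

              # --- veles/app-secrets: session and BYOK encryption keys -----------------
              status="$(read_secret veles/app-secrets /tmp/app-secrets.json)"
              if [ "${status}" = "200" ]; then
                session_secret="$(jq -r '.data.data.VELES_SESSION_SECRET // empty' /tmp/app-secrets.json)"
                byok_key="$(jq -r '.data.data.VELES_BYOK_ENCRYPTION_KEY // empty' /tmp/app-secrets.json)"
              elif [ "${status}" = "404" ]; then
                session_secret=""
                byok_key=""
              else
                echo "Vault read failed for app-secrets (status ${status})" >&2
                cat /tmp/app-secrets.json >&2 || true
                exit 1
              fi
              # Each key is generated independently so adding a new key later does not
              # rotate the existing one.
              if [ -z "${session_secret}" ]; then
                session_secret="$(rand_b64 48)"
              fi
              if [ -z "${byok_key}" ]; then
                byok_key="$(rand_b64 32)"
              fi
              app_payload="$(jq -nc \
                --arg session_secret "${session_secret}" \
                --arg byok_key "${byok_key}" \
                '{data:{VELES_SESSION_SECRET:$session_secret,VELES_BYOK_ENCRYPTION_KEY:$byok_key}}')"
              write_secret veles/app-secrets "${app_payload}"

              # --- veles/smtp: optional, derived from the shared Postmark relay --------
              # Only seeded when shared/postmark-relay exists and carries an apikey.
              # Postmark's SMTP relay takes the API key as both user and password.
              postmark_status="$(read_secret shared/postmark-relay /tmp/postmark.json)"
              if [ "${postmark_status}" = "200" ]; then
                smtp_password="$(jq -r '.data.data.apikey // empty' /tmp/postmark.json)"
                if [ -n "${smtp_password}" ]; then
                  smtp_payload="$(jq -nc \
                    --arg host "mail.bstein.dev" \
                    --arg port "587" \
                    --arg user "${smtp_password}" \
                    --arg password "${smtp_password}" \
                    --arg from "no-reply-veles@bstein.dev" \
                    --arg from_name "Veles" \
                    '{data:{SMTP_HOST:$host,SMTP_PORT:$port,SMTP_USER:$user,SMTP_PASSWORD:$password,SMTP_FROM:$from,SMTP_FROM_NAME:$from_name,SMTP_STARTTLS:"true"}}')"
                  write_secret veles/smtp "${smtp_payload}"
                fi
              elif [ "${postmark_status}" != "404" ]; then
                # A status other than "not found" (for example a policy denial) was
                # previously indistinguishable from an absent relay; surface it, but
                # keep smtp best-effort so the required paths above are not blocked.
                echo "warning: Vault read failed for shared/postmark-relay (status ${postmark_status}); skipping smtp" >&2
              fi

              echo "Veles Vault paths ready: veles-db, app-secrets, smtp when Postmark relay exists"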