dvirlabs/dev-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Auth vault with kubernetes

Browse Source
This commit is contained in:
dvirlabs 2025-08-11 03:23:14 +03:00
parent 7cd142ff15
commit 2d99077aa9
8 changed files with 201 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
manifests/cluster-secret-store/vault-cicd.yaml
View File

@ -5,11 +5,13 @@ metadata:
spec: spec:
provider: provider:
vault: vault:
auth:
tokenSecretRef:
key: token
name: vault-eso-token
namespace: dev-tools
path: cicd
server: http://vault.dev-tools.svc.cluster.local:8200 server: http://vault.dev-tools.svc.cluster.local:8200
path: cicd
version: v2 version: v2
auth:
kubernetes:
mountPath: kubernetes # חייב להתאים ל-bootstrap (auth/kubernetes)
role: eso-cicd # כפי שהגדרנו ב-bootstrap-config.yaml
serviceAccountRef:
name: external-secrets # ה-SA של ה-ESO
namespace: dev-tools

14
manifests/cluster-secret-store/vault-general-secrets.yaml
View File

@ -5,11 +5,13 @@ metadata:
spec: spec:
provider: provider:
vault: vault:
auth:
tokenSecretRef:
key: token
name: vault-eso-token
namespace: dev-tools
path: general-secrets
server: http://vault.dev-tools.svc.cluster.local:8200 server: http://vault.dev-tools.svc.cluster.local:8200
path: general-secrets
version: v2 version: v2
auth:
kubernetes:
mountPath: kubernetes
role: eso-general
serviceAccountRef:
name: external-secrets
namespace: dev-tools

14
manifests/cluster-secret-store/vault-internal-users.yaml
View File

@ -5,11 +5,13 @@ metadata:
spec: spec:
provider: provider:
vault: vault:
auth:
tokenSecretRef:
key: token
name: vault-eso-token
namespace: dev-tools
path: internal-users
server: http://vault.dev-tools.svc.cluster.local:8200 server: http://vault.dev-tools.svc.cluster.local:8200
path: internal-users
version: v2 version: v2
auth:
kubernetes:
mountPath: kubernetes
role: eso-internal-users
serviceAccountRef:
name: external-secrets
namespace: dev-tools

14
manifests/cluster-secret-store/vault-oidc-secrets.yaml
View File

@ -5,11 +5,13 @@ metadata:
spec: spec:
provider: provider:
vault: vault:
auth:
tokenSecretRef:
key: token
name: vault-eso-token
namespace: dev-tools
path: oidc-secrets
server: http://vault.dev-tools.svc.cluster.local:8200 server: http://vault.dev-tools.svc.cluster.local:8200
path: oidc-secrets
version: v2 version: v2
auth:
kubernetes:
mountPath: kubernetes
role: eso-oidc
serviceAccountRef:
name: external-secrets
namespace: dev-tools

24
manifests/vault/bootstrap-config.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-bootstrap-config
namespace: dev-tools
annotations:
argocd.argoproj.io/sync-wave: "0"
data:
# mounts: שורה לכל mount בפורמט <path>:<type>
# כאן כולם KV v2
mounts: |
general-secrets:kv2
cicd:kv2
internal-users:kv2
oidc-secrets:kv2
# roles: שורה לכל רול בפורמט
# roleName:serviceAccount:namespace:comma-separated-policies:ttl
# שים לב: אנחנו משתמשים ב-policy הבסיסי client-self + ה-policy הספציפי לכל mount
roles: |
eso-general:external-secrets:dev-tools:client-self,eso-read-general:24h
eso-cicd:external-secrets:dev-tools:client-self,eso-read-cicd:24h
eso-internal-users:external-secrets:dev-tools:client-self,eso-read-internal-users:24h
eso-oidc:external-secrets:dev-tools:client-self,eso-read-oidc:24h

28
manifests/vault/policy-cm.yaml Normal file
View File

@ -0,0 +1,28 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-policies
namespace: dev-tools
annotations:
argocd.argoproj.io/sync-wave: "0"
data:
client-self.hcl: |
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/renew-self" { capabilities = ["update"] }
eso-read-general.hcl: |
path "general-secrets/data/*" { capabilities = ["read"] }
path "general-secrets/metadata/*" { capabilities = ["list"] }
eso-read-cicd.hcl: |
path "cicd/data/*" { capabilities = ["read"] }
path "cicd/metadata/*" { capabilities = ["list"] }
eso-read-internal-users.hcl: |
path "internal-users/data/*" { capabilities = ["read"] }
path "internal-users/metadata/*" { capabilities = ["list"] }
eso-read-oidc.hcl: |
path "oidc-secrets/data/*" { capabilities = ["read"] }
path "oidc-secrets/metadata/*" { capabilities = ["list"] }

29
manifests/vault/rbac-tokenreview.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-auth
namespace: dev-tools
annotations:
argocd.argoproj.io/sync-wave: "0"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: vault-tokenreviewer
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vault-auth-tokenreviewer
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vault-tokenreviewer
subjects:
- kind: ServiceAccount
name: vault-auth
namespace: dev-tools

88
manifests/vault/vault-bootstrap.job.yaml Normal file
View File

@ -0,0 +1,88 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-bootstrap
namespace: dev-tools
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
argocd.argoproj.io/sync-wave: "1"
spec:
template:
spec:
serviceAccountName: vault-auth
restartPolicy: OnFailure
containers:
- name: bootstrap
image: hashicorp/vault:1.15
envFrom:
- secretRef:
name: vault-admin # מספק VAULT_ADDR + VAULT_TOKEN (אדמין)
volumeMounts:
- name: bootstrap-config
mountPath: /config # מכיל mounts + roles
- name: policies
mountPath: /policies # כל *.hcl יהפוך ל-policy
command: ["/bin/sh","-c"]
args:
- |
set -eu
echo "== Ensure mounts =="
while IFS= read -r line; do
[ -z "$line" ] && continue
PATH_NAME="${line%%:*}"
TYPE="${line##*:}"
if vault secrets list -format=json | grep -q "\"${PATH_NAME}/\""; then
echo "Mount exists: ${PATH_NAME}/"
continue
fi
case "$TYPE" in
kv2) vault secrets enable -path="${PATH_NAME}" -version=2 kv ;;
kv1) vault secrets enable -path="${PATH_NAME}" kv ;;
*) echo "Unknown type '$TYPE' for ${PATH_NAME}"; exit 1 ;;
esac
done < /config/mounts
echo "== Write/Update policies =="
for f in /policies/*.hcl; do
[ -f "$f" ] || continue
NAME="$(basename "$f" .hcl)"
vault policy write "$NAME" "$f"
done
echo "== Enable & configure kubernetes auth =="
if ! vault auth list -format=json | grep -q '"kubernetes/"'; then
vault auth enable -path=kubernetes kubernetes
fi
TOKEN_REVIEWER_JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
KUBE_HOST="https://${KUBERNETES_PORT_443_TCP_ADDR}:443"
CA_CERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
vault write auth/kubernetes/config \
token_reviewer_jwt="$TOKEN_REVIEWER_JWT" \
kubernetes_host="$KUBE_HOST" \
kubernetes_ca_cert=@"$CA_CERT"
echo "== Create/Update roles =="
while IFS= read -r line; do
[ -z "$line" ] && continue
ROLENAME="${line%%:*}"; REST="${line#*:}"
SA="${REST%%:*}"; REST="${REST#*:}"
NS="${REST%%:*}"; REST="${REST#*:}"
POLICIES="${REST%%:*}"; TTL="${REST#*:}"
vault write "auth/kubernetes/role/${ROLENAME}" \
bound_service_account_names="$SA" \
bound_service_account_namespaces="$NS" \
policies="$POLICIES" \
ttl="$TTL"
done < /config/roles
securityContext:
runAsNonRoot: true
runAsUser: 100
volumes:
- name: bootstrap-config
configMap:
name: vault-bootstrap-config
- name: policies
configMap:
name: vault-policies