Automated connection between OpenBAO and ESO
This commit is contained in:
parent
f67bc40d1e
commit
d0388bcd20
5 changed files with 42 additions and 0 deletions
|
|
@ -28,3 +28,6 @@ spec:
|
||||||
- repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
|
- repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
|
||||||
targetRevision: HEAD
|
targetRevision: HEAD
|
||||||
ref: values
|
ref: values
|
||||||
|
- repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
|
||||||
|
targetRevision: HEAD
|
||||||
|
path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/manifests"
|
||||||
|
|
|
||||||
|
|
@ -27,6 +27,9 @@ spec:
|
||||||
- repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
|
- repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
|
||||||
targetRevision: HEAD
|
targetRevision: HEAD
|
||||||
ref: values
|
ref: values
|
||||||
|
- repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
|
||||||
|
targetRevision: HEAD
|
||||||
|
path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/ref-implementation/openbao/manifests"
|
||||||
ignoreDifferences:
|
ignoreDifferences:
|
||||||
- group: admissionregistration.k8s.io
|
- group: admissionregistration.k8s.io
|
||||||
kind: MutatingWebhookConfiguration
|
kind: MutatingWebhookConfiguration
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,9 @@
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: vault-token-role
|
||||||
|
namespace: openbao
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""] # "" indicates the core API group
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["create"]
|
||||||
|
|
@ -0,0 +1,13 @@
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: vault-token-rolebinding
|
||||||
|
namespace: openbao
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: vault-token-role
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: openbao
|
||||||
|
namespace: openbao
|
||||||
|
|
@ -3,6 +3,8 @@ server:
|
||||||
- sh
|
- sh
|
||||||
- -c
|
- -c
|
||||||
- |
|
- |
|
||||||
|
set -e
|
||||||
|
|
||||||
sleep 10
|
sleep 10
|
||||||
bao operator init >> /tmp/init.txt
|
bao operator init >> /tmp/init.txt
|
||||||
cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
|
cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
|
||||||
|
|
@ -13,5 +15,17 @@ server:
|
||||||
echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
|
echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
|
||||||
echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
|
echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
|
||||||
rm /tmp/init.txt
|
rm /tmp/init.txt
|
||||||
|
|
||||||
|
if [[ "$(uname -m)" == "x86_64" ]]; then
|
||||||
|
wget "https://dl.k8s.io/release/$(wget https://dl.k8s.io/release/stable.txt -q -O -)/bin/linux/amd64/kubectl" -O /tmp/kubectl_eso
|
||||||
|
else
|
||||||
|
wget "https://dl.k8s.io/release/$(wget https://dl.k8s.io/release/stable.txt -q -O -)/bin/linux/arm64/kubectl" -O /tmp/kubectl_eso
|
||||||
|
fi
|
||||||
|
chmod +x /tmp/kubectl_eso
|
||||||
|
|
||||||
|
kubectl create secret generic vault-token --from-literal=token="$(cat /openbao/data/initial_token.txt)" -n openbao
|
||||||
|
|
||||||
|
rm /tmp/kubectl_eso
|
||||||
|
|
||||||
ui:
|
ui:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue