First steps in Crossplane-Vault integration

2 weeks ago · 080671a3cf
parent 4c82c014f8
commit 080671a3cf
4 changed files with 154 additions and 2 deletions
--- a/app-of-apps/app-definitions.libsonnet
+++ b/app-of-apps/app-definitions.libsonnet
@ -39,7 +39,8 @@
    localApplication(
        name,
        path="",
-        namespace="") ::
+        namespace="",
+        nonHelmApp=false) ::
    {
        apiVersion: "argoproj.io/v1alpha1",
        kind: "Application",
@ -56,7 +57,7 @@
                path: if path == "" then std.join('/', ['charts', name]) else path,
                // I _think_ every locally-defined chart is going to have a `values.yaml`, but we can make this
                // parameterized if desired
-                helm: {
+                [if nonHelmApp != true then "helm"]: {
                    valueFiles: ['values.yaml']
                }
            },
--- a/app-of-apps/crossplane.jsonnet
+++ b/app-of-apps/crossplane.jsonnet
@ -1,6 +1,49 @@
 // https://docs.crossplane.io/v1.15/software/install/#installed-deployments
 local appDef = import './app-definitions.libsonnet';

+// Installation of Vault Provider is left manually, since it relies on secret creation:
+// https://github.com/upbound/provider-vault
+//
+// Also required created a role to bind to the ServiceAccount:
+//
+// apiVersion: rbac.authorization.k8s.io/v1
+// kind: ClusterRoleBinding
+// metadata:
+//   name: vault-provider-role-binding
+//   namespace: crossplane-system
+// roleRef:
+//   apiGroup: rbac.authorization.k8s.io
+//   kind: ClusterRole
+//   name: vault-provider-role
+// subjects:
+//   - kind: ServiceAccount
+//     name: provider-vault-b61923ede364
+//     namespace: crossplane-system
+// ---
+// apiVersion: rbac.authorization.k8s.io/v1
+// kind: ClusterRole
+// metadata:
+//   name: vault-provider-role
+//   namespace: crossplane-system
+// rules:
+//   - apiGroups:
+//       - identity.vault.upbound.io
+//     resources:
+//       - mfaoktas
+//       - groupmembergroupidsidses
+//       - groupmemberentityidsidses
+//     verbs:
+//       - get
+//       - list
+//       - watch
+//   - apiGroups:
+//       - mfa.vault.upbound.io
+//     resources:
+//       - oktas
+//     verbs:
+//       - get
+//       - list
+//       - watch
 appDef.helmApplication(
  name="crossplane",
  sourceRepoUrl="https://charts.crossplane.io/stable",
--- a/app-of-apps/vault-crossplane-integration.jsonnet
+++ b/app-of-apps/vault-crossplane-integration.jsonnet
@ -0,0 +1,3 @@
+local appDef = import './app-definitions.libsonnet';
+
+appDef.localApplication(name="vault-crossplane-integration", nonHelmApp=true)
--- a/charts/vault-crossplane-integration/base-app-infra.yaml
+++ b/charts/vault-crossplane-integration/base-app-infra.yaml
@ -0,0 +1,105 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata: 
+  name: xbaseapplicationinfrastructures.scubbo.org
+spec:
+  group: scubbo.org
+  names:
+    kind: xBaseApplicationInfrastructure
+    plural: xbaseapplicationinfrastructures
+  claimNames:
+    kind: BaseAppInfra
+    plural: baseappinfras
+  versions:
+  - name: v1alpha1
+    served: true
+    referenceable: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              appName:
+                type: string
+---
+# Sources for the Vault resources are here:
+# https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator#configure-vault
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: base-application-infrastructure
+spec:
+  compositeTypeRef:
+    apiVersion: scubbo.org/v1alpha1
+    kind: xBaseApplicationInfrastructure
+  resources:
+    - name: vault-role
+      base:
+        apiVersion: kubernetes.vault.upbound.io/v1alpha1
+        kind: AuthBackendRole
+        spec:
+          providerConfigRef:
+            name: vault-provider-config
+          forProvider:
+            audience: vault
+            boundServiceAccountNames:
+              - default
+            boundServiceAccountNamespaces: []
+            # boundServiceAccountNamespaces, roleName, and tokenPolicies provided by patch
+            tokenTtl: 86400
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: metadata.namespace
+          toFieldPath: spec.forProvider.boundServiceAccountNamespaces[0]
+          transforms:
+            - type: string
+              string:
+                type: Format
+                fmt: "%s"
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.appName
+          toFieldPath: spec.forProvider.roleName
+          transforms:
+            - type: string
+              string:
+                type: Format
+                fmt: "vault-secrets-operator-%s-role"
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.appName
+          toFieldPath: spec.forProvider.tokenPolicies
+          transforms:
+            - type: string
+              string:
+                type: Format
+                fmt: "[\"vault-secrets-operator-%s-policy\"]"
+            - type: convert
+              convert:
+                toType: array
+                format: json
+    - name: vault-policy
+      base:
+        apiVersion: vault.vault.upbound.io/v1alpha1
+        kind: Policy
+        spec:
+          providerConfigRef:
+            name: vault-provider-config
+          forProvider: {}
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.appName
+          toFieldPath: spec.forProvider.name
+          transforms:
+            - type: string
+              string:
+                type: Format
+                fmt: "vault-secrets-operator-%s-policy"
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.appName
+          toFieldPath: spec.forProvider.policy
+          transforms:
+            - type: string
+              string:
+                type: Format
+                fmt: "path \"app-%s-kv/*\" {capabilities=[\"read\"]}"