Add vault-sourced secret in Drone setup

2024-04-21 13:40:11 -07:00 · 2024-04-21 13:40:11 -07:00 · 4c82c014f8
commit 4c82c014f8
parent 1926560274
3 changed files with 51 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -24,6 +24,12 @@ Note that you need to have manually connected the source Repository _in_ ArgoCD

 TODO - when we have a better secrets management system, export Gitea user password so that it can be used by ArgoCD to initialize that repository directly (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories)

+## Jsonnet
+
+As of 2024, I started using Jsonnet to define apps in a less repetitious way.
+
+To check the output before submitting, use `jsonnet -J app-of-apps app-of-apps/<filename>.jsonnet`
+
 ## Other links

 * [General documentation on repositories](https://helm.sh/docs/topics/chart_repository/)
--- a/app-of-apps/drone.jsonnet
+++ b/app-of-apps/drone.jsonnet
@ -1,3 +1,46 @@
 local appDef = import './app-definitions.libsonnet';

-appDef.localApplication(name="drone")
+[
+appDef.localApplication(name="drone"),
+
+// TODO - maybe extract this, too?
+{
+    apiVersion: "secrets.hashicorp.com/v1beta1",
+    kind: "VaultAuth",
+    metadata: {
+        name: "static-auth",
+        namespace: "drone"
+    },
+    spec: {
+        method: "kubernetes",
+        mount: "kubernetes",
+        kubernetes: {
+            role: "vault-secrets-operator",
+            serviceAccount: "default",
+            audiences: ["vault"]
+        }
+    }
+},
+
+// Note that currently this secret is created manually and statically. It'd be really cool for cold-start setup if OAuth
+// App creation could be triggered at Gitea startup, and a secret automatically created!
+{
+    apiVersion: "secrets.hashicorp.com/v1beta1",
+    kind: "VaultStaticSecret",
+    metadata: {
+        name: "gitea-oauth-creds",
+        namespace: "drone"
+    },
+    spec: {
+        type: "kv-v2",
+        mount: "shared-secrets",
+        path: "gitea/oauth-creds",
+        destination: {
+            name: "gitea-oauth-creds",
+            create: true
+        },
+        refreshAfter: "30s",
+        vaultAuthRef: "static-auth"
+    }
+}
+]
--- a/charts/drone/README.md
+++ b/charts/drone/README.md
@ -4,7 +4,7 @@ TODO:
  * The Prometheus user (https://cogarius.medium.com/3-3-complete-guide-to-ci-cd-pipelines-with-drone-io-on-kubernetes-drone-metrics-with-prometheus-c2668e42b03f) - probably by mounting the volume, using sqlite3 to parse out admin password, then using that to make API call
 * Create `gitea_password` Organization Secret at init.

-Create secret named `gitea-oauth-creds`, with keys `DRONE_GITEA_CLIENT_ID` and `DRONE_GITEA_CLIENT_SECRET`. Remember also to create an Organization Secret named `gitea_password` for pulling.
+Ensure that Vault has a secret at `shared-secrets/gitea/oauth-creds` with keys `DRONE_GITEA_CLIENT_ID` and `DRONE_GITEA_CLIENT_SECRET` (see the application definition in `app-of-apps/drone.jsonnet` to see how the secret is injected from Vault into k8s). Remember also to create an Organization Secret named `gitea_password` for pulling.

 For MTU problem diagnosis: