From 4c82c014f83020bad95cb81bc34767fef2c232c1 Mon Sep 17 00:00:00 2001
From: Jack Jackson
Date: Sun, 21 Apr 2024 13:40:11 -0700
Subject: [PATCH] Add vault-sourced secret in Drone setup

---
 README.md | 6 ++++++
 app-of-apps/drone.jsonnet | 45 ++++++++++++++++++++++++++++++++++++++-
 charts/drone/README.md | 2 +-
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 49882ca..9c591fb 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,12 @@ Note that you need to have manually connected the source Repository _in_ ArgoCD
 TODO - when we have a better secrets management system, export Gitea user password so that it can be used by ArgoCD to initialize that repository directly (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories)
+## Jsonnet
+
+As of 2024, I started using Jsonnet to define apps in a less repetitious way.
+
+To check the output before submitting, use `jsonnet -J app-of-apps app-of-apps/.jsonnet`
+
 ## Other links
 * [General documentation on repositories](https://helm.sh/docs/topics/chart_repository/)
diff --git a/app-of-apps/drone.jsonnet b/app-of-apps/drone.jsonnet
index 8d57434..12214b0 100644
--- a/app-of-apps/drone.jsonnet
+++ b/app-of-apps/drone.jsonnet
@@ -1,3 +1,46 @@
 local appDef = import './app-definitions.libsonnet';
-appDef.localApplication(name="drone")
\ No newline at end of file
+[
+appDef.localApplication(name="drone"),
+
+// TODO - maybe extract this, too?
+{
+ apiVersion: "secrets.hashicorp.com/v1beta1",
+ kind: "VaultAuth",
+ metadata: {
+ name: "static-auth",
+ namespace: "drone"
+ },
+ spec: {
+ method: "kubernetes",
+ mount: "kubernetes",
+ kubernetes: {
+ role: "vault-secrets-operator",
+ serviceAccount: "default",
+ audiences: ["vault"]
+ }
+ }
+},
+
+// Note that currently this secret is created manually and statically. It'd be really cool for cold-start setup if OAuth
+// App creation could be triggered at Gitea startup, and a secret automatically created!
+{
+ apiVersion: "secrets.hashicorp.com/v1beta1",
+ kind: "VaultStaticSecret",
+ metadata: {
+ name: "gitea-oauth-creds",
+ namespace: "drone"
+ },
+ spec: {
+ type: "kv-v2",
+ mount: "shared-secrets",
+ path: "gitea/oauth-creds",
+ destination: {
+ name: "gitea-oauth-creds",
+ create: true
+ },
+ refreshAfter: "30s",
+ vaultAuthRef: "static-auth"
+ }
+}
+]
\ No newline at end of file
diff --git a/charts/drone/README.md b/charts/drone/README.md
index 57c3ba0..98848d6 100644
--- a/charts/drone/README.md
+++ b/charts/drone/README.md
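Review bot: The `VaultAuth` at the top of the hunk logs in as `serviceAccount: "default"` in the `drone` namespace, which means the Vault role `vault-secrets-operator` has to accept that account's tokens, and then any workload in the namespace that runs under the default service account (the usual case for pods with no explicit SA) can present a token that role accepts and read `shared-secrets/gitea/oauth-creds` directly, not only the operator. A dedicated ServiceAccount defined next to these two resources and bound alone to the Vault role keeps the `audiences: ["vault"]` restriction meaningful; the change is `serviceAccount: "<dedicated-sa-name>"` (placeholder) plus a `ServiceAccount` object in this list. Both custom resources also assume the Vault Secrets Operator CRDs and the `drone` namespace exist before this Application syncs; if that ordering is not guaranteed elsewhere, a sync-wave annotation or a sentence in the `// TODO` comment would save the next maintainer a failed first sync. `refreshAfter: "30s"` issues a Vault read every 30 seconds for a value the comment says is created manually and rarely changes, so a longer interval is probably adequate, though that is a judgement call.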
@@ -4,7 +4,7 @@ TODO:
 * The Prometheus user (https://cogarius.medium.com/3-3-complete-guide-to-ci-cd-pipelines-with-drone-io-on-kubernetes-drone-metrics-with-prometheus-c2668e42b03f) - probably by mounting the volume, using sqlite3 to parse out admin password, then using that to make API call
 * Create `gitea_password` Organization Secret at init.
-Create secret named `gitea-oauth-creds`, with keys `DRONE_GITEA_CLIENT_ID` and `DRONE_GITEA_CLIENT_SECRET`. Remember also to create an Organization Secret named `gitea_password` for pulling.
+Ensure that Vault has a secret at `shared-secrets/gitea/oauth-creds` with keys `DRONE_GITEA_CLIENT_ID` and `DRONE_GITEA_CLIENT_SECRET` (see the application definition in `app-of-apps/drone.jsonnet` to see how the secret is injected from Vault into k8s). Remember also to create an Organization Secret named `gitea_password` for pulling.
 For MTU problem diagnosis: