First steps in Crossplane-Vault integration

app-of-apps/app-definitions.libsonnet

@@ -39,7 +39,8 @@
     localApplication(
         name,
         path="",
-        namespace="") ::
+        namespace="",
+        nonHelmApp=false) ::
     {
         apiVersion: "argoproj.io/v1alpha1",
         kind: "Application",
@@ -56,7 +57,7 @@
                 path: if path == "" then std.join('/', ['charts', name]) else path,
                 // I _think_ every locally-defined chart is going to have a `values.yaml`, but we can make this
                 // parameterized if desired
-                helm: {
+                [if nonHelmApp != true then "helm"]: {
                     valueFiles: ['values.yaml']
                 }
             },

app-of-apps/crossplane.jsonnet

@@ -1,6 +1,49 @@
 // https://docs.crossplane.io/v1.15/software/install/#installed-deployments
 local appDef = import './app-definitions.libsonnet';
 
+// Installation of Vault Provider is left manually, since it relies on secret creation:
+// https://github.com/upbound/provider-vault
+//
+// Also required created a role to bind to the ServiceAccount:
+//
+// apiVersion: rbac.authorization.k8s.io/v1
+// kind: ClusterRoleBinding
+// metadata:
+//   name: vault-provider-role-binding
+//   namespace: crossplane-system
+// roleRef:
+//   apiGroup: rbac.authorization.k8s.io
+//   kind: ClusterRole
+//   name: vault-provider-role
+// subjects:
+//   - kind: ServiceAccount
+//     name: provider-vault-b61923ede364
+//     namespace: crossplane-system
+// ---
+// apiVersion: rbac.authorization.k8s.io/v1
+// kind: ClusterRole
+// metadata:
+//   name: vault-provider-role
+//   namespace: crossplane-system
+// rules:
+//   - apiGroups:
+//       - identity.vault.upbound.io
+//     resources:
+//       - mfaoktas
+//       - groupmembergroupidsidses
+//       - groupmemberentityidsidses
+//     verbs:
+//       - get
+//       - list
+//       - watch
+//   - apiGroups:
+//       - mfa.vault.upbound.io
+//     resources:
+//       - oktas
+//     verbs:
+//       - get
+//       - list
+//       - watch
 appDef.helmApplication(
   name="crossplane",
   sourceRepoUrl="https://charts.crossplane.io/stable",

app-of-apps/vault-crossplane-integration.jsonnet

@@ -0,0 +1,3 @@
+local appDef = import './app-definitions.libsonnet';
+
+appDef.localApplication(name="vault-crossplane-integration", nonHelmApp=true)

charts/ombi/templates/deployment.yaml

@@ -132,7 +132,28 @@ spec:
               name: nzbget-config
             - mountPath: /data/usenet
               name: usenet-truenas-downloads
-      {{ end }}
+        {{ end }}
+        {{ if .Values.sabnzbd.enabled }}
+        - name: sabnzbd
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "lscr.io/linuxserver/sabnzbd:latest"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: PUID
+              value: "1000"
+            - name: PGID
+              value: "1000"
+            - name: TZ
+              value: "America/Los_Angeles"
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /config
+              name: sabnzbd-config
+            - mountPath: /data/usenet
+              name: usenet-truenas-downloads
+        {{ end }}
       volumes:
         - name: ombi-config
           persistentVolumeClaim:
@@ -158,6 +179,9 @@ spec:
         - name: nzbget-config
           persistentVolumeClaim:
             claimName: {{include "ombi.fullname" .}}-nzbget-config-pvc
+        - name: sabnzbd-config
+          persistentVolumeClaim:
+            claimName: {{include "ombi.fullname" .}}-sabnzbd-config-pvc
         - name: usenet-truenas-downloads
           persistentVolumeClaim:
             claimName: {{ include "ombi.fullname" . }}-truenas-usenet-downloads-pvc

charts/ombi/templates/ingress.yaml

@@ -98,4 +98,14 @@ spec:
                 name: {{ include "ombi.fullname" . }}-nzbget
                 port:
                   number: {{ .Values.service.nzbgetWebPort }}
+    - host: sabnzbd.avril
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ include "ombi.fullname" . }}-sabnzbd
+                port:
+                  number: {{ .Values.service.sabnzbdWebPort }}
 {{- end }}

charts/ombi/templates/service.yaml

@@ -72,3 +72,18 @@ spec:
       protocol: TCP
   selector:
     {{- include "ombi.selectorLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "ombi.fullname" . }}-sabnzbd
+  labels:
+    {{- include "ombi.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.sabnzbdWebPort }}
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    {{- include "ombi.selectorLabels" . | nindent 4 }}

charts/ombi/templates/volumes.yaml

@@ -188,6 +188,32 @@ spec:
 ---
 apiVersion: v1
 kind: PersistentVolume
+metadata:
+  name: {{ include "ombi.fullname" . }}-sabnzbd-config-pv
+spec:
+  capacity:
+    storage: 10M
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: {{ $.Values.volume.configNFSServer }}
+    path: /mnt/BERTHA/etc/sabnzbd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "ombi.fullname" . }}-sabnzbd-config-pvc
+spec:
+  storageClassName: ""
+  volumeName: {{ include "ombi.fullname" . }}-sabnzbd-config-pv
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10M
+---
+apiVersion: v1
+kind: PersistentVolume
 metadata:
   name: {{ include "ombi.fullname" . }}-truenas-usenet-downloads-pv
 spec:

charts/ombi/values.yaml

@@ -43,6 +43,7 @@ service:
   radarrPort: 7878
   prowlarrPort: 9696
   nzbgetWebPort: 6789
+  sabnzbdWebPort: 8080
 
 ingress:
   enabled: true
@@ -107,6 +108,9 @@ prowlarr:
 nzbget:
   enabled: true
 
+sabnzbd:
+  enabled: true
+
 volume:
   configNFSServer: rassigma.avril
   dataNFSServer: rasnu2.avril

charts/vault-crossplane-integration/base-app-infra.yaml

@@ -0,0 +1,109 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata: 
+  name: xbaseapplicationinfrastructures.scubbo.org
+spec:
+  group: scubbo.org
+  names:
+    kind: xBaseApplicationInfrastructure
+    plural: xbaseapplicationinfrastructures
+  claimNames:
+    kind: BaseAppInfra
+    plural: baseappinfras
+  versions:
+  - name: v1alpha1
+    served: true
+    referenceable: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              appName:
+                type: string
+---
+# Sources for the Vault resources are here:
+# https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator#configure-vault
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: base-application-infrastructure
+spec:
+  compositeTypeRef:
+    apiVersion: scubbo.org/v1alpha1
+    kind: xBaseApplicationInfrastructure
+  resources:
+    - name: vault-role
+      base:
+        apiVersion: kubernetes.vault.upbound.io/v1alpha1
+        kind: AuthBackendRole
+        spec:
+          providerConfigRef:
+            name: vault-provider-config
+          forProvider:
+            audience: vault
+            boundServiceAccountNames:
+              - default
+            # boundServiceAccountNamespaces, roleName, and tokenPolicies provided by patch
+            tokenTtl: 86400
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: metadata.namespace
+          toFieldPath: spec.forProvider.boundServiceAccountNamespaces
+          transforms:
+            - type: string
+              string:
+                type: Format
+                # fmt: "[\"%s\"]"
+                fmt: "[\"hard-coded namespace\"]"
+            - type: convert
+              convert:
+                toType: array
+                format: json
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.appName
+          toFieldPath: spec.forProvider.roleName
+          transforms:
+            - type: string
+              string:
+                type: Format
+                fmt: "vault-secrets-operator-%s-role"
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.appName
+          toFieldPath: spec.forProvider.tokenPolicies
+          transforms:
+            - type: string
+              string:
+                type: Format
+                fmt: "[\"vault-secrets-operator-%s-policy\"]"
+            - type: convert
+              convert:
+                toType: array
+                format: json
+    - name: vault-policy
+      base:
+        apiVersion: vault.vault.upbound.io/v1alpha1
+        kind: Policy
+        spec:
+          providerConfigRef:
+            name: vault-provider-config
+          forProvider: {}
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.appName
+          toFieldPath: spec.forProvider.name
+          transforms:
+            - type: string
+              string:
+                type: Format
+                fmt: "vault-secrets-operator-%s-policy"
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.appName
+          toFieldPath: spec.forProvider.policy
+          transforms:
+            - type: string
+              string:
+                type: Format
+                fmt: "path \"app-%s-kv/*\" {capabilities=[\"read\"]}"