Add ESO OpenBao GitOps add-ons
This commit is contained in:
137
scripts/openbao-apply-external-secrets-issue-core.sh
Executable file
137
scripts/openbao-apply-external-secrets-issue-core.sh
Executable file
@@ -0,0 +1,137 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
|
||||
OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
|
||||
KUBECTL="${KUBECTL:-kubectl}"
|
||||
TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}"
|
||||
ROLE_NAME="${OPENBAO_ESO_ROLE:-external-secrets-issue-core}"
|
||||
POLICY_NAME="${OPENBAO_ESO_POLICY:-external-secrets-issue-core}"
|
||||
ESO_NAMESPACE="${ESO_NAMESPACE:-external-secrets}"
|
||||
ESO_SERVICE_ACCOUNT="${ESO_SERVICE_ACCOUNT:-external-secrets}"
|
||||
REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||
POLICY_FILE="${POLICY_FILE:-$REPO_DIR/openbao/policies/external-secrets-issue-core.hcl}"
|
||||
DRY_RUN=0
|
||||
|
||||
usage() {
|
||||
cat <<'USAGE'
|
||||
Usage: scripts/openbao-apply-external-secrets-issue-core.sh [--dry-run]
|
||||
|
||||
Configures OpenBao for the issue-core External Secrets Operator pilot:
|
||||
- refreshes Kubernetes auth config for in-cluster short-lived tokens
|
||||
- writes the external-secrets-issue-core read policy
|
||||
- writes the Kubernetes auth role bound to external-secrets/external-secrets
|
||||
|
||||
The script reads an OpenBao operator token from OPENBAO_TOKEN_FILE or an
|
||||
interactive hidden prompt. It never prints or stores the token.
|
||||
USAGE
|
||||
}
|
||||
|
||||
while [ "$#" -gt 0 ]; do
|
||||
case "$1" in
|
||||
--dry-run)
|
||||
DRY_RUN=1
|
||||
shift
|
||||
;;
|
||||
-h|--help)
|
||||
usage
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: unknown argument: $1" >&2
|
||||
usage >&2
|
||||
exit 2
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
pod="${OPENBAO_RELEASE}-0"
|
||||
|
||||
read_token() {
|
||||
if [ "$DRY_RUN" -eq 1 ]; then
|
||||
printf 'dry-run-token\n'
|
||||
return
|
||||
fi
|
||||
if [ -n "$TOKEN_FILE" ]; then
|
||||
if [ ! -f "$TOKEN_FILE" ]; then
|
||||
echo "ERROR: OPENBAO_TOKEN_FILE does not exist: $TOKEN_FILE" >&2
|
||||
exit 1
|
||||
fi
|
||||
head -n 1 "$TOKEN_FILE"
|
||||
return
|
||||
fi
|
||||
local token
|
||||
read -r -s -p "OpenBao token: " token
|
||||
printf '\n' >&2
|
||||
printf '%s\n' "$token"
|
||||
}
|
||||
|
||||
kubectl_exec() {
|
||||
# shellcheck disable=SC2086
|
||||
$KUBECTL "$@"
|
||||
}
|
||||
|
||||
remote_bao() {
|
||||
local token="$1"
|
||||
shift
|
||||
if [ "$DRY_RUN" -eq 1 ]; then
|
||||
printf 'DRY-RUN: bao %s\n' "$*"
|
||||
return 0
|
||||
fi
|
||||
printf '%s\n' "$token" | kubectl_exec exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
|
||||
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"' sh "$@"
|
||||
}
|
||||
|
||||
remote_sh() {
|
||||
local token="$1"
|
||||
local script="$2"
|
||||
if [ "$DRY_RUN" -eq 1 ]; then
|
||||
printf 'DRY-RUN: remote shell: %s\n' "$script"
|
||||
return 0
|
||||
fi
|
||||
printf '%s\n%s\n' "$token" "$script" | kubectl_exec exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
|
||||
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; sh'
|
||||
}
|
||||
write_policy() {
|
||||
local token="$1"
|
||||
if [ ! -f "$POLICY_FILE" ]; then
|
||||
echo "ERROR: missing policy file: $POLICY_FILE" >&2
|
||||
exit 1
|
||||
fi
|
||||
if [ "$DRY_RUN" -eq 1 ]; then
|
||||
printf 'DRY-RUN: bao policy write %s %s\n' "$POLICY_NAME" "$POLICY_FILE"
|
||||
return 0
|
||||
fi
|
||||
{ printf '%s\n' "$token"; cat "$POLICY_FILE"; } | kubectl_exec exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
|
||||
sh -c 'read -r BAO_TOKEN; export BAO_TOKEN; bao policy write "$1" -' sh "$POLICY_NAME"
|
||||
}
|
||||
|
||||
token="$(read_token)"
|
||||
if [ -z "$token" ]; then
|
||||
echo "ERROR: empty token" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
remote_bao "$token" status
|
||||
remote_sh "$token" 'bao write auth/kubernetes/config \
|
||||
kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
|
||||
disable_iss_validation=true'
|
||||
write_policy "$token"
|
||||
remote_bao "$token" write "auth/kubernetes/role/${ROLE_NAME}" \
|
||||
"bound_service_account_names=${ESO_SERVICE_ACCOUNT}" \
|
||||
"bound_service_account_namespaces=${ESO_NAMESPACE}" \
|
||||
"policies=${POLICY_NAME}" \
|
||||
ttl=15m
|
||||
|
||||
remote_bao "$token" read "auth/kubernetes/role/${ROLE_NAME}"
|
||||
|
||||
cat <<'NEXT'
|
||||
|
||||
External Secrets OpenBao role configured.
|
||||
|
||||
Next steps:
|
||||
1. Sync the external-secrets and openbao-secretstore ArgoCD Applications.
|
||||
2. Provision platform/workloads/issue-core/issue-core/issue-core-runtime
|
||||
with ISSUE_CORE_API_KEY and GITEA_BACKEND_TOKEN without printing values.
|
||||
3. Confirm ExternalSecret/issue-core-runtime becomes Ready.
|
||||
NEXT
|
||||
@@ -188,8 +188,7 @@ enable_optional "$token" "kubernetes/ auth method is already enabled." auth enab
|
||||
|
||||
remote_sh "$token" 'bao write auth/kubernetes/config \
|
||||
kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
|
||||
token_reviewer_jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token \
|
||||
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
|
||||
disable_iss_validation=true'
|
||||
|
||||
write_policy "$token" platform-admin "$POLICY_DIR/platform-admin.hcl"
|
||||
write_policy "$token" platform-readonly "$POLICY_DIR/platform-readonly.hcl"
|
||||
|
||||
Reference in New Issue
Block a user