diff --git a/argocd/templates/longhorn_backup_target_creds.yaml b/argocd/templates/longhorn_backup_target_creds.yaml
new file mode 100644
index 0000000..577e38b
--- /dev/null
+++ b/argocd/templates/longhorn_backup_target_creds.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: longhorn-vault-secret-reader
+ namespace: longhorn-system
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: longhorn-vault-secret-reader
+ namespace: longhorn-system
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: longhorn
+ serviceAccount: longhorn-vault-secret-reader # le même que dans TF
+ audiences:
+ - vault
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: longhorn-gcs-backup-credentials
+ namespace: longhorn-system
+spec:
+ type: kv-v2
+ mount: kvv2
+
+ path: longhorn/gcs-backup
+
+ destination:
+ name: longhorn-gcs-backup-credentials
+ create: true
+
+ refreshAfter: 1h
+
+ vaultAuthRef: longhorn-vault-secret-reader
\ No newline at end of file
diff --git a/iac/backend.tf b/iac/backend.tf
index df0804c..1188896 100644
--- a/iac/backend.tf
+++ b/iac/backend.tf
@@ -1,6 +1,6 @@
 terraform { backend "gcs" {
- bucket = "arcodange-tf"
- prefix = "factory/main"
+ bucket = "arcodange-tf"
+ prefix = "factory/main"
 } }
\ No newline at end of file
diff --git a/iac/gcs_backup.tf b/iac/gcs_backup.tf
new file mode 100644
index 0000000..df2b5ba
--- /dev/null
+++ b/iac/gcs_backup.tf
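Review bot: The VaultStaticSecret at the end of the hunk is, as far as I understand the Vault Secrets Operator, going to write one Kubernetes Secret key per field of the kv-v2 data; since the Terraform side stores the decoded service-account key file as `data_json`, the resulting `longhorn-gcs-backup-credentials` Secret would carry keys such as `type`, `project_id` and `private_key` rather than a single key holding the whole key file, so confirm in the generated Secret that this is the layout Longhorn's GCS backup target expects before pointing the backup target at it. The `# le même que dans TF` comment on `serviceAccount:` should be in English and name what it has to match, e.g. `# must equal bound_service_account_names in vault_kubernetes_auth_backend_role.longhorn (iac/gcs_backup.tf)`. The same pairing applies to `role: longhorn` and `audiences: [vault]`, which are only held together by string equality across the two files, so a comment on each side is the only guard against drift.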
@@ -0,0 +1,62 @@
+# https://longhorn.io/docs/1.9.1/snapshots-and-backups/backup-and-restore/set-backup-target/#set-up-gcp-cloud-storage-backupstore
+resource "google_storage_bucket" "longhorn_backup" {
+ name = "arcodange-backup"
+ location = "US-EAST1"
+ force_destroy = true
+
+ public_access_prevention = "enforced"
+}
+
+resource "google_service_account" "longhorn_backup" {
+ account_id = "longhorn-backup"
+}
+
+resource "google_storage_bucket_iam_member" "longhorn_backup" {
+ bucket = google_storage_bucket.longhorn_backup.name
+ role = "roles/storage.admin"
+ member = "serviceAccount:${google_service_account.longhorn_backup.email}"
+}
+
+resource "google_service_account_key" "longhorn_backup" {
+ service_account_id = google_service_account.longhorn_backup.account_id
+
+}
+
+locals {
+ vault_mount_kvv2 = { path = "kvv2" }
+}
+data "vault_auth_backend" "kubernetes" {
+ path = "kubernetes"
+}
+
+resource "vault_kv_secret_v2" "longhorn_gcs_backup" {
+ mount = local.vault_mount_kvv2.path
+ name = "longhorn/gcs-backup"
+ cas = 1
+ delete_all_versions = true
+ data_json = base64decode(
+ google_service_account_key.longhorn_backup.private_key
+ )
+}
+
+data "vault_policy_document" "longhorn_gcs_backup" {
+ rule {
+ path = "${local.vault_mount_kvv2.path}/data/longhorn/gcs-backup"
+ capabilities = ["read"]
+ }
+}
+
+resource "vault_policy" "longhorn_gcs_backup" {
+ name = "longhorn-gcs-backup"
+ policy = data.vault_policy_document.longhorn_gcs_backup.hcl
+}
+
+resource "vault_kubernetes_auth_backend_role" "longhorn" {
+ backend = data.vault_auth_backend.kubernetes.path
+ role_name = "longhorn"
+ bound_service_account_names = ["longhorn-vault-secret-reader"] # le meme que dans le manifest VaultAuth
+ bound_service_account_namespaces = ["longhorn-system"]
+ token_policies = [vault_policy.longhorn_gcs_backup.name]
+ audience = "vault"
+ alias_name_source = "serviceaccount_name"
+}
\ No newline at end of file
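Review bot: `google_service_account_key.longhorn_backup.private_key` is fed straight into `vault_kv_secret_v2.longhorn_gcs_backup` as plaintext `data_json`, so the decoded GCP key now sits in Terraform state twice (on the key resource and on the Vault secret resource); the state bucket configured in iac/backend.tf must therefore be treated as holding a live cloud credential, with its access and object versioning locked down accordingly. `roles/storage.admin` on the bucket is more than a backup writer needs, since it also allows changing the bucket's IAM policy; `roles/storage.objectAdmin` covers listing, reading, writing and deleting objects. `force_destroy = true` on a backup bucket means a `terraform destroy`, or any change that forces bucket replacement, silently deletes every Longhorn backup, so this should be `false` here, and object versioning or a retention policy on the bucket is worth considering. Minor: the `# le meme que dans le manifest VaultAuth` comment on `bound_service_account_names` should be English, e.g. `# must match spec.kubernetes.serviceAccount in the VaultAuth manifest (argocd/templates/longhorn_backup_target_creds.yaml)`.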
diff --git a/iac/gitea_tofu_ci_user.tf b/iac/gitea_tofu_ci_user.tf
index d8100a5..b33c1a9 100644
--- a/iac/gitea_tofu_ci_user.tf
+++ b/iac/gitea_tofu_ci_user.tf
@@ -1,6 +1,6 @@
 resource "random_password" "tofu" {
- length = 32
+ length = 32
 } resource "gitea_user" "tofu" { username = "tofu_module_reader"
@@ -8,24 +8,24 @@ resource "gitea_user" "tofu" { password = random_password.tofu.result email = "tofu-module-reader@arcodange.fake" must_change_password = false
- full_name = "restricted CI user"
- prohibit_login = false
- restricted = true
- visibility = "private"
+ full_name = "restricted CI user"
+ prohibit_login = false
+ restricted = true
+ visibility = "private"
 } resource "tls_private_key" "tofu" {
- algorithm = "ED25519"
+ algorithm = "ED25519"
 } resource "gitea_public_key" "tofu" {
- title = "tofu"
- key = tls_private_key.tofu.public_key_openssh
- username = gitea_user.tofu.username
+ title = "tofu"
+ key = tls_private_key.tofu.public_key_openssh
+ username = gitea_user.tofu.username
 } resource "vault_kv_secret" "gitea_admin_token" { path = "kvv1/gitea/tofu_module_reader" data_json = jsonencode({ ssh_private_key = tls_private_key.tofu.private_key_openssh
- ssh_public_key = tls_private_key.tofu.public_key_openssh
+ ssh_public_key = tls_private_key.tofu.public_key_openssh
 }) }
\ No newline at end of file
diff --git a/iac/providers.tf b/iac/providers.tf
index 566ce48..0257d26 100644
--- a/iac/providers.tf
+++ b/iac/providers.tf
@@ -1,13 +1,17 @@
 terraform { required_providers { gitea = {
- source = "go-gitea/gitea"
+ source = "go-gitea/gitea"
 version = "0.5.1" } vault = {
- source = "vault"
+ source = "vault"
 version = "4.4.0" }
+ google = {
+ source = "google"
+ version = "7.0.1"
+ }
 } }
@@ -16,10 +20,16 @@ provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/late # use GITEA_TOKEN env var }
-provider vault {
+provider "vault" {
 address = "https://vault.arcodange.duckdns.org"
- auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
- mount = "gitea_jwt"
- role = "gitea_cicd"
- }
+ token = "hvs.CAESINCaMZanSRV-JM2rhHijIcFjT3mNE63jNpy_LInw-qy_Gh4KHGh2cy5PcndCWVhRUWpORmdyZzJISFNZYzlLVGk"
+ # auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+ # mount = "gitea_jwt"
+ # role = "gitea_cicd"
+ # }
+}
+
+provider "google" {
+ project = "arcodange"
+ region = "US-EAST1"
 }
\ No newline at end of file
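Review bot: The added `token =` line in `provider "vault"` hard-codes a Vault service token in providers.tf, replacing the JWT login that was previously sourced from the environment; once pushed it is part of git history for good, so that token has to be revoked in Vault whether or not this line is later removed, and the replacement must not be written into the file. The Vault provider already reads `VAULT_TOKEN` from the environment, so the `token` argument can simply be dropped — or the commented-out `auth_login_jwt` block restored — with no other change to the configuration. If a local override is wanted for ad-hoc runs, a gitignored `*.auto.tfvars` or an environment variable keeps it out of the repository, and a pre-commit secret scanner would have caught this hunk.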