configure vault secrets operator

2024-10-16 09:09:02 +02:00
parent 3a506543ce
commit bbb0bc7d5f
10 changed files with 438 additions and 74 deletions
--- a/hashicorp-vault/iac/main.tf
+++ b/hashicorp-vault/iac/main.tf
@@ -5,11 +5,6 @@ terraform {
  }
 }

-variable "vault_address" {
-  type = string
-  default = "http://127.0.0.1:8200"
-}
-
 terraform {
    required_providers {
      vault = {
@@ -20,20 +15,97 @@ terraform {
 }

 provider vault {
-    address = var.vault_address
+    address = "https://vault.arcodange.duckdns.org"
    auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
-        role = "admin"
+        mount = "gitea_jwt"
+        role = "gitea_cicd"
    }
 }

-data "vault_policy_document" "admin" {
-  rule {
-    path         = "*"
-    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-    description  = "admin privileges"
+resource "vault_auth_backend" "kubernetes" {
+  type = "kubernetes"
+}
+resource "vault_kubernetes_auth_backend_config" "config" {
+  backend                = vault_auth_backend.kubernetes.path
+  kubernetes_host        = "https://kubernetes.default.svc:443"
+}
+
+resource "vault_mount" "kvv2" {
+  path        = "kvv2"
+  type        = "kv"
+  options     = { version = "2" }
+  description = "KV Version 2 secret engine mount"
+}
+
+
+resource "vault_mount" "postgres" {
+  path = "postgres"
+  type = "database"
+}
+
+resource "vault_database_secret_backend_connection" "postgres" {
+  backend       = vault_mount.postgres.path
+  name          = "postgres"
+  allowed_roles = ["*"]
+  root_rotation_statements = [
+    "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';",
+  ]
+
+  postgresql {
+    connection_url = "postgresql://{{username}}:{{password}}@pgbouncer.tools:5432/postgres?sslmode=disable"
+    username = var.POSTGRES_CREDENTIALS_EDITOR_USERNAME
+    password = var.POSTGRES_CREDENTIALS_EDITOR_PASSWORD
  }
 }
-resource "vault_policy" "admin" {
-    name = "admin"
-    policy = data.vault_policy_document.admin.hcl
+
+
+resource "vault_mount" "transit" {
+  path                      = "transit"
+  type                      = "transit"
+  description               = "Pour le vault secret operator (vso) dans k3s en cas de redemarrage par exemple"
+#   default_lease_ttl_seconds = 3600
+#   max_lease_ttl_seconds     = 86400
+}
+resource "vault_transit_secret_backend_key" "vso_client_cache" {
+  backend = vault_mount.transit.path
+  name    = "vso-client-cache"
+}
+
+data "vault_policy_document" "vso_client_cache" {
+  rule {
+    path = "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
+    capabilities = ["create", "update"]
+  }
+  rule {
+    path = "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
+    capabilities = ["create", "update"]
+  }
+}
+resource "vault_policy" "vso_client_cache" {
+    name = "edit-vso-client-cache"
+    policy = data.vault_policy_document.vso_client_cache.hcl
+}
+
+resource "vault_kubernetes_auth_backend_role" "vso" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "vault-secret-operator"
+  bound_service_account_names      = ["hashicorp-vault-vault-secrets-operator-controller-manager"]
+  bound_service_account_namespaces = ["tools"]
+  token_ttl                        = 0
+  token_period                     = 120
+  token_policies                   = ["default", vault_policy.vso_client_cache.name]
+  audience                         = "vault"
+  alias_name_source                = "serviceaccount_name"
+}
+
+locals { # turn into *.tfvars ?
+  apps = toset([
+    "webapp",
+  ])
+}
+module "app_policies" {
+  source = "./modules/app_policy"
+  for_each = local.apps
+  name = each.value
+  gitea_app_id = var.gitea_app_id
 }
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -0,0 +1,138 @@
+
+# jwt cicd app ops
+# allow creating
+# - vault role
+# - backend k8s
+# - postgres role
+
+locals {
+  name = lower(var.name)
+}
+
+data "vault_policy_document" "ops" {
+
+  # use terraform vault provider
+  rule {
+    path = "auth/token/create"
+    capabilities = ["create","update"]
+  }
+
+  # check on mounted auth backend (such as k8s)
+  rule {
+    path = "sys/mounts/auth/*"
+    capabilities = [ "read" ]
+  }
+  # read google credentials for terraform gcs backend
+  rule {
+    path = "kvv1/google/credentials"
+    capabilities = [ "read" ]
+  }
+
+  # edit postgres credentials access permissions
+  rule {
+    path = "postgres/roles/${local.name}*"
+    capabilities = [ "read", "list", "create", "update", "delete" ]
+  }
+  # edit k8s role
+  rule {
+    path = "auth/kubernetes/role/${local.name}*"
+    capabilities = [ "read", "list", "create", "update", "delete" ]
+    allowed_parameter {
+      key = "*"
+      value = []
+    }
+    allowed_parameter {
+      key = "bound_service_account_names"
+      value = [ jsonencode([local.name]) ]
+    }
+    allowed_parameter {
+      key = "bound_service_account_namespaces"
+      value = [ jsonencode([local.name]) ]
+    }
+    allowed_parameter {
+      key = "token_policies"
+      value = [
+        jsonencode(["default", local.name]),
+        jsonencode([local.name, "default"])
+      ]
+    }
+    
+  }
+  # allow editing app secrets
+  rule {
+    path = "kvv2/data/${local.name}/*"
+    capabilities = [ "create", "update", "read", "delete" ]
+  }
+  rule {
+    path = "kvv2/delete/${local.name}/*"
+    capabilities = [ "update" ]
+  }
+  rule {
+    path = "kvv2/undelete/${local.name}/*"
+    capabilities = [ "update" ]
+  }
+  rule {
+    path = "kvv2/destroy/${local.name}/*"
+    capabilities = [ "update" ]
+  }
+  rule {
+    path = "kvv2/metadata/${local.name}/*"
+    capabilities = [ "read", "list", "delete" ]
+  }
+  # allow edit vault role (risky ?)
+}
+resource "vault_policy" "ops" {
+  name = "${local.name}-ops"
+  /*
+    allowed_parameters = {
+  -   "bound_service_account_names" = ["["webapp"]"]
+  +   "bound_service_account_names" = [["webapp"]]
+    }
+  */
+  
+  policy = replace(
+    replace(
+      data.vault_policy_document.ops.hcl,
+      "\"[\"", "[\""
+    ),
+    "\"]\"", "\"]"
+  )
+}
+
+resource "vault_identity_group" "ops" {
+  name     = "${local.name}-ops"
+  type     = "internal"
+  external_member_entity_ids = true
+  policies = [vault_policy.ops.name]
+}
+
+data "vault_auth_backend" "gitea_jwt" {
+  path = "gitea_jwt"
+}
+resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
+  backend         = data.vault_auth_backend.gitea_jwt.path
+  role_name       = "gitea_cicd_${local.name}"
+  token_policies  = ["default"] # give "${local.name}-ops" role to group of entities
+
+  bound_audiences = [
+    var.gitea_app_id,
+  ]
+  
+  user_claim      = "email"
+  role_type       = "jwt"
+}
+
+data "vault_policy_document" "app" {
+  rule {
+    path         = "kvv2/data/${local.name}/*"
+    capabilities = ["read", "list"]
+  }
+  rule {
+    path         = "postgres/creds/${local.name}*"
+    capabilities = ["read"]
+  }
+}
+resource "vault_policy" "app" {
+    name = "${local.name}"
+    policy = data.vault_policy_document.app.hcl
+}
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
@@ -0,0 +1,6 @@
+variable "name" {
+  type = string
+}
+variable "gitea_app_id" {
+  type = string
+}
--- a/hashicorp-vault/iac/variables.tf
+++ b/hashicorp-vault/iac/variables.tf
@@ -0,0 +1,11 @@
+variable "gitea_app_id" {
+  type = string
+}
+variable "POSTGRES_CREDENTIALS_EDITOR_USERNAME" {
+  type = string
+  sensitive = true
+}
+variable "POSTGRES_CREDENTIALS_EDITOR_PASSWORD" {
+  type = string
+  sensitive = true
+}