151 lines
6.2 KiB
Markdown
151 lines
6.2 KiB
Markdown
# Vault
|
|
|
|
1. Les [playbooks ansible](https://gitea.arcodange.lab/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
|
|
2. Configuration des backend d'authentification et des roles pour postgres et kubernetes. Définition de rôles "${app}-ops" pour permettre au dépot d'une application de définir ses propres dépendances dans vault. Rotation de credentials postgres pour les applications.
|
|
3. [Le dépot de l'application webapp](https://gitea.arcodange.lab/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
|
|
|
|
```mermaid
|
|
flowchart LR
|
|
|
|
classDef playbook stroke:#0f0,fill:#440,stroke-width: 1px
|
|
classDef tofu stroke:#f00,fill:#404,stroke-width: 2px
|
|
classDef argocd stroke:#00f,fill:#044,stroke-width: 3px
|
|
classDef database stroke:#bb0,fill:#ff0,stroke-width: 5px,color: black
|
|
classDef secret stroke:#f00,fill:#f00,stroke-width: 5px,color: yellow
|
|
classDef secretOperator stroke:#f00,fill:DarkRed,stroke-width: 5px,color: Orange
|
|
|
|
subgraph git_code[factory.git]
|
|
subgraph ansible_collection
|
|
setup_playbook[playbook arcodange.factory.setup]:::playbook
|
|
tools_playbook[playbook arcodange.factory.tools]:::playbook
|
|
end
|
|
git_code_tofu_vault{{tofu}}:::tofu
|
|
end
|
|
|
|
subgraph git_tools[tools.git]
|
|
argocd_tools{{Argo CD Apps}}:::argocd
|
|
git_tools_tofu_vault{{tofu}}:::tofu
|
|
end
|
|
|
|
subgraph git_webapp[webapp.git]
|
|
webapp["Go(lang) web app"]
|
|
argocd_webapp{{Argo CD App}}:::argocd
|
|
git_webapp_tofu_vault{{tofu}}:::tofu
|
|
end
|
|
|
|
subgraph servers
|
|
subgraph k3s
|
|
subgraph k3s_ns_tools[ns:tools]
|
|
argocd{{Argo CD}}:::argocd
|
|
pgbouncer
|
|
subgraph vault
|
|
subgraph vault_auth[auth]
|
|
subgraph vault_auth_openid[openid]
|
|
end
|
|
vault_auth_jwt[jwt]
|
|
vault_auth_k8s[kubernetes]
|
|
vault_auth_jwt_role_gitea_cicd[gitea_cicd role]
|
|
vault_auth_jwt_role_gitea_cicd_webapp_ops[gitea_cicd_webapp ops role]
|
|
vault_auth_k8s_role_vso[vault-secret-operator role]
|
|
vault_auth_k8s_role_webapp[webapp role]
|
|
subgraph policies
|
|
policy_default[default]
|
|
policy_webapp[webapp]
|
|
policy_webapp_ops[webapp ops]
|
|
policy_admin[admin]
|
|
policy_vso[edit-vso-client-cache]
|
|
end
|
|
end
|
|
subgraph vault_secrets[secrets]
|
|
subgraph kvv2
|
|
google/credentials
|
|
webapp/config
|
|
end
|
|
end
|
|
subgraph vault_postgres[postgres]
|
|
creds/creds-editor
|
|
creds/webapp
|
|
end
|
|
subgraph vault_transit[transit]
|
|
end
|
|
end
|
|
vault-secret-operator:::secretOperator
|
|
end
|
|
subgraph k3s_ns_webapp[ns:webapp]
|
|
webapp_deployment[deployment:webapp]
|
|
webapp_postgres_creds_secret[secret:postgres creds]:::secret
|
|
webapp_config_secret[secret:config]:::secret
|
|
webapp_service_account[sa:webapp]
|
|
end
|
|
end
|
|
subgraph postgres
|
|
root_credentials
|
|
postgres_db[(postgres)]:::database
|
|
webapp_credentials:::secret
|
|
webapp_db[(webpp)]:::database
|
|
|
|
vault_creds_editor_role{{credentials_editor}}
|
|
end
|
|
end
|
|
|
|
setup_playbook -. setup postgres .-> postgres
|
|
|
|
tools_playbook -.-o git_code_tofu_vault
|
|
git_code_tofu_vault -..-> vault_auth_openid
|
|
git_code_tofu_vault -..-> vault_auth_jwt -- tofu:factory --- vault_auth_jwt_role_gitea_cicd
|
|
git_code_tofu_vault -..-> kvv2
|
|
git_code_tofu_vault -..-> google/credentials
|
|
|
|
linkStyle 0,1 stroke:#ff3,stroke-width:1px,color:DarkKhaki;
|
|
linkStyle 2,3,5,6 stroke:#f3f,stroke-width:2px,color:DarkOrange;
|
|
|
|
git_tools -.-o argocd_tools
|
|
argocd_tools -.-> pgbouncer
|
|
argocd_tools -.-> vault
|
|
argocd_tools -.-> vault-secret-operator
|
|
argocd_tools o--o argocd
|
|
|
|
linkStyle 7,8,9,10,11 stroke:#3ff,stroke-width:3px,color:DarkSlateBlue;
|
|
|
|
git_tools_tofu_vault -..-> vault_auth_k8s -- sa:vso --- vault_auth_k8s_role_vso
|
|
git_tools_tofu_vault -..-> webapp/config
|
|
git_tools_tofu_vault -..-> vault_transit
|
|
git_tools_tofu_vault -..-> vault_postgres
|
|
vault_auth_k8s ---> k3s
|
|
vault_postgres --> pgbouncer x==> postgres; webapp_deployment --> pgbouncer
|
|
|
|
linkStyle 12,14,15,16 stroke:#f3f,stroke-width:2px,color:DarkOrange;
|
|
linkStyle 18,19,20 stroke:gold,stroke-width:2px;
|
|
|
|
vault_transit x---x vault-secret-operator
|
|
vault-secret-operator x---x vault_auth_k8s_role_vso
|
|
|
|
vault_auth_jwt_role_gitea_cicd x--x policy_default
|
|
vault_auth_k8s_role_vso x--x policy_vso
|
|
|
|
creds/webapp -.-> webapp_credentials
|
|
creds/webapp -.-> vault-secret-operator
|
|
vault-secret-operator -.-> webapp_postgres_creds_secret
|
|
webapp/config -.-> vault-secret-operator
|
|
vault-secret-operator -.-> webapp_config_secret
|
|
|
|
argocd_webapp -.-> k3s_ns_webapp
|
|
webapp --o webapp_deployment
|
|
webapp_postgres_creds_secret --o webapp_deployment
|
|
webapp_deployment --> webapp_service_account
|
|
|
|
vault_auth_jwt -- tofu:tools --- vault_auth_jwt_role_gitea_cicd_webapp_ops
|
|
vault_auth_jwt_role_gitea_cicd_webapp_ops x--x policy_webapp_ops
|
|
vault_auth_k8s -- sa:webapp --- vault_auth_k8s_role_webapp x-- tofu:webapp --x policy_webapp
|
|
|
|
git_webapp_tofu_vault -.-> vault_auth_k8s_role_webapp
|
|
git_webapp_tofu_vault -.-> creds/webapp
|
|
|
|
|
|
root_credentials x--x postgres_db
|
|
webapp_credentials x--x webapp_db
|
|
|
|
tools_playbook --> vault_creds_editor_role
|
|
vault_creds_editor_role -. change password .-> webapp_credentials
|
|
vault_postgres x--x vault_creds_editor_role
|
|
``` |