From 13870390a3f6a917e01a3307f2165e549bcfced8 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Wed, 16 Oct 2024 14:02:58 +0200
Subject: [PATCH] try vault kvv2 secret engine

---
 chart/templates/vaultauth.yaml   | 13 +++++++++++++
 chart/templates/vaultsecret.yaml | 24 ++++++++++++++++++++++++
 chart/values.yaml                |  2 +-
 main.go                          |  5 ++++-
 4 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 chart/templates/vaultauth.yaml
 create mode 100644 chart/templates/vaultsecret.yaml

diff --git a/chart/templates/vaultauth.yaml b/chart/templates/vaultauth.yaml
new file mode 100644
index 0000000..3e17c03
--- /dev/null
+++ b/chart/templates/vaultauth.yaml
@@ -0,0 +1,13 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: static-auth
+  namespace: {{ .Release.Namespace }}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: webapp
+    serviceAccount: {{ include "webapp.serviceAccountName" . }}
+    audiences:
+      - vault
\ No newline at end of file
diff --git a/chart/templates/vaultsecret.yaml b/chart/templates/vaultsecret.yaml
new file mode 100644
index 0000000..811e851
--- /dev/null
+++ b/chart/templates/vaultsecret.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: vault-kv-app
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: kvv2
+
+  # path of the secret
+  path: webapp/config
+
+  # dest k8s secret
+  destination:
+    name: secretkv
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: static-auth
\ No newline at end of file
diff --git a/chart/values.yaml b/chart/values.yaml
index 45877c6..8d6417c
--- a/chart/values.yaml
+++ b/chart/values.yaml
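Review bot: The control that actually limits who may log in as Vault role `webapp` is not in this template — `spec.kubernetes.role: webapp` only names the role, and the role's `bound_service_account_names` / `bound_service_account_namespaces` live on the Vault side — so the requirement that the role be pinned to exactly `{{ include "webapp.serviceAccountName" . }}` in `{{ .Release.Namespace }}` (never `*`) should be recorded here, e.g. above `role:` as `# Vault role must be bound to this chart's ServiceAccount and release namespace only`. The resource also renders unconditionally: if a chart user sets `serviceAccount.create: false`, the chart's SA-name helper presumably falls back to `default` (confirm in the chart's helpers), and Vault would then have to trust the namespace's default ServiceAccount; gating the template with `{{- if .Values.serviceAccount.create }}` or documenting the requirement in values.yaml avoids that. Both new templates end without a trailing newline (`\ No newline at end of file`), which is worth fixing before merge.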
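Review bot: `mount: kvv2`, `path: webapp/config`, `destination.name: secretkv` and `refreshAfter: 30s` are hard-coded in the template, so a consumer of the chart cannot point it at another KV mount or secret path without forking the file; lifting them into `values.yaml` (e.g. `mount: {{ .Values.vault.kvMount }}`, `path: {{ .Values.vault.secretPath }}`) is the usual fix. Because `destination.create: true` materialises the Vault data as a plain Kubernetes Secret named `secretkv`, any principal with `get`/`list` on Secrets in the release namespace can read it, so namespace RBAC deserves a look alongside this change. Note also that a 30-second sync updates the Secret object in place, but a pod that consumes it through environment variables keeps the old values until it restarts; VaultStaticSecret's `rolloutRestartTargets` field exists for that case — confirm how the webapp reads the secret before relying on rotation.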
@@ -16,7 +16,7 @@ fullnameOverride: ""
 serviceAccount:
   # Specifies whether a service account should be created
-  create: false
+  create: true
   # Automatically mount a ServiceAccount's API credentials?
   automount: true
   # Annotations to add to the service account
diff --git a/main.go b/main.go
index a848c7e..d0b100a 100644
--- a/main.go
+++ b/main.go
@@ -153,6 +153,10 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
 	authorityHeader := r.Header.Get(":authority")
 	if oauthAllowedHttp2Authority != "" && authorityHeader != oauthAllowedHttp2Authority {
 		fmt.Println(":authority: "+authorityHeader)
+		fmt.Println("received headers")
+		for key, value := range r.Header {
+			fmt.Printf("%s='%s'\n", key, value)
+		}
 		http.Error(w, "Access denied: invalid referer or origin", http.StatusForbidden)
 		return
 	}
@@ -409,7 +413,6 @@ func main() {
 	// Start the HTTP server
 	port := ":8080"
 	log.Printf("Server starting on port %s\n", port)
-	fmt.Println("new version indeed")
 	err = http.ListenAndServe(port, nil)
 	if err != nil {
 		log.Fatalf("Server failed to start: %v", err)
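Review bot: Flipping `create: true` is needed so the new VaultAuth can reference a chart-owned ServiceAccount, but `automount: true` two lines below still mounts that ServiceAccount's API token into every webapp pod, and the Vault Secrets Operator does not appear to need that — judging by the `serviceAccount` and `audiences: - vault` fields in vaultauth.yaml the operator presumably requests a token for the named ServiceAccount itself, so the pod never presents its own. Unless the webapp itself calls the Kubernetes API, `automount: false` keeps the token out of the container and shrinks what an application compromise yields. A comment such as `# Not required by the Vault Secrets Operator; set true only if the app itself calls the Kubernetes API` next to `automount` would preserve the reasoning.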
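Review bot: The new header dump on the `:authority` mismatch path prints every request header verbatim, and on an OAuth callback that includes `Cookie` (session cookies) and possibly `Authorization`, so a denied request now writes credentials to stdout; the `%s` verb on the `[]string` value also renders as `[a b]` rather than a quoted form. Redacting the credential-bearing headers and using the `log` package the rest of the file already logs with (`log.Printf` in the next hunk) keeps the diagnostic without the leak. oauth2_callback starts before and ends after this hunk.

```go
		fmt.Println(":authority: "+authorityHeader)
		// Debug aid for :authority mismatches: never echo credential-bearing headers.
		for key, values := range r.Header {
			switch http.CanonicalHeaderKey(key) {
			case "Cookie", "Authorization", "Proxy-Authorization":
				log.Printf("%s=<redacted>", key)
			default:
				log.Printf("%s=%q", key, values)
			}
		}
		// … unchanged: http.Error and return …
```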