From 3bb67fc2c100a7fac01e2a83d604b935289005a6 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau <arcodange@gmail.com>
Date: Fri, 18 Oct 2024 15:42:31 +0200
Subject: [PATCH] try vault postgres secret engine

---
 .gitea/workflows/vault.yaml             | 57 ++++++++++++++++++++++++
 chart/templates/deployment.yaml         |  1 +
 chart/templates/vaultauth.yaml          |  2 +-
 chart/templates/vaultdynamicsecret.yaml | 25 +++++++++++
 chart/templates/vaultsecret.yaml        |  2 +-
 iac/backend.tf                          |  6 +++
 iac/main.tf                             | 58 +++++++++++++++++++++++++
 iac/providers.tf                        | 16 +++++++
 8 files changed, 165 insertions(+), 2 deletions(-)
 create mode 100644 .gitea/workflows/vault.yaml
 create mode 100644 chart/templates/vaultdynamicsecret.yaml
 create mode 100644 iac/backend.tf
 create mode 100644 iac/main.tf
 create mode 100644 iac/providers.tf

diff --git a/.gitea/workflows/vault.yaml b/.gitea/workflows/vault.yaml
new file mode 100644
index 0000000..c0229a6
--- /dev/null
+++ b/.gitea/workflows/vault.yaml
@@ -0,0 +1,57 @@
+---
+# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
+name: Hashicorp Vault
+
+on: #[push,pull_request]
+  push: &vaultPaths
+    paths:
+      - 'iac/*.tf'
+  pull_request: *vaultPaths
+
+# cancel any previously-started, yet still active runs of this workflow on the same branch
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+.vault_step: &vault_step
+  name: read vault secret
+  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  id: vault-secrets
+  with:
+    url: https://vault.arcodange.duckdns.org
+    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    role: gitea_cicd_webapp
+    method: jwt
+    path: gitea_jwt
+    secrets: |
+        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
+
+jobs:
+  gitea_vault_auth:
+    name: Auth with gitea for vault
+    runs-on: ubuntu-latest
+    outputs:
+      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
+    steps:
+
+      - name: Auth with gitea for vault
+        id: gitea_vault_jwt
+        run: |
+          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+
+  tofu:
+    name: Tofu - Vault
+    needs:
+      - gitea_vault_auth
+    runs-on: ubuntu-latest
+    env:
+      OPENTOFU_VERSION: 1.8.2
+      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    steps:
+      - *vault_step
+      - uses: actions/checkout@v4
+      - name: terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: iac
+          auto_approve: true
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index fb3ec0b..b875d65 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -5,6 +5,7 @@ metadata:
   labels:
     {{- include "webapp.labels" . | nindent 4 }}
 spec:
+  revisionHistoryLimit: 3
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
diff --git a/chart/templates/vaultauth.yaml b/chart/templates/vaultauth.yaml
index 3e17c03..f0453ad 100644
--- a/chart/templates/vaultauth.yaml
+++ b/chart/templates/vaultauth.yaml
@@ -1,7 +1,7 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
-  name: static-auth
+  name: auth
   namespace: {{ .Release.Namespace }}
 spec:
   method: kubernetes
diff --git a/chart/templates/vaultdynamicsecret.yaml b/chart/templates/vaultdynamicsecret.yaml
new file mode 100644
index 0000000..ce5b39d
--- /dev/null
+++ b/chart/templates/vaultdynamicsecret.yaml
@@ -0,0 +1,25 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: vso-db
+  namespace: {{ .Release.Namespace }}
+spec:
+
+  # Mount path of the secrets backend
+  mount: postgres
+
+  # Path to the secret
+  path: creds/webapp
+
+  # Where to store the secrets, VSO will create the secret
+  destination:
+    create: true
+    name: vso-db-credentials
+
+  # Restart these pods when secrets rotated
+  rolloutRestartTargets:
+  - kind: Deployment
+    name: {{ include "webapp.fullname" . }}
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: auth
\ No newline at end of file
diff --git a/chart/templates/vaultsecret.yaml b/chart/templates/vaultsecret.yaml
index 811e851..1e7f599 100644
--- a/chart/templates/vaultsecret.yaml
+++ b/chart/templates/vaultsecret.yaml
@@ -21,4 +21,4 @@ spec:
   refreshAfter: 30s
 
   # Name of the CRD to authenticate to Vault
-  vaultAuthRef: static-auth
\ No newline at end of file
+  vaultAuthRef: auth
\ No newline at end of file
diff --git a/iac/backend.tf b/iac/backend.tf
new file mode 100644
index 0000000..767a85e
--- /dev/null
+++ b/iac/backend.tf
@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket  = "arcodange-tf"
+    prefix  = "webapp/main"
+  }
+}
\ No newline at end of file
diff --git a/iac/main.tf b/iac/main.tf
new file mode 100644
index 0000000..c8afbba
--- /dev/null
+++ b/iac/main.tf
@@ -0,0 +1,58 @@
+data "vault_auth_backend" "kubernetes" {
+  path = "kubernetes"
+}
+variable "name" {
+  type = string
+  default = "webapp"
+}
+variable "database" {
+  type = string
+  nullable = true
+  default = null
+}
+locals {
+  name = lower(var.name)
+  database = var.database == null ? local.name : var.database
+
+  vault_mount_postgres = { path = "postgres" }
+  vault_mount_kvv2 = { path = "kvv2" }
+}
+
+resource "vault_database_secret_backend_role" "role" {
+  backend             = local.vault_mount_postgres.path
+  name                = "${local.name}"
+  db_name             = "postgres"
+  creation_statements = [
+    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
+    "GRANT ${local.name}_role TO \"{{name}}\";",
+  ] 
+  revocation_statements = [
+    "REVOKE ALL ON DATABASE ${local.database} FROM  \"{{name}}\";" # should we drop the role ?
+  ]
+  renew_statements=[]
+  rollback_statements=[]
+}
+
+resource "vault_kv_secret_v2" "webapp_config" {
+  mount                      = local.vault_mount_kvv2.path
+  name                       = "webapp/config"
+  cas                        = 1
+#   delete_all_versions        = true
+  data_json                  = jsonencode(
+  {
+    zip       = "zap",
+    foo       = "bar"
+  }
+  )
+}
+
+resource "vault_kubernetes_auth_backend_role" "role" {
+  backend                          = data.vault_auth_backend.kubernetes.path
+  role_name                        = local.name
+  bound_service_account_names      = [local.name]
+  bound_service_account_namespaces = [local.name]
+  token_ttl                        = 3600
+  token_policies                   = ["default", local.name]
+  audience                         = "vault"
+  alias_name_source                = "serviceaccount_name"
+}
\ No newline at end of file
diff --git a/iac/providers.tf b/iac/providers.tf
new file mode 100644
index 0000000..901cde4
--- /dev/null
+++ b/iac/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+    required_providers {
+      vault = {
+        source = "vault"
+        version = "4.4.0"
+      }
+    }
+}
+
+provider vault {
+    address = "https://vault.arcodange.duckdns.org"
+    auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+        mount = "gitea_jwt"
+        role = "gitea_cicd_webapp"
+    }
+}
\ No newline at end of file