🔒 fix(ci): add tofu_module_reader SSH key to vault.yaml secrets (mirrors erp pattern) (#100)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>

.gitea/workflows/vault.yaml

@@ -0,0 +1,60 @@
+---
+name: Hashicorp Vault
+
+on:
+  workflow_dispatch: {}
+  push: &vaultPaths
+    paths:
+      - 'iac/*.tf'
+  pull_request: *vaultPaths
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+.vault_step: &vault_step
+  name: read vault secret
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
+  id: vault-secrets
+  with:
+    url: https://vault.arcodange.lab
+    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
+    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    role: gitea_cicd_dance-lessons-coach
+    method: jwt
+    path: gitea_jwt
+    secrets: |
+        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
+        kvv1/gitea/tofu_module_reader ssh_private_key | TERRAFORM_SSH_KEY ;
+
+jobs:
+  gitea_vault_auth:
+    name: Auth with gitea for vault
+    runs-on: ubuntu-latest-ca
+    outputs:
+      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
+    steps:
+      - name: Auth with gitea for vault
+        id: gitea_vault_jwt
+        run: |
+          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+
+  tofu:
+    name: Tofu - Vault
+    needs:
+      - gitea_vault_auth
+    runs-on: ubuntu-latest-ca
+    env:
+      OPENTOFU_VERSION: 1.8.2
+      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
+    steps:
+      - *vault_step
+      - uses: actions/checkout@v4
+      - name: prepare vault self signed cert
+        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
+      - name: terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: iac
+          auto_approve: true

chart/templates/vaultauth.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: auth
+  namespace: {{ .Release.Namespace }}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: {{ .Values.vault.role }}
+    serviceAccount: {{ include "dance-lessons-coach.serviceAccountName" . }}
+    audiences:
+      - vault
+{{- end }}

chart/templates/vaultdynamicsecret.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: vso-db
+  namespace: {{ .Release.Namespace }}
+spec:
+  mount: postgres
+  path: {{ .Values.vault.postgresPath }}
+  destination:
+    create: true
+    name: vso-db-credentials
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: {{ include "dance-lessons-coach.fullname" . }}
+  vaultAuthRef: auth
+{{- end }}

chart/templates/vaultsecret.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: vault-kv-app
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: kv-v2
+  mount: kvv2
+  path: {{ .Values.vault.kvv2Path }}
+  destination:
+    name: secretkv
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: auth
+{{- end }}

chart/values.yaml

@@ -47,8 +47,12 @@ ingress:
   enabled: true
   className: ""
   annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: web
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-crowdsec@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
+    traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
+    traefik.ingress.kubernetes.io/router.tls.domains.0.sans: dancecoachlessons.arcodange.lab
+    traefik.ingress.kubernetes.io/router.middlewares: localIp@file
   hosts:
     - host: dancecoachlessons.arcodange.lab
       paths:
@@ -104,6 +108,15 @@ tolerations: []
 
 affinity: {}
 
+# Vault Secrets Operator integration. Disabled by default ; set vault.enabled=true
+# to render the VaultAuth / VaultStaticSecret / VaultDynamicSecret CRDs (requires
+# VSO operator + Vault prereqs, cf. iac/ once shipped).
+vault:
+  enabled: false
+  role: dance-lessons-coach              # k8s auth backend role name (matches iac/main.tf)
+  kvv2Path: dance-lessons-coach/config   # KVv2 secret path
+  postgresPath: creds/dance-lessons-coach # postgres dynamic creds path
+
 # DLC-specific configuration
 config:
   DLC_LOGGING_JSON: "true"

iac/backend.tf

@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket = "arcodange-tf"
+    prefix = "dance-lessons-coach/main"
+  }
+}

iac/main.tf

@@ -0,0 +1,10 @@
+locals {
+  app = {
+    name = "dance-lessons-coach"
+  }
+}
+
+module "app_roles" {
+  source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main"
+  name   = local.app.name
+}

iac/providers.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_providers {
+    vault = {
+      source  = "vault"
+      version = "4.4.0"
+    }
+  }
+}
+
+provider "vault" {
+  address = "https://vault.arcodange.lab"
+  auth_login_jwt {
+    # TERRAFORM_VAULT_AUTH_JWT environment variable, set by the gitea OIDC step
+    mount = "gitea_jwt"
+    role  = "gitea_cicd_dance-lessons-coach"
+  }
+}