Switch to vault token instead of approle

main
Julius 2022-05-23 12:00:41 +02:00
parent ce139135ed
commit 227c75072c
Signed by: j00lz
GPG Key ID: AF241B0AA237BBA2
3 changed files with 11 additions and 14 deletions


@ -10,17 +10,8 @@ spec:
path: "k8s"
version: "v2"
auth:
# VaultAppRole authenticates with Vault using the
# App Role auth mechanism
# https://www.vaultproject.io/docs/auth/approle
appRole:
# Path where the App Role authentication backend is mounted
path: "approle"
# RoleID configured in the App Role authentication backend
roleId: "48a0e39d-e7e8-4ac2-529c-db99ffa1f6b0"
# Reference to a key in a K8 Secret that contains the App Role SecretId
# (not commited in git)
secretRef:
name: "vault-secret-id"
namespace: "external-secrets"
key: "secret-id"
# points to a secret that contains a vault token
# https://www.vaultproject.io/docs/auth/token
tokenSecretRef:
name: "vault-secret"
key: "vault-token"
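Review bot: The new `tokenSecretRef` drops the `namespace` field that the removed `secretRef` carried, so if this manifest is a ClusterSecretStore (the `kind` line is outside the hunk) the reference will not resolve; add `namespace: "external-secrets"` under `tokenSecretRef` to keep the previous scoping. A static token also has a different lifecycle from AppRole: unless it is issued as renewable/periodic with a bounded TTL and renewed out of band, the store silently loses access once the TTL elapses, and nothing in the hunk records how the token was issued or which policy it carries. The comment above the new block should state that, e.g. `# renewable token bound to the read-only policy in vault-policies/k8s.hcl; rotation handled outside this repo`.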


@ -22,6 +22,8 @@ let
'';
};
};
k8sProxy = proxy "http://kubernetes.lxd:80/";
in {
imports = [ ../../common ../../common/lxc.nix ];
networking.hostName = "nginx";
@ -47,6 +49,7 @@ in {
virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/";
virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/";
virtualHosts."whoami.asraphiel.dev" = k8sProxy;
};
security.acme.email = "acme@voidcorp.nl";
security.acme.acceptTerms = true;
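Review bot: `k8sProxy` is bound in the `let` block (which begins above the hunk) but used exactly once, for `virtualHosts."whoami.asraphiel.dev"`; writing `proxy "http://kubernetes.lxd:80/"` inline there would match how every neighbouring vhost is declared, unless further hosts are meant to share the binding. If kubernetes.lxd is an ingress that selects backends by Host header, the `proxy` helper (defined outside the hunk) has to forward the original Host for the whoami host to reach the right service — worth confirming, since the other targets are single services where that would not matter.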

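--- /dev/null
+++ b/vault-policies/k8s.hcl
@@ -0,0 +1,3 @@
+path "k8s/*" {
+capabilities = ["read"]
+}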
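Review bot: `k8s/*` grants read on every sub-path of the mount, including `k8s/metadata/*` and the version-history endpoints, while the consuming store in this commit declares KV `version: "v2"` and only needs the data view; `path "k8s/data/*"` is the narrower grant that still serves it. A one-line header comment naming the consumer would also help the next reader, e.g. `# read-only policy for the token used by the external-secrets SecretStore`.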