Switch to vault token instead of approle

2022-05-23 12:00:41 +02:00 · 2022-05-23 12:00:41 +02:00 · 227c75072c
parent ce139135ed
commit 227c75072c
3 changed files with 11 additions and 14 deletions
--- a/flux/cluster/core/external-secrets/vault-secret-store.yaml
+++ b/flux/cluster/core/external-secrets/vault-secret-store.yaml
@ -10,17 +10,8 @@ spec:
      path: "k8s"
      version: "v2"
      auth:
-        # VaultAppRole authenticates with Vault using the
-        # App Role auth mechanism
-        # https://www.vaultproject.io/docs/auth/approle
-        appRole:
-          # Path where the App Role authentication backend is mounted
-          path: "approle"
-          # RoleID configured in the App Role authentication backend
-          roleId: "48a0e39d-e7e8-4ac2-529c-db99ffa1f6b0"
-          # Reference to a key in a K8 Secret that contains the App Role SecretId
-          # (not commited in git)
-          secretRef:
-            name: "vault-secret-id"
-            namespace: "external-secrets"
-            key: "secret-id"
+        # points to a secret that contains a vault token
+        # https://www.vaultproject.io/docs/auth/token
+        tokenSecretRef:
+          name: "vault-secret"
+          key: "vault-token"
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@ -22,6 +22,8 @@ let
      '';
    };
  };
+
+  k8sProxy = proxy "http://kubernetes.lxd:80/";
 in {
  imports = [ ../../common ../../common/lxc.nix ];
  networking.hostName = "nginx";
@ -47,6 +49,7 @@ in {
    virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
    virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/";
    virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/";
+    virtualHosts."whoami.asraphiel.dev" = k8sProxy;
  };
  security.acme.email = "acme@voidcorp.nl";
  security.acme.acceptTerms = true;
--- a/vault-policies/k8s.hcl
+++ b/vault-policies/k8s.hcl
@ -0,0 +1,3 @@
+path "k8s/*" {
+    capabilities = ["read"]
+}