diff --git a/flux/cluster/core/external-secrets/vault-secret-store.yaml b/flux/cluster/core/external-secrets/vault-secret-store.yaml
index d513f90..5077840 100644
--- a/flux/cluster/core/external-secrets/vault-secret-store.yaml
+++ b/flux/cluster/core/external-secrets/vault-secret-store.yaml
@@ -10,17 +10,8 @@ spec:
 path: "k8s"
 version: "v2"
 auth:
- # VaultAppRole authenticates with Vault using the
- # App Role auth mechanism
- # https://www.vaultproject.io/docs/auth/approle
- appRole:
- # Path where the App Role authentication backend is mounted
- path: "approle"
- # RoleID configured in the App Role authentication backend
- roleId: "48a0e39d-e7e8-4ac2-529c-db99ffa1f6b0"
- # Reference to a key in a K8 Secret that contains the App Role SecretId
- # (not commited in git)
- secretRef:
- name: "vault-secret-id"
- namespace: "external-secrets"
- key: "secret-id"
+ # points to a secret that contains a vault token
+ # https://www.vaultproject.io/docs/auth/token
+ tokenSecretRef:
+ name: "vault-secret"
+ key: "vault-token"
diff --git a/nixos/machines/nginx/default.nix b/nixos/machines/nginx/default.nix
index 02a9544..7020da0 100644
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@@ -22,6 +22,8 @@ let
 '';
 };
 };
+
+ k8sProxy = proxy "http://kubernetes.lxd:80/";
 in {
 imports = [ ../../common ../../common/lxc.nix ];
 networking.hostName = "nginx";
@@ -47,6 +49,7 @@ in {
 virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
 virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/";
 virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/";
+ virtualHosts."whoami.asraphiel.dev" = k8sProxy;
 };
 security.acme.email = "acme@voidcorp.nl";
 security.acme.acceptTerms = true;
diff --git a/vault-policies/k8s.hcl b/vault-policies/k8s.hcl
new file mode 100644
index 0000000..4b6f409
--- /dev/null
+++ b/vault-policies/k8s.hcl
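Review bot: The new `tokenSecretRef` names the Secret but not its namespace, whereas the `secretRef` it replaces carried `namespace: "external-secrets"`; if this object is a ClusterSecretStore (the `kind` sits above the hunk and is not visible) the selector needs `namespace: "external-secrets"` or the operator cannot resolve `vault-secret`. The token is now a static credential whose lifetime is decided outside this manifest, and nothing in the commit shows renewal, so unless it is issued as a periodic or non-expiring token the store will start failing when it expires; the comment should say what is expected of it, e.g. `# token must be periodic (or non-expiring) and carry only the read-only k8s policy; it is not renewed by the operator`. Since the AppRole is no longer referenced, the corresponding role in Vault should be disabled rather than left as a second, unmonitored path to the same secrets.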
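Review bot: `k8sProxy` reuses the `proxy` helper whose body ends at the `'';` line of this hunk and begins outside it, so I cannot see whether it forwards the client's `Host` header; `kubernetes.lxd:80` is presumably the cluster's ingress, which routes on Host, and the `whoami.asraphiel.dev` vhost added in the second hunk would land on the ingress default backend if the upstream receives `kubernetes.lxd` instead. If the helper's extra config does not already set it, add `proxy_set_header Host $host;` there. A one-line comment on the binding would help the next person adding a cluster-backed vhost, e.g. `# shared upstream for every vhost served by the cluster ingress; the ingress routes on Host`.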
@@ -0,0 +1,3 @@
+path "k8s/*" {
+ capabilities = ["read"]
+}
\ No newline at end of file
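Review bot: `path "k8s/*"` grants read on everything under the mount, but the store changed in this commit uses KV `version: "v2"` at `path: "k8s"`, whose secret data is served under `k8s/data/...`; the glob therefore also exposes `k8s/metadata/*` and `k8s/config`, which a read-only consumer does not need. Narrow it to `path "k8s/data/*" { capabilities = ["read"] }` and add a separate `k8s/metadata/*` entry only if ExternalSecrets that use `dataFrom.find` (which lists metadata) are introduced. The file also lacks a trailing newline (`\ No newline at end of file`), which makes the next edit's diff noisier than it needs to be.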