Switch to vault token instead of approle

This commit is contained in:
Julius 2022-05-23 12:00:41 +02:00
parent ce139135ed
commit 227c75072c
Signed by: j00lz
GPG key ID: AF241B0AA237BBA2
3 changed files with 11 additions and 14 deletions


@ -10,17 +10,8 @@ spec:
path: "k8s" path: "k8s"
version: "v2" version: "v2"
auth: auth:
# VaultAppRole authenticates with Vault using the # points to a secret that contains a vault token
# App Role auth mechanism # https://www.vaultproject.io/docs/auth/token
# https://www.vaultproject.io/docs/auth/approle tokenSecretRef:
appRole: name: "vault-secret"
# Path where the App Role authentication backend is mounted key: "vault-token"
path: "approle"
# RoleID configured in the App Role authentication backend
roleId: "48a0e39d-e7e8-4ac2-529c-db99ffa1f6b0"
# Reference to a key in a K8 Secret that contains the App Role SecretId
# (not commited in git)
secretRef:
name: "vault-secret-id"
namespace: "external-secrets"
key: "secret-id"
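Review bot: The new `tokenSecretRef` drops the `namespace:` field that the replaced `secretRef` carried, so resolving `vault-secret`/`vault-token` now depends on the store kind: a namespaced SecretStore looks in its own namespace, while a ClusterSecretStore requires the field; the kind is not visible in the hunk, so confirm the secret actually lives where the old `external-secrets` reference pointed. The replaced block also recorded that the secret is created out of band (`# (not commited in git)`), and that note was lost in the switch; since a static token has no secret-id rotation like the AppRole flow did, the new block should say how the token is provisioned, e.g. `# Secret created out of band (not committed); use a renewable token with a bounded TTL, limited to the k8s policy`. The enclosing `spec:` block starts outside the hunk and the file path is not shown on this page.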


@ -22,6 +22,8 @@ let
''; '';
}; };
}; };
k8sProxy = proxy "http://kubernetes.lxd:80/";
in { in {
imports = [ ../../common ../../common/lxc.nix ]; imports = [ ../../common ../../common/lxc.nix ];
networking.hostName = "nginx"; networking.hostName = "nginx";
@ -47,6 +49,7 @@ in {
virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/"; virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/"; virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/";
virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/"; virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/";
virtualHosts."whoami.asraphiel.dev" = k8sProxy;
}; };
security.acme.email = "acme@voidcorp.nl"; security.acme.email = "acme@voidcorp.nl";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
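Review bot: `whoami.asraphiel.dev` is the only virtual host bound through a `let` name (`k8sProxy`) while every sibling inlines `proxy "http://...";`; unless the binding is meant to be reused, `virtualHosts."whoami.asraphiel.dev" = proxy "http://kubernetes.lxd:80/";` keeps the attrset uniform, and if reuse is intended a short comment on the binding saying so would help. The first hunk's header reports eight new lines but only seven are visible here, so a blank added line was probably dropped in rendering. Both the `let` block and the `virtualHosts` attrset begin outside the hunks.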

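--- /dev/null
+++ b/vault-policies/k8s.hcl
@@ -0,0 +1,3 @@
+path "k8s/*" {
+capabilities = ["read"]
+}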
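Review bot: `path "k8s/*"` grants read on everything under the mount, including `k8s/config` and the metadata endpoints, while the SecretStore in this commit declares the mount as `version: "v2"`, whose secret reads go through `k8s/data/<name>`; if the mount really is KV v2, `path "k8s/data/*" { capabilities = ["read"] }` is the least-privilege form, with `k8s/metadata/*` added only if metadata lookups are needed. A one-line header comment naming the consumer, e.g. `# read-only policy for the token used by the external-secrets SecretStore`, would tie the policy to the token it is issued for.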