
Commit 2e294e2

rafaeltuelhocodekow
authored andcommitted
specify vault auth ServiceAccount name
1 parent 3bb87d4 commit 2e294e2

17 files changed

+35
-41
lines changed
Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
apiVersion: rbac.authorization.k8s.io/v1
22
kind: ClusterRoleBinding
33
metadata:
4-
name: role-tokenreview-binding
4+
name: vault-role-token-review
55
namespace: vault-admin
66
roleRef:
77
apiGroup: rbac.authorization.k8s.io
88
kind: ClusterRole
99
name: system:auth-delegator
1010
subjects:
1111
- kind: ServiceAccount
12-
name: vault-auth
12+
name: default
1313
namespace: vault-admin

ansible-automation/playbooks/vault-setup/files/vault-git-secret-engine-mount.yml

Lines changed: 0 additions & 10 deletions
This file was deleted.

ansible-automation/playbooks/vault-setup/files/vault-kv-secret-engine-mount.yml

Lines changed: 0 additions & 10 deletions
This file was deleted.

ansible-automation/playbooks/vault-setup/files/vault-quay-secret-engine-mount.yml

Lines changed: 0 additions & 10 deletions
This file was deleted.

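--- a/ansible-automation/playbooks/vault-setup/setup_vault.yml
+++ b/ansible-automation/playbooks/vault-setup/setup_vault.yml
@@ -32,9 +32,9 @@
 state: present
 definition: "{{ lookup('file', item) | from_yaml }}"
 loop:
-- vault-auth-service-account.yml
+#- vault-auth-service-account.yml
 - vault-cluster-role-binding-role-token-review.yml
-- vault-auth-secret.yml
+#- vault-auth-secret.yml
 
 - name: Create vault-admin policy
 ansible.builtin.shell: |
@@ -49,7 +49,7 @@
 - name: Enable kubernetes auth for the Dev Cluster
 ansible.builtin.shell: |
 export SA_SECRET_NAME=$(oc get secrets -n vault-admin --output=json \
-| jq -r '.items[].metadata | select(.name|startswith("vault-auth-token")).name')
+| jq -r '.items[].metadata | select(.name|startswith("default-token")).name')
 export SA_JWT_TOKEN=$(oc get secret $SA_SECRET_NAME -n vault-admin \
 --output 'go-template={{ "{{" }} .data.token {{ "}}" }}' | base64 --decode)
 export SA_CA_CRT=$(oc config view --raw --minify --flatten \
@@ -67,21 +67,21 @@
 kubernetes_ca_cert="$SA_CA_CRT" \
 issuer="https://kubernetes.default.svc.cluster.local"
 
-- name: Create role and service account authentication
+- name: Create vault-admin Role for Kubernetes authentication
 ansible.builtin.shell: |
 oc exec vault-0 -c vault -n {{ vault_namespace
 }} -- vault write -address https://vault.vault.svc:8200 auth/{{ vault_cluster_name }}-admin/role/vault-admin \
-bound_service_account_names=vault-auth \
+bound_service_account_names=default \
 bound_service_account_namespaces=vault-admin \
 token_policies=vault-admin \
 ttl=160h
 
 export SA_SECRET_NAME=$(oc get secrets -n vault-admin --output=json \
-| jq -r '.items[].metadata | select(.name|startswith("vault-auth-token")).name')
+| jq -r '.items[].metadata | select(.name|startswith("default-token")).name')
 export SA_JWT_TOKEN=$(oc get secret $SA_SECRET_NAME -n vault-admin \
 --output 'go-template={{ "{{" }} .data.token {{ "}}" }}' | base64 --decode)
 
-#try to login into Vault using the Kubernetes auth endpoint and the vault-auth Service Account...
+#try to login into Vault using the Kubernetes auth endpoint and the default Service Account...
 oc exec vault-0 -c vault -n vault -- \
 vault write -address https://vault.vault.svc:8200 auth/{{ vault_cluster_name }}-admin/login role=vault-admin jwt=$SA_JWT_TOKEN
 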
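Review bot: `bound_service_account_names=default` on the role write (line 74) ties the vault-admin token policy to the namespace's default ServiceAccount, which is also the identity of every pod in vault-admin that does not set serviceAccountName, so any such pod can log in to Vault with vault-admin rights; the dedicated vault-auth ServiceAccount this commit comments out at line 35 kept that identity scoped, and the ClusterRoleBinding change earlier in the commit grants system:auth-delegator to the same default account. The `startswith("default-token")` lookups here (line 80) and in the hunk at lines 49-55 also depend on an auto-generated token Secret, which Kubernetes stopped creating for ServiceAccounts in 1.24, so on such clusters SA_SECRET_NAME is empty and the following `oc get secret` fails. `oc create token default -n vault-admin` (the TokenRequest API) returns a short-lived JWT without that dependency and would work on both older and newer clusters. Whether the shell block that starts at line 71 ends at line 87 is not visible in this hunk.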

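--- a/ansible-automation/playbooks/vault-setup/templates/vault-git-webhook-password-policy.yml.j2
+++ b/ansible-automation/playbooks/vault-setup/templates/vault-git-webhook-password-policy.yml.j2
@@ -6,7 +6,9 @@ metadata:
 spec:
 authentication:
 path: kubernetes
-role: policy-admin
+role: policy-admin
+serviceAccount:
+name: default
 passwordPolicy: |
 length = 8
 rule "charset" {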
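Review bot: The new `serviceAccount:` / `name: default` lines (10-11) point the resource's Vault login at the namespace's default ServiceAccount, which every pod in that namespace without an explicit serviceAccountName also runs as, so any such pod inherits whatever the policy-admin role grants; a dedicated ServiceAccount keeps that identity scoped to the operator. The same addition appears in vault-github-secret-engine-config.yml.j2, vault-github-secret-engine-role.yml.j2, vault-quay-secret-engine-config.yml.j2 and vault-quay-secret-engine-role.yml.j2. Indentation is not visible in the rendered page, so confirm that `serviceAccount:` sits under `authentication:` and `name:` under `serviceAccount:` in the rendered template. Line 9 (`role: policy-admin`) is removed and re-added with no visible difference, presumably a whitespace-only edit.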

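--- a/ansible-automation/playbooks/vault-setup/templates/vault-github-secret-engine-config.yml.j2
+++ b/ansible-automation/playbooks/vault-setup/templates/vault-github-secret-engine-config.yml.j2
@@ -7,6 +7,8 @@ spec:
 authentication:
 path: kubernetes
 role: policy-admin
+serviceAccount:
+name: default
 sSHKeyReference:
 vaultSecret:
 path: "kv/secrets/{{ idp_instance_name }}/github-plugin"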

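--- a/ansible-automation/playbooks/vault-setup/templates/vault-github-secret-engine-role.yml.j2
+++ b/ansible-automation/playbooks/vault-setup/templates/vault-github-secret-engine-role.yml.j2
@@ -7,6 +7,8 @@ spec:
 authentication:
 path: kubernetes
 role: policy-admin
+serviceAccount:
+name: default
 path: github
 organizationName: {{ github_org }}
 repositories: []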

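--- a/ansible-automation/playbooks/vault-setup/templates/vault-quay-secret-engine-config.yml.j2
+++ b/ansible-automation/playbooks/vault-setup/templates/vault-quay-secret-engine-config.yml.j2
@@ -7,6 +7,8 @@ spec:
 authentication:
 path: kubernetes
 role: policy-admin
+serviceAccount:
+name: default
 disableSslVerification: true
 rootCredentials:
 vaultSecret: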

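--- a/ansible-automation/playbooks/vault-setup/templates/vault-quay-secret-engine-role.yml.j2
+++ b/ansible-automation/playbooks/vault-setup/templates/vault-quay-secret-engine-role.yml.j2
@@ -7,6 +7,8 @@ spec:
 authentication:
 path: kubernetes
 role: policy-admin
+serviceAccount:
+name: default
 path: quay
 namespaceName: {{ quay_org }}
 createRepositories: true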
