The Vault OIDC blog article thingy
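#!/bin/bash
# Generate a self-signed certificate and private key for vault.example.com.
# The same cert.crt is later given to the kube-apiserver as --oidc-ca-file and
# to Traefik as its serving certificate, so it doubles as the trust anchor for
# the OIDC issuer; the key is only ever needed by Traefik.
set -euo pipefail

# -p: idempotent, no test-then-create dance.
mkdir -p ./ssl

# -nodes leaves the key unencrypted on disk (acceptable for a lab, Traefik has
# no passphrase prompt anyway). -addext needs OpenSSL >= 1.1.1. The SAN must
# match the Host rule in traefik.toml and the issuer URL the apiserver uses.
openssl \
  req \
  -new \
  -nodes \
  -days 365 \
  -x509 \
  -newkey rsa:4096 \
  -keyout ./ssl/cert.key \
  -out ./ssl/cert.crt \
  -subj "/CN=vault.example.com" \
  -addext "subjectAltName = DNS:vault.example.com"

# Belt and braces on permissions: the certificate is public, the key is not.
chmod 644 ./ssl/cert.crt
chmod 600 ./ssl/cert.key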
---
# kind cluster: one control-plane node whose kube-apiserver trusts Vault as an
# OIDC identity provider, plus one plain worker.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  image: kindest/node:v1.21.2
  extraMounts:
  # CHANGE THIS ONE TO MATCH YOUR OWN PATH
  # NOTE(review): this mounts the whole ./ssl directory, i.e. cert.key as well
  # as the cert.crt the apiserver actually needs (see oidc-ca-file below).
  # Mounting only the certificate file would keep the private key off the node.
  - hostPath: /home/thomas/vaultarticle/ssl
    containerPath: /etc/ssl/certs/oidc
    readOnly: true
    propagation: HostToContainer
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        # vault read identity/oidc/token/k8saas-devel
        # CHANGE THIS TO MATCH YOUR CONFIG
        # (the Terraform in this gist defines the role "k8s-token"; "k8saas-devel"
        # presumably comes from another setup -- verify which role mints the token)
        # Must equal the client_id of that Vault OIDC role (Terraform output
        # oidc_client_id); the apiserver rejects tokens whose "aud" differs.
        oidc-client-id: exzTAUtyhNQ5MQ79buAcJbIZ6X
        # "groups" is filled by the role template ({{identity.entity.groups.names}});
        # each name is prefixed in Kubernetes, e.g. vault:kubernetes-admin, which is
        # the subject to bind RBAC roles to.
        oidc-groups-claim: groups
        oidc-groups-prefix: "vault:"
        # Has to match the token's "iss" exactly. The Terraform issuer is
        # https://vault.example.com; Vault appends /v1/identity/oidc to it.
        oidc-issuer-url: "https://vault.example.com/v1/identity/oidc"
        # "sub" is presumably the Vault entity id (cf. the user1_sub/user2_sub
        # outputs), so usernames look like vault:<entity-id>.
        oidc-username-claim: sub
        oidc-username-prefix: "vault:"
        # The Vault signing key is ES256; RS256 is tolerated but unused here.
        oidc-signing-algs: "ES256,RS256"
        # The self-signed cert from the openssl script. Pinning this exact file is
        # what authenticates the Vault endpoint without a public CA.
        oidc-ca-file: "/etc/ssl/certs/oidc/cert.crt"
- role: worker
  image: kindest/node:v1.21.2
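#!/bin/bash
# Run Traefik on the host network as the TLS terminator in front of the Vault
# dev server (which listens on 127.0.0.1:8200 and is only reachable from this
# container because of --net host). traefik.toml and ./ssl come from the cwd.
set -euo pipefail

# Quote the bind mounts so a working directory containing spaces does not split
# the -v arguments; mount them read-only, Traefik only ever reads them.
docker run \
  --net host \
  -v "${PWD}/traefik.toml:/etc/traefik/traefik.toml:ro" \
  -v "${PWD}/ssl:/etc/traefik/ssl:ro" \
  -it traefik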
# Traefik configuration for the Vault demo. With providers.file pointing at
# /etc/traefik this file is presumably also picked up as dynamic configuration,
# which is where the [http.*] and [tls.*] tables below come from.
[log]
  # NOTE(review): debug is very chatty and will include request details; fine
  # for a lab, lower it anywhere else.
  level = "debug"

[providers]
  [providers.file]
    directory = "/etc/traefik"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    # Nothing is served in clear: every request on :80 is redirected to :443.
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"
  [entryPoints.websecure]
    address = ":443"

[http.services]
  [http.services.vault.loadBalancer]
    # Upstream is the Vault dev server on loopback (docker --net host), so the
    # Traefik -> Vault hop is cleartext HTTP but never leaves the machine.
    [[http.services.vault.loadBalancer.servers]]
      url = "http://127.0.0.1:8200/"

[http.routers]
  [http.routers.vault]
    # Only requests for this Host reach Vault. It has to match the CN/SAN of the
    # certificate and the issuer the kube-apiserver is configured with.
    rule = "Host(`vault.example.com`)"
    service = "vault"
    # An empty tls table turns TLS on for this router with Traefik's defaults.
    [http.routers.vault.tls]

# The self-signed pair from the openssl script (mounted by the docker run
# script); the cert is the same file the apiserver pins via --oidc-ca-file.
[[tls.certificates]]
  certFile = "/etc/traefik/ssl/cert.crt"
  keyFile = "/etc/traefik/ssl/cert.key"
#!/bin/bash
# Start a throw-away Vault in dev mode on the host network.
# Dev mode is in-memory and auto-unsealed, listens on 127.0.0.1:8200 over plain
# HTTP, and uses the fixed root token "devtoken" that the Terraform provider
# block expects. Nothing here survives a restart.
docker run \
  --net host \
  -it \
  vault \
  vault server -dev -dev-root-token-id=devtoken
terraform {
  # Local state. NOTE(review): the state file will hold the userpass passwords
  # and the root token from this file in clear text; keep terraform.tfstate
  # out of version control.
  backend "local" {
    path = "terraform.tfstate"
  }
}

# Talks straight to the dev server (plain HTTP on loopback, see the docker run
# script) with its fixed root token. Outside a throw-away lab the token belongs
# in the environment (VAULT_TOKEN) rather than in the file.
provider "vault" {
  address = "http://127.0.0.1:8200"
  token = "devtoken"
}
# Username/password login. It is only used to obtain a Vault token in the demo;
# Kubernetes never sees these credentials, it only sees the OIDC token Vault
# mints afterwards.
resource "vault_auth_backend" "userpass" {
  path = "userpass"
  type = "userpass"
}

# Two test accounts. vault_generic_endpoint writes the raw JSON body to the
# given path; the passwords are lab-only and end up verbatim in the state file.
# The usernames must match the identity alias names declared further down.
resource "vault_generic_endpoint" "user1" {
  depends_on = [vault_auth_backend.userpass]

  path      = "auth/userpass/users/user1"
  data_json = <<-EOT
    {
    "password": "password1"
    }
  EOT
}

resource "vault_generic_endpoint" "user2" {
  depends_on = [vault_auth_backend.userpass]

  path      = "auth/userpass/users/user2"
  data_json = <<-EOT
    {
    "password": "password2"
    }
  EOT
}
# One identity entity per user, each tied to its userpass login through an
# alias (alias name == userpass username, accessor == the userpass mount).
# The entity id is what shows up as the token's "sub" (see the *_sub outputs).
#
# NOTE(review): "kubernetes-policy-test" is not defined anywhere in this gist;
# Vault accepts unknown policy names but they grant nothing. The access that
# actually matters comes from the groups' "kubernetes-access" policy.
resource "vault_identity_entity" "user1" {
  policies = ["kubernetes-policy-test"]
  name     = "user1"
}

resource "vault_identity_entity_alias" "user1" {
  canonical_id   = vault_identity_entity.user1.id
  mount_accessor = vault_auth_backend.userpass.accessor
  name           = "user1"
}

resource "vault_identity_entity" "user2" {
  policies = ["kubernetes-policy-test"]
  name     = "user2"
}

resource "vault_identity_entity_alias" "user2" {
  canonical_id   = vault_identity_entity.user2.id
  mount_accessor = vault_auth_backend.userpass.accessor
  name           = "user2"
}
# Internal groups. Their names are what the role template puts in the "groups"
# claim, and with oidc-groups-prefix "vault:" they reach Kubernetes as
# vault:kubernetes-admin / vault:kubernetes-user-readonly.
#
# Both groups carry the same Vault policy (the right to mint a k8s token); the
# admin vs read-only distinction is purely a Kubernetes RBAC decision, made by
# what those two group subjects are bound to in the cluster.
resource "vault_identity_group" "kubernetes-admin" {
  type     = "internal"
  name     = "kubernetes-admin"
  policies = ["kubernetes-access"]

  member_entity_ids = [vault_identity_entity.user1.id]
}

resource "vault_identity_group" "kubernetes-user-readonly" {
  type     = "internal"
  name     = "kubernetes-user-readonly"
  policies = ["kubernetes-access"]

  member_entity_ids = [vault_identity_entity.user2.id]
}
# Vault as an OIDC provider. The issuer has to be the public URL Traefik serves
# (cert CN/SAN, Host rule); Vault appends /v1/identity/oidc to it, which is the
# value the kube-apiserver is given as --oidc-issuer-url.
resource "vault_identity_oidc" "oidc_server" {
  issuer = "https://vault.example.com"
}

# Signing key. ES256 is the first algorithm in the apiserver's oidc-signing-algs.
# The key is rotated daily and the previous public key stays published for
# another verification_ttl, so tokens signed just before a rotation still verify.
resource "vault_identity_oidc_key" "key" {
  name             = "key"
  algorithm        = "ES256"
  rotation_period  = 24 * 3600 # seconds
  verification_ttl = 24 * 3600 # seconds
}

# will create a path at v1/identity/oidc/token/k8s-token
# The template adds the two custom claims the apiserver is configured for
# ("groups", plus "nbf"); the standard claims (iss, sub, aud, exp, iat) are
# filled in by Vault. Token lifetime is the role's default ttl (not set here).
resource "vault_identity_oidc_role" "k8s-token" {
  name = "k8s-token"
  key  = vault_identity_oidc_key.key.name

  template = <<-EOF
    {
    "groups": {{identity.entity.groups.names}},
    "nbf": {{time.now}}
    }
  EOF
}

# Allow the role "k8s-token" to use the key
resource "vault_identity_oidc_key_allowed_client_id" "oidc_key" {
  allowed_client_id = vault_identity_oidc_role.k8s-token.client_id
  key_name          = vault_identity_oidc_key.key.name
}
# The only capability a Kubernetes user needs in Vault: reading the token
# endpoint of the k8s-token role, i.e. minting an OIDC token for themselves.
# Attached to both groups above.
resource "vault_policy" "kubernetes-access" {
  name = "kubernetes-access"

  policy = <<-EOT
    path "identity/oidc/token/k8s-token" {
    capabilities = ["read"]
    }
  EOT
}
# Few output variables
# oidc_client_id: copy into the kind config's oidc-client-id.
# k8s_command_token: the command a logged-in user runs to get a token.
# user{1,2}_sub: the entity ids, i.e. the values Kubernetes sees as
#   vault:<entity-id> usernames.
output "oidc_client_id" {
  value = vault_identity_oidc_role.k8s-token.client_id
}

output "user1_sub" {
  value = vault_identity_entity.user1.id
}

output "user2_sub" {
  value = vault_identity_entity.user2.id
}

output "k8s_command_token" {
  value = "vault read identity/oidc/token/${vault_identity_oidc_role.k8s-token.name}"
}