From d72868040ab905844165c6a8457b7a7eab44993a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Can=C3=A9vet?=
Date: Sun, 22 Nov 2020 10:09:52 +0100
Subject: [PATCH] Generate JWT token in Terraform
---
 modules/argocd-helm/main.tf | 33 +++++++++++++++++++++++++++++----
 modules/argocd-helm/outputs.tf | 5 +++++
 modules/argocd-helm/versions.tf | 21 +++++++++++++++++++++
 modules/k3os-libvirt/main.tf | 8 ++++++++
 modules/k3s-docker/main.tf | 8 ++++++++
 5 files changed, 71 insertions(+), 4 deletions(-)
 create mode 100644 modules/argocd-helm/versions.tf
diff --git a/modules/argocd-helm/main.tf b/modules/argocd-helm/main.tf
index 6e202b8eeb..c2fd3b010f 100644
--- a/modules/argocd-helm/main.tf
+++ b/modules/argocd-helm/main.tf
@@ -1,17 +1,25 @@
 locals {
- iat = 1605854613 # An arbitrary Unix timestamp before than now
+ jwt_token_payload = {
+ jti = random_uuid.jti.result
+ iat = time_static.iat.unix
+ iss = "argocd"
+ nbf = time_static.iat.unix
+ sub = "pipeline"
+ }
 argocd_accounts_pipeline_tokens = jsonencode(
 [
 {
- id = random_uuid.accounts_pipeline_token_id.result
- iat = local.iat
+ id = random_uuid.jti.result
+ iat = time_static.iat.unix
 }
 ]
 )
 }
-resource "random_uuid" "accounts_pipeline_token_id" {}
+resource "time_static" "iat" {}
+
+resource "random_uuid" "jti" {}
 resource "helm_release" "argocd" {
 name = "argocd"
@@ -31,3 +39,20 @@ resource "helm_release" "argocd" {
 EOT
 ]
 }
+
+data "kubernetes_secret" "argocd_secret" {
+ metadata {
+ name = "argocd-secret"
+ namespace = helm_release.argocd.namespace
+ }
+
+ depends_on = [
+ helm_release.argocd,
+ ]
+}
+
+resource "jwt_hashed_token" "argocd" {
+ algorithm = "HS256"
+ secret = lookup(data.kubernetes_secret.argocd_secret.data, "server.secretkey")
+ claims_json = jsonencode(local.jwt_token_payload)
+}
diff --git a/modules/argocd-helm/outputs.tf b/modules/argocd-helm/outputs.tf
index d3a0a79b64..fcfdce9900 100644
--- a/modules/argocd-helm/outputs.tf
+++ b/modules/argocd-helm/outputs.tf
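Review bot: `local.jwt_token_payload` sets `jti`, `iat`, `iss`, `nbf` and `sub` but no `exp`, so the token signed from it for the `pipeline` account has no lifetime of its own; revoking it means removing the matching `id`/`iat` entry from `argocd_accounts_pipeline_tokens` or rotating `server.secretkey`, which would also invalidate every other Argo CD session. If a bounded lifetime is acceptable for the pipeline, add `exp = time_static.iat.unix + <lifetime_seconds>` (placeholder) to the payload and, I believe, a matching `exp` field to the token entry — confirm against the Argo CD account-token schema before relying on it. `time_static.iat` also deserves a comment, e.g. `# Captured once at first apply; iat/nbf must stay fixed or the issued token stops matching its account entry`, since as far as I know the `time` provider holds that value until the resource is replaced.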
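Review bot: `jwt_hashed_token.argocd` signs with `server.secretkey` read through `data.kubernetes_secret.argocd_secret`, and Terraform records data-source results and resource attributes in state, so the HS256 signing key, every other key of `argocd-secret`, and the minted token are persisted in plaintext in whichever backend holds this module's state; nothing in the hunk narrows that. The state backend therefore needs access control and encryption at rest equivalent to the cluster secret itself, because a reader of state effectively holds the server's token-signing key rather than just this one token. A comment on the resource would make the trade-off explicit, e.g. `# server.secretkey and the resulting token are stored in Terraform state — protect the backend accordingly`. Minor: `depends_on = [helm_release.argocd]` duplicates the implicit dependency already created by `namespace = helm_release.argocd.namespace`, and the two-argument `lookup()` can be written as the plain index `data.kubernetes_secret.argocd_secret.data["server.secretkey"]`.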
@@ -2,3 +2,8 @@ output "argocd_accounts_pipeline_tokens" {
 description = "The token created for the pipeline."
 value = local.argocd_accounts_pipeline_tokens
 }
+
+output "argocd_auth_token" {
+ description = "The token to set in ARGOCD_AUTH_TOKEN environment variable."
+ value = jwt_hashed_token.argocd.token
+}
diff --git a/modules/argocd-helm/versions.tf b/modules/argocd-helm/versions.tf
new file mode 100644
index 0000000000..1af52839c6
--- /dev/null
+++ b/modules/argocd-helm/versions.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_providers {
+ helm = {
+ source = "hashicorp/helm"
+ }
+ jwt = {
+ source = "camptocamp/jwt"
+ version = "~> 0.0.3"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ }
+ random = {
+ source = "hashicorp/random"
+ }
+ time = {
+ source = "hashicorp/time"
+ }
+ }
+ required_version = ">= 0.13"
+}
diff --git a/modules/k3os-libvirt/main.tf b/modules/k3os-libvirt/main.tf
index dbfc439ee4..c79c93f068 100644
--- a/modules/k3os-libvirt/main.tf
+++ b/modules/k3os-libvirt/main.tf
@@ -17,6 +17,14 @@ provider "helm" {
 }
 }
+provider "kubernetes" {
+ host = local.kubernetes_host
+ username = local.kubernetes_username
+ password = local.kubernetes_password
+ cluster_ca_certificate = local.kubernetes_cluster_ca_certificate
+ load_config_file = false
+}
+
 module "cluster" {
 source = "camptocamp/k3os/libvirt"
 version = "0.2.4"
diff --git a/modules/k3s-docker/main.tf b/modules/k3s-docker/main.tf
index 555a40efc9..4723dbfc6c 100644
--- a/modules/k3s-docker/main.tf
+++ b/modules/k3s-docker/main.tf
@@ -17,6 +17,14 @@ provider "helm" {
 }
 }
+provider "kubernetes" {
+ host = local.kubernetes_host
+ username = local.kubernetes_username
+ password = local.kubernetes_password
+ cluster_ca_certificate = local.kubernetes_cluster_ca_certificate
+ load_config_file = false
+}
+
 module "cluster" {
 source = "camptocamp/k3s/docker"
 version = "0.3.2"
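Review bot: `output "argocd_auth_token"` exposes a bearer credential for the `pipeline` account but is not marked sensitive, so its value is echoed in plan/apply output and by `terraform output`, which is exactly where CI logs pick it up. Add `sensitive = true` to the block; callers consuming the module output still receive the value. The description could also state what the token is, e.g. `description = "Argo CD bearer token for the pipeline account (HS256, no exp claim); set it as ARGOCD_AUTH_TOKEN."`, so a reader of the outputs knows it is a long-lived credential rather than an identifier like `argocd_accounts_pipeline_tokens`.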
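Review bot: only `jwt` carries a `version` constraint; `helm`, `kubernetes`, `random` and `time` are declared by `source` alone, so `terraform init` resolves each of them to the newest release available at that moment, and on Terraform 0.13 — which `required_version = ">= 0.13"` permits and which, as far as I recall, predates the dependency lock file — nothing records which version was chosen. A silent float across a provider major version can change behaviour or drop arguments the modules rely on; pin each provider with a constraint such as `version = "~> <current-major>.0"` (placeholder) so upgrades become a reviewed change rather than a side effect of re-initialising.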
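Review bot: the new `provider "kubernetes"` block is copied verbatim into modules/k3s-docker/main.tf in the following hunk, so every change to the connection settings must be made twice; at minimum each copy should carry a comment naming the other, e.g. `# Keep in sync with modules/k3s-docker/main.tf (identical provider block)`. Both blocks authenticate with a static `username`/`password` pair from locals and set `load_config_file = false`, an argument that, as far as I recall, was removed in the provider's next major release; neither hunk shows a `required_providers` pin for `kubernetes` in these modules (it may live outside the hunk), so without one a fresh `terraform init` could select a version in which this block no longer validates. `module "cluster"` and the enclosing file continue outside the hunk.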