feat(catalog): Allow CronJob to write secrets to vault (#2388)

* feat(catalog): Fix cronjob for uplading tokens to vault This includes: * Saving the final vault token to an env variable instead of a file by default * Changing role to one that allows writing of secrets * Switch from jq to yq which is installed in toolbox image * Add config map for moc/smaug to kustomization file Signed-off-by: SamoKopecky <[email protected]> * feat(catalog): Create SA to write secrets to vault Signed-off-by: SamoKopecky <[email protected]> * feat(catalog): Remove read-only SA from clusters other them smaug Signed-off-by: SamoKopecky <[email protected]> Signed-off-by: SamoKopecky <[email protected]>
operate-first · Sep 7, 2022 · 5c3770d · 5c3770d
1 parent d177103
commit 5c3770d
Show file tree

Hide file tree

Showing 14 changed files with 11 additions and 30 deletions.
diff --git a/cluster-scope/base/batch/cronjobs/service-catalog-k8s-plugin/cronjob.yaml b/cluster-scope/base/batch/cronjobs/service-catalog-k8s-plugin/cronjob.yaml
@@ -25,8 +25,8 @@ spec:
             - |
               echo "Authenticating with vault using SA JWT token ..."
               VAULT_AUTH_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
-              VAULT_CLIENT_TOKEN=$(vault write auth/$CLUSTER-k8s/login role=$ENV-ops jwt="$VAULT_AUTH_TOKEN" -format=json | jq -r '.auth.client_token')
-              vault login -no-print $VAULT_CLIENT_TOKEN
+              VAULT_CLIENT_TOKEN=$(vault write auth/$CLUSTER-k8s/login role=$ENV-ops-rw jwt="$VAULT_AUTH_TOKEN" -format=json | yq e '.auth.client_token' -)
+              VAULT_TOKEN=$(vault login -token-only $VAULT_CLIENT_TOKEN)
 
               echo "Pushing k8s plugin SA token to vault ..."
               vault kv put -mount=k8s_secrets moc/smaug/service-catalog/k8s-plugin-tokens $ENV_$CLUSTER_token=$token
@@ -45,5 +45,5 @@ spec:
               requests:
                 cpu: 50m
                 memory: 128Mi
-          serviceAccountName: vault-secret-fetcher
+          serviceAccountName: vault-secret-writer
           restartPolicy: OnFailure
diff --git a/...ice-catalog-k8s-plugin/kustomization.yaml → ...ts/vault-secret-writer/kustomization.yaml b/...ice-catalog-k8s-plugin/kustomization.yaml → ...ts/vault-secret-writer/kustomization.yaml
@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: service-catalog-k8s-plugin
 resources:
-  - ../base
+- serviceaccount.yaml
diff --git a/cluster-scope/base/core/serviceaccounts/vault-secret-writer/serviceaccount.yaml b/cluster-scope/base/core/serviceaccounts/vault-secret-writer/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-secret-writer
+  namespace: service-catalog-k8s-plugin
diff --git a/cluster-scope/overlays/prod/common/kustomization.yaml b/cluster-scope/overlays/prod/common/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - ../../../base/core/secrets/service-catalog-k8s-plugin-token
 - ../../../base/core/serviceaccounts/service-catalog-k8s-plugin
 - ../../../base/core/serviceaccounts/schemastore-ci
+- ../../../base/core/serviceaccounts/vault-secret-writer
 - ../../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-rb
 - ../../../base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners
 - ../../../base/rbac.authorization.k8s.io/clusterrolebindings/sre

diff --git a/cluster-scope/overlays/prod/emea/balrog/secret-mgmt/kustomization.yaml b/cluster-scope/overlays/prod/emea/balrog/secret-mgmt/kustomization.yaml
@@ -7,4 +7,3 @@ resources:
   - openshift-logging
   - openshift-monitoring
   - openshift-user-workload-monitoring
-  - service-catalog-k8s-plugin
diff --git a/cluster-scope/overlays/prod/moc/curator/secret-mgmt/kustomization.yaml b/cluster-scope/overlays/prod/moc/curator/secret-mgmt/kustomization.yaml
@@ -4,4 +4,3 @@ resources:
   - openshift-config
   - openshift-ingress
   - openshift-monitoring
-  - service-catalog-k8s-plugin
diff --git a/...scope/overlays/prod/moc/curator/secret-mgmt/service-catalog-k8s-plugin/kustomization.yaml b/...scope/overlays/prod/moc/curator/secret-mgmt/service-catalog-k8s-plugin/kustomization.yaml
diff --git a/cluster-scope/overlays/prod/moc/infra/secret-mgmt/kustomization.yaml b/cluster-scope/overlays/prod/moc/infra/secret-mgmt/kustomization.yaml
@@ -10,4 +10,3 @@ resources:
   - openshift-monitoring
   - openshift-storage
   - opf-alertreceiver
-  - service-catalog-k8s-plugin
diff --git a/...r-scope/overlays/prod/moc/infra/secret-mgmt/service-catalog-k8s-plugin/kustomization.yaml b/...r-scope/overlays/prod/moc/infra/secret-mgmt/service-catalog-k8s-plugin/kustomization.yaml
diff --git a/cluster-scope/overlays/prod/moc/smaug/kustomization.yaml b/cluster-scope/overlays/prod/moc/smaug/kustomization.yaml
@@ -161,6 +161,7 @@ resources:
 - bucketclasses/noobaa-default-bucket-class.yaml
 - clusterversion.yaml
 - configmaps
+- configmaps/service-catalog-k8s-plugin.yaml
 - externalsecrets
 - groups
 - ingresscontrollers/default.yaml

diff --git a/cluster-scope/overlays/prod/osc/osc-cl1/secret-mgmt/kustomization.yaml b/cluster-scope/overlays/prod/osc/osc-cl1/secret-mgmt/kustomization.yaml
@@ -12,4 +12,3 @@ resources:
   - openshift-ingress
   - openshift-monitoring
   - opf-monitoring
-  - service-catalog-k8s-plugin
diff --git a/...scope/overlays/prod/osc/osc-cl1/secret-mgmt/service-catalog-k8s-plugin/kustomization.yaml b/...scope/overlays/prod/osc/osc-cl1/secret-mgmt/service-catalog-k8s-plugin/kustomization.yaml
diff --git a/cluster-scope/overlays/prod/osc/osc-cl2/secret-mgmt/kustomization.yaml b/cluster-scope/overlays/prod/osc/osc-cl2/secret-mgmt/kustomization.yaml
@@ -14,4 +14,3 @@ resources:
   - openshift-monitoring
   - opf-monitoring
   - pachyderm
-  - service-catalog-k8s-plugin
diff --git a/...scope/overlays/prod/osc/osc-cl2/secret-mgmt/service-catalog-k8s-plugin/kustomization.yaml b/...scope/overlays/prod/osc/osc-cl2/secret-mgmt/service-catalog-k8s-plugin/kustomization.yaml