holos

starred/holos

Fork 0

mirror of https://github.com/holos-run/holos.git synced 2026-03-21 17:55:01 +00:00

Commit Graph

Author	SHA1	Message	Date
Jeff McCune	fd306aae76	Pod eso-creds-refresher authenticates to provisioner This patch adds a ConfigMap and Pod to the eso-creds-refresher component. The Pod executes the gcloud container, impersonates the eso-creds-refresher iam service account using workload identity, then authenticates to the remote provisioner cluster. This is the foundation for a script to automatically create Secret API objects in a workload cluster which have a kubernetes service account token ESO SecretStore resources can use to fetch secrets from the provisioner cluster. Once we have that script in place we can turn this Pod into a Job and replace Vault.	2024-02-20 17:45:43 -08:00
Jeff McCune	5bf2b85036	Refactor namespaces separate from eso-creds-refresher Manage namespaces in a separate component so we can easily run the eso-creds-refresher component through kubectl delete -f- without deleting the namespace. For the k2 cluster: ``` ❯ holos build ./platforms/reference/clusters/workload/... \| k apply --server-side=true -f- serviceaccount/eso-creds-refresher serverside-applied clusterrole.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied clusterrolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied namespace/holos-system serverside-applied namespace/flux-system serverside-applied namespace/ceph-system serverside-applied namespace/istio-system serverside-applied namespace/istio-ingress serverside-applied namespace/cert-manager serverside-applied namespace/argocd serverside-applied ``` For the provisioner cluster: ``` ❯ holos build ./platforms/reference/clusters/provisioner/... \| k apply --server-side=true -f- clusterrolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied serviceaccount/eso-reader serverside-applied role.rbac.authorization.k8s.io/eso-reader serverside-applied rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied serviceaccount/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied serviceaccount/eso-reader serverside-applied role.rbac.authorization.k8s.io/eso-reader serverside-applied rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied serviceaccount/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied serviceaccount/eso-reader serverside-applied role.rbac.authorization.k8s.io/eso-reader serverside-applied rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied serviceaccount/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied serviceaccount/eso-reader serverside-applied role.rbac.authorization.k8s.io/eso-reader serverside-applied rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied serviceaccount/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied serviceaccount/eso-reader serverside-applied role.rbac.authorization.k8s.io/eso-reader serverside-applied rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied serviceaccount/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied serviceaccount/eso-reader serverside-applied role.rbac.authorization.k8s.io/eso-reader serverside-applied rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied serviceaccount/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied serviceaccount/eso-reader serverside-applied role.rbac.authorization.k8s.io/eso-reader serverside-applied rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied serviceaccount/eso-writer serverside-applied role.rbac.authorization.k8s.io/eso-writer serverside-applied namespace/holos-system serverside-applied namespace/flux-system serverside-applied namespace/ceph-system serverside-applied namespace/istio-system serverside-applied namespace/istio-ingress serverside-applied namespace/cert-manager serverside-applied namespace/argocd serverside-applied ```	2024-02-20 15:40:32 -08:00

Author

SHA1

Message

Date

Jeff McCune

fd306aae76

Pod eso-creds-refresher authenticates to provisioner

This patch adds a ConfigMap and Pod to the eso-creds-refresher
component.  The Pod executes the gcloud container, impersonates the
eso-creds-refresher iam service account using workload identity, then
authenticates to the remote provisioner cluster.

This is the foundation for a script to automatically create Secret API
objects in a workload cluster which have a kubernetes service account
token ESO SecretStore resources can use to fetch secrets from the
provisioner cluster.

Once we have that script in place we can turn this Pod into a Job and
replace Vault.

2024-02-20 17:45:43 -08:00

Jeff McCune

5bf2b85036

Refactor namespaces separate from eso-creds-refresher

Manage namespaces in a separate component so we can easily run the
eso-creds-refresher component through kubectl delete -f- without
deleting the namespace.

For the k2 cluster:

```
❯ holos build ./platforms/reference/clusters/workload/... | k apply --server-side=true -f-
serviceaccount/eso-creds-refresher serverside-applied
clusterrole.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
clusterrolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
namespace/holos-system serverside-applied
namespace/flux-system serverside-applied
namespace/ceph-system serverside-applied
namespace/istio-system serverside-applied
namespace/istio-ingress serverside-applied
namespace/cert-manager serverside-applied
namespace/argocd serverside-applied
```

For the provisioner cluster:

```
❯ holos build ./platforms/reference/clusters/provisioner/... | k apply --server-side=true -f-
clusterrolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
namespace/holos-system serverside-applied
namespace/flux-system serverside-applied
namespace/ceph-system serverside-applied
namespace/istio-system serverside-applied
namespace/istio-ingress serverside-applied
namespace/cert-manager serverside-applied
namespace/argocd serverside-applied
```

2024-02-20 15:40:32 -08:00

2 Commits