starred/holos
1
0
Fork 0
mirror of https://github.com/holos-run/holos.git synced 2026-03-19 16:54:58 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity
68 Commits 25 Branches 180 Tags
4de9f77fbfe4ddbd9c97c39b0c19202201397e39
Commit Graph

14 Commits

Author SHA1 Message Date
Jeff McCune
4c5429b64a (#22) Ceph CSI for Metal clusters 
This patch adds the ceph-csi-rbd helm chart component to the metal
cluster type.  The purpose is to enable PersistentVolumeClaims on ois
metal clusters.

Cloud clusters like GKE and EKS are expected to skip rendering the metal
type.

Helm values are handled with CUE.  The ceph secret is managed as an
ExternalSecret resource, appended to the rendered output by cue and the
holos cli.

Use:

    ❯ holos render --cluster-name=k2 ~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/metal/...
    2:45PM INF render.go:40 rendered prod-metal-ceph version=0.47.0 status=ok action=rendered name=prod-metal-ceph
 2024-02-28 14:46:03 -08:00
Jeff McCune
6090ab224e (#14) Validate secrets fetched from provisioner cluster 
This patch validates secrets are synced from the provisioner cluster to
a workload cluster.  This verifies the eso-creds-refresher job, external
secrets operator, etc...

Refer to
0ae58858f5
for the corresponding commit on the k2 cluster.
 2024-02-27 15:55:17 -08:00
Jeff McCune
10e140258d (#15) Report multiple cue errors 
This patch prints out the cue file and line numbers when a cue error
contains multiple go errors to unwrap.

For example:

```
❯ holos render --cluster-name=k2 ~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/workload/...
3:31PM ERR could not execute version=0.46.0 err="could not decode: content: error in call to encoding/yaml.MarshalStream: incomplete value string (and 1 more errors)" loc=builder.go:212
content: error in call to encoding/yaml.MarshalStream: incomplete value string:
    /home/jeff/workspace/holos-run/holos/docs/examples/schema.cue:199:11
    /home/jeff/workspace/holos-run/holos/docs/examples/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue:83:14
```
 2024-02-27 15:32:11 -08:00
Jeff McCune
b4ad6425e5 (#14) Validate SecretStore works 
This patch validates a SecretStore in the holos-system namespace works
after provisioner credentials are refreshed.
 2024-02-27 11:25:00 -08:00
Jeff McCune
3343d226e5 (#14) Fix namespaces "external-secrets" not found 
Needed for the `prod-secrets-eso` component to reconcile with flux.

NAME                                    REVISION                SUSPENDED       READY   MESSAGE
flux-system                             main@sha1:28b9ab6b      False           True    Applied revision: main@sha1:28b9ab6b
prod-secrets-eso                        main@sha1:28b9ab6b      False           True    Applied revision: main@sha1:28b9ab6b
prod-secrets-eso-creds-refresher        main@sha1:28b9ab6b      False           True    Applied revision: main@sha1:28b9ab6b
prod-secrets-namespaces                 main@sha1:28b9ab6b      False           True    Applied revision: main@sha1:28b9ab6b
 2024-02-26 20:53:43 -08:00
Jeff McCune
51f22443f3 Move secrets project components to the workload cluster 
Goal is to render all of the flux kustomization components with:

```
❯ holos render --cluster-name=k2 ~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/workload/...
4:47PM INF render.go:39 rendered prod-secrets-eso version=0.42.1 status=ok action=rendered name=prod-secrets-eso
4:47PM INF render.go:39 rendered prod-secrets-eso-creds-refresher version=0.42.1 status=ok action=rendered name=prod-secrets-eso-creds-refresher
4:47PM INF render.go:39 rendered prod-secrets-namespaces version=0.42.1 status=ok action=rendered name=prod-secrets-namespaces
```
 2024-02-21 16:45:48 -08:00
Jeff McCune
e98ee28f74 Add eso-creds-refresher CronJob 
This patch adds the `eso-creds-refresher` CronJob which executes every 8
hours in the holos-system namespace of each workload cluster.  The job
creates Secrets with a `token` field representing the id token
credential for a SecretStore to use when synchronizing secrets to and
from the provisioner cluster.

Service accounts in the provisioner cluster are selected with
selector=holos.run/job.name=eso-creds-refresher.

Each selected service account has a token issued with a 12 hour
expiration ttl and is stored in a Secret matching the service account
name in the same namespace in the workload cluster.

The job takes about 25 seconds to run once the image is cached on the
node.
 2024-02-21 15:09:26 -08:00
Jeff McCune
b16d3459f7 Allow eso-creds-refresher iam service account to list ksas 
Without this patch the Job on a workload cluster fails with:

```
+ kubectl get serviceaccount -A --selector=holos.run/job.name=eso-creds-refresher --output=json
Error from server (Forbidden): serviceaccounts is forbidden: User
"eso-creds-refresher@holos-run.iam.gserviceaccount.com" cannot list
resource "serviceaccounts" in API group "" at the cluster scope:
requires one of ["container.serviceAccounts.list"] permission(s).
```
 2024-02-21 11:13:04 -08:00
Jeff McCune
f41b883dce Add holos.run/job.name=eso-creds-refresher label to ksa 
This label is intended for the Job to select which service accounts to
issue tokens for.  For example:

  kubectl get serviceaccount -A --selector=holos.run/job.name=eso-creds-refresher --output=json
 2024-02-21 11:03:33 -08:00
Jeff McCune
572281914c Remove view role from eso-creds-refresher 
Listing namespaces is sufficient, viewing all resources isn't necessary.
 2024-02-21 10:32:41 -08:00
Jeff McCune
4cdf9d2dae Refactor eso-reader and eso-writer provisioner service accounts 
Without this patch it is difficult to navigate the structure of the
configuration of the api objects because they're positional elements in
a list.

This patch extracts the configuration of the eso-reader and eso-writer
ServiceAccount, Role, and RoleBinding structs into a definition that
behaves like a function.  The individual objects are fields of the
struct instead of positional elements in a list.
 2024-02-21 10:08:39 -08:00
Jeff McCune
fd306aae76 Pod eso-creds-refresher authenticates to provisioner 
This patch adds a ConfigMap and Pod to the eso-creds-refresher
component.  The Pod executes the gcloud container, impersonates the
eso-creds-refresher iam service account using workload identity, then
authenticates to the remote provisioner cluster.

This is the foundation for a script to automatically create Secret API
objects in a workload cluster which have a kubernetes service account
token ESO SecretStore resources can use to fetch secrets from the
provisioner cluster.

Once we have that script in place we can turn this Pod into a Job and
replace Vault.
 2024-02-20 17:45:43 -08:00
Jeff McCune
5bf2b85036 Refactor namespaces separate from eso-creds-refresher 
Manage namespaces in a separate component so we can easily run the
eso-creds-refresher component through kubectl delete -f- without
deleting the namespace.

For the k2 cluster:

```
❯ holos build ./platforms/reference/clusters/workload/... | k apply --server-side=true -f-
serviceaccount/eso-creds-refresher serverside-applied
clusterrole.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
clusterrolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
namespace/holos-system serverside-applied
namespace/flux-system serverside-applied
namespace/ceph-system serverside-applied
namespace/istio-system serverside-applied
namespace/istio-ingress serverside-applied
namespace/cert-manager serverside-applied
namespace/argocd serverside-applied
```

For the provisioner cluster:

```
❯ holos build ./platforms/reference/clusters/provisioner/... | k apply --server-side=true -f-
clusterrolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
namespace/holos-system serverside-applied
namespace/flux-system serverside-applied
namespace/ceph-system serverside-applied
namespace/istio-system serverside-applied
namespace/istio-ingress serverside-applied
namespace/cert-manager serverside-applied
namespace/argocd serverside-applied
```
 2024-02-20 15:40:32 -08:00
Jeff McCune
0771bd6b6c Configure namespaces in the provisioner cluster 
The provisioner cluster is a worker-less autopilot cluster that provides
secrets to other clusters in the platform.  The `eso-creds-refresher`
Job in the holos-system namespace of each other cluster refreshes
service account tokens for SecretStores.

This patch adds the IAM structure for the Job implemented by Namespace,
ServiceAccount, Role, and RoleBinding api objects.
 2024-02-19 21:37:13 -08:00