diff --git a/.taskfiles/vault/Taskfile.yaml b/.taskfiles/vault/Taskfile.yaml
index ce480cb78..16bc09019 100644
--- a/.taskfiles/vault/Taskfile.yaml
+++ b/.taskfiles/vault/Taskfile.yaml
@@ -5,8 +5,9 @@ version: '3'
 tasks:
 oicd-setup:
 desc: Configure k8s auth for Vault External Secrets
- vars:
- cluster: genmachine
+ requires:
+ vars:
+ - cluster
 cmds:
 - task: enable-vault-oidc
 vars:
@@ -14,8 +15,9 @@ tasks:
 eso-auth-setup:
 desc: Configure k8s auth for Vault External Secrets
- vars:
- cluster: genmachine
+ requires:
+ vars:
+ - cluster
 cmds:
 - task: enable-vault-k8s
 vars:
@@ -35,8 +37,9 @@ tasks:
 certmanager-auth-setup:
 desc: Configure k8s auth for Vault Certmanager
- vars:
- cluster: genmachine
+ requires:
+ vars:
+ - cluster
 cmds:
 - task: enable-vault-k8s
 vars:
@@ -84,10 +87,11 @@ tasks:
 sleep 5
 done
 kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 --decode > ca.crt
+ K8S_HOST="$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}')"
 TOKEN="$(kubectl get secret -n {{.namespace}} {{.service_account}} -o jsonpath='{.data.token}' | base64 -d)"
 vault write -tls-skip-verify -address={{.VAULT_ENDPOINT}} \
 auth/{{.cluster}}-k8s/config token_reviewer_jwt="$TOKEN" \
- kubernetes_host="https://{{.K8S_API}}:6443" \
+ kubernetes_host="$K8S_HOST" \
 kubernetes_ca_cert=@ca.crt
 rm ca.crt
 requires:
diff --git a/Taskfile.yaml b/Taskfile.yaml
index 995a67b47..b0f80b49a 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -17,7 +17,6 @@ vars:
 VAULT_ENDPOINT: 'https://vault.k0s-fullstack.fredcorp.com'
 AUTHENTIK_ENDPOINT_GENMACHINE: 'https://authentik.talos-genmachine.fredcorp.com'
 AUTHENTIK_ENDPOINT_BEELINK: 'https://authentik.k0s-fullstack.fredcorp.com'
- K8S_API: 'talos-cluster.genmachine.fredcorp.com'
 MINIO_API: 'minio-api.talos-genmachine.fredcorp.com'
 includes:
 
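Review bot: The `desc` of `oicd-setup` still says "Configure k8s auth for Vault External Secrets" although the task's only command is `enable-vault-oidc`, and the task name itself reads like a transposition of `oidc`; now that `cluster` is a required, caller-supplied variable, that description is the one place an operator learns what the task does and what to pass. Suggest `desc: Configure the Vault OIDC auth method for one cluster (pass cluster=<name>)` and, if nothing else references the key, renaming the task to `oidc-setup`. The task's `cmds` list continues past the end of the hunk.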
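Review bot: `requires.vars` only checks that `cluster` is set, not what it contains, and the value is interpolated into the Vault mount path (`auth/{{.cluster}}-k8s/config` later in this file), so a typo or the wrong cluster name silently rewrites another cluster's auth mount with this cluster's host, CA and reviewer token. Since the Task check is presence-only, add a guard as the first command, e.g. `- '[ "{{.cluster}}" = genmachine ] || [ "{{.cluster}}" = beelink ] || { echo "unknown cluster {{.cluster}}" >&2; exit 1; }'`; newer Task releases also accept an `enum:` list under `requires.vars`, which is cleaner if this project's Task version has it. The `cmds` list continues outside the hunk.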
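Review bot: `K8S_HOST` is taken straight from the operator's kubeconfig and written into Vault without any check, so an empty expansion (no current context, or a kubeconfig using `insecure-skip-tls-verify`, which also leaves `ca.crt` empty) silently configures the mount with a blank host; guard both before the `vault write`: `[ -n "$K8S_HOST" ] && [ -s ca.crt ] || { echo "no usable server/CA in kubeconfig" >&2; exit 1; }`. The server URL in a kubeconfig is whatever the workstation uses to reach the API and may be a tunnel or a local alias, whereas the removed `K8S_API` value was a name Vault itself resolves, so confirm that Vault (on the k0s-fullstack side per `VAULT_ENDPOINT`) can reach `$K8S_HOST` and that `ca.crt` validates that name. Separately, the reviewer JWT is a long-lived service-account token and is sent over a connection configured with `-tls-skip-verify`; since the endpoint is already HTTPS, dropping that flag (or setting `VAULT_CACERT`) would stop an on-path host from harvesting it. The `while` loop and the `cmds` entry this hunk sits in begin before the hunk.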
diff --git a/gitops/manifests/cert-manager/k0s/templates/clusterIssuer.yaml b/gitops/manifests/cert-manager/k0s/templates/clusterIssuer.yaml
index 97b4f579e..1879ade5a 100644
--- a/gitops/manifests/cert-manager/k0s/templates/clusterIssuer.yaml
+++ b/gitops/manifests/cert-manager/k0s/templates/clusterIssuer.yaml
@@ -47,10 +47,10 @@ spec:
 name: root-ca-chain
 auth:
 kubernetes:
- mountPath: /v1/auth/kubernetes
- role: certmanager-vault-auth-k0s
+ mountPath: /v1/auth/beelink-k8s
+ role: certmanager
 secretRef:
- name: certmanager-vault-auth-k0s
+ name: certmanager-auth
 key: token
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -63,18 +63,18 @@ roleRef:
 name: system:auth-delegator
 subjects:
 - kind: ServiceAccount
- name: certmanager-vault-auth-k0s
+ name: certmanager-auth
 namespace: cert-manager
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: certmanager-vault-auth-k0s
+ name: certmanager-auth
 ---
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/service-account-token
 metadata:
- name: certmanager-vault-auth-k0s
+ name: certmanager-auth
 annotations:
- kubernetes.io/service-account.name: 'certmanager-vault-auth-k0s'
+ kubernetes.io/service-account.name: 'certmanager-auth'
diff --git a/gitops/manifests/external-secrets/beelink/templates/clusterSecretStore.yaml b/gitops/manifests/external-secrets/beelink/templates/clusterSecretStore.yaml
index 1864f5c40..2c09220ae 100644
--- a/gitops/manifests/external-secrets/beelink/templates/clusterSecretStore.yaml
+++ b/gitops/manifests/external-secrets/beelink/templates/clusterSecretStore.yaml
@@ -16,8 +16,8 @@ spec:
 key: fredcorp-ca-chain.pem
 auth:
 kubernetes:
- mountPath: kubernetes
- role: external-secrets
+ mountPath: beelink-k8s
+ role: eso
 serviceAccountRef:
 name: eso-auth
 namespace: external-secrets
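Review bot: The issuer still authenticates with the long-lived token stored in the `kubernetes.io/service-account-token` Secret via `secretRef`, while the ESO store in this same commit uses `serviceAccountRef`; cert-manager (v1.12 and later, if this chart runs that version) supports the same mechanism for Vault and mints a short-lived token per request, leaving no static credential to rotate or leak. Replace the three `secretRef` lines with `serviceAccountRef:` / `  name: certmanager-auth`, grant cert-manager's own service account `create` on `serviceaccounts/token` for that account, and the Secret further down becomes unnecessary. Also confirm that the Vault role `certmanager` under `beelink-k8s` is bound to `certmanager-auth` in `cert-manager` (`bound_service_account_names`/`bound_service_account_namespaces`) rather than wildcards; the Vault side is not visible here. The `spec` block starts before the hunk.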
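Review bot: This is a ClusterSecretStore, so after the change any namespace in the cluster can create an ExternalSecret that reads Vault through the `eso` role; unless `spec.conditions` is set further up in this file (the hunk starts mid-`spec`), that role's reach is the whole cluster. If the role is meant for a limited set of consumers, add `conditions:` under `spec` with a `namespaces:` or `namespaceSelector:` entry, and make sure the Vault role `eso` under `beelink-k8s` is bound to `eso-auth` in `external-secrets` and attached to a policy limited to the KV paths these stores actually need (not visible here).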