Deploy reuse-surface runtime secrets via OpenBao External Secrets
Add openbao-reuse ClusterSecretStore handoff, reuse-surface-runtime ExternalSecret, ESO token bootstrap script, and Makefile targets for CCR-2026-0005 / RAILIANCE-WP-0011.
This commit is contained in:
parent
3a9236148a
commit
40f0cb741d
5 changed files with 130 additions and 15 deletions
59
tools/reuse-openbao-eso-token-apply.sh
Executable file
59
tools/reuse-openbao-eso-token-apply.sh
Executable file
|
|
@ -0,0 +1,59 @@
|
|||
#!/usr/bin/env bash
|
||||
# Create/read-limited OpenBao token on coulombcore (bao.coulomb.social) and store it
|
||||
# on railiance01 for External Secrets (ClusterSecretStore openbao-reuse).
|
||||
set -euo pipefail
|
||||
|
||||
POLICY_NAME="${OPENBAO_REUSE_POLICY:-workload-kv-read-reuse-surface-runtime}"
|
||||
POLICY_FILE="${OPENBAO_REUSE_POLICY_FILE:-$HOME/railiance-platform/openbao/policies/workload-kv-read-reuse-surface-runtime.hcl}"
|
||||
BAO_ADDR="${BAO_ADDR:-https://bao.coulomb.social}"
|
||||
RAILIANCE01_KUBECONFIG="${RAILIANCE01_KUBECONFIG:-$HOME/.kube/config-hosteurope}"
|
||||
SECRET_NAME="${OPENBAO_REUSE_ESO_SECRET:-openbao-reuse-eso-token}"
|
||||
SECRET_NS="${OPENBAO_REUSE_ESO_NAMESPACE:-external-secrets}"
|
||||
|
||||
if ! command -v bao >/dev/null 2>&1; then
|
||||
echo "ERROR: bao CLI not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -f "$POLICY_FILE" ]]; then
|
||||
echo "ERROR: policy file missing: $POLICY_FILE" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "OpenBao addr: $BAO_ADDR"
|
||||
echo "Policy: $POLICY_NAME"
|
||||
|
||||
if [[ -n "${BAO_TOKEN:-}" ]]; then
|
||||
:
|
||||
elif [[ -n "${OPENBAO_TOKEN_FILE:-}" && -f "${OPENBAO_TOKEN_FILE}" ]]; then
|
||||
BAO_TOKEN="$(head -n 1 "${OPENBAO_TOKEN_FILE}")"
|
||||
else
|
||||
read -r -s -p "OpenBao operator token (coulombcore / bao.coulomb.social): " BAO_TOKEN
|
||||
echo >&2
|
||||
fi
|
||||
|
||||
if [[ -z "${BAO_TOKEN:-}" ]]; then
|
||||
echo "ERROR: empty OpenBao token" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
export BAO_ADDR BAO_TOKEN
|
||||
|
||||
health="$(curl -fsS "$BAO_ADDR/v1/sys/health")"
|
||||
if echo "$health" | grep -q '"sealed":true'; then
|
||||
echo "ERROR: OpenBao at $BAO_ADDR reports sealed" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
bao policy write "$POLICY_NAME" "$POLICY_FILE"
|
||||
token_json="$(bao token create -policy="$POLICY_NAME" -display-name="eso-reuse-surface-runtime" -period=720h -format=json)"
|
||||
token="$(python3 -c "import json,sys; print(json.load(sys.stdin)['auth']['client_token'])" <<<"$token_json")"
|
||||
|
||||
KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl create namespace "$SECRET_NS" --dry-run=client -o yaml | KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl apply -f -
|
||||
KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl create secret generic "$SECRET_NAME" \
|
||||
--namespace "$SECRET_NS" \
|
||||
--from-literal=token="$token" \
|
||||
--dry-run=client -o yaml | KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl apply -f -
|
||||
|
||||
unset BAO_TOKEN token token_json
|
||||
echo "ok: applied $SECRET_NS/$SECRET_NAME on railiance01 (token not printed)"
|
||||
Loading…
Add table
Add a link
Reference in a new issue