diff --git a/Makefile b/Makefile index dc779f7..5c4f4d1 100644 --- a/Makefile +++ b/Makefile @@ -184,6 +184,9 @@ eso-deploy: check-railiance01-kubeconfig ## Install External Secrets Operator on --set serviceAccount.name=external-secrets \ --wait --timeout 5m +forgejo-openbao-eso-token-apply: ## Mint coulombcore OpenBao ESO token + Secret on railiance01 (interactive) + tools/forgejo-openbao-eso-token-apply.sh + forgejo-openbao-store-deploy: check-railiance01-kubeconfig eso-deploy ## Apply openbao-forgejo ClusterSecretStore test -d "$(PLATFORM_REPO)/argocd/platform-addons/openbao-secretstore" KUBECONFIG="$(FORGEJO_KUBECONFIG)" kubectl apply -f "$(PLATFORM_REPO)/argocd/platform-addons/openbao-secretstore/openbao-forgejo.clustersecretstore.yaml" @@ -296,4 +299,4 @@ help: ## Show this help /^[a-zA-Z0-9_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \ /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST) -.PHONY: check-tools check-sops k8s-server-dry-run apps-pg-status check-railiance01-kubeconfig check-inter-hub-image-tag check-inter-hub-image vergabe-dry-run vergabe-deploy vergabe-ingress-deploy vergabe-status vergabe-migrate vergabe-seed vergabe-superuser vergabe-logs vergabe-db-url-secret eso-deploy forgejo-openbao-store-deploy forgejo-mailer-es-deploy forgejo-mailer-es-status forgejo-dry-run forgejo-server-dry-run forgejo-deploy forgejo-ingress-deploy forgejo-ssh-nodeport-deploy forgejo-status forgejo-smoke forgejo-logs forgejo-runner-registration-deploy forgejo-runner-deploy forgejo-runner-status forgejo-runner-logs inter-hub-render-baseline inter-hub-dry-run inter-hub-server-dry-run inter-hub-deploy inter-hub-status inter-hub-release-info inter-hub-smoke inter-hub-logs reuse-dry-run reuse-deploy reuse-status reuse-smoke reuse-logs help +.PHONY: check-tools check-sops k8s-server-dry-run apps-pg-status check-railiance01-kubeconfig check-inter-hub-image-tag check-inter-hub-image vergabe-dry-run vergabe-deploy vergabe-ingress-deploy vergabe-status vergabe-migrate vergabe-seed vergabe-superuser vergabe-logs vergabe-db-url-secret eso-deploy forgejo-openbao-eso-token-apply forgejo-openbao-store-deploy forgejo-mailer-es-deploy forgejo-mailer-es-status forgejo-dry-run forgejo-server-dry-run forgejo-deploy forgejo-ingress-deploy forgejo-ssh-nodeport-deploy forgejo-status forgejo-smoke forgejo-logs forgejo-runner-registration-deploy forgejo-runner-deploy forgejo-runner-status forgejo-runner-logs inter-hub-render-baseline inter-hub-dry-run inter-hub-server-dry-run inter-hub-deploy inter-hub-status inter-hub-release-info inter-hub-smoke inter-hub-logs reuse-dry-run reuse-deploy reuse-status reuse-smoke reuse-logs help diff --git a/docs/forgejo-on-railiance01.md b/docs/forgejo-on-railiance01.md index ef8c967..16d942c 100644 --- a/docs/forgejo-on-railiance01.md +++ b/docs/forgejo-on-railiance01.md @@ -113,13 +113,16 @@ Mailbox password is stored in **OpenBao** and delivered by External Secrets: | ExternalSecret | `manifests/forgejo-mailer-externalsecret.yaml` | | Helm consumption | `gitea.additionalConfigFromEnvs` → `GITEA__mailer__PASSWD` | +**OpenBao note:** `https://bao.coulomb.social` is coulombcore (live, unsealed). +The in-cluster `openbao.openbao.svc` pod on railiance01 is a separate instance +that is **not initialized** yet — ESO uses the coulombcore endpoint interim +until Wave 7 migrates OpenBao custody to railiance01. + Bootstrap (railiance01): ```bash -cd ~/railiance-platform -KUBECONFIG=~/.kube/config-hosteurope make openbao-configure-external-secrets-forgejo - cd ~/railiance-apps +KUBECONFIG=~/.kube/config-hosteurope make forgejo-openbao-eso-token-apply KUBECONFIG=~/.kube/config-hosteurope make forgejo-mailer-es-deploy KUBECONFIG=~/.kube/config-hosteurope make forgejo-mailer-es-status # expect SecretSynced KUBECONFIG=~/.kube/config-hosteurope make forgejo-deploy diff --git a/tools/forgejo-openbao-eso-token-apply.sh b/tools/forgejo-openbao-eso-token-apply.sh new file mode 100755 index 0000000..d6b2f16 --- /dev/null +++ b/tools/forgejo-openbao-eso-token-apply.sh @@ -0,0 +1,46 @@ +#!/usr/bin/env bash +# Create/read-limited OpenBao token on coulombcore (bao.coulomb.social) and store it +# on railiance01 for External Secrets (ClusterSecretStore openbao-forgejo). +set -euo pipefail + +POLICY_NAME="${OPENBAO_FORGEJO_POLICY:-workload-kv-read-forgejo-mailer}" +POLICY_FILE="${OPENBAO_FORGEJO_POLICY_FILE:-$HOME/railiance-platform/openbao/policies/workload-kv-read-forgejo-mailer.hcl}" +BAO_ADDR="${BAO_ADDR:-https://bao.coulomb.social}" +RAILIANCE01_KUBECONFIG="${RAILIANCE01_KUBECONFIG:-$HOME/.kube/config-hosteurope}" +SECRET_NAME="${OPENBAO_FORGEJO_ESO_SECRET:-openbao-forgejo-eso-token}" +SECRET_NS="${OPENBAO_FORGEJO_ESO_NAMESPACE:-external-secrets}" + +if ! command -v bao >/dev/null 2>&1; then + echo "ERROR: bao CLI not found" >&2 + exit 1 +fi + +if [[ ! -f "$POLICY_FILE" ]]; then + echo "ERROR: policy file missing: $POLICY_FILE" >&2 + exit 1 +fi + +echo "OpenBao addr: $BAO_ADDR" +echo "Policy: $POLICY_NAME" +read -r -s -p "OpenBao operator token (coulombcore / bao.coulomb.social): " BAO_TOKEN +echo >&2 +export BAO_ADDR BAO_TOKEN + +health="$(curl -fsS "$BAO_ADDR/v1/sys/health")" +if echo "$health" | grep -q '"sealed":true'; then + echo "ERROR: OpenBao at $BAO_ADDR reports sealed" >&2 + exit 1 +fi + +bao policy write "$POLICY_NAME" "$POLICY_FILE" +token_json="$(bao token create -policy="$POLICY_NAME" -display-name="eso-forgejo-mailer" -period=720h -format=json)" +token="$(python3 -c "import json,sys; print(json.load(sys.stdin)['auth']['client_token'])" <<<"$token_json")" + +KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl create namespace "$SECRET_NS" --dry-run=client -o yaml | KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl apply -f - +KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl create secret generic "$SECRET_NAME" \ + --namespace "$SECRET_NS" \ + --from-literal=token="$token" \ + --dry-run=client -o yaml | KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl apply -f - + +unset BAO_TOKEN token token_json +echo "ok: applied $SECRET_NS/$SECRET_NAME on railiance01 (token not printed)" \ No newline at end of file