Add interim coulombcore OpenBao token bootstrap for Forgejo mailer ESO
Document two OpenBao instances and add forgejo-openbao-eso-token-apply for ClusterSecretStore openbao-forgejo on bao.coulomb.social.
This commit is contained in:
parent
d5bb4f66f2
commit
844a3503bb
3 changed files with 56 additions and 4 deletions
5
Makefile
5
Makefile
|
|
@ -184,6 +184,9 @@ eso-deploy: check-railiance01-kubeconfig ## Install External Secrets Operator on
|
||||||
--set serviceAccount.name=external-secrets \
|
--set serviceAccount.name=external-secrets \
|
||||||
--wait --timeout 5m
|
--wait --timeout 5m
|
||||||
|
|
||||||
|
forgejo-openbao-eso-token-apply: ## Mint coulombcore OpenBao ESO token + Secret on railiance01 (interactive)
|
||||||
|
tools/forgejo-openbao-eso-token-apply.sh
|
||||||
|
|
||||||
forgejo-openbao-store-deploy: check-railiance01-kubeconfig eso-deploy ## Apply openbao-forgejo ClusterSecretStore
|
forgejo-openbao-store-deploy: check-railiance01-kubeconfig eso-deploy ## Apply openbao-forgejo ClusterSecretStore
|
||||||
test -d "$(PLATFORM_REPO)/argocd/platform-addons/openbao-secretstore"
|
test -d "$(PLATFORM_REPO)/argocd/platform-addons/openbao-secretstore"
|
||||||
KUBECONFIG="$(FORGEJO_KUBECONFIG)" kubectl apply -f "$(PLATFORM_REPO)/argocd/platform-addons/openbao-secretstore/openbao-forgejo.clustersecretstore.yaml"
|
KUBECONFIG="$(FORGEJO_KUBECONFIG)" kubectl apply -f "$(PLATFORM_REPO)/argocd/platform-addons/openbao-secretstore/openbao-forgejo.clustersecretstore.yaml"
|
||||||
|
|
@ -296,4 +299,4 @@ help: ## Show this help
|
||||||
/^[a-zA-Z0-9_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \
|
/^[a-zA-Z0-9_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \
|
||||||
/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
|
/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
|
||||||
|
|
||||||
.PHONY: check-tools check-sops k8s-server-dry-run apps-pg-status check-railiance01-kubeconfig check-inter-hub-image-tag check-inter-hub-image vergabe-dry-run vergabe-deploy vergabe-ingress-deploy vergabe-status vergabe-migrate vergabe-seed vergabe-superuser vergabe-logs vergabe-db-url-secret eso-deploy forgejo-openbao-store-deploy forgejo-mailer-es-deploy forgejo-mailer-es-status forgejo-dry-run forgejo-server-dry-run forgejo-deploy forgejo-ingress-deploy forgejo-ssh-nodeport-deploy forgejo-status forgejo-smoke forgejo-logs forgejo-runner-registration-deploy forgejo-runner-deploy forgejo-runner-status forgejo-runner-logs inter-hub-render-baseline inter-hub-dry-run inter-hub-server-dry-run inter-hub-deploy inter-hub-status inter-hub-release-info inter-hub-smoke inter-hub-logs reuse-dry-run reuse-deploy reuse-status reuse-smoke reuse-logs help
|
.PHONY: check-tools check-sops k8s-server-dry-run apps-pg-status check-railiance01-kubeconfig check-inter-hub-image-tag check-inter-hub-image vergabe-dry-run vergabe-deploy vergabe-ingress-deploy vergabe-status vergabe-migrate vergabe-seed vergabe-superuser vergabe-logs vergabe-db-url-secret eso-deploy forgejo-openbao-eso-token-apply forgejo-openbao-store-deploy forgejo-mailer-es-deploy forgejo-mailer-es-status forgejo-dry-run forgejo-server-dry-run forgejo-deploy forgejo-ingress-deploy forgejo-ssh-nodeport-deploy forgejo-status forgejo-smoke forgejo-logs forgejo-runner-registration-deploy forgejo-runner-deploy forgejo-runner-status forgejo-runner-logs inter-hub-render-baseline inter-hub-dry-run inter-hub-server-dry-run inter-hub-deploy inter-hub-status inter-hub-release-info inter-hub-smoke inter-hub-logs reuse-dry-run reuse-deploy reuse-status reuse-smoke reuse-logs help
|
||||||
|
|
|
||||||
|
|
@ -113,13 +113,16 @@ Mailbox password is stored in **OpenBao** and delivered by External Secrets:
|
||||||
| ExternalSecret | `manifests/forgejo-mailer-externalsecret.yaml` |
|
| ExternalSecret | `manifests/forgejo-mailer-externalsecret.yaml` |
|
||||||
| Helm consumption | `gitea.additionalConfigFromEnvs` → `GITEA__mailer__PASSWD` |
|
| Helm consumption | `gitea.additionalConfigFromEnvs` → `GITEA__mailer__PASSWD` |
|
||||||
|
|
||||||
|
**OpenBao note:** `https://bao.coulomb.social` is coulombcore (live, unsealed).
|
||||||
|
The in-cluster `openbao.openbao.svc` pod on railiance01 is a separate instance
|
||||||
|
that is **not initialized** yet — ESO uses the coulombcore endpoint interim
|
||||||
|
until Wave 7 migrates OpenBao custody to railiance01.
|
||||||
|
|
||||||
Bootstrap (railiance01):
|
Bootstrap (railiance01):
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/railiance-platform
|
|
||||||
KUBECONFIG=~/.kube/config-hosteurope make openbao-configure-external-secrets-forgejo
|
|
||||||
|
|
||||||
cd ~/railiance-apps
|
cd ~/railiance-apps
|
||||||
|
KUBECONFIG=~/.kube/config-hosteurope make forgejo-openbao-eso-token-apply
|
||||||
KUBECONFIG=~/.kube/config-hosteurope make forgejo-mailer-es-deploy
|
KUBECONFIG=~/.kube/config-hosteurope make forgejo-mailer-es-deploy
|
||||||
KUBECONFIG=~/.kube/config-hosteurope make forgejo-mailer-es-status # expect SecretSynced
|
KUBECONFIG=~/.kube/config-hosteurope make forgejo-mailer-es-status # expect SecretSynced
|
||||||
KUBECONFIG=~/.kube/config-hosteurope make forgejo-deploy
|
KUBECONFIG=~/.kube/config-hosteurope make forgejo-deploy
|
||||||
|
|
|
||||||
46
tools/forgejo-openbao-eso-token-apply.sh
Executable file
46
tools/forgejo-openbao-eso-token-apply.sh
Executable file
|
|
@ -0,0 +1,46 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
# Create/read-limited OpenBao token on coulombcore (bao.coulomb.social) and store it
|
||||||
|
# on railiance01 for External Secrets (ClusterSecretStore openbao-forgejo).
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
POLICY_NAME="${OPENBAO_FORGEJO_POLICY:-workload-kv-read-forgejo-mailer}"
|
||||||
|
POLICY_FILE="${OPENBAO_FORGEJO_POLICY_FILE:-$HOME/railiance-platform/openbao/policies/workload-kv-read-forgejo-mailer.hcl}"
|
||||||
|
BAO_ADDR="${BAO_ADDR:-https://bao.coulomb.social}"
|
||||||
|
RAILIANCE01_KUBECONFIG="${RAILIANCE01_KUBECONFIG:-$HOME/.kube/config-hosteurope}"
|
||||||
|
SECRET_NAME="${OPENBAO_FORGEJO_ESO_SECRET:-openbao-forgejo-eso-token}"
|
||||||
|
SECRET_NS="${OPENBAO_FORGEJO_ESO_NAMESPACE:-external-secrets}"
|
||||||
|
|
||||||
|
if ! command -v bao >/dev/null 2>&1; then
|
||||||
|
echo "ERROR: bao CLI not found" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ ! -f "$POLICY_FILE" ]]; then
|
||||||
|
echo "ERROR: policy file missing: $POLICY_FILE" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "OpenBao addr: $BAO_ADDR"
|
||||||
|
echo "Policy: $POLICY_NAME"
|
||||||
|
read -r -s -p "OpenBao operator token (coulombcore / bao.coulomb.social): " BAO_TOKEN
|
||||||
|
echo >&2
|
||||||
|
export BAO_ADDR BAO_TOKEN
|
||||||
|
|
||||||
|
health="$(curl -fsS "$BAO_ADDR/v1/sys/health")"
|
||||||
|
if echo "$health" | grep -q '"sealed":true'; then
|
||||||
|
echo "ERROR: OpenBao at $BAO_ADDR reports sealed" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
bao policy write "$POLICY_NAME" "$POLICY_FILE"
|
||||||
|
token_json="$(bao token create -policy="$POLICY_NAME" -display-name="eso-forgejo-mailer" -period=720h -format=json)"
|
||||||
|
token="$(python3 -c "import json,sys; print(json.load(sys.stdin)['auth']['client_token'])" <<<"$token_json")"
|
||||||
|
|
||||||
|
KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl create namespace "$SECRET_NS" --dry-run=client -o yaml | KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl apply -f -
|
||||||
|
KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl create secret generic "$SECRET_NAME" \
|
||||||
|
--namespace "$SECRET_NS" \
|
||||||
|
--from-literal=token="$token" \
|
||||||
|
--dry-run=client -o yaml | KUBECONFIG="$RAILIANCE01_KUBECONFIG" kubectl apply -f -
|
||||||
|
|
||||||
|
unset BAO_TOKEN token token_json
|
||||||
|
echo "ok: applied $SECRET_NS/$SECRET_NAME on railiance01 (token not printed)"
|
||||||
Loading…
Add table
Add a link
Reference in a new issue