feat: vault agent injector for nextauth_secret

SocialGouv · Dec 19, 2023 · cbe3dcf · cbe3dcf
1 parent 65f1aff
commit cbe3dcf
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/.kontinuous/env/preprod/templates/app.sealed.secret.yaml b/.kontinuous/env/preprod/templates/app.sealed.secret.yaml
@@ -6,7 +6,7 @@ metadata:
  name: app
 spec:
  encryptedData:
- NEXTAUTH_SECRET: AgBdDOpKTwHKWU2g0+hGyGZpP0LC6f3sEtw1ejLkk72Rhip/Soia+/4gKzXHb938u0YE1FQsz8tntM2/mmCv6+hmtgvsE+aaNWEBqTMkOby/bbChrxhw50es06cWBK7ts0m6NGNvyNfdEWHWWrOTDmO7m/4f0oS9KAaXjeFdNlOEU8kq7Fe5W5/hdNpH7u8MF7MwWwGrQyO9QHHNp3Ojyc5i/PIEBjE4VgxnLlX/B3i+sPjymIQhI8bsd9HXwvqM3V8TK/AI5JceYodz7UkBlPipgS4Bg2ldmK8xgXkYuRrehh+sTo8faiuMwVAYmdFYJYRwhMMg04IZ4yGsHu0NxmFuVAUvQL+5ksoDoJTGjWxrwR4+LT7NiGPRma65ARpFD0iDj/n+pKODkXA/ol+2p9I4gEHzWVwECIEjKMXVuOGAfHVjklZWj6+qYY74w9yF/P+QsWsK68p2igjFb1RfXszeujAQyF25vhNB5MXCFkeuLaEyU1yNFULc6vyc0HJO1Y/8zNWXmqqDSUMlc/mGrO/TojkMKwDrfbMhIhegW0JcgcHJSpPnXpReYKp77PH8ElavbqmjVN1SXXlA1kCHX9QzERHvoIMzJFXCryOSXIVq3LkYiNeKCNJKEHpIB9exuOdwqJXBb/lnPponkZOh4JpyGgjARc6HoQsGr0mzpYkIIRYny/tSvW6vrIT1Yak+VWcNTlw+1+nu7av1dax7HDVkZ3AnepD6zsHSEnoNp0zy7ZkZPJZtN7E8vEEf8Q==
+# NEXTAUTH_SECRET: AgBdDOpKTwHKWU2g0+hGyGZpP0LC6f3sEtw1ejLkk72Rhip/Soia+/4gKzXHb938u0YE1FQsz8tntM2/mmCv6+hmtgvsE+aaNWEBqTMkOby/bbChrxhw50es06cWBK7ts0m6NGNvyNfdEWHWWrOTDmO7m/4f0oS9KAaXjeFdNlOEU8kq7Fe5W5/hdNpH7u8MF7MwWwGrQyO9QHHNp3Ojyc5i/PIEBjE4VgxnLlX/B3i+sPjymIQhI8bsd9HXwvqM3V8TK/AI5JceYodz7UkBlPipgS4Bg2ldmK8xgXkYuRrehh+sTo8faiuMwVAYmdFYJYRwhMMg04IZ4yGsHu0NxmFuVAUvQL+5ksoDoJTGjWxrwR4+LT7NiGPRma65ARpFD0iDj/n+pKODkXA/ol+2p9I4gEHzWVwECIEjKMXVuOGAfHVjklZWj6+qYY74w9yF/P+QsWsK68p2igjFb1RfXszeujAQyF25vhNB5MXCFkeuLaEyU1yNFULc6vyc0HJO1Y/8zNWXmqqDSUMlc/mGrO/TojkMKwDrfbMhIhegW0JcgcHJSpPnXpReYKp77PH8ElavbqmjVN1SXXlA1kCHX9QzERHvoIMzJFXCryOSXIVq3LkYiNeKCNJKEHpIB9exuOdwqJXBb/lnPponkZOh4JpyGgjARc6HoQsGr0mzpYkIIRYny/tSvW6vrIT1Yak+VWcNTlw+1+nu7av1dax7HDVkZ3AnepD6zsHSEnoNp0zy7ZkZPJZtN7E8vEEf8Q==
  KEYCLOAK_CLIENT_ID: AgB8KATkspkNplsty+H4bBjm7Ce4pxmy3/s0h0KFnO69dFj5Xwy36nJ5H7g4oTE8xQBDEPWX/YyF5/rqFGTeN5Btybk3yRRQoS+j5OyMruUOdvwthN2RQlma6IMeHp65UwIFuOrYn44w4kZBYbXM9teinH3qI/IvLs+8s5D3NxbD6TYTPcUVOxfiuI21atN35qgVCrMtWBy7w1VjcA9Trjwv3nc0fOUkKWZNNmc7S5zh/UneJJC0Wlf96x1OkYNbSm1GB6H5T80ayPDB1d5nT2598Hz1BFhsxbsqfoABQYcQIOULggMkQaAGHkgGk4lCF4U83b4m3lIb7il6W7UmANMW4ZdFUsftA3o37WUq2rfasIjHLrZuNka97SkU9ZJKm4axb5bNRz+xCxwv6FaWQTfvrI/qYUAsuFpgMPRphEyxngOoHLqyrBa2fN+ahNYyniIXBp2TmUhzfjybXt56QWwNUEDeMGesk9FTw3ssCAgu3PwrJv4REYpMKzdszuGlCd9v21XtWxnABDLIme9WxapM9AXZhWm+ftJTHbSSlHwDdJPHCulh05dLrJ63C3AtsnncyeMNl0nkMHqN51yB2cus6qeE4LL5zErK/f4fmp31HuzfAveR6zzZKJ+tXPvkg//mABaFhfMMHpvPo4oqU8wOyqKFZU6mDfA5DsYWgsMiU4kpePkaXbAUUxYw8N5CY/s7ic8+wT+lGWwO
  KEYCLOAK_CLIENT_SECRET: AgAiI7KGxjFjhjSY3hYrlQ30oQ7eNE2jkaEcO3gOAQhlWMFvSu1b51rhl3htkPO5YTkAsfbC7EIZkdSTEjjF6eFUKua5Z51jbKf8wmmW3VfWky26yzzyazUJ7Sv/rAPwr4ialLUivvoYLrJECE49GasHm9mosBEuvuqpFYYmiJlSOrG9kM8RdybaZmGLiUZBUIRN1bIrC9ix7kdndaCQ8ysRVH76xQ2wpXYJU4rVn2bOJgbvR4T4q/pe6TeT/H7yUZ9ritgVPH9tFCuGK0xZ3CXFnUFwQsdsB9c0aB2jwoi2YmsK0XRasRAmu7PxsqD34xGkwtopVTvLsuKhCcN/V1x81gB/8+pW1Ox6yhQKH06GNsIruamhVxeIOXP7vt0/B93+cnZQUuFL7xt7rxnZEKq/1Ja0av/2UkxAUNYNc+kdRvLJbm8TVkWUuoWbMLUrsg3S6fItRHMG1M1t9MvdeihVlTyBThadnIfKSS3RiBKi/7Maozpa2g/ATsYX15qbDeONMgRZmo6itKGtmm6RBJpluSsGmPjBBO30oSdIV8gNEzdQuboSB86XjrDgQbGPj4Mn2aeQSEoNlxS0pjXB8/jOzp68YIh7by0LVrTA8su60oNrQCA5SVXTrO/PQJpXsC998iuohL1CvWIbxkP+GxXptwoRbrNy4lYPtxYGSCFH/rdEgPElLlHy4EMpfnVr+1NWvTWsusg6fgJXtcovXz+2aYQ42yhYVg5dS26xeX6cAg==
  template:

diff --git a/.kontinuous/patches/secrets.js b/.kontinuous/patches/secrets.js
@@ -0,0 +1,26 @@
+/*
+Patch manifests
+*/
+module.exports = (manifests) => {
+ for (const manifest of manifests) {
+ const { kind } = manifest;
+ if (kind === "Deployment" && manifest.metadata.name === "app") {
+ manifest.spec.template.annotation = {
+ ...manifest.spec.template.annotation,
+ "vault.hashicorp.com/service": "http://vault.vault-dev.svc:8200",
+ "vault.hashicorp.com/agent-inject": "true",
+ "vault.hashicorp.com/role": "webapp",
+ "vault.hashicorp.com/agent-inject-secret-nextauth": 'kv/data/dev/nextauth_secret',
+ "vault.hashicorp.com/agent-inject-secret-keycloack_client_id": 'kv/data/dev/keycloack_client_id',
+ "vault.hashicorp.com/agent-inject-secret-keycloack_client_secret": 'kv/data/dev/keycloack_client_secret',
+ "vault.hashicorp.com/agent-inject-template-dev": '| \
+ {{- with secret "kv/dev/nextauth_secret" -}} \
+ {{- range $key, $value := .Data.data }} \
+ export {{ $key }}={{ $value }} \
+ {{- end }} \
+ {{- end }}'
+ };
+ }
+ }
+ return manifests;
+};
diff --git a/.kontinuous/values.yaml b/.kontinuous/values.yaml
@@ -49,6 +49,8 @@ app:
  ingress:
  annotations:
  nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
+ args:
+ ['sh', '-c', 'source /vault/secrets/dev && node start']
 
 jobs:
  runs: