add generating all bridge tokens by default for matrix; add openbao a…

…s demo app and default app installed during operator phase (#286) * add generating all bridge app service and home server tokens by default for matrix * openbao is a now a demo app; make notes about github being optional for hookshot via matrix if bridges are enabled * add openbao to audio generation * add openbao as a default operator that is installed * add openbao docs and more matrix secret creation for github hookshot bridge
small-hack · Jul 15, 2024 · 38eb6b0 · 38eb6b0
1 parent f170408
commit 38eb6b0
Show file tree

Hide file tree

Showing 9 changed files with 226 additions and 11 deletions.
diff --git a/docs/k8s_apps/experimental/openbao.md b/docs/k8s_apps/experimental/openbao.md
@@ -0,0 +1,43 @@
+[Openbao](https://openbao.org/) is a self-hosted FOSS alternative to Hashicorp's Vault. We're still experimenting with it, but we're really hopeful!
+
+## Example config
+
+Here's an example config:
+
+```yaml
+apps:
+  openbao:
+    description: |
+      ⚠️ [magenta]ALPHA STATUS[/magenta]
+
+      [Openbao](https://openbao.org/) is FOSS Linux Foundation maintained alternative to HashiCorp Vault.
+    enabled: false
+    # Initialization of the app through smol-k8s-lab using bitwarden and/or k8s secrets
+    init:
+      enabled: true
+    argo:
+      # secrets keys to make available to Argo CD ApplicationSets
+      secret_keys:
+        # name of the cluster that vault is associated with, can be any unique name
+        cluster_name: my-cool-cluster
+      repo: https://github.com/small-hack/argocd-apps
+      # path in the argo repo to point to. Trailing slash very important!
+      path: demo/openbao/
+      # either the branch or tag to point at in the argo repo above
+      revision: main
+      # kubernetes cluster to install the k8s app into, defaults to Argo CD default
+      cluster: https://kubernetes.default.svc
+      # namespace to install the k8s app in
+      namespace: openbao
+      # recurse directories in the provided git repo
+      directory_recursion: false
+      # source repos for Argo CD App Project (in addition to argo.repo)
+      project:
+        name: vault
+        source_repos:
+          - https://openbao.github.io/openbao-helm
+          - https://github.com/openbao/openbao-helm
+        destination:
+          # automatically includes the app's namespace and argocd's namespace
+          namespaces: []
+```
diff --git a/mkdocs.yaml b/mkdocs.yaml
@@ -89,6 +89,7 @@ nav:
       - Kyverno: k8s_apps/experimental/kyverno.md
       - Kubevirt: k8s_apps/experimental/kubevirt.md
       - Longhorn: k8s_apps/experimental/longhorn.md
+      - Openbao: k8s_apps/experimental/openbao.md
       - MinIO: k8s_apps/experimental/minio.md
       - Zalando Postgress Operator: k8s_apps/experimental/postgres_operator.md
     - Generic App: k8s_apps/generic_app.md

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name          = "smol_k8s_lab"
-version       = "5.11.0"
+version       = "5.12.0"
 description   = "CLI and TUI to quickly install slimmer Kubernetes distros and then manage apps declaratively using Argo CD"
 authors       = ["Jesse Hitch <jessebot@linux.com>",
                  "Max Roby <emax@cloudydev.net>"]

diff --git a/smol_k8s_lab/__init__.py b/smol_k8s_lab/__init__.py
@@ -265,6 +265,7 @@ def main(config: str = "",
                         apps.pop('seaweedfs', {'enabled': False}),
                         apps.pop('cnpg_operator', {'enabled': False}),
                         apps.pop('postgres_operator', {'enabled': False}),
+                        apps.pop('openbao', {'enabled': False}),
                         bw)
 
         # global pvc storage class

diff --git a/smol_k8s_lab/config/audio/en.yml b/smol_k8s_lab/config/audio/en.yml
@@ -114,6 +114,7 @@ apps:
   minio_tenant: "min I.O. tenant"
   netmaker: "net maker"
   nextcloud: "next cloud"
+  openbao: "open bao"
   postgres_operator: "post gres operator"
   prometheus_crds: "prometheus C.Are.D.s"
   prometheus: "prometheus"

diff --git a/smol_k8s_lab/config/default_config.yaml b/smol_k8s_lab/config/default_config.yaml
@@ -918,17 +918,33 @@ apps:
           # synapse config snapshot id. if not given, we use the latest
           synapse_config: ""
       values:
+        # all github values are optional and only used when argo.path is set to
+        # matrix/app_of_apps_with_bridges/
+        github_app_id:
+          value_from:
+            env: MATRIX_GITHUB_WEBHOOK_SECRET
+        github_webhook_secret:
+          value_from:
+            env: MATRIX_GITHUB_WEBHOOK_SECRET
+        github_client_id:
+          value_from:
+            env: MATRIX_GITHUB_CLIENT_ID
+        github_client_secret:
+          value_from:
+            env: MATRIX_GITHUB_CLIENT_SECRET
+        github_private_key:
+          value_from:
+            env: MATRIX_GITHUB_PRIVATE_KEY
         smtp_user: "change me to enable mail"
         smtp_host: "change@me-to-enable.mail"
         smtp_password:
           value_from:
             env: MATRIX_SMTP_PASSWORD
-        # expects a list like this:
-        #
+        # expects a list like this
+        trusted_key_servers: []
         # - server_name: "matrix.dog.friend"
         #   verify_keys:
         #     "ed25519:a_abcd": "somekeyherethatisnotactuallythis"
-        trusted_key_servers: []
     backups:
       # cronjob syntax schedule to run matrix pvc backups
       pvc_schedule: 10 0 * * *
@@ -999,6 +1015,7 @@ apps:
       # git repo to install the Argo CD app from
       repo: https://github.com/small-hack/argocd-apps
       # path in the argo repo to point to. Trailing slash very important!
+      # for using bridges, change to matrix/app_of_apps_with_bridges/
       path: matrix/app_of_apps/
       # either the branch or tag to point at in the argo repo above
       revision: main
@@ -1296,6 +1313,41 @@ apps:
           # automatically includes the app's namespace and argocd's namespace
           namespaces: []
 
+  openbao:
+    description: |
+      ⚠️ [magenta]ALPHA STATUS[/magenta]
+
+      [Openbao](https://openbao.org/) is FOSS Linux Foundation maintained alternative to HashiCorp Vault.
+    enabled: false
+    # Initialization of the app through smol-k8s-lab using bitwarden and/or k8s secrets
+    init:
+      enabled: true
+    argo:
+      # secrets keys to make available to Argo CD ApplicationSets
+      secret_keys:
+        # name of the cluster that vault is associated with, can be any unique name
+        cluster_name: my-cool-cluster
+      repo: https://github.com/small-hack/argocd-apps
+      # path in the argo repo to point to. Trailing slash very important!
+      path: demo/openbao/
+      # either the branch or tag to point at in the argo repo above
+      revision: main
+      # kubernetes cluster to install the k8s app into, defaults to Argo CD default
+      cluster: https://kubernetes.default.svc
+      # namespace to install the k8s app in
+      namespace: openbao
+      # recurse directories in the provided git repo
+      directory_recursion: false
+      # source repos for Argo CD App Project (in addition to argo.repo)
+      project:
+        name: vault
+        source_repos:
+          - https://openbao.github.io/openbao-helm
+          - https://github.com/openbao/openbao-helm
+        destination:
+          # automatically includes the app's namespace and argocd's namespace
+          namespaces: []
+
   postgres_operator:
     description: |
       ⚠️ [magenta][i]demo[/i] status[/magenta]

diff --git a/smol_k8s_lab/k8s_apps/operators/__init__.py b/smol_k8s_lab/k8s_apps/operators/__init__.py
@@ -3,6 +3,7 @@
 from smol_k8s_lab.utils.rich_cli.console_logging import header
 from .postgres_operators import configure_postgres_operator
 from .seaweedfs import configure_seaweedfs
+from .openbao import configure_openbao
 
 
 def setup_operators(argocd: ArgoCD,
@@ -13,6 +14,7 @@ def setup_operators(argocd: ArgoCD,
                     seaweed_config: dict = {},
                     cnpg_config: dict = {},
                     pg_config: dict = {},
+                    openbao_config: dict = {},
                     bitwarden: BwCLI = None) -> None:
     """
     deploy all k8s operators that can block other apps:
@@ -23,6 +25,7 @@ def setup_operators(argocd: ArgoCD,
         - seaweedfs
         - cnpg (cloud native postgres) operator
         - zalando postgres operator
+        - openbao
     """
     header("Setting up Operators", "⚙️ ")
 
@@ -34,6 +37,10 @@ def setup_operators(argocd: ArgoCD,
     if longhorn_config and longhorn_config.get('enabled', False):
         argocd.install_app('longhorn', longhorn_config['argo'])
 
+    # openbao is a secret backend
+    if openbao_config and openbao_config.get('enabled', False):
+        configure_openbao(argocd, openbao_config, bitwarden)
+
     # k8up operator is a postgres operator for creating postgresql clusters
     if k8up_config and k8up_config.get('enabled', False):
         argocd.install_app('k8up', k8up_config['argo'])

diff --git a/smol_k8s_lab/k8s_apps/operators/openbao.py b/smol_k8s_lab/k8s_apps/operators/openbao.py
@@ -0,0 +1,12 @@
+# internal libraries
+from smol_k8s_lab.bitwarden.bw_cli import BwCLI
+from smol_k8s_lab.k8s_tools.argocd_util import ArgoCD
+
+def configure_openbao(argocd: ArgoCD, config: dict, bw: BwCLI = None) -> None:
+    """
+    setup the openbao as an Argo CD Application
+    """
+    if not argocd.check_if_app_exists('openbao'):
+        argocd.install_app('openbao', config['argo'])
+    else:
+        argocd.sync_app('openbao')
diff --git a/smol_k8s_lab/k8s_apps/social/matrix.py b/smol_k8s_lab/k8s_apps/social/matrix.py
@@ -116,6 +116,19 @@ def configure_matrix(argocd: ArgoCD,
 
         # if the user has bitwarden enabled
         if bitwarden and not restore_enabled:
+            if "bridges" in cfg['argo']['path'] and init_enabled:
+                github_app_id = extract_secret(init_values.get("github_app_id"))
+                github_webhook_secret = extract_secret(init_values.get("github_webhook_secret"))
+                github_client_id = extract_secret(init_values.get("github_client_id"))
+                github_client_secret = extract_secret(init_values.get("github_client_secret"))
+                github_private_key = extract_secret(init_values.get("github_private_key"))
+            else:
+                github_app_id = "not applicable"
+                github_webhook_secret = "not applicable"
+                github_client_id = "not applicable"
+                github_client_secret = "not applicable"
+                github_private_key = "not applicable"
+
             setup_bitwarden_items(argocd,
                                   matrix_hostname,
                                   matrix_namespace,
@@ -137,6 +150,11 @@ def configure_matrix(argocd: ArgoCD,
                                   mas_client_secret,
                                   mas_admin_token,
                                   syncv3_secret,
+                                  github_app_id,
+                                  github_webhook_secret,
+                                  github_client_id,
+                                  github_client_secret,
+                                  github_private_key,
                                   bitwarden)
 
         # else create these as Kubernetes secrets
@@ -249,14 +267,42 @@ def refresh_bweso(argocd: ArgoCD, matrix_hostname: str, bitwarden: BwCLI):
             f"matrix-smtp-credentials-{matrix_hostname}", False
             )[0]['id']
 
+    ## BEGIN BRIDGES
+
     try:
         hookshot_id = bitwarden.get_item(
-                f"matrix-hookshot-bridge-pem-{matrix_hostname}", False
+                f"matrix-hookshot-bridge-{matrix_hostname}", False
                 )[0]['id']
     except TypeError:
-        log.info("No matrix hookshot bridge passkey.pem id found")
+        log.info("No matrix hookshot bridge id found")
         hookshot_id = "Not Applicable"
 
+    try:
+        hookshot_github_id = bitwarden.get_item(
+                f"matrix-hookshot-bridge-github-{matrix_hostname}", False
+                )[0]['id']
+    except TypeError:
+        log.info("No matrix hookshot github bridge id found")
+        hookshot_github_id = "Not Applicable"
+
+    try:
+        alertmanager_id = bitwarden.get_item(
+                f"matrix-alertmanager-bridge-{matrix_hostname}", False
+                )[0]['id']
+    except TypeError:
+        log.info("No matrix alertmanager bridge id found")
+        alertmanager_id = "Not Applicable"
+
+    try:
+        discord_id = bitwarden.get_item(
+                f"matrix-discord-bridge-{matrix_hostname}", False
+                )[0]['id']
+    except TypeError:
+        log.info("No matrix discord bridge id found")
+        discord_id = "Not Applicable"
+
+    ## END BRIDGES
+
     s3_admin_id = bitwarden.get_item(
             f"matrix-admin-s3-credentials-{matrix_hostname}", False
             )[0]['id']
@@ -334,7 +380,10 @@ def refresh_bweso(argocd: ArgoCD, matrix_hostname: str, bitwarden: BwCLI):
              'matrix_authentication_service_bitwarden_id': mas_id,
              'matrix_sliding_sync_postgres_credentials_bitwarden_id': sync_db_id,
              'matrix_oidc_credentials_bitwarden_id': oidc_id['id'],
-             'matrix_hookshot_pem_bitwarden_id': hookshot_id,
+             'matrix_discord_bitwarden_id': discord_id,
+             'matrix_alertmanager_bitwarden_id': alertmanager_id,
+             'matrix_hookshot_bitwarden_id': hookshot_id,
+             'matrix_hookshot_github_bitwarden_id': hookshot_github_id,
              'matrix_idp_name': idp_name,
              'matrix_idp_id': idp_id})
 
@@ -360,6 +409,11 @@ def setup_bitwarden_items(argocd: ArgoCD,
                           mas_client_secret: str,
                           mas_admin_token: str,
                           syncv3_secret: str,
+                          github_app_id: str,
+                          github_webhook_secret: str,
+                          github_client_id: str,
+                          github_client_secret: str,
+                          github_private_key: str,
                           bitwarden: BwCLI):
     """
     setup all the required secrets as items in bitwarden
@@ -480,13 +534,54 @@ def setup_bitwarden_items(argocd: ArgoCD,
             password=matrix_registration_key
             )
 
-    # passkey.pem
+    # hookshot bot passkey.pem and as_token + hs_token
     hookshot_passkey_pem = bitwarden.generate()
+    hookshot_as_token = bitwarden.generate()
+    hookshot_as_token_obj = create_custom_field("as_token", hookshot_as_token)
+    hookshot_hs_token = bitwarden.generate()
+    hookshot_hs_token_obj = create_custom_field("hs_token", hookshot_hs_token)
     hookshot_id = bitwarden.create_login(
-            name='matrix-hookshot-bridge-pem',
+            name='matrix-hookshot-bridge',
+            item_url=matrix_hostname,
+            user="none",
+            note=hookshot_passkey_pem,
+            fields=[hookshot_as_token_obj, hookshot_hs_token_obj]
+            )
+
+    # hookshot bot github credentials
+    github_client_id_obj = create_custom_field("oauth_client_id", github_client_id)
+    github_client_secret_obj = create_custom_field("oauth_client_secret", github_client_secret)
+    hookshot_github_id = bitwarden.create_login(
+            name='matrix-hookshot-bridge',
+            item_url=matrix_hostname,
+            user=github_app_id,
+            password=github_webhook_secret,
+            note=github_private_key,
+            fields=[github_client_id_obj, github_client_secret_obj]
+            )
+
+    # alert manager bot as_token + hs_token
+    alertmanager_as_token = bitwarden.generate()
+    alertmanager_as_token_obj = create_custom_field("as_token", alertmanager_as_token)
+    alertmanager_hs_token = bitwarden.generate()
+    alertmanager_hs_token_obj = create_custom_field("hs_token", alertmanager_hs_token)
+    alertmanager_id = bitwarden.create_login(
+            name='matrix-alertmanager-bridge',
+            item_url=matrix_hostname,
+            user="none",
+            fields=[alertmanager_as_token_obj, alertmanager_hs_token_obj]
+            )
+
+    # discord bot as_token + hs_token
+    discord_as_token = bitwarden.generate()
+    discord_as_token_obj = create_custom_field("as_token", discord_as_token)
+    discord_hs_token = bitwarden.generate()
+    discord_hs_token_obj = create_custom_field("hs_token", discord_hs_token)
+    discord_id = bitwarden.create_login(
+            name='matrix-discord-bridge',
             item_url=matrix_hostname,
             user="none",
-            password=hookshot_passkey_pem
+            fields=[discord_as_token_obj, discord_hs_token_obj]
             )
 
     # matrix sliding sync
@@ -554,7 +649,10 @@ def setup_bitwarden_items(argocd: ArgoCD,
              'matrix_sliding_sync_postgres_credentials_bitwarden_id': sync_db_id,
              'matrix_oidc_credentials_bitwarden_id': oidc_id,
              'matrix_authentication_service_bitwarden_id': mas_id,
-             'matrix_hookshot_pem_bitwarden_id': hookshot_id,
+             'matrix_alertmanager_bitwarden_id': alertmanager_id,
+             'matrix_hookshot_bitwarden_id': hookshot_id,
+             'matrix_hookshot_github_bitwarden_id': hookshot_github_id,
+             'matrix_discord_bitwarden_id': discord_id,
              'matrix_idp_name': idp_name,
              'matrix_idp_id': idp_id}
             )