From 486d6e9a3beeaf302276b1af6241b620662b0625 Mon Sep 17 00:00:00 2001
From: fjeannot
Date: Fri, 25 Oct 2024 17:48:00 +0200
Subject: [PATCH] chore: use vault (via vso) to get app secrets
---
.../dev/templates/carnets.sealed-secret.yaml | 18 ---
.../env/dev/templates/vaultsecrets.yaml | 135 ++++++++++++++++++
.../templates/carnets.sealed-secret.yaml | 18 ---
.../env/preprod/templates/vaultsecrets.yaml | 135 ++++++++++++++++++
.../prod/templates/carnets.sealed-secret.yaml | 19 ---
.../env/prod/templates/vaultsecrets.yaml | 135 ++++++++++++++++++
6 files changed, 405 insertions(+), 55 deletions(-)
delete mode 100644 .kontinuous/env/dev/templates/carnets.sealed-secret.yaml
create mode 100644 .kontinuous/env/dev/templates/vaultsecrets.yaml
delete mode 100644 .kontinuous/env/preprod/templates/carnets.sealed-secret.yaml
create mode 100644 .kontinuous/env/preprod/templates/vaultsecrets.yaml
delete mode 100644 .kontinuous/env/prod/templates/carnets.sealed-secret.yaml
create mode 100644 .kontinuous/env/prod/templates/vaultsecrets.yaml
diff --git a/.kontinuous/env/dev/templates/carnets.sealed-secret.yaml b/.kontinuous/env/dev/templates/carnets.sealed-secret.yaml
deleted file mode 100644
index c37d4cbe..00000000
--- a/.kontinuous/env/dev/templates/carnets.sealed-secret.yaml
+++ /dev/null
@@ -1,18 +0,0 @@ -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - annotations: - sealedsecrets.bitnami.com/cluster-wide: 'true' - name: app -spec: - encryptedData: - SENTRY_AUTH_TOKEN: AgCQn7lLO2hnjtJ7hUGGygZwZ/vVr0rjuC313ulyv9/LrJne7+KG9tyjhV04bebPguIte1XDPhFNmVjiPkM3TLKEcO2PsYYIc3WPYkUlunl1fsVzC7t5Y6OpK3cGrXjmoo4J/qgqcUa/ZU6ezBvz8Fd55SJxQ0T0JmUciMkwtyti2W1373cvLARZLQ1YOl49h/dt+gj3+rZslzziIoZaoLfi6QCoJBTMeNxKz8Ss9PwxqOOK43oSInEPy7lAzCQSDxk2uTg/BooPvGXgGC6uLLX9T07Ax9ops6rSvQkaBaK7Xo61IpdeXe5FDSA3+UlQLeaRpMnxv6zTg9i9poJSPN1s4hA1g+x7r/quBC4JcNYjA/T9GL84YIXlkYKTdQtREEd2ceBcR3Lt6qpB218zgzWoORyz0//CRadQwXhSzqKlLYqbqPXKJOg21YsbNQnk6Hd4iIfKlgMqOqNkYFDRhvU/NIYthMEWlvFlMCqJueDKYwVo/Lgesy7GhabLxmJ6X2ssdgPAclJdCbEscZkBonkytegQTGKTlrGy8falAC3Lb8xv9vZMwG0Aq4VtI5mpXWxpQtrHrP9CKut6J5d9U86Mak3ShGfhtf4DxcAAdyRiox8ljmDnc+lCcGILM1zE7ZjSNFTs+uoySGyzG8iVwqYs2QIO/xyri/HKbcT9m77hikBzL4G8sR2iUPAwEJTQ5kxj8xT4ELhOPUMz8zzPS8Wxe4VRZCgJXl+M9iLJiDhXwB1/dBQqYv5EXbSugCHwNorX+v1H4au93x5HIbAqOv14 - GITHUB_ID: AgBPOC6HLF7NPga6a6xXbErjFhJkNRxKB9XvsaQA97DrnJcBDy/PKvH1ol0L+vNbsmXW+Qpkmzjr5B8iWC9yTmulcYE62mx3gDuDW8PsXJENDMMSuvkv7tkEApdWrTHIC84cHyCQ6pzwdBVL2veXK07nH6FE5XcIHCaGs04KJRCe40PqcbzcxRKdH0IapobHYq9+ShLrK2C6rFN78RsEFGvccn2YaHviJ6DC1CQyjWtUdtJ3VCIKnJjPFTG9JwcGT14+t/j9AAErtuTuQAoSW3OvaiM9VjwbvBEOytecQgPKaXJEn6nAq/hY6PnhDbIKnuJNJ3GHp1Q3CDFH3yfgGQofGFq8wTnkb+9Y1/BQJb2ke4m38EMgBaPhmvu0ksA5IMjaJXBbuAXGDmozSILcb3joZc5d89+fIge/BYlN4WeeS5/nEDaVmbeFtB3Liy20MfuloQXaD3m65i2NRnaVzYjE4mlEFaWRLLU0pWRA9nP8MMXWy8nKc2ikKAjam8Mhl1V0d8lkTEm8zkZ9ZcYARGNi/edd1eCvwt1E9t7cHIefkpZ3B45Lnv+oM0TvV1+9Ve+yOQKei4HeFEixGQ0E1GNNuXmQIlWwu60633mgt0EhIDWDavo40/YMxSN7+1F3qOo5oZnzZx8nuXr1LKhjpXEL3CY+hPivRAOKINlzTQmDNYQzToVwOBakUUq3UNazQRjdomIOszkUX+Nq2Ro7amvpbflAJw== - GITHUB_SECRET: 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 - NEXTAUTH_SECRET: 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 - template: - metadata: - annotations: - sealedsecrets.bitnami.com/cluster-wide: 'true' - name: app - type: 
Opaque diff --git a/.kontinuous/env/dev/templates/vaultsecrets.yaml b/.kontinuous/env/dev/templates/vaultsecrets.yaml new file mode 100644 index 00000000..c9411a99 --- /dev/null +++ b/.kontinuous/env/dev/templates/vaultsecrets.yaml 
@@ -0,0 +1,135 @@ +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + name: vault +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vault +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: vault +roleRef: + kind: Role + name: vault + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: vault + namespace: vault +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno-create-vault-secrets +rules: +- apiGroups: + - secrets.hashicorp.com + resources: + - vaultstaticsecrets + verbs: + - create + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kyverno-create-vault-secrets +roleRef: + kind: Role + name: kyverno-create-vault-secrets + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: kyverno-background-controller + namespace: kyverno +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: refresh-vault-secrets +spec: + background: false + rules: + - name: update-vault-secret-annotation + match: + resources: + kinds: + - Pod + operations: + - CREATE + context: + - name: secretvolumes + variable: + jmesPath: "request.object.spec.volumes[?secret].secret.secretName" + default: [] + - name: secretenvfrom + variable: + jmesPath: "request.object.spec.containers[?envFrom].envFrom[].secretRef.name" + default: [] + - name: secretenvvaluefrom + variable: + jmesPath: "request.object.spec.containers[?env].env[].valueFrom.secretKeyRef.name" + default: [] + preconditions: + any: + - key: "{{ `{{ length(secretvolumes) }}` }}" + operator: GreaterThan + value: 0 + - key: "{{ `{{ length(secretenvfrom) }}` }}" + operator: GreaterThan + value: 0 + - key: "{{ `{{ length(secretenvvaluefrom) }}` }}" + operator: GreaterThan + value: 0 + generate: + synchronize: true + apiVersion: 
secrets.hashicorp.com/v1beta1 + kind: VaultStaticSecret + name: vault-app + namespace: carnets-vault-refresh-test + data: + metadata: + name: vault-app + labels: + app: carnet-standup + annotations: + fabrique.social.gouv.fr/refresh-time: "{{ `{{ request.object.metadata.creationTimestamp }}` }}" + spec: + destination: + create: true + name: app + overwrite: false + transformation: {} + hmacSecretData: true + refreshAfter: 24h + mount: secret/carnets-standup/dev + path: app-dev + type: kv-v2 + vaultAuthRef: static-auth +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: static-auth +spec: + kubernetes: + audiences: + - vault + role: carnets-standup-dev-app + serviceAccount: vault + tokenExpirationSeconds: 600 + method: kubernetes + mount: ovh-dev \ No newline at end of file diff --git a/.kontinuous/env/preprod/templates/carnets.sealed-secret.yaml b/.kontinuous/env/preprod/templates/carnets.sealed-secret.yaml deleted file mode 100644 index c37d4cbe..00000000 --- a/.kontinuous/env/preprod/templates/carnets.sealed-secret.yaml +++ /dev/null 
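Review bot: The generate rule of the `refresh-vault-secrets` Policy hard-codes `namespace: carnets-vault-refresh-test` for the generated VaultStaticSecret, and the same value is repeated in the preprod and prod files (hunks ending at L8 and L10), so unless that is the release namespace of every environment the `app` Secret is written somewhere the application pods do not read it. The `VaultAuth` named `static-auth` and the `kyverno-create-vault-secrets` Role are namespaced to the chart's namespace, so a VaultStaticSecret created elsewhere can neither resolve `vaultAuthRef: static-auth` nor be created by the kyverno background controller at all; the name also reads like a leftover from a test run. Since the rule is already triggered by the Pod admission request, the target should follow the pod, e.g. `` namespace: "{{ `{{ request.namespace }}` }}" ``, with the Helm backtick escaping already used for the other Kyverno expressions in this file. Minor: the label `app: carnet-standup` is spelled differently from `carnets-standup` used for the mount and auth role, which will break any selector on that label; confirm which spelling is intended.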
@@ -1,18 +0,0 @@ -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - annotations: - sealedsecrets.bitnami.com/cluster-wide: 'true' - name: app -spec: - encryptedData: - SENTRY_AUTH_TOKEN: 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 - GITHUB_ID: AgBPOC6HLF7NPga6a6xXbErjFhJkNRxKB9XvsaQA97DrnJcBDy/PKvH1ol0L+vNbsmXW+Qpkmzjr5B8iWC9yTmulcYE62mx3gDuDW8PsXJENDMMSuvkv7tkEApdWrTHIC84cHyCQ6pzwdBVL2veXK07nH6FE5XcIHCaGs04KJRCe40PqcbzcxRKdH0IapobHYq9+ShLrK2C6rFN78RsEFGvccn2YaHviJ6DC1CQyjWtUdtJ3VCIKnJjPFTG9JwcGT14+t/j9AAErtuTuQAoSW3OvaiM9VjwbvBEOytecQgPKaXJEn6nAq/hY6PnhDbIKnuJNJ3GHp1Q3CDFH3yfgGQofGFq8wTnkb+9Y1/BQJb2ke4m38EMgBaPhmvu0ksA5IMjaJXBbuAXGDmozSILcb3joZc5d89+fIge/BYlN4WeeS5/nEDaVmbeFtB3Liy20MfuloQXaD3m65i2NRnaVzYjE4mlEFaWRLLU0pWRA9nP8MMXWy8nKc2ikKAjam8Mhl1V0d8lkTEm8zkZ9ZcYARGNi/edd1eCvwt1E9t7cHIefkpZ3B45Lnv+oM0TvV1+9Ve+yOQKei4HeFEixGQ0E1GNNuXmQIlWwu60633mgt0EhIDWDavo40/YMxSN7+1F3qOo5oZnzZx8nuXr1LKhjpXEL3CY+hPivRAOKINlzTQmDNYQzToVwOBakUUq3UNazQRjdomIOszkUX+Nq2Ro7amvpbflAJw== - GITHUB_SECRET: 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 - NEXTAUTH_SECRET: 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 - template: - metadata: - annotations: - sealedsecrets.bitnami.com/cluster-wide: 'true' - name: app - type: Opaque diff --git a/.kontinuous/env/preprod/templates/vaultsecrets.yaml b/.kontinuous/env/preprod/templates/vaultsecrets.yaml new file mode 100644 index 00000000..5403e0a2 --- /dev/null +++ b/.kontinuous/env/preprod/templates/vaultsecrets.yaml 
@@ -0,0 +1,135 @@ +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + name: vault +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vault +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: vault +roleRef: + kind: Role + name: vault + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: vault + namespace: vault +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno-create-vault-secrets +rules: +- apiGroups: + - secrets.hashicorp.com + resources: + - vaultstaticsecrets + verbs: + - create + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kyverno-create-vault-secrets +roleRef: + kind: Role + name: kyverno-create-vault-secrets + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: kyverno-background-controller + namespace: kyverno +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: refresh-vault-secrets +spec: + background: false + rules: + - name: update-vault-secret-annotation + match: + resources: + kinds: + - Pod + operations: + - CREATE + context: + - name: secretvolumes + variable: + jmesPath: "request.object.spec.volumes[?secret].secret.secretName" + default: [] + - name: secretenvfrom + variable: + jmesPath: "request.object.spec.containers[?envFrom].envFrom[].secretRef.name" + default: [] + - name: secretenvvaluefrom + variable: + jmesPath: "request.object.spec.containers[?env].env[].valueFrom.secretKeyRef.name" + default: [] + preconditions: + any: + - key: "{{ `{{ length(secretvolumes) }}` }}" + operator: GreaterThan + value: 0 + - key: "{{ `{{ length(secretenvfrom) }}` }}" + operator: GreaterThan + value: 0 + - key: "{{ `{{ length(secretenvvaluefrom) }}` }}" + operator: GreaterThan + value: 0 + generate: + synchronize: true + apiVersion: 
secrets.hashicorp.com/v1beta1 + kind: VaultStaticSecret + name: vault-app + namespace: carnets-vault-refresh-test + data: + metadata: + name: vault-app + labels: + app: carnet-standup + annotations: + fabrique.social.gouv.fr/refresh-time: "{{ `{{ request.object.metadata.creationTimestamp }}` }}" + spec: + destination: + create: true + name: app + overwrite: false + transformation: {} + hmacSecretData: true + refreshAfter: 24h + mount: secret/carnets-standup/dev + path: app-preprod + type: kv-v2 + vaultAuthRef: static-auth +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: static-auth +spec: + kubernetes: + audiences: + - vault + role: carnets-standup-dev-app + serviceAccount: vault + tokenExpirationSeconds: 600 + method: kubernetes + mount: ovh-dev \ No newline at end of file diff --git a/.kontinuous/env/prod/templates/carnets.sealed-secret.yaml b/.kontinuous/env/prod/templates/carnets.sealed-secret.yaml deleted file mode 100644 index 00645b41..00000000 --- a/.kontinuous/env/prod/templates/carnets.sealed-secret.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - annotations: - sealedsecrets.bitnami.com/namespace-wide: 'true' - name: app - namespace: carnets -spec: - encryptedData: - GITHUB_ID: 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 - GITHUB_SECRET: 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 - NEXTAUTH_SECRET: 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 - SENTRY_AUTH_TOKEN: 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 - template: - metadata: - annotations: - sealedsecrets.bitnami.com/namespace-wide: 'true' - name: app - type: Opaque diff --git a/.kontinuous/env/prod/templates/vaultsecrets.yaml b/.kontinuous/env/prod/templates/vaultsecrets.yaml new file mode 100644 index 00000000..18a868ce --- /dev/null +++ b/.kontinuous/env/prod/templates/vaultsecrets.yaml 
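Review bot: The preprod VaultStaticSecret and VaultAuth point at the dev Vault: `mount: secret/carnets-standup/dev`, `role: carnets-standup-dev-app` and the auth `mount: ovh-dev` are identical to the dev file, with only `path: app-preprod` differing, whereas the prod file gets its own `prod` mount and role. If preprod is deliberately served from the dev KV mount and the dev Kubernetes auth mount, that should be stated so nobody "fixes" it, e.g. a comment above the VaultStaticSecret spec: `# preprod reads the dev KV mount on purpose (shared dev Vault); only the KV path differs`. If it is a copy-paste remnant, the three values need their preprod counterparts before this is merged, otherwise a preprod pod can read dev secrets with the dev role's policy.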
@@ -0,0 +1,135 @@ +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + name: vault +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vault +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: vault +roleRef: + kind: Role + name: vault + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: vault + namespace: vault +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno-create-vault-secrets +rules: +- apiGroups: + - secrets.hashicorp.com + resources: + - vaultstaticsecrets + verbs: + - create + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kyverno-create-vault-secrets +roleRef: + kind: Role + name: kyverno-create-vault-secrets + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: kyverno-background-controller + namespace: kyverno +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: refresh-vault-secrets +spec: + background: false + rules: + - name: update-vault-secret-annotation + match: + resources: + kinds: + - Pod + operations: + - CREATE + context: + - name: secretvolumes + variable: + jmesPath: "request.object.spec.volumes[?secret].secret.secretName" + default: [] + - name: secretenvfrom + variable: + jmesPath: "request.object.spec.containers[?envFrom].envFrom[].secretRef.name" + default: [] + - name: secretenvvaluefrom + variable: + jmesPath: "request.object.spec.containers[?env].env[].valueFrom.secretKeyRef.name" + default: [] + preconditions: + any: + - key: "{{ `{{ length(secretvolumes) }}` }}" + operator: GreaterThan + value: 0 + - key: "{{ `{{ length(secretenvfrom) }}` }}" + operator: GreaterThan + value: 0 + - key: "{{ `{{ length(secretenvvaluefrom) }}` }}" + operator: GreaterThan + value: 0 + generate: + synchronize: true + apiVersion: 
secrets.hashicorp.com/v1beta1 + kind: VaultStaticSecret + name: vault-app + namespace: carnets-vault-refresh-test + data: + metadata: + name: vault-app + labels: + app: carnet-standup + annotations: + fabrique.social.gouv.fr/refresh-time: "{{ `{{ request.object.metadata.creationTimestamp }}` }}" + spec: + destination: + create: true + name: app + overwrite: false + transformation: {} + hmacSecretData: true + refreshAfter: 24h + mount: secret/carnets-standup/prod + path: app + type: kv-v2 + vaultAuthRef: static-auth +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: static-auth +spec: + kubernetes: + audiences: + - vault + role: carnets-standup-prod + serviceAccount: vault + tokenExpirationSeconds: 600 + method: kubernetes + mount: ovh-prod
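Review bot: The three context variables (`secretvolumes`, `secretenvfrom`, `secretenvvaluefrom`) collect every Secret a pod references, and the `any` preconditions only test that the lists are non-empty, so any pod creation in the namespace that mounts any Secret regenerates `vault-app` with a new `refresh-time` annotation and, with `synchronize: true`, forces VSO to re-read Vault; in prod that ties Vault read load and audit noise to unrelated pod churn. Narrowing the JMESPath to the secret this policy actually manages would make the trigger match the intent, e.g. `jmesPath: "request.object.spec.volumes[?secret.secretName=='app'].secret.secretName"` and the equivalent `secretRef.name=='app'` / `secretKeyRef.name=='app'` filters for the two env expressions. Separately, the destination is `name: app` with `overwrite: false`, which is also the name of the Secret the deleted SealedSecret used to produce; if that Secret is not garbage-collected before VSO first syncs, VSO will refuse to write and pods silently keep the old values, so the rollout should verify the `app` Secret is owned by the VaultStaticSecret after deployment.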