Merge pull request #41 from appuio/feat/lieutenant-api-vault

Read Vault address and login method from Lieutenant API

Author: simu

workflows/cloudscale/decommission-steps.yml

@@ -6,9 +6,7 @@ spells:
   - name: vault_address
     description: |-
       Address of the Vault server associated with the Lieutenant API to store cluster secrets.
-
-      https://vault-prod.syn.vshn.net/ for production clusters.
-      https://vault-int.syn.vshn.net/ for test clusters.
+  - name: vault_login_method
   - name: commodore_cluster_id
   - name: commodore_tenant_id
   outputs:
@@ -19,7 +17,7 @@ spells:
   run: |
     set -euo pipefail
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
 
     token=$(vault kv get -format=json \
       "clusters/kv/${INPUT_commodore_tenant_id}/${INPUT_commodore_cluster_id}/cloudscale" | \
@@ -257,6 +255,7 @@ spells:
   inputs:
   - name: cloudscale_token
   - name: vault_address
+  - name: vault_login_method
   - name: commodore_cluster_id
   - name: commodore_api_url
   - name: backup_deletion_confirmation
@@ -293,7 +292,7 @@ spells:
     git archive --remote "${REPO_URL}" master | tar -xC catalog
 
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
 
     # extract restic credentials from catalog and vault
     restic_repo=s3:$(yq -o=json 'select(.kind == "Schedule")| .spec.backend.s3 | .endpoint + "/" + .bucket' catalog/manifests/cluster-backup/10_object.yaml | tr -d '"')

workflows/cloudscale/init-steps.yml

@@ -73,8 +73,7 @@ spells:
   - name: vault_address
     description: |-
       Address of the Vault server associated with the Lieutenant API to store cluster secrets.
-
-      https://vault-prod.syn.vshn.net/ for production clusters.
+  - name: vault_login_method
   - name: commodore_cluster_id
   - name: commodore_tenant_id
   - name: bucket_user
@@ -89,7 +88,7 @@ spells:
     set -euo pipefail
 
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
 
     # Set the cloudscale.ch access secrets
     vault kv put clusters/kv/${INPUT_commodore_tenant_id}/${INPUT_commodore_cluster_id}/cloudscale \
@@ -198,6 +197,7 @@ spells:
   - name: base_domain
   - name: cluster_domain
   - name: vault_address
+  - name: vault_login_method
   - name: redhat_pull_secret
   - name: csp_region
   - name: bucket_user
@@ -214,7 +214,7 @@ spells:
     }
 
     export VAULT_ADDR="${INPUT_vault_address}"
-    vault login -method=oidc
+    vault login -method="${INPUT_vault_login_method}"
 
     ssh_private_key="$(pwd)/ssh_${INPUT_commodore_cluster_id}"
     ssh_public_key="${ssh_private_key}.pub"
@@ -821,14 +821,15 @@ spells:
   inputs:
   - name: commodore_api_url
   - name: vault_address
+  - name: vault_login_method
   - name: kubeconfig_path
   run: |
     set -euo pipefail
     export COMMODORE_API_URL="${INPUT_commodore_api_url}"
     export KUBECONFIG="${INPUT_kubeconfig_path}"
 
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
 
     echo '# Applying cert-manager ... #'
     kubectl apply -f catalog/manifests/cert-manager/00_namespace.yaml

workflows/exoscale/decommission-steps.yml

@@ -199,6 +199,7 @@ spells:
   - name: exoscale_key
   - name: exoscale_secret
   - name: vault_address
+  - name: vault_login_method
   - name: commodore_cluster_id
   - name: commodore_api_url
   - name: backup_deletion_confirmation
@@ -238,7 +239,7 @@ spells:
     git archive --remote "${REPO_URL}" master | tar -xC catalog
 
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
 
     # extract restic credentials from catalog and vault
     restic_repo=s3:$(yq -o=json 'select(.kind == "Schedule")| .spec.backend.s3 | .endpoint + "/" + .bucket' catalog/manifests/cluster-backup/10_object.yaml | tr -d '"')

workflows/exoscale/init-steps.yml

@@ -231,8 +231,7 @@ spells:
   - name: vault_address
     description: |-
       Address of the Vault server associated with the Lieutenant API to store cluster secrets.
-
-      https://vault-prod.syn.vshn.net/ for production clusters.
+  - name: vault_login_method
   - name: commodore_cluster_id
   - name: commodore_tenant_id
   - name: s3_key
@@ -249,7 +248,7 @@ spells:
     set -euo pipefail
 
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
 
     # Set the Exoscale object storage API key
     vault kv put clusters/kv/${INPUT_commodore_tenant_id}/${INPUT_commodore_cluster_id}/exoscale/storage_iam \
@@ -353,6 +352,7 @@ spells:
   - name: base_domain
   - name: cluster_domain
   - name: vault_address
+  - name: vault_login_method
   - name: redhat_pull_secret
   - name: ccm_key
   - name: ccm_secret
@@ -370,7 +370,7 @@ spells:
     }
 
     export VAULT_ADDR="${INPUT_vault_address}"
-    vault login -method=oidc
+    vault login -method="${INPUT_vault_login_method}"
 
     ssh_private_key="$(pwd)/ssh_${INPUT_commodore_cluster_id}"
     ssh_public_key="${ssh_private_key}.pub"
@@ -895,6 +895,7 @@ spells:
   inputs:
   - name: commodore_api_url
   - name: vault_address
+  - name: vault_login_method
   - name: kubeconfig_path
   run: |
     set -euo pipefail
@@ -903,7 +904,7 @@ spells:
     export KUBECONFIG="${INPUT_kubeconfig_path}"
 
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
 
     echo '# Applying cert-manager ... #'
     kubectl apply -f catalog/manifests/cert-manager/00_namespace.yaml

workflows/shared/decommission-steps.yml

@@ -49,11 +49,12 @@ spells:
     during decommissioning.
   inputs:
   - name: vault_address
+  - name: vault_login_method
   - name: commodore_cluster_id
   run: |
     set -euo pipefail
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
     OPSGENIE_KEY=$(vault kv get -format=json \
       clusters/kv/__shared__/__shared__/opsgenie/aldebaran | \
       jq -r '.data.data["heartbeat-password"]')
@@ -287,6 +288,7 @@ spells:
   - name: commodore_cluster_id
   - name: commodore_api_url
   - name: vault_address
+  - name: vault_login_method
   - name: backup_deletion_confirmation
   run: |
     set -euo pipefail
@@ -308,7 +310,7 @@ spells:
     SECRET_KEY="$(yq -o=json 'select(.kind == "Secret" and .metadata.name == "objects-backup-s3-credentials") | .stringData.password' catalog/manifests/cluster-backup/10_object.yaml | cut -d: -f2)"
 
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
 
     for secret in $(find catalog/refs/ -type f \
       | sed -r -e 's#catalog/refs#clusters/kv#' -e 's#(.*)/.*#\1#' \
@@ -334,11 +336,12 @@ spells:
     This step deletes the cluster's OpsGenie heartbeat.
   inputs:
   - name: vault_address
+  - name: vault_login_method
   - name: commodore_cluster_id
   run: |
     set -euo pipefail
     export VAULT_ADDR=${INPUT_vault_address}
-    vault login -method=oidc
+    vault login -method=${INPUT_vault_login_method}
     OPSGENIE_KEY=$(vault kv get -format=json \
       clusters/kv/__shared__/__shared__/opsgenie/aldebaran | \
       jq -r '.data.data["heartbeat-password"]')

workflows/shared/init-steps.yml

@@ -34,6 +34,8 @@ spells:
       You might use the WebUI at https://control.vshn.net/syn/lieutenantapiendpoints to create and manage your clusters.
   outputs:
   - name: commodore_tenant_id
+  - name: vault_address
+  - name: vault_login_method
   - name: csp_region
   run: |
     set -euo pipefail
@@ -47,6 +49,12 @@ spells:
     region=$(curl -sH "Authorization: Bearer $(commodore fetch-token)" ${COMMODORE_API_URL}/clusters/${INPUT_commodore_cluster_id} | jq -r .facts.region)
     if test -z "$region" && test "$region" != "null" ; then { echo "❌ Failed to retrieve CSP region for cluster ID '$INPUT_commodore_cluster_id'."; exit 1; } ; else { echo "✅ Retrieved CSP region '$region' for cluster ID '$INPUT_commodore_cluster_id'."; } ; fi
     env -i "csp_region=$region" >> "$OUTPUT"
+
+    echo "Retrieving Vault address and login method..."
+    vault_addr=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.addr')
+    env -i "vault_address=${vault_addr}" >> "$OUTPUT"
+    vault_login_method=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.loginMethod')
+    env -i "vault_login_method=${vault_login_method}" >> "$OUTPUT"
 - match: And a Keycloak service
   description: |-
     In this step, you have to create a Keycloak service for the new cluster