Merge pull request #2585 from lsst-sqre/tickets/DM-40889c

DM-40889: Convert minikube to new secrets management
lsst-sqre · Oct 2, 2023 · 5c4e968 · 5c4e968
2 parents 1f646e0 + 0857f55
commit 5c4e968
Show file tree

Hide file tree

Showing 16 changed files with 80 additions and 727 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -86,6 +86,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+
+      - name: Install test dependencies
+        run: make init
+
       - name: Filter paths
         uses: dorny/paths-filter@v2
         id: filter
@@ -124,14 +132,13 @@ jobs:
           sudo curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v2.7.10/argocd-linux-amd64
           sudo chmod +x /usr/local/bin/argocd
           sudo apt-get install socat
-          sudo pip install -r installer/requirements.txt
 
       - name: Run installer
         timeout-minutes: 15
         if: steps.filter.outputs.minikube == 'true'
         run: |
           cd installer
-          ./install.sh minikube ${{ secrets.MINIKUBE_VAULT_KEY }}
+          ./install.sh minikube "${{ secrets.MINIKUBE_VAULT_ROLE_ID }}" "${{ secrets.MINIKUBE_VAULT_SECRET_ID }}"
 
       - name: Get final list of resources
         if: steps.filter.outputs.minikube == 'true'

diff --git a/applications/vault-secrets-operator/values-minikube.yaml b/applications/vault-secrets-operator/values-minikube.yaml
@@ -0,0 +1,14 @@
+vault-secrets-operator:
+  environmentVars:
+    - name: VAULT_ROLE_ID
+      valueFrom:
+        secretKeyRef:
+          name: vault-credentials
+          key: VAULT_ROLE_ID
+    - name: VAULT_SECRET_ID
+      valueFrom:
+        secretKeyRef:
+          name: vault-credentials
+          key: VAULT_SECRET_ID
+  vault:
+    authMethod: approle
diff --git a/docs/admin/installation.rst b/docs/admin/installation.rst
@@ -58,19 +58,25 @@ Installing Phalanx
 Once you have defined a Phalanx environment, follow these steps to install it.
 These can be run repeatedly to reinstall Phalanx over an existing deployment.
 
-.. warning::
+#. Create a Vault AppRole that will be used by Vault Secrets Operator.
 
-   The installer has not been updated to work with the new secrets management system yet, and the way it initializes Vault Secrets Operator is incorrect for the new system and will not work.
-   This is currently being worked on, but in the meantime you will have to make changes to the installation script to use :command:`phalanx vault create-read-approle --as-secret vault-credentials` and skip the attempt to create a Vault read token secret obtained from 1Password.
-   Hopefully this will be fixed shortly.
+   .. prompt:: bash
 
-.. rst-class:: open
+      phalanx vault create-read-approle <environment>
 
-#. Create a virtual environment with the tools you will need from the installer's `requirements.txt <https://github.com/lsst-sqre/phalanx/blob/main/installer/requirements.txt>`__.
+   Be aware that this will invalidate any existing AppRole for that environment.
 
 #. Run the installer script at `installer/install.sh <https://github.com/lsst-sqre/phalanx/blob/main/installer/install.sh>`__.
+
+   .. prompt:: bash
+
+      installer/install.sh <enviornment> <vault-role-id> <vault-secret-id>
+
+   ``<vault-role-id>`` and ``<vault-secret-id>`` are the Role ID and Secret ID of the Vault AppRole created in the previous step.
+
    Debug any problems.
    The most common source of problems are errors or missing configuration in the :file:`values-{environment}.yaml` files you created for each application.
+   You can safely run the installer repeatedly as you debug and fix issues.
 
 #. If the installation is using a dynamically-assigned IP address, while the installer is running, wait until the ingress-nginx-controller service comes up and has an external IP address.
    Then, set the A record for your endpoint to that address (or set an A record with that IP address for the ingress and a CNAME from the endpoint to the A record).

diff --git a/docs/admin/secrets-setup.rst b/docs/admin/secrets-setup.rst
@@ -43,12 +43,6 @@ This approach is being replaced with a `Vault AppRole`_ that has read access to
 
 .. _Vault AppRole: https://developer.hashicorp.com/vault/docs/auth/approle
 
-.. warning::
-
-   The current Phalanx installer only supports Vault read tokens, not Vault AppRoles.
-   Support for Vault AppRoles will be added in the future.
-   In the meantime, the Vault bootstrapping process in `install.sh <https://github.com/lsst-sqre/phalanx/blob/main/installer/install.sh>`__ will need to be modified when installing environments that use Vault AppRoles.
-
 Phalanx does not strictly require either of those approaches; any authentication approach that `Vault Secrets Operator`_ supports may be used as long as :px-app:`vault-secrets-operator` is configured accordingly for that environment.
 However, the standard installation process only supports AppRoles, and tooling is provided to manage those roles.
 

diff --git a/environments/values-minikube.yaml b/environments/values-minikube.yaml
@@ -4,7 +4,7 @@ onepassword:
   connectUrl: "https://roundtable-dev.lsst.cloud/1password"
   vaultTitle: "RSP minikube.lsst.codes"
 vaultUrl: "https://vault.lsst.codes"
-vaultPathPrefix: secret/k8s_operator/minikube.lsst.codes
+vaultPathPrefix: secret/phalanx/minikube
 
 # The primary constraint on enabling applications is the low available memory
 # of a GitHub Actions runner, since minikube is used for smoke testing of new