ci: keyless K8s creds via GitHub OIDC->Vault (retire KUBECONFIG_DEV/PROD)#76
| # Keyless: GitHub OIDC -> Vault jwt auth. exportToken makes VAULT_TOKEN available to the mint step. | ||
| - name: Vault login (GitHub OIDC) | ||
| uses: hashicorp/vault-action@v3 |
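Review bot: uses: hashicorp/vault-action@v3 references a mutable major tag; since this step is what receives the GitHub OIDC token and exports VAULT_TOKEN, pin it to a full commit SHA (keep the version in a trailing comment) so the code running in the login step cannot change under a re-pointed tag. The comment on this step should also say that exportToken: true puts VAULT_TOKEN into the environment of every subsequent step of the job, not only the mint step, so nothing after the kubeconfig is built should need to read it.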
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8466102bed
| KUBE_TOKEN=$(curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \ | ||
| -X PUT -d '{"kubernetes_namespace":"arc-runners-supporttools"}' \ | ||
| "${VAULT_ADDR}/v1/kubernetes-onprem/creds/website" \ | ||
| | jq -r '.data.service_account_token') |
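Review bot: curl -sf discards the response body on any HTTP error, so a 403 from Vault (role, policy or audience mismatch) reaches the "!= null" guard described in the PR as an empty token with no indication of why; use --fail-with-body (curl 7.76 and later) or log the HTTP status so Vault's error message lands in the job log. The command also runs as a pipeline into jq, so unless the step's shell sets pipefail a curl failure is masked by jq's exit status and the empty-token guard is the only signal; confirm the step runs under bash with pipefail.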
Grant create before keeping the bootstrap branch
This kubeconfig is now sourced from the Vault-issued least-privilege token, but the deploy script still treats a missing supporttools-${ENVIRONMENT} Application as recoverable by piping argocd/${ENVIRONMENT}.yaml into kubectl apply below. The new role is scoped for the existing get/patch path, so if one of the six Applications is deleted or a cluster is rebuilt, this branch now fails with an RBAC error instead of recreating it as the old kubeconfig did; the same pattern exists in Deploy-Prod. Either give the token create on those Applications or replace the branch with a clear precondition failure.
Summary

Converts the Kubernetes deploy path of this pipeline to keyless credentials (GitHub OIDC -> HashiCorp Vault), retiring the two org admin secrets KUBECONFIG_DEV and KUBECONFIG_PROD. No long-lived kubeconfig is stored in GitHub after this.

The Vault + RBAC backend is already provisioned and verified:
- github-actions, role gha-website (audience https://github.com/SupportTools)
- kubernetes-onprem/creds/website mints a 1h token for SA website-ci-deployer, scoped to get/patch only the six ArgoCD Applications supporttools-{mst,dev,qas,tst,stg,prd} in the argocd namespace.

What changed

Applied identically to both K8s deploy jobs (Deploy-NonProd [matrix mst/dev/qas/tst] and Deploy-Prod [matrix stg/prd]):
- permissions: { contents: read, id-token: write } (mint the GitHub OIDC token).
- Setup Kubeconfig step that base64-decoded secrets.KUBECONFIG_DEV / secrets.KUBECONFIG_PROD, with two steps:
  - hashicorp/vault-action@v3 JWT login (path: github-actions, role: gha-website, jwtGithubAudience: https://github.com/SupportTools, exportToken: true).
  - run: step that mints the short-lived, namespace-scoped Kubernetes token from kubernetes-onprem/creds/website (guards non-empty / != null, masks it) and builds the kubeconfig file targeting https://kubernetes.default.svc:443 with the in-cluster SA CA.
- secrets.KUBECONFIG_DEV / secrets.KUBECONFIG_PROD references. The same keyless token serves every env (one a1-ops-prd cluster; there is no separate dev cluster).
- Deploy ArgoCD Project step (kubectl apply -f argocd/project.yaml) from both jobs and left a one-line comment: the AppProject is cluster-services-managed, and the scoped token cannot apply AppProjects. All six Applications already exist, so only the patch branch of the deploy block fires.
- kubectl --kubeconfig kubeconfig, which now points at the runtime-minted kubeconfig.
- runs-on: No change — both deploy jobs were already self-hosted-linux (in-cluster ARC runner in arc-runners-supporttools), which is required for the keyless kubeconfig (in-cluster apiserver + SA CA) to work.

Not touched
- Build job, DockerHub (supporttools/website, DOCKER_USERNAME/DOCKER_PASSWORD), Helm packaging, and BOT_TOKEN helm-chart push are all left exactly as-is.
- on: triggers unchanged (workflow_dispatch, push on main, nightly schedule).

Note

This is a draft PR. After merge, the org admin secrets KUBECONFIG_DEV and KUBECONFIG_PROD can be deleted.
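As an added example (not the PR's own workflow code), the mint-and-kubeconfig run: step described under "What changed", written as shell functions so the empty/null guard, the log masking and the kubeconfig build can be exercised without a live Vault or cluster. It assumes VAULT_ADDR and VAULT_TOKEN are exported by vault-action, and that the runner's SA CA sits at the standard in-cluster mount path.

```shell
# Added example, not the PR's own workflow code: the mint-and-kubeconfig run:
# step described above, as functions so the guard and kubeconfig build can run
# without Vault or a cluster. Paths/role/namespace are the PR's; SA CA path is assumed.
set -eu
VAULT_CREDS_PATH="kubernetes-onprem/creds/website"
KUBE_NAMESPACE="arc-runners-supporttools"
SA_CA="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

# Ask Vault's Kubernetes secrets engine for a 1h SA token; VAULT_ADDR and
# VAULT_TOKEN come from vault-action. --fail-with-body (curl >= 7.76) keeps
# Vault's error JSON visible; run under bash -o pipefail so jq cannot hide it.
mint_kube_token() {
  curl --silent --show-error --fail-with-body \
    -H "X-Vault-Token: ${VAULT_TOKEN}" \
    -X PUT -d "{\"kubernetes_namespace\":\"${KUBE_NAMESPACE}\"}" \
    "${VAULT_ADDR}/v1/${VAULT_CREDS_PATH}" |
    jq -r '.data.service_account_token'
}
# The guard from the description: reject empty or the literal "null" that
# jq -r prints for a missing field, then mask the token in the job log.
check_kube_token() {
  tok="$1"
  [ -n "$tok" ] && [ "$tok" != "null" ] || return 1
  printf '::add-mask::%s\n' "$tok"
}

# Write a kubeconfig for the in-cluster apiserver trusting the runner's SA CA.
# $1 token, $2 output path, $3 CA file (defaults to the SA mount).
build_kubeconfig() {
  tok="$1"; out="$2"; ca="${3:-$SA_CA}"
  ca_b64=$(base64 < "$ca" | tr -d '\n')
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: in-cluster
  cluster:
    server: https://kubernetes.default.svc:443
    certificate-authority-data: ${ca_b64}
users:
- name: website-ci-deployer
  user:
    token: ${tok}
contexts:
- name: deploy
  context: {cluster: in-cluster, user: website-ci-deployer}
current-context: deploy
EOF
  chmod 600 "$out"
}
```

In the workflow step the three functions chain as `KUBE_TOKEN=$(mint_kube_token); check_kube_token "$KUBE_TOKEN"; build_kubeconfig "$KUBE_TOKEN" kubeconfig`, after which every kubectl call uses --kubeconfig kubeconfig as the PR describes.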