Fix/vault token reneval (#13)
* Fix the non-working renewal script

* Also renew token used for vault metrics
JoonaHa authored Jan 28, 2025
1 parent fea2fa5 commit d0c3e0d
Showing 2 changed files with 25 additions and 14 deletions.
29 changes: 20 additions & 9 deletions ewc/jobs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -46,16 +46,27 @@ resource "kubernetes_cron_job_v1" "vault_token_renewal" {
value = vault_kubernetes_auth_backend_role.cron-job.role_name
}

env {
name = "TOKENS_TO_RENEW"
value_from {
secret_key_ref {
name = kubernetes_secret.vault_jobs_secrets.metadata.0.name
key = "TOKENS_TO_RENEW"
}
}

volume_mount {
name = "tokens-volume"
mount_path = "/tmp/secret/tokens"
sub_path = "tokens"
}



}

volume {
name = "tokens-volume"
secret {
secret_name = kubernetes_secret.vault_jobs_secrets.metadata.0.name
items {

key = "TOKENS_TO_RENEW"
path = "tokens"
}
}
}
}
}
Expand Down Expand Up @@ -127,7 +138,7 @@ resource "kubernetes_secret" "vault_jobs_secrets" {
data = {
AWS_ACCESS_KEY_ID = var.s3_bucket_access_key
AWS_SECRET_ACCESS_KEY = var.s3_bucket_secret_key
TOKENS_TO_RENEW = "(${join(" ", [vault_token.apisix-global.client_token, vault_token.dev-portal-global.client_token])})"
TOKENS_TO_RENEW = "${join("\n", [vault_token.apisix-global.client_token, vault_token.dev-portal-global.client_token, vault_token.prometheus])}"
}

type = "Opaque"
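Review bot: In the new `TOKENS_TO_RENEW` value the third list element is the bare resource reference `vault_token.prometheus`, while the first two use `.client_token`; `join()` only accepts strings, so unless that name points at something other than a `vault_token` resource this fails at plan time. The line should read `TOKENS_TO_RENEW = join("\n", [vault_token.apisix-global.client_token, vault_token.dev-portal-global.client_token, vault_token.prometheus.client_token])` (the outer `"${...}"` wrapper is redundant). Because the tokens are now projected as a file instead of an env var, consider restricting the file mode in the new `secret` volume block, e.g. `default_mode = "0400"`, so the tokens are readable only by the container's user; they also remain in plaintext in Terraform state through this `kubernetes_secret`, which predates the commit. Both hunks sit inside resource blocks whose headers are above the shown lines.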
10 changes: 5 additions & 5 deletions ewc/jobs/vault-token-renewal.sh
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,9 @@ source /usr/local/bin/common-functions.sh
# Variables
VAULT_ADDR=${VAULT_ADDR}
VAULT_ROLE=${VAULT_ROLE}
TOKENS=(${TOKENS_TO_RENEW})

readarray -t TOKENS < /tmp/secret/tokens


# Check required variables
check_var "VAULT_ADDR" "$VAULT_ADDR"
Expand All @@ -25,14 +27,12 @@ export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
role=$VAULT_ROLE \
jwt=$SA_TOKEN)

index=0
for token in "${TOKENS[@]}"; do
for index in "${!TOKENS[@]}"; do
echo "Renewing token index $index ..."
vault token renew $token > /dev/null || {
vault token renew "${TOKENS[$index]}" > /dev/null || {
echo "Error renewing $index"
error_occurred=true
}
((index++))
done

if [ "$error_occurred" = true ]; then
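Review bot: `readarray -t TOKENS < /tmp/secret/tokens` has no guard: if the mount is absent the redirection fails (whether that aborts depends on `set -e`, which is not visible here), and if the file is empty `TOKENS` is empty, the `for` loop runs zero times and the script reports success without renewing anything, whereas the other inputs go through `check_var`. Add a check right after the read, e.g. `[[ -r /tmp/secret/tokens ]] || { echo "tokens file missing" >&2; exit 1; }` and `(( ${#TOKENS[@]} > 0 )) || { echo "no tokens to renew" >&2; exit 1; }`. The token values are still passed to `vault token renew` as an argument, so they are visible in the pod's process list and in any `set -x` trace; if the renewal role can be granted `update` on `auth/token/renew-accessor`, renewing with `-accessor` and shipping only accessors in the secret would keep the token values out of this job entirely. The start of the script (shebang, `set` options, initialization of `error_occurred`) and the final error handling lie outside the hunks.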
