feat: add K8s token rotation

2026-03-10 08:11:21 +00:00 · 2021-01-05 22:04:43 +01:00
parent c95081f79d
commit 48f41ff69a
8 changed files with 221 additions and 0 deletions
--- a/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/Chart.yaml
+++ b/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 0.1.3
+description: Rotate Kubernetes Digital Ocean token and store it on space
+name: do-k8s-token-rotate
+type: application
+version: 0.1.3
--- a/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/templates/_helpers.tpl
+++ b/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "k8s-token-rotate.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "k8s-token-rotate.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "k8s-token-rotate.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "k8s-token-rotate.labels" -}}
+helm.sh/chart: {{ include "k8s-token-rotate.chart" . }}
+{{ include "k8s-token-rotate.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "k8s-token-rotate.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "k8s-token-rotate.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "k8s-token-rotate.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "k8s-token-rotate.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
--- a/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/templates/cronjob.yaml
+++ b/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/templates/cronjob.yaml
@@ -0,0 +1,31 @@
+{{- $kubefullname := include "k8s-token-rotate.fullname" . }}
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: {{ include "k8s-token-rotate.fullname" . }}
+  labels:
+    {{- include "k8s-token-rotate.labels" . | nindent 4 }}
+spec:
+  schedule: {{ .Values.schedule | quote }}
+  concurrencyPolicy: Replace
+  failedJobsHistoryLimit: 3
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: k8s-token-rotate
+              image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
+              env:
+              {{ range $key, $value := .Values.environmentVariables -}}
+              - name: "{{ $key }}"
+                valueFrom:
+                  secretKeyRef:
+                    name: {{ $kubefullname }}
+                    key: {{ $key }}
+              {{ end }}
+              resources:
+              {{- toYaml .Values.engineResources | nindent 16 }}
+          restartPolicy: OnFailure
--- a/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/templates/secret.yaml
+++ b/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "k8s-token-rotate.fullname" . }}
+  labels:
+    {{- include "k8s-token-rotate.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{- toYaml .Values.environmentVariables | nindent 2 }}
--- a/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/templates/serviceaccount.yaml
+++ b/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "k8s-token-rotate.serviceAccountName" . }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "k8s-token-rotate.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/values.yaml
+++ b/lib/digitalocean/bootstrap/charts/do-k8s-token-rotate/values.yaml
@@ -0,0 +1,39 @@
+image:
+  repository: qoveryrd/do-k8s-token-rotate
+  pullPolicy: IfNotPresent
+  tag: "0.1.3"
+
+nameOverride: ""
+fullnameOverride: ""
+
+labels:
+  app: k8s-token-rotate
+
+schedule: "0 12 * * */1"
+
+environmentVariables:
+  DO_API_TOKEN: ""
+  SPACES_KEY_ACCESS: ""
+  SPACES_SECRET_KEY: ""
+  SPACES_BUCKET: ""
+  SPACES_REGION: ""
+  SPACES_FILENAME: ""
+  K8S_MAX_EXPIRY_TOKEN: "561600"
+  K8S_CLUSTER_ID: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+resources:
+  limits:
+    cpu: 10m
+    memory: 64Mi
+  requests:
+    cpu: 10m
+    memory: 64Mi
--- a/lib/digitalocean/bootstrap/helm-k8s-token-rotate.j2.tf
+++ b/lib/digitalocean/bootstrap/helm-k8s-token-rotate.j2.tf
@@ -0,0 +1,53 @@
+resource "helm_release" "k8s_token_rotate" {
+  name = "k8s-token-rotate"
+  chart = "charts/do-k8s-token-rotate"
+  namespace = "kube-system"
+  atomic = true
+  max_history = 50
+  force_update = true
+
+  // make a fake arg to avoid TF to validate update on failure because of the atomic option
+  set {
+    name = "fake"
+    value = timestamp()
+  }
+
+  set {
+    name = "environmentVariables.DO_API_TOKEN"
+    value = "{{ digitalocean_token }}"
+  }
+
+  set {
+    name = "environmentVariables.SPACES_KEY_ACCESS"
+    value = "{{ spaces_access_id }}"
+  }
+
+  set {
+    name = "environmentVariables.SPACES_SECRET_KEY"
+    value = "{{ spaces_secret_key }}"
+  }
+
+  set {
+    name = "environmentVariables.SPACES_BUCKET"
+    value = digitalocean_spaces_bucket.space_bucket_kubeconfig.name
+  }
+
+  set {
+    name = "environmentVariables.SPACES_REGION"
+    value = var.region
+  }
+
+  set {
+    name = "environmentVariables.SPACES_FILENAME"
+    value = digitalocean_spaces_bucket_object.upload_kubeconfig.key
+  }
+
+  set {
+    name = "environmentVariables.K8S_CLUSTER_ID"
+    value = digitalocean_kubernetes_cluster.kubernetes_cluster.id
+  }
+
+  depends_on = [
+    digitalocean_kubernetes_cluster.kubernetes_cluster
+  ]
+}
--- a/lib/helm-freeze.yaml
+++ b/lib/helm-freeze.yaml
@@ -57,6 +57,10 @@ charts:
  - name: pleco
    version: 0.3.3
    repo_name: pleco
+  - name: do-k8s-token-rotate
+    version: 0.1.3
+    dest: do-bootstrap
+    repo_name: do-k8s-token-rotate

 repos:
  - name: stable
@@ -73,11 +77,15 @@ repos:
    url: https://grafana.github.io/loki/charts
  - name: pleco
    url: https://qovery.github.io/pleco/
+  - name: do-k8s-token-rotate
+    url: https://qovery.github.io/do-k8s-token-rotate/

 destinations:
  - name: default
    path: common/bootstrap/charts
  - name: aws-bootstrap
    path: aws/bootstrap/charts
+  - name: do-bootstrap
+    path: digitalocean/bootstrap/charts
  - name: services
    path: common/services