chore(vault): migrate to openbao #563

Smana · 2024-11-20T06:45:21Z

PR Type

enhancement, documentation

Description

Migrated from Vault to OpenBao across multiple Terraform configurations, including security groups, IAM policies, and autoscaling groups.
Added new configurations for OpenBao, such as PKI, authentication, and policies.
Updated Go code to reflect changes from Vault to OpenBao, including function names and error messages.
Revised documentation to guide users through the setup and configuration of OpenBao, replacing previous Vault references.
Updated scripts and YAML configurations to support OpenBao, including snapshot management and certificate issuance.

Changes walkthrough 📝

Relevant files

Enhancement

28 files

security_group.tf `Update security group configurations for OpenBao` terraform/openbao/cluster/security_group.tf Updated security group descriptions and IDs from Vault to OpenBao. Renamed resources to reflect OpenBao naming.	+19/-19
data.tf `Update cloudinit configuration for OpenBao` terraform/openbao/cluster/data.tf Renamed cloudinit configuration from Vault to OpenBao. Updated TLS file paths for OpenBao.	+9/-8
pki.tf `Add PKI configuration for OpenBao` terraform/openbao/management/pki.tf Added PKI resources for OpenBao. Configured certificate signing and issuer settings.	+50/-1
admin.hcl `Add admin policy for OpenBao management` terraform/openbao/management/policies/admin.hcl Added admin policy for managing identities and PKI in OpenBao. Defined capabilities for various paths.	+79/-1
iam.tf `Update IAM policy for OpenBao S3 buckets` terraform/eks/iam.tf Updated S3 bucket ARNs from Vault to OpenBao.	+4/-4
autoscaling_group.tf `Update autoscaling group for OpenBao` terraform/openbao/cluster/autoscaling_group.tf Renamed autoscaling group module from Vault to OpenBao. Updated security group IDs and user data references.	+6/-6
variables.tf `Update variables for OpenBao configuration` terraform/openbao/cluster/variables.tf Renamed variables from Vault to OpenBao. Added OpenBao version and data path variables.	+13/-7
iam.tf `Update IAM roles and policies for OpenBao` terraform/openbao/cluster/iam.tf Renamed IAM policy document and role policy from Vault to OpenBao.	+4/-4
load_balancer.tf `Add load balancer configuration for OpenBao` terraform/openbao/cluster/load_balancer.tf Added load balancer configuration for OpenBao. Defined target group and listener settings.	+32/-1
auth.tf `Add AppRole authentication for OpenBao` terraform/openbao/management/auth.tf Added AppRole authentication backend for OpenBao. Configured roles for snapshot and cert-manager.	+20/-1
roles.tf `Add PKI roles for OpenBao` terraform/openbao/management/roles.tf Added PKI secret backend role configuration for OpenBao.	+16/-1
policies.tf `Add policies for OpenBao management` terraform/openbao/management/policies.tf Added policies for admin, cert-manager, and snapshot in OpenBao.	+18/-1
route53.tf `Add Route53 DNS configuration for OpenBao` terraform/openbao/cluster/route53.tf Added Route53 record configuration for OpenBao.	+12/-1
kms.tf `Add KMS key configuration for OpenBao` terraform/openbao/cluster/kms.tf Added KMS key configuration for OpenBao unseal key.	+9/-0
variables.tf `Update management variables for OpenBao` terraform/openbao/management/variables.tf Renamed domain name variable from Vault to OpenBao.	+2/-2
snapshot.hcl `Add snapshot policy for OpenBao` terraform/openbao/management/policies/snapshot.hcl Added snapshot policy for OpenBao.	+9/-1
locals.tf `Update local tags for OpenBao` terraform/openbao/cluster/locals.tf Renamed local tags from Vault to OpenBao.	+1/-1
mounts.tf `Add secret mount configuration for OpenBao` terraform/openbao/management/mounts.tf Added secret mount configuration for OpenBao.	+6/-1
cert-manager.hcl `Add cert-manager policy for OpenBao` terraform/openbao/management/policies/cert-manager.hcl Added cert-manager policy for OpenBao.	+4/-1
outputs.tf `Add outputs for OpenBao autoscaling group` terraform/openbao/cluster/outputs.tf Added output for autoscaling group ID in OpenBao.	+3/-0
openbao.go `Refactor Go code for OpenBao integration` dagger/openbao.go Renamed functions and variables from Vault to OpenBao. Updated error messages and script contents for OpenBao.	+55/-55
main.go `Update main Go file for OpenBao configuration` dagger/main.go Renamed VaultConfig to OpenBaoConfig. Updated function names and variables for OpenBao.	+52/-52
openbao-snapshot.sh `Update snapshot script for OpenBao` scripts/openbao-snapshot.sh Renamed script references from Vault to OpenBao. Updated commands and variables for OpenBao.	+24/-24
startup_script.sh `Add startup script for OpenBao initialization` terraform/openbao/cluster/scripts/startup_script.sh Added installation and configuration steps for OpenBao. Updated paths and service names from Vault to OpenBao.	+53/-20
setup-local-disks.sh `Update local disk setup script for OpenBao` terraform/openbao/cluster/scripts/setup-local-disks.sh Renamed RAID setup from Vault to OpenBao. Updated mount directory path.	+2/-2
snapshot-cronjob.yaml `Update snapshot cronjob for OpenBao` security/base/openbao-snapshot/snapshot-cronjob.yaml Renamed cronjob from Vault to OpenBao. Updated image and service account references.	+10/-10
s3-bucket.yaml `Update S3 bucket configuration for OpenBao snapshots` security/base/openbao-snapshot/s3-bucket.yaml Renamed S3 bucket configuration from Vault to OpenBao.	+10/-10
platform-private-gateway-certificate.yaml `Update gateway certificate issuer to OpenBao` infrastructure/base/gapi/platform-private-gateway-certificate.yaml Updated issuer reference from Vault to OpenBao.	+1/-1

Configuration changes

6 files

versions.tf `Define Terraform and provider versions for OpenBao` terraform/openbao/cluster/versions.tf Specified required Terraform and provider versions for OpenBao.	+15/-1
versions.tf `Define Terraform and provider versions for OpenBao management` terraform/openbao/management/versions.tf Specified required Terraform and provider versions for OpenBao management.	+15/-1
backend.tf `Update S3 backend configuration for OpenBao` terraform/openbao/cluster/backend.tf Updated backend configuration key from Vault to OpenBao.	+1/-1
backend.tf `Update S3 backend configuration for OpenBao management` terraform/openbao/management/backend.tf Updated backend configuration key from Vault to OpenBao.	+1/-1
providers.tf `Add Vault provider configuration for OpenBao` terraform/openbao/management/providers.tf Added Vault provider configuration for OpenBao.	+3/-0
providers.tf `Add AWS provider configuration for OpenBao` terraform/openbao/cluster/providers.tf Added AWS provider configuration for OpenBao.	+4/-1

Documentation

5 files

README.md `Update README for OpenBao cluster setup` terraform/openbao/cluster/README.md Updated documentation from Vault to OpenBao. Revised setup instructions and architecture details.	+24/-23
getting_started.md `Update getting started guide for OpenBao` terraform/openbao/cluster/docs/getting_started.md Updated getting started guide from Vault to OpenBao. Revised initialization and verification steps.	+13/-13
README.md `Update main README for OpenBao integration` README.md Updated references from Vault to OpenBao. Revised overview and setup instructions.	+10/-8
pki_requirements.md `Update PKI requirements documentation for OpenBao` terraform/openbao/cluster/docs/pki_requirements.md Updated PKI requirements from Vault to OpenBao. Revised certificate generation instructions.	+14/-14
README.md `Update Dagger README for OpenBao deployment` dagger/README.md Updated instructions from Vault to OpenBao. Revised deployment process and outputs.	+4/-4

Dependencies

1 files

go.sum `Update Go module dependencies for OpenBao` dagger/go.sum Updated dependencies for OpenBao integration.	+4/-4

Additional files (token-limit)

14 files

openbao-snapshot.yaml `...` security/base/epis/openbao-snapshot.yaml ...	+48/-0
go.mod `...` dagger/go.mod ...	+2/-2
ci.yaml `...` .github/workflows/ci.yaml ...	+5/-5
approle.md `...` terraform/openbao/management/docs/approle.md ...	+3/-3
kms.yaml `...` security/base/openbao-snapshot/kms.yaml ...	+4/-4
cloudinit-config.yaml `...` terraform/openbao/cluster/scripts/cloudinit-config.yaml ...	+21/-0
openbao-approle-externalsecret.yaml `...` security/base/cert-manager/openbao-approle-externalsecret.yaml ...	+3/-3
external-secrets.yaml `...` security/base/openbao-snapshot/external-secrets.yaml ...	+3/-3
kustomization.yaml `...` security/base/openbao-snapshot/kustomization.yaml ...	+12/-1
kustomization.yaml `...` security/base/epis/kustomization.yaml ...	+1/-1
snapshot-pvc.yaml `...` security/base/openbao-snapshot/snapshot-pvc.yaml ...	+2/-2
kustomization.yaml `...` security/base/cert-manager/kustomization.yaml ...	+2/-2
kustomization.yaml `...` security/mycluster-0/kustomization.yaml ...	+1/-1
serviceaccount.yaml `...` security/base/openbao-snapshot/serviceaccount.yaml ...	+1/-1

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

github-actions · 2024-11-20T06:47:59Z

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 5 🔵🔵🔵🔵🔵
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review Security Group Configuration The security group configurations and rules for OpenBao need thorough review to ensure they align with security best practices, especially regarding ingress and egress rules. Autoscaling Configuration Review the autoscaling configurations to ensure they meet the expected performance and cost-efficiency requirements for the OpenBao deployment. Policy Definitions The policy definitions for admin roles in OpenBao should be reviewed for excessive permissions that could potentially lead to security risks. PKI Configuration The PKI configuration for OpenBao involves sensitive operations that should be carefully reviewed to ensure they are secure and correctly implemented. Code Implementation The Go implementation for managing OpenBao operations should be reviewed, particularly around error handling and the use of external commands which may affect stability and security.

github-actions · 2024-11-20T06:48:42Z

PR Code Suggestions ✨

No code suggestions found for the PR.

Smana · 2024-11-22T07:28:48Z

/describe

github-actions · 2024-11-22T07:31:32Z

PR Description updated to latest commit (2e16760)

Smana changed the title ~~Chore vault2openbao~~ chore(vault): migrate to openbao Nov 20, 2024

github-actions bot added the Review effort [1-5]: 5 label Nov 20, 2024

Smana force-pushed the chore_vault2openbao branch from c0db3b1 to dc8a1f6 Compare November 20, 2024 06:48

Smana mentioned this pull request Nov 20, 2024

[ENHANCEMENT] Vault -> OpenBao #253

Closed

Smana force-pushed the chore_vault2openbao branch 4 times, most recently from 38164db to 33c58c7 Compare November 22, 2024 07:11

chore(openbao): migrate vault to openbao

2e16760

Smana force-pushed the chore_vault2openbao branch from 33c58c7 to 2e16760 Compare November 22, 2024 07:26

Smana marked this pull request as ready for review November 22, 2024 07:28

Smana merged commit 423c747 into main Nov 22, 2024
3 checks passed

Smana deleted the chore_vault2openbao branch November 22, 2024 07:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(vault): migrate to openbao #563

chore(vault): migrate to openbao #563

Smana commented Nov 20, 2024 •

edited by github-actions bot

Loading

github-actions bot commented Nov 20, 2024

github-actions bot commented Nov 20, 2024

Smana commented Nov 22, 2024

github-actions bot commented Nov 22, 2024

chore(vault): migrate to openbao #563

chore(vault): migrate to openbao #563

Conversation

Smana commented Nov 20, 2024 • edited by github-actions bot Loading

PR Type

Description

Changes walkthrough 📝

github-actions bot commented Nov 20, 2024

PR Reviewer Guide 🔍

github-actions bot commented Nov 20, 2024

PR Code Suggestions ✨

Smana commented Nov 22, 2024

github-actions bot commented Nov 22, 2024

Smana commented Nov 20, 2024 •

edited by github-actions bot

Loading