
Commit d0c3e0d

Fix/vault token reneval (#13)
* Fix the renewal script, which was not working * Also renew the token used for Vault metrics
1 parent fea2fa5 commit d0c3e0d

2 files changed

+25
-14
lines changed


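--- a/ewc/jobs.tf
+++ b/ewc/jobs.tf
@@ -46,16 +46,27 @@ resource "kubernetes_cron_job_v1" "vault_token_renewal" {
 value = vault_kubernetes_auth_backend_role.cron-job.role_name
 }
 
-env {
-name = "TOKENS_TO_RENEW"
-value_from {
-secret_key_ref {
-name = kubernetes_secret.vault_jobs_secrets.metadata.0.name
-key = "TOKENS_TO_RENEW"
-}
-}
+
+volume_mount {
+name = "tokens-volume"
+mount_path = "/tmp/secret/tokens"
+sub_path = "tokens"
 }
 
+
+
+}
+
+volume {
+name = "tokens-volume"
+secret {
+secret_name = kubernetes_secret.vault_jobs_secrets.metadata.0.name
+items {
+
+key = "TOKENS_TO_RENEW"
+path = "tokens"
+}
+}
 }
 }
 }
@@ -127,7 +138,7 @@ resource "kubernetes_secret" "vault_jobs_secrets" {
 data = {
 AWS_ACCESS_KEY_ID = var.s3_bucket_access_key
 AWS_SECRET_ACCESS_KEY = var.s3_bucket_secret_key
-TOKENS_TO_RENEW = "(${join(" ", [vault_token.apisix-global.client_token, vault_token.dev-portal-global.client_token])})"
+TOKENS_TO_RENEW = "${join("\n", [vault_token.apisix-global.client_token, vault_token.dev-portal-global.client_token, vault_token.prometheus])}"
 }
 
 type = "Opaque"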
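Review bot: The third element of the `join` list on the new `TOKENS_TO_RENEW` line is `vault_token.prometheus` rather than `vault_token.prometheus.client_token`, so it is the whole resource object, which Terraform cannot convert to a string for `join` — the plan should fail on this line, and even if it did not, the renewal job would read a non-token value into its list. Change it to `vault_token.prometheus.client_token`, matching the two entries before it. While the tokens are being moved to a file mount, the new `volume_mount` could also be declared `read_only = true` and the `secret` volume given `default_mode = "0400"`, so the token file is neither writable from inside the container nor readable by other users in the pod. Both resource blocks begin before their hunks, outside this page.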

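--- a/ewc/jobs/vault-token-renewal.sh
+++ b/ewc/jobs/vault-token-renewal.sh
@@ -8,7 +8,9 @@ source /usr/local/bin/common-functions.sh
 # Variables
 VAULT_ADDR=${VAULT_ADDR}
 VAULT_ROLE=${VAULT_ROLE}
-TOKENS=(${TOKENS_TO_RENEW})
+
+readarray -t TOKENS < /tmp/secret/tokens
+
 
 # Check required variables
 check_var "VAULT_ADDR" "$VAULT_ADDR"
@@ -25,14 +27,12 @@ export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
 role=$VAULT_ROLE \
 jwt=$SA_TOKEN)
 
-index=0
-for token in "${TOKENS[@]}"; do
+for index in "${!TOKENS[@]}"; do
 echo "Renewing token index $index ..."
-vault token renew $token > /dev/null || {
+vault token renew "${TOKENS[$index]}" > /dev/null || {
 echo "Error renewing $index"
 error_occurred=true
 }
-((index++))
 done
 
 if [ "$error_occurred" = true ]; then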
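Review bot: `vault token renew "${TOKENS[$index]}"` still places each long-lived token on the command line, where it is visible in `/proc/<pid>/cmdline` and `ps` to any other process sharing the pod's PID namespace (and to node-level process auditing) for the duration of the call; the quoting fix in this hunk does not change that. One way to keep the token out of argv is to pass it through the environment for that single command, `VAULT_TOKEN="${TOKENS[$index]}" vault token renew-self > /dev/null || {`, though that makes each token renew itself under its own policy (which must permit `auth/token/renew-self`) instead of under the cron job's `auth/token/renew` capability, so confirm the Vault policies before switching. Separately, nothing checks that `readarray` produced a non-empty array: with an empty `/tmp/secret/tokens` the loop body never runs and the job exits successfully, so a guard such as `(( ${#TOKENS[@]} > 0 )) || { echo "no tokens to renew" >&2; exit 1; }` before the loop would surface that. The `if` on the last line continues past the hunk.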
