afnix/infra
0
1
Fork 6
Code Issues 47 Pull requests 11 Projects 1 Releases Packages Wiki Activity

Machine identity: OIDC discovery provider for OpenBao #360

Merged
raito merged 9 commits from oidc-discovery-provider into main 2025-09-25 23:22:34 +00:00
Conversation 7 Commits 9 Files changed 13 +555 -30
raito commented 2025-09-23 19:54:09 +00:00
Owner
Copy link

This finishes the base setup for machine identity.

The next PRs will work on providing policies and feeding OpenBao with secrets, eventually putting an OpenBao agent in every VMs.

This finishes the base setup for machine identity. The next PRs will work on providing policies and feeding OpenBao with secrets, eventually putting an OpenBao agent in every VMs.
We use this piece of software to let OpenBao register a new OIDC method
for login which will be used by machines.

Signed-off-by: Raito Bezarius <raito@afnix.fr>
Signed-off-by: Raito Bezarius <raito@afnix.fr>
Signed-off-by: Raito Bezarius <raito@afnix.fr>
Signed-off-by: Raito Bezarius <raito@afnix.fr>
Signed-off-by: Raito Bezarius <raito@afnix.fr>
raito changed title from Machine identity: OIDC discovery provider for OpenBao to WIP: Machine identity: OIDC discovery provider for OpenBao 2025-09-23 19:54:16 +00:00
raito reviewed 2025-09-23 19:59:04 +00:00
services/baremetal/hypervisors/default.nix Outdated
@ -55,1 +55,3 @@
bagel.baremetal.hypervisor.enable = lib.mkEnableOption "hypervisor role";
bagel.baremetal.hypervisor = {
enable = lib.mkEnableOption "hypervisor role";
secondaryIPv6 = lib.mkOption {
raito commented 2025-09-23 19:59:04 +00:00
Author
Owner
Copy link

We could avoid this if:

  • We succeed into using a front NGINX on port 443 and perform SNI.
  • We succeed into moving SPIRE server and OIDC discovery provider inside a VM with 2 IPv6 or something.
We could avoid this if: - We succeed into using a front NGINX on port 443 and perform SNI. - We succeed into moving SPIRE server and OIDC discovery provider inside a VM with 2 IPv6 or something.
raito commented 2025-09-25 22:28:12 +00:00
Author
Owner
Copy link

SNI is done.

SNI is done.
raito marked this conversation as resolved
raito force-pushed oidc-discovery-provider from f090d2beb4 to cceaa1902e 2025-09-23 20:41:41 +00:00 Compare
raito force-pushed oidc-discovery-provider from cceaa1902e to b793d03ce5 2025-09-25 22:28:05 +00:00 Compare
raito changed title from WIP: Machine identity: OIDC discovery provider for OpenBao to Machine identity: OIDC discovery provider for OpenBao 2025-09-25 22:28:19 +00:00
raito reviewed 2025-09-25 22:29:28 +00:00
terraform/afnix_superadmin/vault/default.nix Outdated
@ -36,0 +27,4 @@
defaultPolicyFragment = {
"auth/token/*".capabilities = [ "create" "read" "update" "delete" "list" ];
};
# spiffe://$TD/tenants/$TENANT/svc/forgejo
raito commented 2025-09-25 22:29:28 +00:00
Author
Owner
Copy link

Expand these comments.

Expand these comments.
raito marked this conversation as resolved
raito reviewed 2025-09-25 22:29:38 +00:00
terraform/afnix_superadmin/vault/default.nix Outdated
@ -36,0 +22,4 @@
# Each region has its own OIDC discovery server and is expected to operate
# independently.
machine-identity = {
# audience = $tenant_id OR https://vault.afnix.fr
raito commented 2025-09-25 22:29:38 +00:00
Author
Owner
Copy link

Expand these comments.

Expand these comments.
raito marked this conversation as resolved
raito reviewed 2025-09-25 22:29:53 +00:00
terraform/afnix_superadmin/vault/default.nix Outdated
@ -83,2 +131,4 @@
"transit/decrypt/terraform-backend-states-key".capabilities = [ "create" "update" ];
};
machine_sts = {
raito commented 2025-09-25 22:29:53 +00:00
Author
Owner
Copy link

We can get rid of this test now.

We can get rid of this test now.
raito marked this conversation as resolved
raito reviewed 2025-09-25 22:30:03 +00:00
terraform/common/vault/auth/machine-identity.nix Outdated
@ -0,0 +7,4 @@
regionOpts = { config, ... }: {
options = {
trustDomain = mkOption {
type = types.str;
raito commented 2025-09-25 22:30:03 +00:00
Author
Owner
Copy link

Missing description and examples.

Missing description and examples.
raito marked this conversation as resolved
raito reviewed 2025-09-25 22:30:13 +00:00
terraform/common/vault/auth/machine-identity.nix Outdated
@ -0,0 +12,4 @@
discoveryUrl = mkOption {
type = types.str;
default = "https://sts-oidc.${config.trustDomain}";
raito commented 2025-09-25 22:30:13 +00:00
Author
Owner
Copy link

Missing description.

Missing description.
raito marked this conversation as resolved
delroth approved these changes 2025-09-25 23:11:07 +00:00
delroth left a comment
Owner
Copy link

Modulo existing comments.

Modulo existing comments.
services/sni/default.nix Outdated
@ -0,0 +1,126 @@
# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
delroth commented 2025-09-25 23:10:58 +00:00
Owner
Copy link

Aren't we relicensing this to match the rest of the repo?

Aren't we relicensing this to match the rest of the repo?
raito commented 2025-09-25 23:13:15 +00:00
Author
Owner
Copy link

Yes, we did indeed.

Yes, we did indeed.
raito marked this conversation as resolved
services/sni/default.nix Outdated
@ -0,0 +89,4 @@
inherit (cfg.localTermination) port;
addr = "127.0.0.1";
ssl = true;
# proxyProtocol = true;
delroth commented 2025-09-25 23:10:42 +00:00
Owner
Copy link

Why is this (and the later proxy_protocol line) commented out?

Why is this (and the later proxy_protocol line) commented out?
raito commented 2025-09-25 23:13:54 +00:00
Author
Owner
Copy link

It's because @thubrecht had in intent to support optional proxy protocol for downstreams that would support for it I imagine.
We should get rid of it, our downstreams do not support PROXY protocol v2 anyway and we don't need it, we can read the access logs on our NGINX.

It's because @thubrecht had in intent to support optional proxy protocol for downstreams that would support for it I imagine. We should get rid of it, our downstreams do not support PROXY protocol v2 anyway and we don't need it, we can read the access logs on our NGINX.
👍 1
raito commented 2025-09-25 23:14:07 +00:00
Author
Owner
Copy link

This PROXY story will come back in n64gw01 once I add SNI proxies for IPv4.

This PROXY story will come back in n64gw01 once I add SNI proxies for IPv4.
raito marked this conversation as resolved
raito force-pushed oidc-discovery-provider from b793d03ce5 to aa00cd11cc 2025-09-25 23:22:14 +00:00 Compare
raito merged commit aa00cd11cc into main 2025-09-25 23:22:34 +00:00
raito deleted branch oidc-discovery-provider 2025-09-25 23:22:34 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
delroth
Labels
Clear labels   
Compat/Breaking

Breaking change that won't be backward compatible

  
Difficulty/Architectural

Requires changes in multiple pieces of the stack: the Nix interpreter, etc.

  
Difficulty/Easy

Infrastructure beginner friendly tasks

  
Difficulty/Hard

Requires prior knowledge, research and design

  
Help Wanted

Looking for a first task to pick? This one is looking for somefew to do it as well!

  
Kind/Bug

Something is not working

  
Kind/Documentation

Documentation changes

  
Kind/Enhancement

Improve existing functionality

  
Kind/Feature

New functionality

  
Kind/Testing

Issue or pull request related to testing

  
Priority/Critical

The priority is critical

  
Priority/High

The priority is high

  
Priority/Low

The priority is low

  
Priority/Medium

The priority is medium

  
Reviewed/Confirmed

Issue has been confirmed

  
Reviewed/Duplicate

This issue or pull request already exists

  
Reviewed/Invalid

Invalid issue

  
Reviewed/Won't Fix

This issue won't be fixed

  
Security

This is a security issue

  
Silenced Alert

This issue was created to track a silenced alert which needs remediation work.

  
Status/Abandoned

Somebody has started to work on this but abandoned work

  
Status/Blocked

Something is blocking this issue or pull request

  
Status/Need More Info

Feedback is required to reproduce issue or to continue work

  
Status/Postponed

We can do this later

  
Tracking Issue

Umbrella issue of many things at the same time

No labels
Compat/Breaking
Difficulty/Architectural
Difficulty/Easy
Difficulty/Hard
Help Wanted
Kind/Bug
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Testing
Priority/Critical
Priority/High
Priority/Low
Priority/Medium
Reviewed/Confirmed
Reviewed/Duplicate
Reviewed/Invalid
Reviewed/Won't Fix
Security
Silenced Alert
Status/Abandoned
Status/Blocked
Status/Need More Info
Status/Postponed
Tracking Issue
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
afnix/infra!360
No description provided.