From 7e372d93b5c4917bc6826c0a899f25d22183fc0b Mon Sep 17 00:00:00 2001 From: Muse Mulatu Date: Sun, 19 Jan 2025 19:45:00 -0700 Subject: [PATCH 1/5] feat: set issuer for identity token secret store Creates a policy to allow entities/role to access token for "federated" role. Add role for kubefirst-pro api, argocd server, argocd application controller and crossplane terraform provider roles. --- civo-github/terraform/vault/identity-token.tf | 30 ++++++++++++++++ .../vault/kubernetes-auth-backend.tf | 36 +++++++++++++++++++ civo-github/terraform/vault/policies.tf | 11 ++++++ 3 files changed, 77 insertions(+) create mode 100644 civo-github/terraform/vault/identity-token.tf diff --git a/civo-github/terraform/vault/identity-token.tf b/civo-github/terraform/vault/identity-token.tf new file mode 100644 index 000000000..be7621145 --- /dev/null +++ b/civo-github/terraform/vault/identity-token.tf @@ -0,0 +1,30 @@ +resource "vault_identity_oidc" "this" { + issuer = "https://vault." +} + +resource "vault_identity_oidc_key" "federated" { + name = "federated" + algorithm = "RS256" +} + +resource "vault_identity_oidc_role" "federated" { + name = "federated" + key = vault_identity_oidc_key.federated.id + ttl = 3600 + template = < Date: Sun, 19 Jan 2025 19:45:51 -0700 Subject: [PATCH 2/5] feat: add vault-injector annotation --- .../argocd-application-controller-sa.yaml | 18 ++++++++++++++++++ .../components/argocd/argocd-server-sa.yaml | 18 ++++++++++++++++++ .../mgmt/components/argocd/kustomization.yaml | 2 ++ .../crossplane/provider/controllerconfig.yaml | 8 ++++++++ .../mgmt/components/kubefirst/console.yaml | 9 +++++++++ 5 files changed, 55 insertions(+) create mode 100644 civo-github/templates/mgmt/components/argocd/argocd-application-controller-sa.yaml create mode 100644 civo-github/templates/mgmt/components/argocd/argocd-server-sa.yaml 
diff --git a/civo-github/templates/mgmt/components/argocd/argocd-application-controller-sa.yaml b/civo-github/templates/mgmt/components/argocd/argocd-application-controller-sa.yaml
new file mode 100644
index 000000000..dbeb7d4ef
--- /dev/null
+++ b/civo-github/templates/mgmt/components/argocd/argocd-application-controller-sa.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sa-argocd-application-controller"
+ vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
+ vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
+ vault.hashicorp.com/agent-inject-template-jwt-token: |
+ {{- with secret "identity/oidc/token/federated" -}}
+ {{ .Data.token }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: application-controller
+ app.kubernetes.io/name: argocd-application-controller
+ app.kubernetes.io/part-of: argocd
+ name: argocd-application-controller
+ namespace: argocd
diff --git a/civo-github/templates/mgmt/components/argocd/argocd-server-sa.yaml b/civo-github/templates/mgmt/components/argocd/argocd-server-sa.yaml
new file mode 100644
index 000000000..618773df7
--- /dev/null
+++ b/civo-github/templates/mgmt/components/argocd/argocd-server-sa.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sa-argocd-server"
+ vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
+ vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
+ vault.hashicorp.com/agent-inject-template-jwt-token: |
+ {{- with secret "identity/oidc/token/federated" -}}
+ {{ .Data.token }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: server
+ app.kubernetes.io/name: argocd-server
+ app.kubernetes.io/part-of: argocd
+ name: argocd-server
+ namespace: argocd
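Review bot: The `vault.hashicorp.com/*` annotations in this hunk are placed on the ServiceAccount object, but the Vault Agent Injector is a pod mutating webhook that reads pod annotations, so as far as I can tell nothing will be injected into the argocd-application-controller pods; the argocd-server-sa.yaml hunk that follows has the same problem. Patch 4/5 of this series makes the corresponding move for the Crossplane ControllerConfig (into `spec.metadata.annotations`); the Argo CD equivalent is a strategic-merge patch on the workload's pod template, i.e. `spec.template.metadata.annotations` of the application-controller StatefulSet and the server Deployment, leaving the ServiceAccount unannotated. Separately, `vault.hashicorp.com/role: "sa-argocd-application-controller"` only works if a Kubernetes-auth role of that name is bound to service account `argocd-application-controller` in namespace `argocd`; that role is created in patch 1/5, which is not readable in this copy, so it is worth confirming the bound names match.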
diff --git a/civo-github/templates/mgmt/components/argocd/kustomization.yaml b/civo-github/templates/mgmt/components/argocd/kustomization.yaml
index 00ddbc540..11671f0da 100644
--- a/civo-github/templates/mgmt/components/argocd/kustomization.yaml
+++ b/civo-github/templates/mgmt/components/argocd/kustomization.yaml
@@ -13,6 +13,8 @@ resources:
 patchesStrategicMerge:
 - argocd-cm.yaml
 - argocd-cmd-params-cm.yaml
+ - argocd-server-sa.yaml
+ - argocd-application-controller-sa.yaml
 generatorOptions:
 disableNameSuffixHash: true
diff --git a/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml b/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
index 3d9e9f701..85e1b35a0 100644
--- a/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
+++ b/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
@@ -3,6 +3,14 @@ kind: ControllerConfig
 metadata:
 annotations:
 argocd.argoproj.io/sync-wave: '10'
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sa-crossplane-provider-terraform"
+ vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
+ vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
+ vault.hashicorp.com/agent-inject-template-jwt-token: |
+ {{- with secret "identity/oidc/token/federated" -}}
+ {{ .Data.token }}
+ {{- end }}
 labels:
 app: crossplane-provider-terraform
 name: terraform-config
diff --git a/civo-github/templates/mgmt/components/kubefirst/console.yaml b/civo-github/templates/mgmt/components/kubefirst/console.yaml
index cedff7331..59821c89a 100644
--- a/civo-github/templates/mgmt/components/kubefirst/console.yaml
+++ b/civo-github/templates/mgmt/components/kubefirst/console.yaml
@@ -26,6 +26,15 @@ spec:
 kubefirstVersion: ""
 useTelemetry: ""
 kubefirst-pro-api:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sa-kubefirst-pro-api"
+ vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
+ vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
+ vault.hashicorp.com/agent-inject-template-jwt-token: |
+ {{- with secret "identity/oidc/token/federated" -}}
+ {{ .Data.token }}
+ {{- end }}
 extraEnv:
 CLUSTER_NAME: ""
 kubefirst-pro-ui:
From abec43f93f928f2459c2dadeb9a12b5993784905 Mon Sep 17 00:00:00 2001
From: Muse Mulatu
Date: Sun, 19 Jan 2025 19:46:12 -0700
Subject: [PATCH 3/5] feat: use vault generated token file
---
 .../workload-cluster/provider-config/providerconfig.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws-github/templates/workload-cluster/provider-config/providerconfig.yaml b/aws-github/templates/workload-cluster/provider-config/providerconfig.yaml
index 860c149fd..3720cbfcc 100644
--- a/aws-github/templates/workload-cluster/provider-config/providerconfig.yaml
+++ b/aws-github/templates/workload-cluster/provider-config/providerconfig.yaml
@@ -38,7 +38,7 @@ spec:
 assume_role_with_web_identity {
 session_name = "kubefirst-pro"
 role_arn = ""
- web_identity_token_file = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
+ web_identity_token_file = "/vault/secret/jwt-token"
 }
 }
 credentials:
From 66a9799cdc136558f623792c51273c3e4ce3396d Mon Sep 17 00:00:00 2001
From: Muse Mulatu
Date: Mon, 20 Jan 2025 18:28:56 -0700
Subject: [PATCH 4/5] fix: update annotation for controller pod
---
 .../crossplane/provider/controllerconfig.yaml | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml b/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
index 85e1b35a0..8969f7721 100644
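Review bot: `kubefirst-pro-api` becomes the fourth workload wired to the single `identity/oidc/token/federated` role (with argocd-server, argocd-application-controller and the Crossplane terraform provider), so every one of them can mint a token from the same issuer with the same `aud`; the only per-workload distinguishing claim is then `sub` (the caller's Vault entity ID) or whatever the role template in identity-token.tf adds, and that template is truncated in this copy. Any AWS IAM trust policy for this issuer therefore needs a `sub`/claim condition in addition to the `aud` condition that patch 5/5 enables, otherwise each of the four workloads can assume every role that trusts the issuer; a Vault OIDC role per workload would make that boundary explicit. Also, whether `annotations:` under `kubefirst-pro-api` ends up on the pod template or on the Deployment object depends on the console chart, which is worth confirming since the injector only reads pod annotations.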
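Review bot: `web_identity_token_file = "/vault/secret/jwt-token"` names a directory the injector does not write by default: a secret declared with `vault.hashicorp.com/agent-inject-secret-jwt-token` is rendered under `/vault/secrets/` (plural), so the provider would fail to read the token unless a `vault.hashicorp.com/secret-volume-path` annotation overrides the directory, and none of the annotation hunks in this series set one. Change the line to `web_identity_token_file = "/vault/secrets/jwt-token"` or add the volume-path annotation on the provider pod. This file sits under `aws-github/.../workload-cluster` while the injector annotations are under `civo-github/.../mgmt`; presumably intentional, but worth confirming that the provider pod rendering this ProviderConfig is the one that receives the annotations. The `assume_role_with_web_identity` block is complete within the hunk, but the enclosing `spec` continues outside it.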
--- a/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
+++ b/civo-github/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
@@ -3,18 +3,21 @@ kind: ControllerConfig
 metadata:
 annotations:
 argocd.argoproj.io/sync-wave: '10'
- vault.hashicorp.com/agent-inject: "true"
- vault.hashicorp.com/role: "sa-crossplane-provider-terraform"
- vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
- vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
- vault.hashicorp.com/agent-inject-template-jwt-token: |
- {{- with secret "identity/oidc/token/federated" -}}
- {{ .Data.token }}
- {{- end }}
 labels:
 app: crossplane-provider-terraform
 name: terraform-config
 spec:
+ metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "sa-crossplane-provider-terraform"
+ vault.hashicorp.com/auth-path: auth/kubernetes/kubefirst
+ vault.hashicorp.com/agent-inject-secret-jwt-token: "identity/oidc/token/federated"
+ vault.hashicorp.com/agent-inject-template-jwt-token: |
+ {{- with secret "identity/oidc/token/federated" -}}
+ {{ .Data.token }}
+ {{- end }}
 args:
 - -d
 - --poll=2m
From 48017b206f73488731fe5280c48fb192cb2691b3 Mon Sep 17 00:00:00 2001
From: Muse Mulatu
Date: Mon, 20 Jan 2025 18:29:51 -0700
Subject: [PATCH 5/5] add aud
---
 civo-github/terraform/vault/identity-token.tf | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/civo-github/terraform/vault/identity-token.tf b/civo-github/terraform/vault/identity-token.tf
index be7621145..19b99e16d 100644
--- a/civo-github/terraform/vault/identity-token.tf
+++ b/civo-github/terraform/vault/identity-token.tf
@@ -8,10 +8,12 @@ resource "vault_identity_oidc_key" "federated" {
 }
 resource "vault_identity_oidc_role" "federated" {
- name = "federated"
- key = vault_identity_oidc_key.federated.id
- ttl = 3600
- template = <
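Review bot: The injected agent logs in with `vault.hashicorp.com/role: "sa-crossplane-provider-terraform"`, and a Vault Kubernetes-auth role is bound to explicit service account names; as I recall, a Crossplane provider pod runs under a generated per-revision service account unless `spec.serviceAccountName` is set on the ControllerConfig, and that field does not appear in this hunk (the `spec` continues outside it). Unless it is set further down the file, the login will be rejected and no `jwt-token` file is rendered; either set `spec.serviceAccountName` to the name the auth role in patch 1/5 binds, or bind that role with a wildcard name and a namespace restriction. Minor: `argocd.argoproj.io/sync-wave: '10'` is duplicated into the pod-template annotations under `spec.metadata.annotations`, where Argo CD does not act on it, so it can be dropped there.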