Fix the Vault auth role for helmfile apply jobs from the main branch

Pierre Guinoiseau requested to merge pguinoiseau/fix-ci-vault-k8s-secrets into master

What

Fix the Vault auth role for helmfile apply jobs from the main branch.

Why

It's using the readonly role by default, which is no longer allowed to use the readwrite Kubernetes roles.

$ export HELM_KUBETOKEN="$(vault write -field=service_account_token "kubernetes/${GKE_CLUSTER}/creds/${VAULT_KUBERNETES_ROLE}" kubernetes_namespace=vault-k8s-secrets cluster_role_binding=true ttl=100m)"
Error writing data to kubernetes/gprd-gitlab-gke/creds/cluster-admin: Error making API request.
URL: PUT https://vault.ops.gke.gitlab.net/v1/kubernetes/gprd-gitlab-gke/creds/cluster-admin
Code: 403. Errors:
* 1 error occurred:
	* permission denied
