Conversation

@mlorenzofr
Collaborator
This PR adds a new sidecar container (spiffe-vault-client) to the qtodo app.

A Python script running inside this container will:

  1. connect to the Vault service (using the cluster svc address and TLS)
  2. retrieve a Vault client token using the SPIFFE jwt.token generated by the spiffe-helper container
  3. get the qtodo database credentials
  4. dump the credentials into a properties file

Perhaps we could build an image instead of creating the script on the fly. This would improve the startup process.

The script can be configured using the following environment variables:

  • VAULT_URL
  • VAULT_ROLE
  • VAULT_SECRET_PATH
  • DB_USERNAME
  • CREDENTIALS_FILE

I set up the Chart template to configure these variables using the values-hub.yaml file.

Here is an example of spiffe-vault-client logs:

2025-08-28 15:59:07,210 - INFO - Initialized VaultCredentialManager with:
2025-08-28 15:59:07,210 - INFO -   VAULT_URL: https://vault.vault.svc.cluster.local:8200
2025-08-28 15:59:07,210 - INFO -   VAULT_SECRET_PATH: secret/data/global/qtodo
2025-08-28 15:59:07,210 - INFO -   VAULT_ROLE: dev
2025-08-28 15:59:07,210 - INFO - Starting Vault credential manager
2025-08-28 15:59:07,210 - ERROR - Failed to retrieve SPIFFE token: [Errno 2] No such file or directory: '/svids/jwt.token'
2025-08-28 15:59:07,210 - ERROR - Vault authentication error: [Errno 2] No such file or directory: '/svids/jwt.token'
2025-08-28 15:59:07,210 - ERROR - Error in main loop: [Errno 2] No such file or directory: '/svids/jwt.token'
2025-08-28 15:59:07,210 - INFO - Retrying in 60 seconds...
2025-08-28 16:00:07,211 - INFO - Successfully retrieved SPIFFE JWT token
2025-08-28 16:00:07,211 - INFO - Authenticating with Vault
2025-08-28 16:00:07,235 - INFO - Successfully authenticated with Vault
2025-08-28 16:00:07,235 - INFO - Token lease duration: 3600 seconds
2025-08-28 16:00:07,235 - INFO - Retrieving secret from Vault
2025-08-28 16:00:07,249 - INFO - Successfully retrieved secret from Vault
2025-08-28 16:00:07,249 - INFO - Extracted 1 credential(s)
2025-08-28 16:00:07,250 - INFO - Credentials written to /run/secrets/db-credentials/credentials.properties
2025-08-28 16:00:07,250 - INFO - Sleeping for 1800 seconds before next check

And this is the result in qtodo app container:

$ oc exec -ti -n qtodo qtodo-674dfc5dcd-d8fw4 -c qtodo -- cat /run/secrets/db-credentials/credentials.properties
# Generated credentials from Vault
# Generated at: 2025-08-28T16:00:07.250004

quarkus.datasource.username=qtodo_user
quarkus.datasource.password=secret-password
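The four steps the description lists (read the JWT-SVID, log in to Vault with it, read the KV secret, write the properties file) and the retry loop from the log, as an added example written for this page. This is not the PR's own script and makes assumptions the PR does not state: Vault's JWT auth method is mounted at auth/jwt, the KV v2 secret's data is a map of database username to password (so DB_USERNAME selects one entry, matching "Extracted 1 credential(s)"), the Vault CA bundle path is taken from a VAULT_CACERT variable, and the SVID path is configurable via SVID_PATH with the same /svids/jwt.token default seen in the log. The `fake_vault`, `SAMPLE_SVID` and `demo` fixtures are constructed so the cycle can be exercised offline.

```python
# Added example written for this page, not the PR's own script: the sidecar's four steps
# (read JWT-SVID, JWT-login to Vault, read KV v2 secret, write properties file) as small
# functions plus the retry loop. Assumed, because the PR does not show them: Vault's JWT
# auth is mounted at auth/jwt; the KV v2 secret's data is {db_username: password}; the
# Vault CA bundle path comes from VAULT_CACERT; SVID_PATH defaults to /svids/jwt.token.
import base64, json, logging, os, ssl, tempfile, time, urllib.request
from datetime import datetime, timezone

log = logging.getLogger("spiffe-vault-client")

def read_svid(path):
    # Re-read every cycle: spiffe-helper rotates the SVID. A missing file just means the
    # helper has not written it yet (the ENOENT seen in the PR's first log lines).
    with open(path, encoding="utf-8") as f:
        return f.read().strip()

def jwt_claims(token):
    """Decode (not verify) the payload so sub/exp can be logged; Vault verifies the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def login_request(vault_url, role, token, mount="jwt"):
    """URL and POST body for Vault's JWT auth login (the mount name is an assumption)."""
    return f"{vault_url.rstrip('/')}/v1/auth/{mount}/login", json.dumps({"role": role, "jwt": token}).encode()

def parse_login(resp):
    return resp["auth"]["client_token"], int(resp["auth"]["lease_duration"])

def extract_credentials(kv_resp, username):
    """KV v2 nests the payload as data.data; select only the configured user's entry."""
    data = kv_resp["data"]["data"]
    if username not in data:
        raise KeyError(f"no credential for {username!r} in secret")
    return {username: data[username]}

def render_properties(creds, now):
    lines = ["# Generated credentials from Vault", f"# Generated at: {now.isoformat()}", ""]
    for user, pw in creds.items():
        lines += [f"quarkus.datasource.username={user}", f"quarkus.datasource.password={pw}"]
    return "\n".join(lines) + "\n"

def write_properties(path, content):
    """0600 plus atomic rename: the app never sees a half-written or world-readable file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".creds-")
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(content)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return os.stat(path).st_mode & 0o777

def vault_call(method, url, body=None, token=None, cacert=None):
    ctx = ssl.create_default_context(cafile=cacert)  # TLS stays verified; never disable it
    headers = {"Content-Type": "application/json", **({"X-Vault-Token": token} if token else {})}
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as r:
        return json.load(r)

def refresh_once(cfg, call=vault_call):
    """One cycle: SVID -> Vault token -> secret -> file. Returns the seconds to sleep."""
    svid = read_svid(cfg["SVID_PATH"])
    claims = jwt_claims(svid)
    log.info("SVID sub=%s exp=%s", claims.get("sub"), claims.get("exp"))
    url, body = login_request(cfg["VAULT_URL"], cfg["VAULT_ROLE"], svid)
    client_token, lease = parse_login(call("POST", url, body, cacert=cfg.get("VAULT_CACERT")))
    log.info("Token lease duration: %d seconds", lease)
    secret_url = f"{cfg['VAULT_URL'].rstrip('/')}/v1/{cfg['VAULT_SECRET_PATH']}"
    kv = call("GET", secret_url, token=client_token, cacert=cfg.get("VAULT_CACERT"))
    creds = extract_credentials(kv, cfg["DB_USERNAME"])
    write_properties(cfg["CREDENTIALS_FILE"], render_properties(creds, datetime.now(timezone.utc)))
    log.info("Credentials written to %s", cfg["CREDENTIALS_FILE"])  # log the path, never the values
    return min(1800, lease // 2)  # refresh well inside the Vault token's lease

def main():
    logging.basicConfig(level=logging.INFO, format="%(asctime)s - %(levelname)s - %(message)s")
    keys = ("VAULT_URL", "VAULT_ROLE", "VAULT_SECRET_PATH", "DB_USERNAME", "CREDENTIALS_FILE", "VAULT_CACERT")
    cfg = {k: os.environ.get(k) for k in keys}
    cfg["SVID_PATH"] = os.environ.get("SVID_PATH", "/svids/jwt.token")
    while True:
        try:
            delay = refresh_once(cfg)
        except Exception as exc:  # covers the missing-SVID case; back off and retry
            log.error("Error in main loop: %s", exc)
            delay = 60
        log.info("Sleeping for %d seconds", delay)
        time.sleep(delay)

# Constructed offline fixtures (not a real SVID, not real Vault responses).
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_SVID = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                        _b64url({"sub": "spiffe://example.org/ns/qtodo/sa/qtodo", "aud": ["vault"], "exp": 1756396800}),
                        "sig"])  # placeholder signature: decodes fine, would fail Vault's verification

def fake_vault(method, url, body=None, token=None, cacert=None):
    if url.endswith("/v1/auth/jwt/login"):
        assert method == "POST" and json.loads(body)["role"] == "dev"
        return {"auth": {"client_token": "hvs.example", "lease_duration": 3600}}
    assert method == "GET" and token == "hvs.example" and url.endswith("/v1/secret/data/global/qtodo")
    return {"data": {"data": {"qtodo_user": "secret-password"}}}

def demo():
    """Run one cycle against the fixtures; returns (sleep seconds, file text, file mode)."""
    d = tempfile.mkdtemp()
    cfg = {"VAULT_URL": "https://vault.vault.svc.cluster.local:8200", "VAULT_ROLE": "dev",
           "VAULT_SECRET_PATH": "secret/data/global/qtodo", "DB_USERNAME": "qtodo_user",
           "CREDENTIALS_FILE": os.path.join(d, "credentials.properties"), "SVID_PATH": os.path.join(d, "jwt.token")}
    with open(cfg["SVID_PATH"], "w") as f:
        f.write(SAMPLE_SVID)
    delay = refresh_once(cfg, call=fake_vault)
    with open(cfg["CREDENTIALS_FILE"]) as f:
        return delay, f.read(), os.stat(cfg["CREDENTIALS_FILE"]).st_mode & 0o777

if __name__ == "__main__":
    main()
```

Two choices worth noting: the SVID is re-read on every cycle rather than cached, because spiffe-helper rotates it and a Vault login with an expired SVID fails; and the sleep is capped at half the Vault token lease, so the 1800-second interval from the log is only used when the lease allows it.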

@mlorenzofr
Collaborator Author

@posip-redhat @sabre1041

@ghost commented Aug 28, 2025

Was advocating creation of a sidecar container image and pushing it to Quay. The Slack discussion is on using the base Python UBI and injecting the Python code via a CM.

@sabre1041 (Collaborator) left a comment

First batch of suggestions

@mlorenzofr
Collaborator Author

First batch of suggestions

Thanks for the review @sabre1041 ! 🙏
I've implemented all the suggestions, please review them when possible

Signed-off-by: Manuel Lorenzo <mlorenzofr@redhat.com>
@mlorenzofr mlorenzofr marked this pull request as ready for review September 1, 2025 16:58
@sabre1041 (Collaborator) left a comment

LGTM

Requires #33 to be integrated first

@ghost ghost merged commit a715d2a into validatedpatterns:main Sep 3, 2025
3 checks passed
@mlorenzofr mlorenzofr deleted the mbp-951 branch September 3, 2025 16:12
beraldoleal pushed a commit to beraldoleal/layered-zero-trust that referenced this pull request Sep 17, 2025
* fix: add ripple ns

Signed-off-by: Chris Butler <chris.butler@redhat.com>

* feat: enable LE

Signed-off-by: Chris Butler <chris.butler@redhat.com>

* fix: remove unneeded azure credential code

Signed-off-by: Chris Butler <chris.butler@redhat.com>

---------

Signed-off-by: Chris Butler <chris.butler@redhat.com>
This pull request was closed.