@descrepes
Last active September 8, 2020 14:58
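---
# Argo WorkflowTemplate with three script steps for Zenko provisioning:
# `account`, `location` and `bucket`. Each step runs `sh` in the zenko-cli
# image; credentials reach the pod through the Vault Agent injector
# annotations under each template's `metadata.annotations`.
#
# NOTE(review): the published copy lost its indentation. Nesting below is
# reconstructed from the Argo WorkflowTemplate schema; confirm it against the
# original file before applying.
#
# Workflow parameters are handed to each script as environment variables
# (`script.env`) and expanded by the shell inside double quotes. Argo
# substitutes parameter text into `source` before the shell parses it, so an
# inline parameter containing shell metacharacters would be executed as part
# of the script.
#
# NOTE(review): `descrepes/zenko-cli:latest` is a mutable tag pulled on every
# run, and these pods receive Vault-issued credentials. Pin the image by
# digest (descrepes/zenko-cli@sha256:<DIGEST_PLACEHOLDER>) once a reviewed
# build is chosen.
#
# NOTE(review): TLS verification towards Vault is disabled twice: in the
# script (VAULT_SKIP_VERIFY) and for the injected agent
# (vault.hashicorp.com/tls-skip-verify). The pod therefore cannot
# authenticate the server it presents its service-account token to, and
# PYTHONWARNINGS hides the resulting warning. Left unchanged because the CA
# bundle location is not shown here; the injector accepts
# `vault.hashicorp.com/ca-cert` for this purpose.
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: zenko
  namespace: argo
spec:
  templates:
    # Creates a Zenko user and has the CLI store the result in Vault
    # (`--store-in-vault`, Kubernetes auth method).
    - name: account
      inputs:
        parameters:
          - name: username
      serviceAccountName: argo
      script:
        imagePullPolicy: "Always"
        image: descrepes/zenko-cli:latest
        command: ["sh"]
        env:
          - name: PARAM_USERNAME
            value: "{{inputs.parameters.username}}"
        # The sourced file is rendered by the agent-inject-template-zenko
        # annotation below and exports ZENKO_ACCESS_TOKEN / ZENKO_INSTANCE_ID.
        source: |
          export VAULT_ADDR="https://vault.default:8200"
          export VAULT_SKIP_VERIFY="true"
          export PYTHONWARNINGS="ignore:Unverified HTTPS request"
          . /home/myuser/.env/zenko
          /home/myuser/zenkocli user \
            --username "$PARAM_USERNAME" \
            --store-in-vault \
            --vault-auth-method kubernetes
      metadata:
        annotations:
          vault.hashicorp.com/agent-inject: "true"
          vault.hashicorp.com/role: "zenko"
          vault.hashicorp.com/tls-skip-verify: "true"
          vault.hashicorp.com/agent-inject-secret-zenko: "argo/zenko"
          # Rendered to /home/myuser/.env/zenko and sourced by the script.
          # NOTE(review): values are written unquoted into a file that `sh`
          # sources; a value with whitespace or shell metacharacters would be
          # interpreted by the shell. Confirm the stored values are safe.
          vault.hashicorp.com/agent-inject-template-zenko: |
            {{- with secret "argo/zenko" -}}
            export ZENKO_ACCESS_TOKEN={{.Data.data.access_token}}
            export ZENKO_INSTANCE_ID={{.Data.data.instance_id}}
            {{- end -}}
          vault.hashicorp.com/secret-volume-path-zenko: "/home/myuser/.env"

    # Registers an Azure-backed storage location (`location-azure-v1`) using
    # the keys of the selected customer account.
    - name: location
      inputs:
        parameters:
          - name: account
          - name: locationName
          - name: locationBucketName
          - name: locationEndpoint
      serviceAccountName: argo
      script:
        imagePullPolicy: "Always"
        image: descrepes/zenko-cli:latest
        command: ["sh"]
        env:
          - name: PARAM_ACCOUNT
            value: "{{inputs.parameters.account}}"
          - name: PARAM_LOCATION_NAME
            value: "{{inputs.parameters.locationName}}"
          - name: PARAM_LOCATION_BUCKET_NAME
            value: "{{inputs.parameters.locationBucketName}}"
          - name: PARAM_LOCATION_ENDPOINT
            value: "{{inputs.parameters.locationEndpoint}}"
        # The account name still forms part of the yq path expression, so it
        # should be validated upstream as a plain identifier; quoting only
        # keeps it away from the shell parser.
        # NOTE(review): `acces_key` (single "s") must match the key name
        # stored in Vault. Confirm it is not a typo for `access_key`.
        source: |
          export VAULT_ADDR="https://vault.default:8200"
          export VAULT_SKIP_VERIFY="true"
          export PYTHONWARNINGS="ignore:Unverified HTTPS request"
          . /home/myuser/.env/zenko
          export LOCATION_ACCESS_KEY=$(cat /home/myuser/.env/account | yq -r ".${PARAM_ACCOUNT}.acces_key")
          export LOCATION_SECRET_KEY=$(cat /home/myuser/.env/account | yq -r ".${PARAM_ACCOUNT}.secret_key")
          /home/myuser/zenkocli location \
            --location-name "$PARAM_LOCATION_NAME" \
            --location-type location-azure-v1 \
            --location-bucket-name "$PARAM_LOCATION_BUCKET_NAME" \
            --location-endpoint "$PARAM_LOCATION_ENDPOINT"
      metadata:
        annotations:
          vault.hashicorp.com/agent-inject: "true"
          vault.hashicorp.com/role: "zenko"
          vault.hashicorp.com/tls-skip-verify: "true"
          vault.hashicorp.com/agent-inject-secret-zenko: "argo/zenko"
          vault.hashicorp.com/agent-inject-template-zenko: |
            {{- with secret "argo/zenko" -}}
            export ZENKO_ACCESS_TOKEN={{.Data.data.access_token}}
            export ZENKO_INSTANCE_ID={{.Data.data.instance_id}}
            {{- end -}}
          vault.hashicorp.com/secret-volume-path-zenko: "/home/myuser/.env"
          vault.hashicorp.com/agent-inject-secret-account: "customers/metadata/azure/accounts"
          # Rendered to /home/myuser/.env/account as a YAML map of
          # account name -> key/value pairs, which the script reads with yq.
          # The two-space indent on the key/value line is reconstructed: the
          # script's `.<account>.<key>` lookup requires the pairs to nest
          # under the account name.
          # NOTE(review): this renders the keys of every account under
          # customers/.../azure/accounts into the pod although the step uses
          # one. Narrow the Vault policy or the template to the account the
          # step needs. Values are emitted unquoted, so a value containing
          # ": " or " #" would not parse back as written.
          vault.hashicorp.com/agent-inject-template-account: |
            {{ range secrets "customers/metadata/azure/accounts/" }}
            {{ . }}:
            {{- with secret (printf "customers/data/azure/accounts/%s" .) }}{{ range $k, $v := .Data.data }}
              {{ $k }}: {{ $v -}}
            {{- end -}}{{ end }}{{ end }}
          vault.hashicorp.com/secret-volume-path-account: "/home/myuser/.env"

    # Creates a bucket on the Zenko cloudserver endpoint with the AWS CLI,
    # using the named profile from the injected credentials file.
    - name: bucket
      inputs:
        parameters:
          - name: profile
          - name: bucket
          - name: region
      serviceAccountName: argo
      script:
        imagePullPolicy: "Always"
        image: descrepes/zenko-cli:latest
        command: ["sh"]
        env:
          - name: PARAM_PROFILE
            value: "{{inputs.parameters.profile}}"
          - name: PARAM_BUCKET
            value: "{{inputs.parameters.bucket}}"
          - name: PARAM_REGION
            value: "{{inputs.parameters.region}}"
        # NOTE(review): the endpoint is plain HTTP, so requests made with the
        # injected keys cross the cluster network unencrypted and the server
        # is not authenticated. Use a TLS endpoint if cloudserver offers one.
        source: |
          aws s3 mb "s3://${PARAM_BUCKET}" \
            --region "$PARAM_REGION" \
            --endpoint-url http://zenko-cloudserver.default:80 \
            --profile "$PARAM_PROFILE"
      metadata:
        annotations:
          vault.hashicorp.com/agent-inject: "true"
          vault.hashicorp.com/role: "zenko"
          vault.hashicorp.com/tls-skip-verify: "true"
          vault.hashicorp.com/agent-inject-secret-credentials: "customers/metadata/zenko/accounts"
          # Rendered to /home/myuser/.aws/credentials with one INI section
          # per Zenko account.
          # NOTE(review): every account's key pair is written into the pod
          # although one profile is used per run. Narrow the Vault policy or
          # the template to the requested profile.
          vault.hashicorp.com/agent-inject-template-credentials: |
            {{ range secrets "customers/metadata/zenko/accounts/" }}
            [{{ . }}]
            {{- with secret (printf "customers/data/zenko/accounts/%s" .) }}
            aws_access_key_id = {{.Data.data.key_id}}
            aws_secret_access_key = {{.Data.data.key_secret}}
            {{ end }}{{ end }}
          vault.hashicorp.com/secret-volume-path-credentials: "/home/myuser/.aws"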