Switch vault to vault.services.fedcloud.eu

README.md

@@ -9,18 +9,20 @@ Notebooks.
 
 Prepare environment for interrating with Hashicorp Vault:
 
-    export VAULT_ADDR=https://vault.egi.zcu.cz:8200
+    export VAULT_ADDR=https://vault.services.fedcloud.eu:8200
 
-    # replace $LOGIN for real user name in vault
-    vault login -method=userpass username=$LOGIN
+Login:
 
-Check environment:
+    # get the service token
+    read OIDC_ACCESS_TOKEN
 
-    vault kv get -mount=eosc/dev -field 'data' -format=json test
+    # login to vault
+    export VAULT_TOKEN=$(vault write auth/jwt/login jwt=$OIDC_ACCESS_TOKEN | grep -Po 'token\s+\K[^\s]+$')
 
 Note: values were created as admin by commands (replace $SECRET\_NAME and $VALUE):
 
-    vault kv put -mount=eosc/dev $SECRET_NAME value=$VALUE
+    prefix=/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/eosc-dev
+    vault kv put -mount=secret vault kv put -mount secrets $prefix/nexus_admin_password/$SECRET_NAME value=$VALUE
 
 ## Sites
 

cesnet-central/inventory/99-all.yaml

@@ -10,7 +10,7 @@ all:
     ansible_user: egi
 
     site_name: cesnet-central
-    vault_mount_point: eosc/dev
+    vault_mount_point: secrets/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/eosc-dev
 
     binder_hostname: replay.eosc.zcu.cz
     old_binder_hostname: binder.eosc.zcu.cz

cesnet-central/playbooks/repository-nexus.yaml

@@ -3,11 +3,11 @@
   hosts: master
   vars:
     nexus_url: "https://{{ nexus_hostname }}/service/rest/v1"
-    nexus_admin_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_admin_password:value', token_validate=false) }}"
-    nexus_binder_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_binder_password:value', token_validate=false) }}"
-    nexus_notebooks_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_notebooks_password:value',
+    nexus_admin_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/nexus_admin_password:value', token_validate=false) }}"
+    nexus_binder_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/nexus_binder_password:value', token_validate=false) }}"
+    nexus_notebooks_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/nexus_notebooks_password:value',
       token_validate=false) }}"
-    nexus_writer_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_writer_password:value', token_validate=false) }}"
+    nexus_writer_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/nexus_writer_password:value', token_validate=false) }}"
     nexus_blobstore_name: default
     nexus_blobstore_type: file
     nexus_repository_name: container-notebooks

cesnet-mcc/inventory/99-all.yaml

@@ -11,7 +11,7 @@ all:
     ansible_become: yes
     ansible_user: egi
     site_name: cesnet-mcc
-    vault_mount_point: eosc/dev
+    vault_mount_point: secrets/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/eosc-dev
 
     gateway_hostname: gateway-cesnet.eosc.zcu.cz
     grafana_hostname: grafana-cesnet.eosc.zcu.cz

cesnet-mcc/playbooks/gateway.yaml

@@ -11,7 +11,7 @@
         dest: /tmp/gateway.yaml
         mode: 0640
         content: |
-          authToken: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/gateway_authtoken:value', token_validate=true) }}"
+          authToken: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/gateway_authtoken:value', token_validate=true) }}"
           global:
             rbac: true
           deployment: