From c770bbf2ea11d8c2c3b5b68efe502e0e86765943 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Fri, 26 Jan 2024 16:55:11 +0000
Subject: [PATCH] Switch vault to vault.services.fedcloud.eu

---
 README.md                                      | 14 ++++++++------
 cesnet-central/inventory/99-all.yaml           |  2 +-
 cesnet-central/playbooks/repository-nexus.yaml |  8 ++++----
 cesnet-mcc/inventory/99-all.yaml               |  2 +-
 cesnet-mcc/playbooks/gateway.yaml              |  2 +-
 5 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 1690f56..c00c7ae 100644
--- a/README.md
+++ b/README.md
@@ -9,18 +9,20 @@ Notebooks.
 
 Prepare environment for interrating with Hashicorp Vault:
 
-    export VAULT_ADDR=https://vault.egi.zcu.cz:8200
+    export VAULT_ADDR=https://vault.services.fedcloud.eu:8200
 
-    # replace $LOGIN for real user name in vault
-    vault login -method=userpass username=$LOGIN
+Login:
 
-Check environment:
+    # get the service token
+    read OIDC_ACCESS_TOKEN
 
-    vault kv get -mount=eosc/dev -field 'data' -format=json test
+    # login to vault
+    export VAULT_TOKEN=$(vault write auth/jwt/login jwt=$OIDC_ACCESS_TOKEN | grep -Po 'token\s+\K[^\s]+$')
 
 Note: values were created as admin by commands (replace $SECRET\_NAME and $VALUE):
 
-    vault kv put -mount=eosc/dev $SECRET_NAME value=$VALUE
+    prefix=/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/eosc-dev
+    vault kv put -mount=secret vault kv put -mount secrets $prefix/nexus_admin_password/$SECRET_NAME value=$VALUE
 
 ## Sites
 
diff --git a/cesnet-central/inventory/99-all.yaml b/cesnet-central/inventory/99-all.yaml
index 54f7e62..54febfd 100644
--- a/cesnet-central/inventory/99-all.yaml
+++ b/cesnet-central/inventory/99-all.yaml
@@ -10,7 +10,7 @@ all:
     ansible_user: egi
 
     site_name: cesnet-central
-    vault_mount_point: eosc/dev
+    vault_mount_point: secrets/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/eosc-dev
 
     binder_hostname: replay.eosc.zcu.cz
     old_binder_hostname: binder.eosc.zcu.cz
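Review bot: The new `vault_mount_point` value on the `+` line anchors every secret this site reads under one individual's namespace, `secrets/users/e1662e20-…@egi.eu/eosc-dev`, so the playbooks only keep working while that single account, its JWT login and its policy on that subtree exist. If vault.services.fedcloud.eu offers a shared or group path, moving the `eosc-dev` secrets there and pointing this variable at it removes the one-person dependency; if it does not, a comment above the line such as `# personal namespace of <owner>; no shared path available on this Vault yet` would at least make the bus factor visible to the next maintainer. The value is also no longer just a mount point — `secrets` is the mount and the rest is a path prefix — which the variable name now misdescribes.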
diff --git a/cesnet-central/playbooks/repository-nexus.yaml b/cesnet-central/playbooks/repository-nexus.yaml
index b6f4b7e..96c9cfb 100644
--- a/cesnet-central/playbooks/repository-nexus.yaml
+++ b/cesnet-central/playbooks/repository-nexus.yaml
@@ -3,11 +3,11 @@
   hosts: master
   vars:
     nexus_url: "https://{{ nexus_hostname }}/service/rest/v1"
-    nexus_admin_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_admin_password:value', token_validate=false) }}"
-    nexus_binder_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_binder_password:value', token_validate=false) }}"
-    nexus_notebooks_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_notebooks_password:value',
+    nexus_admin_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/nexus_admin_password:value', token_validate=false) }}"
+    nexus_binder_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/nexus_binder_password:value', token_validate=false) }}"
+    nexus_notebooks_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/nexus_notebooks_password:value',
       token_validate=false) }}"
-    nexus_writer_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/nexus_writer_password:value', token_validate=false) }}"
+    nexus_writer_password: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/nexus_writer_password:value', token_validate=false) }}"
     nexus_blobstore_name: default
     nexus_blobstore_type: file
     nexus_repository_name: container-notebooks
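Review bot: Dropping `/data/` from the four lookup paths is only correct if the `secrets` mount is a KV version 1 engine; the generic `community.hashi_vault.hashi_vault` lookup reads the raw API path, and on a KV v2 mount the secret lives at `secrets/data/users/…/nexus_admin_password`, so these reads would fail. The old paths carried `/data/`, which is the KV v2 raw layout, and the README in this patch uses `vault kv put`, which works on both versions, so the engine version of the new mount is not visible from the diff — please confirm it with `vault secrets list -detailed`. If it is v2, the version-aware lookup is the safer form, e.g. `nexus_admin_password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'users/…/eosc-dev/nexus_admin_password', engine_mount_point='secrets').secret.value }}"`, which builds the `/data/` segment itself instead of relying on the inventory variable's spelling. The play's `vars:` block these lines sit in is cut by the hunk on both sides.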
diff --git a/cesnet-mcc/inventory/99-all.yaml b/cesnet-mcc/inventory/99-all.yaml
index 509e2f4..9c872de 100644
--- a/cesnet-mcc/inventory/99-all.yaml
+++ b/cesnet-mcc/inventory/99-all.yaml
@@ -11,7 +11,7 @@ all:
     ansible_become: yes
     ansible_user: egi
     site_name: cesnet-mcc
-    vault_mount_point: eosc/dev
+    vault_mount_point: secrets/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/eosc-dev
 
     gateway_hostname: gateway-cesnet.eosc.zcu.cz
     grafana_hostname: grafana-cesnet.eosc.zcu.cz
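Review bot: This `+` line hard-codes the same personal-namespace path, user UUID included, that `cesnet-central/inventory/99-all.yaml` receives in the same patch, so a later move to a shared path or a change of owner has to be edited in two places and can silently drift. If the repository has a vars file both sites read, defining the prefix once there — or at least splitting it into `vault_mount: secrets` and `vault_secret_prefix: users/…/eosc-dev` — would keep the inventories in step. As written, `vault_mount_point` also no longer describes the value, since only `secrets` is the mount and the remainder is a secret path.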
diff --git a/cesnet-mcc/playbooks/gateway.yaml b/cesnet-mcc/playbooks/gateway.yaml
index f6e1d37..fe6a265 100644
--- a/cesnet-mcc/playbooks/gateway.yaml
+++ b/cesnet-mcc/playbooks/gateway.yaml
@@ -11,7 +11,7 @@
         dest: /tmp/gateway.yaml
         mode: 0640
         content: |
-          authToken: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/data/gateway_authtoken:value', token_validate=true) }}"
+          authToken: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/gateway_authtoken:value', token_validate=true) }}"
           global:
             rbac: true
           deployment:
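Review bot: The `authToken` lookup keeps `token_validate=true` while the four Nexus lookups changed in the same patch use `token_validate=false`, so a token that is denied `auth/token/lookup-self` breaks this play but not that one; pick one setting for the repository and apply it to both playbooks. The same KV-engine caveat applies here: removing `/data/` from the path assumes the `secrets` mount is KV v1 — the old `eosc/dev/data/…` form is the KV v2 raw layout — so please confirm the engine version, or switch to `community.hashi_vault.vault_kv2_get` with `engine_mount_point='secrets'`, which handles the layout itself. The task these lines belong to starts above the hunk, so its module name and the file's final permissions are not visible from here.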
-- 
GitLab