Commit graph

11 commits

Author SHA1 Message Date
7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
165fc4559c go/secretsmgr: init
Currently this only handles signing SSH certificates, but let's see where we go from here.
2022-03-15 03:07:34 +00:00
c91a42948d journal2clickhouse: init 2022-01-01 15:08:52 +00:00
060f2cf96b nhsenglandtests: init 2021-12-31 07:00:32 +00:00
66875b327e go/trains: init 2021-11-18 22:24:20 +00:00
0621fbfbf1 go/streetworks: init, schedule on totoro 2021-11-08 20:08:56 +00:00
3a3acc4673 twitterchiver/viewer: swap openshiftauth for pomerium 2021-03-30 21:59:18 +01:00
576a45ae67 go: init twitternuke 2021-01-06 21:15:56 +00:00
013da6e7c3 go/minotarproxy: import 2020-11-04 17:10:15 +00:00
04c3a8431b go/openshiftauth: init
This is a small "library" for wrapping binaries with magic OAuth authentication based on the automatically-injected k8s service account tokens and OpenShift's OAuth service.

There's an example of this deployed at https://example-lukegb-openshiftauth-test.apps.k8s.lukegb.tech/.

The main pieces of setup that need to happen are:

* Set "serviceAccount" in pod definition
* Add Route for pod
* Edit serviceaccount and add metadata.annotations, e.g.:
    serviceaccounts.openshift.io/oauth-redirectreference.first: >-
      {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"example"}}
2020-10-04 14:38:56 +01:00
dd3c58548d go/twitterchiver: init 2020-10-04 01:07:59 +01:00