Merge pull request 'feat: add pki for k8s' (#9) from neoloc/k8s_pki into master

Reviewed-on: https://git.query.consul/unkin/terraform-vault/pulls/9
2025-01-27 21:06:30 +11:00 · 2025-01-27 21:06:30 +11:00 · 2dc37cc8c4
commit 2dc37cc8c4
parent cd9c006203 9b9afdce58
5 changed files with 139 additions and 0 deletions
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@ -9,6 +9,7 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
    "approle_role_admin",
    "approle_role_login",
    "approle_token_create",
+    "k8s_pki_roles_admin",
    "ldap_admin",
    "pki_int_roles_admin",
    "pki_root_roles_admin",
--- a/engine_pki_k8s_etcd_ca.tf
+++ b/engine_pki_k8s_etcd_ca.tf
@ -0,0 +1,85 @@
+# PKI mount for etcd-ca
+resource "vault_mount" "k8s_etcd_ca" {
+  path                  = "k8s/etcd-ca"
+  type                  = "pki"
+  description           = "PKI for k8s etcd certificates"
+  max_lease_ttl_seconds = 86400 * 365 * 10
+}
+
+# Generate the root CA for etcd
+resource "vault_pki_secret_backend_root_cert" "etcd_ca_root" {
+  backend     = vault_mount.k8s_etcd_ca.path
+  type        = "internal"
+  common_name = "etcd-ca"
+  ttl         = 86400 * 365 * 10
+  key_type    = "rsa"
+  key_bits    = 4096
+}
+
+# PKI role for kube-etcd
+resource "vault_pki_secret_backend_role" "kube_etcd" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-etcd"
+  allowed_domains    = ["kube-etcd", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = true
+  client_flag        = true
+}
+
+# PKI role for kube-etcd-peer
+resource "vault_pki_secret_backend_role" "kube_etcd_peer" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-etcd-peer"
+  allowed_domains    = ["kube-etcd-peer", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = true
+  client_flag        = true
+}
+
+# PKI role for kube-etcd-healthcheck-client
+resource "vault_pki_secret_backend_role" "kube_etcd_healthcheck_client" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-etcd-healthcheck-client"
+  allowed_domains    = ["kube-etcd-healthcheck-client", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = false
+  client_flag        = true
+}
+
+# PKI role for kube-apiserver-etcd-client
+resource "vault_pki_secret_backend_role" "kube-apiserver-etcd-client" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-apiserver-etcd-client"
+  allowed_domains    = ["kube-apiserver-etcd-client", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = false
+  client_flag        = true
+}
--- a/engine_pki_k8s_kubernetes_ca.tf
+++ b/engine_pki_k8s_kubernetes_ca.tf
@ -0,0 +1,49 @@
+# Additional mounts and roles for Kubernetes CA and front-proxy CA
+resource "vault_mount" "k8s_kubernetes_ca" {
+  path                  = "k8s/kubernetes-ca"
+  type                  = "pki"
+  description           = "PKI for Kubernetes certificates"
+  max_lease_ttl_seconds = 86400 * 365 * 10
+}
+
+# Generate the root CA for etcd
+resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
+  backend     = vault_mount.k8s_kubernetes_ca.path
+  type        = "internal"
+  common_name = "kubernetes-ca"
+  ttl         = 86400 * 365 * 10
+  key_type    = "rsa"
+  key_bits    = 4096
+}
+
+resource "vault_pki_secret_backend_role" "kube_apiserver" {
+  backend            = vault_mount.k8s_kubernetes_ca.path
+  name               = "kube-apiserver"
+  allowed_domains    = ["kube-apiserver", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = true
+  client_flag        = false
+}
+
+resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
+  backend            = vault_mount.k8s_kubernetes_ca.path
+  name               = "kube-apiserver-kubelet-client"
+  allowed_domains    = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = false
+  client_flag        = true
+}
--- a/policies.tf
+++ b/policies.tf
@ -6,6 +6,7 @@ locals {
    "policies/auth/approle",
    "policies/auth/ldap",
    "policies/auth/token",
+    "policies/k8s",
    "policies/pki_int",
    "policies/pki_root",
    "policies/rundeck",
--- a/policies/k8s/k8s_pki_roles_admin.hcl
+++ b/policies/k8s/k8s_pki_roles_admin.hcl
@ -0,0 +1,3 @@
+path "k8s/+/roles/*" {
+  capabilities = ["create", "update", "read", "delete", "list"]
+}