diff --git a/auth_approle_tf_vault.tf b/auth_approle_tf_vault.tf
index c78201a..a5faf47 100644
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@@ -9,6 +9,7 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
 "approle_role_admin",
 "approle_role_login",
 "approle_token_create",
+ "k8s_pki_roles_admin",
 "ldap_admin",
 "pki_int_roles_admin",
 "pki_root_roles_admin",
diff --git a/engine_pki_k8s_etcd_ca.tf b/engine_pki_k8s_etcd_ca.tf
new file mode 100644
index 0000000..ef17bc9
--- /dev/null
+++ b/engine_pki_k8s_etcd_ca.tf
@@ -0,0 +1,85 @@
+# PKI mount for etcd-ca
+resource "vault_mount" "k8s_etcd_ca" {
+ path = "k8s/etcd-ca"
+ type = "pki"
+ description = "PKI for k8s etcd certificates"
+ max_lease_ttl_seconds = 86400 * 365 * 10
+}
+
+# Generate the root CA for etcd
+resource "vault_pki_secret_backend_root_cert" "etcd_ca_root" {
+ backend = vault_mount.k8s_etcd_ca.path
+ type = "internal"
+ common_name = "etcd-ca"
+ ttl = 86400 * 365 * 10
+ key_type = "rsa"
+ key_bits = 4096
+}
+
+# PKI role for kube-etcd
+resource "vault_pki_secret_backend_role" "kube_etcd" {
+ backend = vault_mount.k8s_etcd_ca.path
+ name = "kube-etcd"
+ allowed_domains = ["kube-etcd", "*.main.unkin.net", "localhost"]
+ allow_ip_sans = true
+ enforce_hostnames = true
+ allow_subdomains = true
+ allow_glob_domains = true
+ allow_localhost = true
+ max_ttl = 86400 * 90
+ ttl = 86400 * 90
+ key_usage = ["DigitalSignature", "KeyEncipherment"]
+ server_flag = true
+ client_flag = true
+}
+
+# PKI role for kube-etcd-peer
+resource "vault_pki_secret_backend_role" "kube_etcd_peer" {
+ backend = vault_mount.k8s_etcd_ca.path
+ name = "kube-etcd-peer"
+ allowed_domains = ["kube-etcd-peer", "*.main.unkin.net", "localhost"]
+ allow_ip_sans = true
+ enforce_hostnames = true
+ allow_subdomains = true
+ allow_glob_domains = true
+ allow_localhost = true
+ max_ttl = 86400 * 90
+ ttl = 86400 * 90
+ key_usage = ["DigitalSignature", "KeyEncipherment"]
+ server_flag = true
+ client_flag = true
+}
+
+# PKI role for kube-etcd-healthcheck-client
+resource "vault_pki_secret_backend_role" "kube_etcd_healthcheck_client" {
+ backend = vault_mount.k8s_etcd_ca.path
+ name = "kube-etcd-healthcheck-client"
+ allowed_domains = ["kube-etcd-healthcheck-client", "*.main.unkin.net", "localhost"]
+ allow_ip_sans = true
+ enforce_hostnames = true
+ allow_subdomains = true
+ allow_glob_domains = true
+ allow_localhost = true
+ max_ttl = 86400 * 90
+ ttl = 86400 * 90
+ key_usage = ["DigitalSignature", "KeyEncipherment"]
+ server_flag = false
+ client_flag = true
+}
+
+# PKI role for kube-apiserver-etcd-client
+resource "vault_pki_secret_backend_role" "kube-apiserver-etcd-client" {
+ backend = vault_mount.k8s_etcd_ca.path
+ name = "kube-apiserver-etcd-client"
+ allowed_domains = ["kube-apiserver-etcd-client", "*.main.unkin.net", "localhost"]
+ allow_ip_sans = true
+ enforce_hostnames = true
+ allow_subdomains = true
+ allow_glob_domains = true
+ allow_localhost = true
+ max_ttl = 86400 * 90
+ ttl = 86400 * 90
+ key_usage = ["DigitalSignature", "KeyEncipherment"]
+ server_flag = false
+ client_flag = true
+}
diff --git a/engine_pki_k8s_kubernetes_ca.tf b/engine_pki_k8s_kubernetes_ca.tf
new file mode 100644
index 0000000..4f72b2d
--- /dev/null
+++ b/engine_pki_k8s_kubernetes_ca.tf
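Review bot: None of the four roles sets `allow_bare_domains`, which defaults to false, so as I read the role defaults a request whose common name equals one of the bare entries in `allowed_domains` (`kube-etcd`, `kube-etcd-peer`, `kube-etcd-healthcheck-client`, `kube-apiserver-etcd-client`) would be rejected as not allowed by the role; `allow_subdomains` only admits names underneath those entries, so each role needs `allow_bare_domains = true` if the bare name is meant to be the certificate's identity, and the same applies to `kube_apiserver` and `kube_apiserver_kubelet_client` in engine_pki_k8s_kubernetes_ca.tf. The two client-only roles (`server_flag = false`) also keep server-oriented allowances — `allow_ip_sans`, `allow_localhost`, `allow_subdomains`, `allow_glob_domains` and the `*.main.unkin.net` wildcard — so any identity with issue rights on them can obtain a clientAuth certificate for any name in that domain; pinning `allowed_domains` to the single client name and setting those four flags to false limits each role to the identity it exists for. The label `"kube-apiserver-etcd-client"` is the only resource name in this file written with hyphens rather than underscores; `kube_apiserver_etcd_client` would match `kube_etcd_peer` and `kube_etcd_healthcheck_client`. I also see no `vault_pki_secret_backend_config_urls` for this mount in the hunk, so issued certificates would carry no CRL or issuing-certificate URLs unless that is configured elsewhere.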
@@ -0,0 +1,49 @@
+# Additional mounts and roles for Kubernetes CA and front-proxy CA
+resource "vault_mount" "k8s_kubernetes_ca" {
+ path = "k8s/kubernetes-ca"
+ type = "pki"
+ description = "PKI for Kubernetes certificates"
+ max_lease_ttl_seconds = 86400 * 365 * 10
+}
+
+# Generate the root CA for etcd
+resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
+ backend = vault_mount.k8s_kubernetes_ca.path
+ type = "internal"
+ common_name = "kubernetes-ca"
+ ttl = 86400 * 365 * 10
+ key_type = "rsa"
+ key_bits = 4096
+}
+
+resource "vault_pki_secret_backend_role" "kube_apiserver" {
+ backend = vault_mount.k8s_kubernetes_ca.path
+ name = "kube-apiserver"
+ allowed_domains = ["kube-apiserver", "*.main.unkin.net", "localhost"]
+ allow_ip_sans = true
+ enforce_hostnames = true
+ allow_subdomains = true
+ allow_glob_domains = true
+ allow_localhost = true
+ max_ttl = 86400 * 90
+ ttl = 86400 * 90
+ key_usage = ["DigitalSignature", "KeyEncipherment"]
+ server_flag = true
+ client_flag = false
+}
+
+resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
+ backend = vault_mount.k8s_kubernetes_ca.path
+ name = "kube-apiserver-kubelet-client"
+ allowed_domains = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
+ allow_ip_sans = true
+ enforce_hostnames = true
+ allow_subdomains = true
+ allow_glob_domains = true
+ allow_localhost = true
+ max_ttl = 86400 * 90
+ ttl = 86400 * 90
+ key_usage = ["DigitalSignature", "KeyEncipherment"]
+ server_flag = false
+ client_flag = true
+}
diff --git a/policies.tf b/policies.tf
index 30c00de..891de5c 100644
--- a/policies.tf
+++ b/policies.tf
@@ -6,6 +6,7 @@ locals {
 "policies/auth/approle",
 "policies/auth/ldap",
 "policies/auth/token",
+ "policies/k8s",
 "policies/pki_int",
 "policies/pki_root",
 "policies/rundeck",
diff --git a/policies/k8s/k8s_pki_roles_admin.hcl b/policies/k8s/k8s_pki_roles_admin.hcl
new file mode 100644
index 0000000..eae4dcc
--- /dev/null
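Review bot: The comment above `vault_pki_secret_backend_root_cert.k8s_kubernetes_ca_root`, `# Generate the root CA for etcd`, was carried over from the etcd file and describes the wrong CA; it should read `# Generate the root CA for kubernetes-ca`. The file's opening comment also announces a front-proxy CA, but the hunk defines only the `k8s/kubernetes-ca` mount, its root certificate and two roles, so either the comment should drop the front-proxy mention or that mount is still to come. If the `kube-apiserver` serving certificate is expected to carry the in-cluster service names (`kubernetes`, `kubernetes.default.svc` and the `cluster.local` form), none of them is covered by `allowed_domains` and `enforce_hostnames = true` would reject them — worth confirming against how that certificate is requested. The two roles in this file, unlike the etcd ones, have no `# PKI role for ...` comment; adding one per role keeps the two files consistent.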
+++ b/policies/k8s/k8s_pki_roles_admin.hcl
@@ -0,0 +1,3 @@
+path "k8s/+/roles/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
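Review bot: `k8s_pki_roles_admin` grants only `k8s/+/roles/*`, yet the Terraform identity this commit attaches it to (the `tf_vault` AppRole) also creates the two mounts and generates their root certificates, which are authorised under `sys/mounts/k8s/*` and `k8s/+/root/generate/*`; unless another policy already attached to `tf_vault` covers those paths, the first apply would be denied before any role is written, so it is worth checking where those grants come from. Role administration is in effect issuance policy — a holder can widen `allowed_domains` or flip `server_flag`/`client_flag` on every role under both CAs — so this policy should stay off tokens that also hold `k8s/+/issue/*` or `k8s/+/sign/*`, and a comment above the path stating that intent, e.g. `# Manage PKI roles (not issuance) on every k8s/<ca> mount`, would help the next reader see the boundary.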