feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster

- Add Kubernetes secrets engine at kubernetes/au/syd1 path
  - Create four RBAC roles with external YAML configuration:
    * media-apps-operator: namespaced role for media-apps with selective permissions
    * cluster-operator: cluster-wide read-only access to specific API groups
    * cluster-admin: cluster-wide full access to specific API groups
    * cluster-root: cluster-wide superuser access to all resources
  - Add Vault policies for credential generation for each role
  - Add admin policies for kubernetes auth backend configuration and role management
  - Refactor kubernetes auth backend to use shared locals for CA certificate
  - Update terraform-vault approle with required kubernetes policies
This commit is contained in:
2025-11-27 23:22:13 +11:00
parent ad1118af85
commit 6624f7aed1
15 changed files with 204 additions and 25 deletions
+3
View File
@@ -0,0 +1,3 @@
path "kubernetes/au/+/config" {
capabilities = ["create", "update", "read", "delete", "list"]
}
+6
View File
@@ -0,0 +1,6 @@
path "kubernetes/au/+/roles" {
capabilities = ["list"]
}
path "kubernetes/au/+/roles/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}
@@ -0,0 +1,3 @@
path "kubernetes/au/syd1/creds/cluster-admin" {
capabilities = ["update"]
}
@@ -0,0 +1,3 @@
path "kubernetes/au/syd1/creds/cluster-operator" {
capabilities = ["update"]
}
@@ -0,0 +1,3 @@
path "kubernetes/au/syd1/creds/cluster-root" {
capabilities = ["update"]
}
@@ -0,0 +1,3 @@
path "kubernetes/au/syd1/creds/media-apps-operator" {
capabilities = ["update"]
}
@@ -0,0 +1,3 @@
path "kv/data/service/kubernetes/au/syd1/service_account_jwt" {
capabilities = ["read"]
}