feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster
- Add Kubernetes secrets engine at kubernetes/au/syd1 path
- Create four RBAC roles with external YAML configuration:
* media-apps-operator: namespaced role for media-apps with selective permissions
* cluster-operator: cluster-wide read-only access to specific API groups
* cluster-admin: cluster-wide full access to specific API groups
* cluster-root: cluster-wide superuser access to all resources
- Add Vault policies for credential generation for each role
- Add admin policies for kubernetes auth backend configuration and role management
- Refactor kubernetes auth backend to use shared locals for CA certificate
- Update terraform-vault approle with required kubernetes policies
This commit is contained in:
@@ -0,0 +1,3 @@
|
||||
path "kubernetes/au/+/config" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
path "kubernetes/au/+/roles" {
|
||||
capabilities = ["list"]
|
||||
}
|
||||
path "kubernetes/au/+/roles/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "kubernetes/au/syd1/creds/cluster-admin" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "kubernetes/au/syd1/creds/cluster-operator" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "kubernetes/au/syd1/creds/cluster-root" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "kubernetes/au/syd1/creds/media-apps-operator" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "kv/data/service/kubernetes/au/syd1/service_account_jwt" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
Reference in New Issue
Block a user