feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster

- Add Kubernetes secrets engine at kubernetes/au/syd1 path
  - Create four RBAC roles with external YAML configuration:
    * media-apps-operator: namespaced role for media-apps with selective permissions
    * cluster-operator: cluster-wide read-only access to specific API groups
    * cluster-admin: cluster-wide full access to specific API groups
    * cluster-root: cluster-wide superuser access to all resources
  - Add Vault policies for credential generation for each role
  - Add admin policies for kubernetes auth backend configuration and role management
  - Refactor kubernetes auth backend to use shared locals for CA certificate
  - Update terraform-vault approle with required kubernetes policies
This commit is contained in:
2025-11-27 23:22:13 +11:00
parent ad1118af85
commit 6624f7aed1
15 changed files with 204 additions and 25 deletions
@@ -0,0 +1,23 @@
---
rules:
- apiGroups:
- ""
- "postgresql.cnpg.io"
- "cert-manager.io"
- "rbac.authorization.k8s.io"
- "batch"
- "secrets.hashicorp.com"
- "storage.k8s.io"
- "apps"
- "apiextensions.k8s.io"
- "externaldns.k8s.io"
- "autoscaling"
- "networking.k8s.io"
- "purelb.io"
- "nfd.k8s-sigs.io"
- "policy"
- "metrics.k8s.io"
resources:
- "*"
verbs:
- "*"
@@ -0,0 +1,25 @@
---
rules:
- apiGroups:
- ""
- "postgresql.cnpg.io"
- "cert-manager.io"
- "rbac.authorization.k8s.io"
- "batch"
- "secrets.hashicorp.com"
- "storage.k8s.io"
- "apps"
- "apiextensions.k8s.io"
- "externaldns.k8s.io"
- "autoscaling"
- "networking.k8s.io"
- "purelb.io"
- "nfd.k8s-sigs.io"
- "policy"
- "metrics.k8s.io"
resources:
- "*"
verbs:
- "get"
- "list"
- "watch"
@@ -0,0 +1,8 @@
---
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- "*"
@@ -0,0 +1,49 @@
---
rules:
- apiGroups:
- ""
resources:
- "pods"
- "services"
- "configmaps"
- "secrets"
- "endpoints"
- "persistentvolumeclaims"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "pods/log"
verbs:
- "get"
- "list"
- apiGroups:
- ""
resources:
- "pods/exec"
verbs:
- "create"
- apiGroups:
- "apps"
resources:
- "deployments"
- "replicasets"
- "statefulsets"
- "daemonsets"
verbs:
- "get"
- "list"
- "watch"
- "patch"
- apiGroups:
- "extensions"
- "networking.k8s.io"
resources:
- "ingresses"
verbs:
- "get"
- "list"
- "watch"