feat: manage k8s auth role integration

- add policies to sign/issue certificates - manage auth roles for ceph-csi, certmanager, externaldns, huntarr
2025-11-22 23:21:43 +11:00 · 2025-11-22 23:21:43 +11:00 · 7814551084
commit 7814551084
parent 85cda88a3b
6 changed files with 101 additions and 10 deletions
--- a/auth_kubernetes_roles.tf
+++ b/auth_kubernetes_roles.tf
@ -0,0 +1,73 @@
+resource "vault_kubernetes_auth_backend_role" "default" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "default"
+  bound_service_account_names      = ["default"]
+  bound_service_account_namespaces = ["*"]
+  token_ttl                        = 3600
+  token_policies = [
+    "default"
+  ]
+  audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "demo_default" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "demo_default"
+  bound_service_account_names      = ["default"]
+  bound_service_account_namespaces = ["demo"]
+  token_ttl                        = 60
+  token_policies = [
+    "kv/service/terraform/nomad"
+  ]
+  audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "huntarr-default"
+  bound_service_account_names      = ["default"]
+  bound_service_account_namespaces = ["huntarr"]
+  token_ttl                        = 60
+  token_policies = [
+    "pki_int/sign/servers_default",
+    "pki_int/issue/servers_default",
+  ]
+  audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "externaldns" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "externaldns"
+  bound_service_account_names      = ["externaldns"]
+  bound_service_account_namespaces = ["externaldns"]
+  token_ttl                        = 60
+  token_policies = [
+    "kv/service/kubernetes/au/syd1/externaldns/tsig/read",
+  ]
+  audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "cert-manager-issuer"
+  bound_service_account_names      = ["cert-manager-vault-issuer"]
+  bound_service_account_namespaces = ["cert-manager"]
+  token_ttl                        = 60
+  token_policies = [
+    "pki_int/sign/servers_default",
+    "pki_int/issue/servers_default",
+  ]
+  audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "ceph-csi"
+  bound_service_account_names      = ["ceph-csi-rbd-csi-rbdplugin-provisioner"]
+  bound_service_account_namespaces = ["ceph-csi"]
+  token_ttl                        = 60
+  token_policies = [
+    "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
+  ]
+  audience = "vault"
+}
--- a/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl
+++ b/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl
@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret" {
+  capabilities = ["read"]
+}
--- a/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl
+++ b/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl
@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/externaldns/tsig" {
+  capabilities = ["read"]
+}
--- a/policies/pki_int/issue/servers_default.hcl
+++ b/policies/pki_int/issue/servers_default.hcl
@ -0,0 +1,3 @@
+path "pki_int/issue/servers_default" {
+  capabilities = ["update"]
+}
--- a/policies/pki_int/sign/servers_default.hcl
+++ b/policies/pki_int/sign/servers_default.hcl
@ -0,0 +1,3 @@
+path "pki_int/sign/servers_default" {
+  capabilities = ["update"]
+}
--- a/role_pki_int_servers_default.tf
+++ b/role_pki_int_servers_default.tf
@ -2,14 +2,20 @@ resource "vault_pki_secret_backend_role" "servers_default" {
  backend = "pki_int"
  name    = "servers_default"
  #issuer_ref         = data.vault_pki_secret_backend_issuer.pki_int_issuer.default
-  allow_ip_sans      = true
-  allowed_domains    = ["unkin.net", "*.unkin.net", "localhost"]
-  allow_subdomains   = true
-  allow_glob_domains = true
-  allow_bare_domains = true
-  enforce_hostnames  = true
-  allow_any_name     = true
-  max_ttl            = 2160 * 3600
-  key_bits           = 4096
-  country            = ["Australia"]
+  allow_ip_sans = true
+  allowed_domains = [
+    "unkin.net",
+    "*.unkin.net",
+    "localhost"
+  ]
+  allow_subdomains    = true
+  allow_glob_domains  = true
+  allow_bare_domains  = true
+  enforce_hostnames   = true
+  allow_any_name      = true
+  max_ttl             = 2160 * 3600
+  key_bits            = 4096
+  country             = ["Australia"]
+  use_csr_common_name = true
+  use_csr_sans        = true
 }