From 7814551084eb852c763c1655f45ab647198e53f7 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 22 Nov 2025 23:21:43 +1100
Subject: [PATCH] feat: manage k8s auth role integration

- add policies to sign/issue certificates
- manage auth roles for ceph-csi, certmanager, externaldns, huntarr
---
 auth_kubernetes_roles.tf | 73 +++++++++++++++++++
 .../au/syd1/csi/ceph-rbd-secret/read.hcl | 3 +
 .../au/syd1/externaldns/tsig/read.hcl | 3 +
 policies/pki_int/issue/servers_default.hcl | 3 +
 policies/pki_int/sign/servers_default.hcl | 3 +
 role_pki_int_servers_default.tf | 26 ++++---
 6 files changed, 101 insertions(+), 10 deletions(-)
 create mode 100644 auth_kubernetes_roles.tf
 create mode 100644 policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl
 create mode 100644 policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl
 create mode 100644 policies/pki_int/issue/servers_default.hcl
 create mode 100644 policies/pki_int/sign/servers_default.hcl

diff --git a/auth_kubernetes_roles.tf b/auth_kubernetes_roles.tf
new file mode 100644
index 0000000..74b2622
--- /dev/null
+++ b/auth_kubernetes_roles.tf
@@ -0,0 +1,73 @@
+resource "vault_kubernetes_auth_backend_role" "default" {
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "default"
+ bound_service_account_names = ["default"]
+ bound_service_account_namespaces = ["*"]
+ token_ttl = 3600
+ token_policies = [
+ "default"
+ ]
+ audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "demo_default" {
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "demo_default"
+ bound_service_account_names = ["default"]
+ bound_service_account_namespaces = ["demo"]
+ token_ttl = 60
+ token_policies = [
+ "kv/service/terraform/nomad"
+ ]
+ audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "huntarr-default"
+ bound_service_account_names = ["default"]
+ bound_service_account_namespaces = ["huntarr"]
+ token_ttl = 60
+ token_policies = [
+ "pki_int/sign/servers_default",
+ "pki_int/issue/servers_default",
+ ]
+ audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "externaldns" {
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "externaldns"
+ bound_service_account_names = ["externaldns"]
+ bound_service_account_namespaces = ["externaldns"]
+ token_ttl = 60
+ token_policies = [
+ "kv/service/kubernetes/au/syd1/externaldns/tsig/read",
+ ]
+ audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "cert-manager-issuer"
+ bound_service_account_names = ["cert-manager-vault-issuer"]
+ bound_service_account_namespaces = ["cert-manager"]
+ token_ttl = 60
+ token_policies = [
+ "pki_int/sign/servers_default",
+ "pki_int/issue/servers_default",
+ ]
+ audience = "vault"
+}
+
+resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
+ backend = vault_auth_backend.kubernetes.path
+ role_name = "ceph-csi"
+ bound_service_account_names = ["ceph-csi-rbd-csi-rbdplugin-provisioner"]
+ bound_service_account_namespaces = ["ceph-csi"]
+ token_ttl = 60
+ token_policies = [
+ "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
+ ]
+ audience = "vault"
+}
diff --git a/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl b/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl
new file mode 100644
index 0000000..b80913b
--- /dev/null
+++ b/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret" {
+ capabilities = ["read"]
+}
diff --git a/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl b/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl
new file mode 100644
index 0000000..fba1b64
--- /dev/null
+++ b/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/externaldns/tsig" {
+ capabilities = ["read"]
+}
diff --git a/policies/pki_int/issue/servers_default.hcl b/policies/pki_int/issue/servers_default.hcl
new file mode 100644
index 0000000..14200c8
--- /dev/null
+++ b/policies/pki_int/issue/servers_default.hcl
@@ -0,0 +1,3 @@
+path "pki_int/issue/servers_default" {
+ capabilities = ["update"]
+}
diff --git a/policies/pki_int/sign/servers_default.hcl b/policies/pki_int/sign/servers_default.hcl
new file mode 100644
index 0000000..84749e8
--- /dev/null
+++ b/policies/pki_int/sign/servers_default.hcl
@@ -0,0 +1,3 @@
+path "pki_int/sign/servers_default" {
+ capabilities = ["update"]
+}
diff --git a/role_pki_int_servers_default.tf b/role_pki_int_servers_default.tf
index ce0ea8c..e095c86 100644
--- a/role_pki_int_servers_default.tf
+++ b/role_pki_int_servers_default.tf
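Review bot: The `default` role pairs `bound_service_account_names = ["default"]` with `bound_service_account_namespaces = ["*"]`, so every pod in the cluster that runs without an explicit service account can log in to Vault and receive a 3600 s token; it only carries the built-in `default` policy, but if cluster-wide login is not the intent this should be narrowed to the namespaces that need it, and if it is intended a comment such as `# intentionally cluster-wide: any default SA may obtain a token with only the "default" policy` would make that explicit. `demo_default` and `huntarr-default` likewise bind the namespace's `default` service account rather than a dedicated one, unlike the externaldns, cert-manager and ceph-csi roles, so any pod in `huntarr` gets sign/issue access to `servers_default`, which the other hunk in this patch configures with `allow_any_name = true`. `cert_manager_issuer` lists `pki_int/issue/servers_default` as well as `sign`; cert-manager's Vault issuer submits a CSR to the sign endpoint, so the `issue` policy (which has Vault generate and return the private key) can be dropped from that role and probably from `huntarr-default` too if the workload supplies its own CSR. Resource names mix hyphens (`huntarr-default`, `ceph-csi`) and underscores (`demo_default`, `cert_manager_issuer`); Terraform's convention is underscores, which `cert_manager_issuer` already follows.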
@@ -2,14 +2,20 @@ resource "vault_pki_secret_backend_role" "servers_default" {
 backend = "pki_int"
 name = "servers_default"
 #issuer_ref = data.vault_pki_secret_backend_issuer.pki_int_issuer.default
- allow_ip_sans = true
- allowed_domains = ["unkin.net", "*.unkin.net", "localhost"]
- allow_subdomains = true
- allow_glob_domains = true
- allow_bare_domains = true
- enforce_hostnames = true
- allow_any_name = true
- max_ttl = 2160 * 3600
- key_bits = 4096
- country = ["Australia"]
+ allow_ip_sans = true
+ allowed_domains = [
+ "unkin.net",
+ "*.unkin.net",
+ "localhost"
+ ]
+ allow_subdomains = true
+ allow_glob_domains = true
+ allow_bare_domains = true
+ enforce_hostnames = true
+ allow_any_name = true
+ max_ttl = 2160 * 3600
+ key_bits = 4096
+ country = ["Australia"]
+ use_csr_common_name = true
+ use_csr_sans = true
 }
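Review bot: `allow_any_name = true` survives on the new side and makes the `allowed_domains`, `allow_subdomains`, `allow_glob_domains` and `allow_bare_domains` settings above it ineffective; with `use_csr_common_name` and `use_csr_sans` now explicitly true, any CN or DNS SAN a CSR carries (and any IP SAN, via `allow_ip_sans`) is signed, and this is the role the new Kubernetes auth roles for huntarr and cert-manager are granted sign/issue access to. If issuance is meant to be limited to `unkin.net`, drop `allow_any_name` (or set it `false`) and let the domain list do the work; if unrestricted issuance is intended, a comment next to the attribute such as `# allow_any_name overrides allowed_domains below: any hostname-shaped name in the CSR is signed` would stop the next reader from assuming the domain list is enforced. `country = ["Australia"]` is not an ISO 3166 two-letter code; RFC 5280 defines countryName as a two-character PrintableString, so `country = ["AU"]` is the form strict verifiers expect. The enclosing `resource` block begins before this hunk.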