feat: set max token life for auth_kubernetes_role
found kubernetes vaultauth resources never picking up new policies, because they would infinitely renew their token. - set default max token length for roles to 1 day - changed all existing role token_max_ttl to match their token_ttl
This commit is contained in:
parent
c94b2af196
commit
7cafafd483
@ -5,4 +5,5 @@ bound_service_account_namespaces:
|
||||
- csi-cephrbd
|
||||
- csi-cephfs
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
||||
bound_service_account_namespaces:
|
||||
- cert-manager
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
||||
bound_service_account_namespaces:
|
||||
- externaldns
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
||||
bound_service_account_namespaces:
|
||||
- identity
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
||||
bound_service_account_namespaces:
|
||||
- media-apps
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
||||
bound_service_account_namespaces:
|
||||
- puppet
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
||||
bound_service_account_namespaces:
|
||||
- cattle-system
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
||||
bound_service_account_namespaces:
|
||||
- repoflow
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@ -92,6 +92,7 @@ module "auth_kubernetes_role" {
|
||||
bound_service_account_names = each.value.bound_service_account_names
|
||||
bound_service_account_namespaces = each.value.bound_service_account_namespaces
|
||||
token_ttl = each.value.token_ttl
|
||||
token_max_ttl = each.value.token_max_ttl
|
||||
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
|
||||
audience = each.value.audience
|
||||
|
||||
|
||||
@ -4,6 +4,7 @@ resource "vault_kubernetes_auth_backend_role" "role" {
|
||||
bound_service_account_names = var.bound_service_account_names
|
||||
bound_service_account_namespaces = var.bound_service_account_namespaces
|
||||
token_ttl = var.token_ttl
|
||||
token_max_ttl = var.token_max_ttl
|
||||
token_policies = var.token_policies
|
||||
audience = var.audience
|
||||
}
|
||||
@ -24,6 +24,12 @@ variable "token_ttl" {
|
||||
default = 3600
|
||||
}
|
||||
|
||||
variable "token_max_ttl" {
|
||||
description = "The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
|
||||
type = number
|
||||
default = 86400
|
||||
}
|
||||
|
||||
variable "token_policies" {
|
||||
description = "List of policies to assign to the role (passed from policy_auth_map)"
|
||||
type = list(string)
|
||||
|
||||
@ -83,6 +83,7 @@ variable "auth_kubernetes_role" {
|
||||
bound_service_account_names = list(string)
|
||||
bound_service_account_namespaces = list(string)
|
||||
token_ttl = optional(number, 3600)
|
||||
token_max_ttl = optional(number, 86400)
|
||||
audience = optional(string, "vault")
|
||||
}))
|
||||
default = {}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user