From 7cafafd4831277dbb21d14d637adfb879afc234c Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 22 Feb 2026 22:28:21 +1100
Subject: [PATCH] feat: set max token life for auth_kubernetes_role

found kubernetes vaultauth resources never picking up new policies, because they would infinitely renew their token.

- set default max token length for roles to 1 day
- changed all existing role token_max_ttl to match their token_ttl
---
config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml | 1 +
.../k8s/au/syd1/cert_manager_issuer.yaml | 1 +
config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml | 1 +
config/auth_kubernetes_role/k8s/au/syd1/identity.yaml | 1 +
config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml | 1 +
config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml | 1 +
config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml | 1 +
config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml | 1 +
config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml | 1 +
modules/vault_cluster/main.tf | 1 +
modules/vault_cluster/modules/auth_kubernetes_role/main.tf | 1 +
.../vault_cluster/modules/auth_kubernetes_role/variables.tf | 6 ++++++
modules/vault_cluster/variables.tf | 1 +
13 files changed, 18 insertions(+)

diff --git a/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
index 84f7572..cddac41 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
@@ -5,4 +5,5 @@ bound_service_account_namespaces:
 - csi-cephrbd
 - csi-cephfs
 token_ttl: 600
+token_max_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
index 836776c..7cfa378 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
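Review bot: Setting `token_max_ttl: 600` equal to `token_ttl: 600` means a token issued for this role cannot be renewed past its initial 10 minutes, so each consumer must log in again at least every 600 s and any policy change on the role is picked up by then; that intent is not recorded anywhere in the file, and the same applies to the cert_manager_issuer, externaldns, identity, media-apps, puppet, rancher, repoflow and woodpecker hunks. Worth a one-line comment above the new key, e.g. `# same as token_ttl: no renewal, so policy changes apply at the next login (<= 10 min)`. It is also worth confirming that each workload's Vault client re-authenticates rather than only renewing, since a renew-only client would start failing about 600 s after this lands; the commit message suggests the VaultAuth resources do re-login, but the configs themselves do not show it.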
@@ -3,4 +3,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - cert-manager
 token_ttl: 600
+token_max_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
index 4d594b7..10af1f1 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
@@ -3,4 +3,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - externaldns
 token_ttl: 600
+token_max_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml b/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml
index d200a9a..7f3961e 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/identity.yaml
@@ -3,4 +3,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - identity
 token_ttl: 600
+token_max_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
index cf6d07a..fbc9b3a 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
@@ -3,4 +3,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - media-apps
 token_ttl: 600
+token_max_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml b/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
index 1059164..285f7eb 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml
@@ -3,4 +3,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - puppet
 token_ttl: 600
+token_max_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml b/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
index 8b0ed1a..b1dd5e7 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml
@@ -3,4 +3,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - cattle-system
 token_ttl: 600
+token_max_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
index 0263419..dd15bea 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
@@ -3,4 +3,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - repoflow
 token_ttl: 600
+token_max_ttl: 600
 audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml
index 2dfda00..403150d 100644
--- a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml
@@ -3,4 +3,5 @@ bound_service_account_names:
 bound_service_account_namespaces:
 - woodpecker
 token_ttl: 600
+token_max_ttl: 600
 audience: vault
diff --git a/modules/vault_cluster/main.tf b/modules/vault_cluster/main.tf
index 92eea0b..6f00018 100644
--- a/modules/vault_cluster/main.tf
+++ b/modules/vault_cluster/main.tf
@@ -92,6 +92,7 @@ module "auth_kubernetes_role" {
 bound_service_account_names = each.value.bound_service_account_names
 bound_service_account_namespaces = each.value.bound_service_account_namespaces
 token_ttl = each.value.token_ttl
+ token_max_ttl = each.value.token_max_ttl
 token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
 audience = each.value.audience
diff --git a/modules/vault_cluster/modules/auth_kubernetes_role/main.tf b/modules/vault_cluster/modules/auth_kubernetes_role/main.tf
index d2d08c8..90e49c9 100644
--- a/modules/vault_cluster/modules/auth_kubernetes_role/main.tf
+++ b/modules/vault_cluster/modules/auth_kubernetes_role/main.tf
@@ -4,6 +4,7 @@ resource "vault_kubernetes_auth_backend_role" "role" {
 bound_service_account_names = var.bound_service_account_names
 bound_service_account_namespaces = var.bound_service_account_namespaces
 token_ttl = var.token_ttl
+ token_max_ttl = var.token_max_ttl
 token_policies = var.token_policies
 audience = var.audience
 }
\ No newline at end of file
diff --git a/modules/vault_cluster/modules/auth_kubernetes_role/variables.tf b/modules/vault_cluster/modules/auth_kubernetes_role/variables.tf
index 4a632c9..c3a6210 100644
--- a/modules/vault_cluster/modules/auth_kubernetes_role/variables.tf
+++ b/modules/vault_cluster/modules/auth_kubernetes_role/variables.tf
@@ -24,6 +24,12 @@ variable "token_ttl" {
 default = 3600
 }
 
+variable "token_max_ttl" {
+ description = "The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
+ type = number
+ default = 86400
+}
+
 variable "token_policies" {
 description = "List of policies to assign to the role (passed from policy_auth_map)"
 type = list(string)
diff --git a/modules/vault_cluster/variables.tf b/modules/vault_cluster/variables.tf
index defe9bc..d9b03fc 100644
--- a/modules/vault_cluster/variables.tf
+++ b/modules/vault_cluster/variables.tf
@@ -83,6 +83,7 @@ variable "auth_kubernetes_role" {
 bound_service_account_names = list(string)
 bound_service_account_namespaces = list(string)
 token_ttl = optional(number, 3600)
+ token_max_ttl = optional(number, 86400)
 audience = optional(string, "vault")
 }))
 default = {}
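Review bot: The `default = 86400` on the new `token_max_ttl` variable does not give new roles the property the commit relies on: a role that takes the module defaults (`token_ttl` 3600, `token_max_ttl` 86400) can keep renewing for up to a day, so a policy removed from that role stays usable for up to 24 h, whereas every role checked in here is pinned to 600/600. The description is the provider's wording and does not explain that trade-off; suggest `description = "Hard cap in seconds on a token's total lifetime, renewals included. Policy changes on the role only reach a client when it re-authenticates, so keep this close to token_ttl where prompt policy revocation matters."`. The same 86400 is repeated in `optional(number, 86400)` in the modules/vault_cluster/variables.tf hunk, so the two defaults must now be kept in sync by hand; a comment naming the other location, or dropping one of the defaults (with the sub-module variable marked `nullable = false` so a null input falls back to its own default, on Terraform versions that support it), would remove the drift risk.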