feat: set max token life for auth_kubernetes_role
found kubernetes vaultauth resources never picking up new policies, because they would infinitely renew their token. - set default max token length for roles to 1 day - changed all existing role token_max_ttl to match their token_ttl
This commit is contained in:
@@ -92,6 +92,7 @@ module "auth_kubernetes_role" {
|
||||
bound_service_account_names = each.value.bound_service_account_names
|
||||
bound_service_account_namespaces = each.value.bound_service_account_namespaces
|
||||
token_ttl = each.value.token_ttl
|
||||
token_max_ttl = each.value.token_max_ttl
|
||||
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
|
||||
audience = each.value.audience
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@ resource "vault_kubernetes_auth_backend_role" "role" {
|
||||
bound_service_account_names = var.bound_service_account_names
|
||||
bound_service_account_namespaces = var.bound_service_account_namespaces
|
||||
token_ttl = var.token_ttl
|
||||
token_max_ttl = var.token_max_ttl
|
||||
token_policies = var.token_policies
|
||||
audience = var.audience
|
||||
}
|
||||
@@ -24,6 +24,12 @@ variable "token_ttl" {
|
||||
default = 3600
|
||||
}
|
||||
|
||||
variable "token_max_ttl" {
|
||||
description = "The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
|
||||
type = number
|
||||
default = 86400
|
||||
}
|
||||
|
||||
variable "token_policies" {
|
||||
description = "List of policies to assign to the role (passed from policy_auth_map)"
|
||||
type = list(string)
|
||||
|
||||
@@ -83,6 +83,7 @@ variable "auth_kubernetes_role" {
|
||||
bound_service_account_names = list(string)
|
||||
bound_service_account_namespaces = list(string)
|
||||
token_ttl = optional(number, 3600)
|
||||
token_max_ttl = optional(number, 86400)
|
||||
audience = optional(string, "vault")
|
||||
}))
|
||||
default = {}
|
||||
|
||||
Reference in New Issue
Block a user