feat: set max token life for auth_kubernetes_role
Found that Kubernetes VaultAuth resources never picked up new policies, because they renewed their token indefinitely. - Set the default maximum token lifetime for roles to 1 day. - Changed every existing role's token_max_ttl to match its token_ttl.
This commit is contained in:
parent
c94b2af196
commit
7cafafd483
@ -5,4 +5,5 @@ bound_service_account_namespaces:
|
|||||||
- csi-cephrbd
|
- csi-cephrbd
|
||||||
- csi-cephfs
|
- csi-cephfs
|
||||||
token_ttl: 600
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
audience: vault
|
audience: vault
|
||||||
|
|||||||
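Review bot: `token_max_ttl: 600` here equals `token_ttl: 600`, which effectively removes renewal: every token issued to csi-cephrbd expires after ten minutes and the client has to log in again, so this per-role value, not the 1-day module default, is what actually makes new policies propagate. That is a sound choice for a short-lived workload token, but nothing in the file says it is deliberate, and a later edit that raises `token_ttl` without touching `token_max_ttl` would quietly bring the stale-policy problem back. I would annotate the line: `token_max_ttl: 600  # keep equal to token_ttl: no renewal, so policy changes apply at the next login (<= 10 min)`. The same pattern appears in the other role files in this commit and the same comment applies to each of them.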
@ -3,4 +3,5 @@ bound_service_account_names:
|
|||||||
bound_service_account_namespaces:
|
bound_service_account_namespaces:
|
||||||
- cert-manager
|
- cert-manager
|
||||||
token_ttl: 600
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
audience: vault
|
audience: vault
|
||||||
|
|||||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
|||||||
bound_service_account_namespaces:
|
bound_service_account_namespaces:
|
||||||
- externaldns
|
- externaldns
|
||||||
token_ttl: 600
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
audience: vault
|
audience: vault
|
||||||
|
|||||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
|||||||
bound_service_account_namespaces:
|
bound_service_account_namespaces:
|
||||||
- identity
|
- identity
|
||||||
token_ttl: 600
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
audience: vault
|
audience: vault
|
||||||
|
|||||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
|||||||
bound_service_account_namespaces:
|
bound_service_account_namespaces:
|
||||||
- media-apps
|
- media-apps
|
||||||
token_ttl: 600
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
audience: vault
|
audience: vault
|
||||||
|
|||||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
|||||||
bound_service_account_namespaces:
|
bound_service_account_namespaces:
|
||||||
- puppet
|
- puppet
|
||||||
token_ttl: 600
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
audience: vault
|
audience: vault
|
||||||
|
|||||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
|||||||
bound_service_account_namespaces:
|
bound_service_account_namespaces:
|
||||||
- cattle-system
|
- cattle-system
|
||||||
token_ttl: 600
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
audience: vault
|
audience: vault
|
||||||
|
|||||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
|||||||
bound_service_account_namespaces:
|
bound_service_account_namespaces:
|
||||||
- repoflow
|
- repoflow
|
||||||
token_ttl: 600
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
audience: vault
|
audience: vault
|
||||||
|
|||||||
@ -3,4 +3,5 @@ bound_service_account_names:
|
|||||||
bound_service_account_namespaces:
|
bound_service_account_namespaces:
|
||||||
- woodpecker
|
- woodpecker
|
||||||
token_ttl: 600
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
audience: vault
|
audience: vault
|
||||||
|
|||||||
@ -92,6 +92,7 @@ module "auth_kubernetes_role" {
|
|||||||
bound_service_account_names = each.value.bound_service_account_names
|
bound_service_account_names = each.value.bound_service_account_names
|
||||||
bound_service_account_namespaces = each.value.bound_service_account_namespaces
|
bound_service_account_namespaces = each.value.bound_service_account_namespaces
|
||||||
token_ttl = each.value.token_ttl
|
token_ttl = each.value.token_ttl
|
||||||
|
token_max_ttl = each.value.token_max_ttl
|
||||||
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
|
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
|
||||||
audience = each.value.audience
|
audience = each.value.audience
|
||||||
|
|
||||||
|
|||||||
@ -4,6 +4,7 @@ resource "vault_kubernetes_auth_backend_role" "role" {
|
|||||||
bound_service_account_names = var.bound_service_account_names
|
bound_service_account_names = var.bound_service_account_names
|
||||||
bound_service_account_namespaces = var.bound_service_account_namespaces
|
bound_service_account_namespaces = var.bound_service_account_namespaces
|
||||||
token_ttl = var.token_ttl
|
token_ttl = var.token_ttl
|
||||||
|
token_max_ttl = var.token_max_ttl
|
||||||
token_policies = var.token_policies
|
token_policies = var.token_policies
|
||||||
audience = var.audience
|
audience = var.audience
|
||||||
}
|
}
|
||||||
@ -24,6 +24,12 @@ variable "token_ttl" {
|
|||||||
default = 3600
|
default = 3600
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "token_max_ttl" {
|
||||||
|
description = "The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
|
||||||
|
type = number
|
||||||
|
default = 86400
|
||||||
|
}
|
||||||
|
|
||||||
variable "token_policies" {
|
variable "token_policies" {
|
||||||
description = "List of policies to assign to the role (passed from policy_auth_map)"
|
description = "List of policies to assign to the role (passed from policy_auth_map)"
|
||||||
type = list(string)
|
type = list(string)
|
||||||
|
|||||||
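Review bot: The 86400-second default means any role that sets only `token_ttl` will still carry stale policies for up to a day, because, as the commit message states, policies are only picked up at login rather than at renewal, yet the description on this variable says nothing about that consequence or about the value needing to be at least `token_ttl`. I would replace the description with: `"Maximum lifetime in seconds of tokens issued for this role, including renewals. Policies are bound at login, so changes to token_policies only take effect once a token reaches this limit and the client re-authenticates; keep it as low as the workload tolerates. Should be >= token_ttl."` If the intent is for policy changes to land quickly by default, a default closer to the 3600 `token_ttl` default above would fit that goal better than a full day.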
@ -83,6 +83,7 @@ variable "auth_kubernetes_role" {
|
|||||||
bound_service_account_names = list(string)
|
bound_service_account_names = list(string)
|
||||||
bound_service_account_namespaces = list(string)
|
bound_service_account_namespaces = list(string)
|
||||||
token_ttl = optional(number, 3600)
|
token_ttl = optional(number, 3600)
|
||||||
|
token_max_ttl = optional(number, 86400)
|
||||||
audience = optional(string, "vault")
|
audience = optional(string, "vault")
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
|
|||||||
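Review bot: Nothing prevents a role entry from setting `token_ttl` above the 86400 default (or above an explicit `token_max_ttl`), and Vault will presumably just cap the effective ttl at the max without the plan telling anyone, so the mismatch only surfaces at runtime. A `validation` block on this variable would reject it at plan time instead; `optional(...)` defaults are applied before validation, so the comparison sees the 86400 default when a role omits `token_max_ttl`. The `variable "auth_kubernetes_role"` block starts before this hunk and its closing brace is after it, so the block below belongs after `default = {}`.
```hcl
  default = {}

  validation {
    condition = alltrue([
      for r in var.auth_kubernetes_role : r.token_max_ttl >= r.token_ttl
    ])
    error_message = "token_max_ttl must be greater than or equal to token_ttl for every auth_kubernetes_role entry."
  }
```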