Merge pull request 'neoloc/incus' (#10) from neoloc/incus into master

Reviewed-on: https://git.query.consul/unkin/terraform-vault/pulls/10
2025-04-07 16:27:29 +10:00 · 2025-04-07 16:27:29 +10:00 · 80c14ef4e4
commit 80c14ef4e4
parent 2dc37cc8c4 feee7a265e
5 changed files with 21 additions and 134 deletions
--- a/auth_approle_terraform_incus.tf
+++ b/auth_approle_terraform_incus.tf
@ -0,0 +1,15 @@
+resource "vault_approle_auth_backend_role" "terraform_incus" {
+  role_name      = "terraform_incus"
+  bind_secret_id = false
+  token_policies = [
+    "default_access",
+    "incus",
+  ]
+  token_ttl     = 60
+  token_max_ttl = 120
+  token_bound_cidrs = [
+    "10.10.12.200/32",
+    "198.18.13.67/32",
+    "198.18.13.68/32",
+  ]
+}
--- a/engine_pki_k8s_etcd_ca.tf
+++ b/engine_pki_k8s_etcd_ca.tf
@ -1,85 +0,0 @@
-# PKI mount for etcd-ca
-resource "vault_mount" "k8s_etcd_ca" {
-  path                  = "k8s/etcd-ca"
-  type                  = "pki"
-  description           = "PKI for k8s etcd certificates"
-  max_lease_ttl_seconds = 86400 * 365 * 10
-}
-
-# Generate the root CA for etcd
-resource "vault_pki_secret_backend_root_cert" "etcd_ca_root" {
-  backend     = vault_mount.k8s_etcd_ca.path
-  type        = "internal"
-  common_name = "etcd-ca"
-  ttl         = 86400 * 365 * 10
-  key_type    = "rsa"
-  key_bits    = 4096
-}
-
-# PKI role for kube-etcd
-resource "vault_pki_secret_backend_role" "kube_etcd" {
-  backend            = vault_mount.k8s_etcd_ca.path
-  name               = "kube-etcd"
-  allowed_domains    = ["kube-etcd", "*.main.unkin.net", "localhost"]
-  allow_ip_sans      = true
-  enforce_hostnames  = true
-  allow_subdomains   = true
-  allow_glob_domains = true
-  allow_localhost    = true
-  max_ttl            = 86400 * 90
-  ttl                = 86400 * 90
-  key_usage          = ["DigitalSignature", "KeyEncipherment"]
-  server_flag        = true
-  client_flag        = true
-}
-
-# PKI role for kube-etcd-peer
-resource "vault_pki_secret_backend_role" "kube_etcd_peer" {
-  backend            = vault_mount.k8s_etcd_ca.path
-  name               = "kube-etcd-peer"
-  allowed_domains    = ["kube-etcd-peer", "*.main.unkin.net", "localhost"]
-  allow_ip_sans      = true
-  enforce_hostnames  = true
-  allow_subdomains   = true
-  allow_glob_domains = true
-  allow_localhost    = true
-  max_ttl            = 86400 * 90
-  ttl                = 86400 * 90
-  key_usage          = ["DigitalSignature", "KeyEncipherment"]
-  server_flag        = true
-  client_flag        = true
-}
-
-# PKI role for kube-etcd-healthcheck-client
-resource "vault_pki_secret_backend_role" "kube_etcd_healthcheck_client" {
-  backend            = vault_mount.k8s_etcd_ca.path
-  name               = "kube-etcd-healthcheck-client"
-  allowed_domains    = ["kube-etcd-healthcheck-client", "*.main.unkin.net", "localhost"]
-  allow_ip_sans      = true
-  enforce_hostnames  = true
-  allow_subdomains   = true
-  allow_glob_domains = true
-  allow_localhost    = true
-  max_ttl            = 86400 * 90
-  ttl                = 86400 * 90
-  key_usage          = ["DigitalSignature", "KeyEncipherment"]
-  server_flag        = false
-  client_flag        = true
-}
-
-# PKI role for kube-apiserver-etcd-client
-resource "vault_pki_secret_backend_role" "kube-apiserver-etcd-client" {
-  backend            = vault_mount.k8s_etcd_ca.path
-  name               = "kube-apiserver-etcd-client"
-  allowed_domains    = ["kube-apiserver-etcd-client", "*.main.unkin.net", "localhost"]
-  allow_ip_sans      = true
-  enforce_hostnames  = true
-  allow_subdomains   = true
-  allow_glob_domains = true
-  allow_localhost    = true
-  max_ttl            = 86400 * 90
-  ttl                = 86400 * 90
-  key_usage          = ["DigitalSignature", "KeyEncipherment"]
-  server_flag        = false
-  client_flag        = true
-}
--- a/engine_pki_k8s_kubernetes_ca.tf
+++ b/engine_pki_k8s_kubernetes_ca.tf
@ -1,49 +0,0 @@
-# Additional mounts and roles for Kubernetes CA and front-proxy CA
-resource "vault_mount" "k8s_kubernetes_ca" {
-  path                  = "k8s/kubernetes-ca"
-  type                  = "pki"
-  description           = "PKI for Kubernetes certificates"
-  max_lease_ttl_seconds = 86400 * 365 * 10
-}
-
-# Generate the root CA for etcd
-resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
-  backend     = vault_mount.k8s_kubernetes_ca.path
-  type        = "internal"
-  common_name = "kubernetes-ca"
-  ttl         = 86400 * 365 * 10
-  key_type    = "rsa"
-  key_bits    = 4096
-}
-
-resource "vault_pki_secret_backend_role" "kube_apiserver" {
-  backend            = vault_mount.k8s_kubernetes_ca.path
-  name               = "kube-apiserver"
-  allowed_domains    = ["kube-apiserver", "*.main.unkin.net", "localhost"]
-  allow_ip_sans      = true
-  enforce_hostnames  = true
-  allow_subdomains   = true
-  allow_glob_domains = true
-  allow_localhost    = true
-  max_ttl            = 86400 * 90
-  ttl                = 86400 * 90
-  key_usage          = ["DigitalSignature", "KeyEncipherment"]
-  server_flag        = true
-  client_flag        = false
-}
-
-resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
-  backend            = vault_mount.k8s_kubernetes_ca.path
-  name               = "kube-apiserver-kubelet-client"
-  allowed_domains    = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
-  allow_ip_sans      = true
-  enforce_hostnames  = true
-  allow_subdomains   = true
-  allow_glob_domains = true
-  allow_localhost    = true
-  max_ttl            = 86400 * 90
-  ttl                = 86400 * 90
-  key_usage          = ["DigitalSignature", "KeyEncipherment"]
-  server_flag        = false
-  client_flag        = true
-}
--- a/policies/kv/service/packer/packer_builder.hcl
+++ b/policies/kv/service/packer/packer_builder.hcl
@ -0,0 +1,3 @@
+path "kv/data/service/packer/builder/env" {
+    capabilities = ["read"]
+}
--- a/policies/kv/service/terraform/incus.hcl
+++ b/policies/kv/service/terraform/incus.hcl
@ -0,0 +1,3 @@
+path "kv/data/service/terraform/incus" {
+    capabilities = ["read"]
+}