feat: add pki for k8s

- add pki for k8s
- add policy to manage k8s/*/roles/*

auth_approle_tf_vault.tf

@@ -9,6 +9,7 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
     "approle_role_admin",
     "approle_role_login",
     "approle_token_create",
+    "k8s_pki_roles_admin",
     "ldap_admin",
     "pki_int_roles_admin",
     "pki_root_roles_admin",

engine_pki_k8s_etcd_ca.tf

@@ -0,0 +1,85 @@
+# PKI mount for etcd-ca
+resource "vault_mount" "k8s_etcd_ca" {
+  path                  = "k8s/etcd-ca"
+  type                  = "pki"
+  description           = "PKI for k8s etcd certificates"
+  max_lease_ttl_seconds = 86400 * 365 * 10
+}
+
+# Generate the root CA for etcd
+resource "vault_pki_secret_backend_root_cert" "etcd_ca_root" {
+  backend     = vault_mount.k8s_etcd_ca.path
+  type        = "internal"
+  common_name = "etcd-ca"
+  ttl         = 86400 * 365 * 10
+  key_type    = "rsa"
+  key_bits    = 4096
+}
+
+# PKI role for kube-etcd
+resource "vault_pki_secret_backend_role" "kube_etcd" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-etcd"
+  allowed_domains    = ["kube-etcd", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = true
+  client_flag        = true
+}
+
+# PKI role for kube-etcd-peer
+resource "vault_pki_secret_backend_role" "kube_etcd_peer" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-etcd-peer"
+  allowed_domains    = ["kube-etcd-peer", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = true
+  client_flag        = true
+}
+
+# PKI role for kube-etcd-healthcheck-client
+resource "vault_pki_secret_backend_role" "kube_etcd_healthcheck_client" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-etcd-healthcheck-client"
+  allowed_domains    = ["kube-etcd-healthcheck-client", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = false
+  client_flag        = true
+}
+
+# PKI role for kube-apiserver-etcd-client
+resource "vault_pki_secret_backend_role" "kube-apiserver-etcd-client" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-apiserver-etcd-client"
+  allowed_domains    = ["kube-apiserver-etcd-client", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = false
+  client_flag        = true
+}

engine_pki_k8s_kubernetes_ca.tf

@@ -0,0 +1,49 @@
+# Additional mounts and roles for Kubernetes CA and front-proxy CA
+resource "vault_mount" "k8s_kubernetes_ca" {
+  path                  = "k8s/kubernetes-ca"
+  type                  = "pki"
+  description           = "PKI for Kubernetes certificates"
+  max_lease_ttl_seconds = 86400 * 365 * 10
+}
+
+# Generate the root CA for etcd
+resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
+  backend     = vault_mount.k8s_kubernetes_ca.path
+  type        = "internal"
+  common_name = "kubernetes-ca"
+  ttl         = 86400 * 365 * 10
+  key_type    = "rsa"
+  key_bits    = 4096
+}
+
+resource "vault_pki_secret_backend_role" "kube_apiserver" {
+  backend            = vault_mount.k8s_kubernetes_ca.path
+  name               = "kube-apiserver"
+  allowed_domains    = ["kube-apiserver", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = true
+  client_flag        = false
+}
+
+resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
+  backend            = vault_mount.k8s_kubernetes_ca.path
+  name               = "kube-apiserver-kubelet-client"
+  allowed_domains    = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = false
+  client_flag        = true
+}

policies.tf

@@ -6,6 +6,7 @@ locals {
     "policies/auth/approle",
     "policies/auth/ldap",
     "policies/auth/token",
+    "policies/k8s",
     "policies/pki_int",
     "policies/pki_root",
     "policies/rundeck",

policies/k8s/k8s_pki_roles_admin.hcl

@@ -0,0 +1,3 @@
+path "k8s/+/roles/*" {
+  capabilities = ["create", "update", "read", "delete", "list"]
+}