unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add kubernetes auth engine

Browse Source 
- add kubernetes authentication
- add policy to manage kubernetes auth engine roles/config
This commit is contained in:
Ben Vincent 2025-11-15 10:50:17 +11:00
parent 9f4b77a765
commit bc9b4eebdc
2 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
auth_backend_kubernetes.tf Normal file
View File

@ -0,0 +1,16 @@
#-----------------------------------
# Enable kubernetes auth method
#-----------------------------------
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
path = "kubernetes"
}
# Configure Kubernetes auth backend
resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://api-k8s.service.consul:6443"
kubernetes_ca_cert = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlakNDQVIrZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWtNU0l3SUFZRFZRUUREQmx5YTJVeUxYTmwKY25abGNpMWpZVUF4TnpVNU1ESTNOVGcwTUI0WERUSTFNRGt5T0RBeU5EWXlORm9YRFRNMU1Ea3lOakF5TkRZeQpORm93SkRFaU1DQUdBMVVFQXd3WmNtdGxNaTF6WlhKMlpYSXRZMkZBTVRjMU9UQXlOelU0TkRCWk1CTUdCeXFHClNNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJLZnNURDR0S3pLY25IeXViV3NlS2psSVBwaEJWdmVWMW42UlV4bWkKYTNINnM5cU1tVDNkbGRZSnlhYWxaSTBOY3RTZFc0dWNQaEJONVRIQ1VyOHNPbWVqUWpCQU1BNEdBMVVkRHdFQgovd1FFQXdJQ3BEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRV0JCUkZiMHBmK3BDL3ZvV3ZiczF6CmZVL2RxQjBSeGpBS0JnZ3Foa2pPUFFRREFnTkpBREJHQWlFQS8wemVKUnJnd3BIRlBSc3FnTytFaG13QngxWTgKTkgzRmNrdEY5SjZQZlBRQ0lRRDQvSXBPaGRqZjlybW8wY2tHMW5wTkV4NVY4K09ROFpUTTdzMURMNitEZkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
token_reviewer_jwt = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJGSlQtckZDOURTQ2hCVkVGYzkyT1dkOUVlMEJvMVhrTUZKM0hhYTVNVWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ2YXVsdC1zZWNyZXRzLW9wZXJhdG9yLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ2YXVsdC1hdXRoLXNhLXRva2VuIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InZhdWx0LWF1dGgtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiNjVjMTI4MS1kNTYxLTQ3ZDAtODFiMC0wZjIwOWM2YTRhMTIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dmF1bHQtc2VjcmV0cy1vcGVyYXRvci1zeXN0ZW06dmF1bHQtYXV0aC1zYSJ9.gxO6q4oQRHGGhBxV0ZH6Gkprq-vTUdWB44XW5Xmql7s9_JTqsN-ahnEuNX6I38sLMVR2iWsB4Hnp79-rjfL_u1xdBfU7T82K_Rn7mpL35jRDv1LzSrNQJ3b40MMS03yMKEe2SFFgA2lina3fKudpce9DuDDxWiJBdJ4whm9ivrbJkZ59coDU0pdNlojH5cYigArJ034z5s4-Q37JeYi0hfvIRUJ0TbK23ZyClR30N22eAetBZrCgQi3qQxG2r-VwezRTwg7CFkK1z9JWndXOqL2rYlxLb0bsw9jWkX-wB6Wb-538LtGJcYw_HcXwcOKMO1KSWVkwe30erp5wieX2mw"
disable_iss_validation = true
}

14
policies/auth/kubernetes/k8s_auth_admin.hcl Normal file
View File

@ -0,0 +1,14 @@
# Allow configuration of Kubernetes authentication backend
path "auth/kubernetes/config" {
capabilities = ["create", "update", "read", "delete"]
}
# Allow management of Kubernetes auth roles
path "auth/kubernetes/role/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}
# Allow listing auth/kubernetes/role
path "auth/kubernetes/role" {
capabilities = ["list"]
}