unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: label kubernetes ephemeral serviceaccounts

Browse Source 
- ensure all service accounts are labelled with role/cluster
- add additional api endpoints to cluster roles
This commit is contained in:
Ben Vincent 2025-12-07 12:41:37 +11:00
parent 3bada72838
commit c88b19a216
3 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
engine_k8s_au_syd1.tf
View File

@ -22,6 +22,11 @@ resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
kubernetes_role_type = "Role" kubernetes_role_type = "Role"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml") generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-media-apps-operator"
}
} }
resource "vault_kubernetes_secret_backend_role" "cluster_operator" { resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
@ -31,6 +36,11 @@ resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
kubernetes_role_type = "ClusterRole" kubernetes_role_type = "ClusterRole"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml") generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-cluster-operator"
}
} }
resource "vault_kubernetes_secret_backend_role" "cluster_admin" { resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
@ -40,6 +50,11 @@ resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
kubernetes_role_type = "ClusterRole" kubernetes_role_type = "ClusterRole"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml") generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-cluster-admin"
}
} }
resource "vault_kubernetes_secret_backend_role" "cluster_root" { resource "vault_kubernetes_secret_backend_role" "cluster_root" {
@ -49,4 +64,9 @@ resource "vault_kubernetes_secret_backend_role" "cluster_root" {
kubernetes_role_type = "ClusterRole" kubernetes_role_type = "ClusterRole"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml") generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-cluster-root"
}
} }

3
resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml
View File

@ -17,6 +17,9 @@ rules:
- "nfd.k8s-sigs.io" - "nfd.k8s-sigs.io"
- "policy" - "policy"
- "metrics.k8s.io" - "metrics.k8s.io"
- "logstash.k8s.elastic.co"
- "elasticsearch.k8s.elastic.co"
- "kibana.k8s.elastic.co"
resources: resources:
- "*" - "*"
verbs: verbs:

3
resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml
View File

@ -17,6 +17,9 @@ rules:
- "nfd.k8s-sigs.io" - "nfd.k8s-sigs.io"
- "policy" - "policy"
- "metrics.k8s.io" - "metrics.k8s.io"
- "logstash.k8s.elastic.co"
- "elasticsearch.k8s.elastic.co"
- "kibana.k8s.elastic.co"
resources: resources:
- "*" - "*"
verbs: verbs: