From cbee19b5f94c5ff30d493f5993d1b7cd2a3b6c82 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 16 Nov 2025 12:42:18 +1100
Subject: [PATCH] feat: move k8s secrets into vault

- update kubernetes_host to match value in jwt
- regenerate jwt token and store in vault
- add policy to enable access to jwt token
- update tf_deploy user with access to token
---
auth_approle_tf_vault.tf | 1 +
auth_backend_kubernetes.tf | 27 ++++++++++++++++---
policies.tf | 1 +
.../au/syd1/token_reviewer_jwt/read.hcl | 3 +++
4 files changed, 29 insertions(+), 3 deletions(-)
create mode 100644 policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl

diff --git a/auth_approle_tf_vault.tf b/auth_approle_tf_vault.tf
index 3e552b3..0d38624 100644
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@@ -21,6 +21,7 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
 "sys/sys_mounts_admin",
 "sys/sys_policy_admin",
 "transit/keys/admin",
+ "kv/service/kubernetes/au/syd1/token_reviewer_jwt",
 ]
 token_ttl = 60
 token_max_ttl = 120
diff --git a/auth_backend_kubernetes.tf b/auth_backend_kubernetes.tf
index fc9455e..000ddf9 100644
--- a/auth_backend_kubernetes.tf
+++ b/auth_backend_kubernetes.tf
@@ -6,12 +6,33 @@ resource "vault_auth_backend" "kubernetes" {
 path = "kubernetes"
 }
+locals {
+ kubernetes_ca_cert = <<-EOT
+-----BEGIN CERTIFICATE-----
+MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
+cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
+NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
+a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
+/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
+fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
+NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
+-----END CERTIFICATE-----
+EOT
+}
+
+# Data source to read the token_reviewer_jwt from Vault KV
+data "vault_kv_secret_v2" "token_reviewer_jwt" {
+ mount = "kv"
+ name = "service/kubernetes/au/syd1/token_reviewer_jwt"
+}
+
+# Configure Kubernetes auth backend
 resource "vault_kubernetes_auth_backend_config" "config" {
 backend = vault_auth_backend.kubernetes.path
- kubernetes_host = "https://api-k8s.service.consul:6443"
- kubernetes_ca_cert = "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"
- token_reviewer_jwt = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJGSlQtckZDOURTQ2hCVkVGYzkyT1dkOUVlMEJvMVhrTUZKM0hhYTVNVWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ2YXVsdC1zZWNyZXRzLW9wZXJhdG9yLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ2YXVsdC1hdXRoLXNhLXRva2VuIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InZhdWx0LWF1dGgtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiNjVjMTI4MS1kNTYxLTQ3ZDAtODFiMC0wZjIwOWM2YTRhMTIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dmF1bHQtc2VjcmV0cy1vcGVyYXRvci1zeXN0ZW06dmF1bHQtYXV0aC1zYSJ9.gxO6q4oQRHGGhBxV0ZH6Gkprq-vTUdWB44XW5Xmql7s9_JTqsN-ahnEuNX6I38sLMVR2iWsB4Hnp79-rjfL_u1xdBfU7T82K_Rn7mpL35jRDv1LzSrNQJ3b40MMS03yMKEe2SFFgA2lina3fKudpce9DuDDxWiJBdJ4whm9ivrbJkZ59coDU0pdNlojH5cYigArJ034z5s4-Q37JeYi0hfvIRUJ0TbK23ZyClR30N22eAetBZrCgQi3qQxG2r-VwezRTwg7CFkK1z9JWndXOqL2rYlxLb0bsw9jWkX-wB6Wb-538LtGJcYw_HcXwcOKMO1KSWVkwe30erp5wieX2mw"
+ kubernetes_host = "https://kubernetes.default.svc.cluster.local"
+ kubernetes_ca_cert = local.kubernetes_ca_cert
+ token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt.data["token"]
 disable_iss_validation = true
 use_annotations_as_alias_metadata = true
 }
diff --git a/policies.tf b/policies.tf
index 4fe0947..5fdaccc 100644
--- a/policies.tf
+++ b/policies.tf
@@ -22,6 +22,7 @@ locals {
 "policies/kv/service/puppet/certificates",
 "policies/kv/service/puppetapi",
 "policies/kv/service/terraform",
+ "policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt",
 ]
 }
diff --git a/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl b/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl
new file mode 100644
index 0000000..85cc6b9
--- /dev/null
+++ b/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt" {
+ capabilities = ["read"]
+}
\ No newline at end of file
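Review bot: The `- token_reviewer_jwt = "eyJ…"` line removed in this hunk leaves that JWT in git history, and its payload appears to decode to a legacy secret-backed service-account token (namespace `vault-secrets-operator-system`, Secret `vault-auth-sa-token`) with no expiry, so it stays valid until that Secret is deleted; the commit message says the token was regenerated but not that the old one was revoked, which is worth confirming and recording next to the data source, e.g. `# previous reviewer JWT was committed in <commit>; old Secret deleted on <date>, see <ticket>`. Reading the value through `data.vault_kv_secret_v2` still writes it into Terraform state and shows it in plan output, so the move only helps if the state backend is encrypted and scoped at least as tightly as the new `…/token_reviewer_jwt/read` policy. `kubernetes_host = "https://kubernetes.default.svc.cluster.local"` is resolvable only from inside the cluster, and the previous Consul name suggests Vault may run outside it, in which case TokenReview calls will fail; the page does not show where Vault runs, so this needs checking before apply. If Vault does run in-cluster, recent Vault versions use their own service-account token for TokenReview when `token_reviewer_jwt` is left unset, which would let the secret be dropped from KV, state and this file entirely.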