unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: unkin:2dc37cc8c4a0eef3c28390562d0bf45f08523715
Branches Tags
unkin:master
..
compare: unkin:cd9c006203d6d5c3a31445683287a9f902577673
Branches Tags
unkin:master

No commits in common. "2dc37cc8c4a0eef3c28390562d0bf45f08523715" and "cd9c006203d6d5c3a31445683287a9f902577673" have entirely different histories.
2dc37cc8c4 ... cd9c006203

5 changed files with 0 additions and 139 deletions
Show Stats Expand all files Collapse all files

1
auth_approle_tf_vault.tf
View File

@ -9,7 +9,6 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
"approle_role_admin", "approle_role_admin",
"approle_role_login", "approle_role_login",
"approle_token_create", "approle_token_create",
"k8s_pki_roles_admin",
"ldap_admin", "ldap_admin",
"pki_int_roles_admin", "pki_int_roles_admin",
"pki_root_roles_admin", "pki_root_roles_admin",

85
engine_pki_k8s_etcd_ca.tf
View File

@ -1,85 +0,0 @@
# PKI mount for etcd-ca
resource "vault_mount" "k8s_etcd_ca" {
path = "k8s/etcd-ca"
type = "pki"
description = "PKI for k8s etcd certificates"
max_lease_ttl_seconds = 86400 * 365 * 10
}
# Generate the root CA for etcd
resource "vault_pki_secret_backend_root_cert" "etcd_ca_root" {
backend = vault_mount.k8s_etcd_ca.path
type = "internal"
common_name = "etcd-ca"
ttl = 86400 * 365 * 10
key_type = "rsa"
key_bits = 4096
}
# PKI role for kube-etcd
resource "vault_pki_secret_backend_role" "kube_etcd" {
backend = vault_mount.k8s_etcd_ca.path
name = "kube-etcd"
allowed_domains = ["kube-etcd", "*.main.unkin.net", "localhost"]
allow_ip_sans = true
enforce_hostnames = true
allow_subdomains = true
allow_glob_domains = true
allow_localhost = true
max_ttl = 86400 * 90
ttl = 86400 * 90
key_usage = ["DigitalSignature", "KeyEncipherment"]
server_flag = true
client_flag = true
}
# PKI role for kube-etcd-peer
resource "vault_pki_secret_backend_role" "kube_etcd_peer" {
backend = vault_mount.k8s_etcd_ca.path
name = "kube-etcd-peer"
allowed_domains = ["kube-etcd-peer", "*.main.unkin.net", "localhost"]
allow_ip_sans = true
enforce_hostnames = true
allow_subdomains = true
allow_glob_domains = true
allow_localhost = true
max_ttl = 86400 * 90
ttl = 86400 * 90
key_usage = ["DigitalSignature", "KeyEncipherment"]
server_flag = true
client_flag = true
}
# PKI role for kube-etcd-healthcheck-client
resource "vault_pki_secret_backend_role" "kube_etcd_healthcheck_client" {
backend = vault_mount.k8s_etcd_ca.path
name = "kube-etcd-healthcheck-client"
allowed_domains = ["kube-etcd-healthcheck-client", "*.main.unkin.net", "localhost"]
allow_ip_sans = true
enforce_hostnames = true
allow_subdomains = true
allow_glob_domains = true
allow_localhost = true
max_ttl = 86400 * 90
ttl = 86400 * 90
key_usage = ["DigitalSignature", "KeyEncipherment"]
server_flag = false
client_flag = true
}
# PKI role for kube-apiserver-etcd-client
resource "vault_pki_secret_backend_role" "kube-apiserver-etcd-client" {
backend = vault_mount.k8s_etcd_ca.path
name = "kube-apiserver-etcd-client"
allowed_domains = ["kube-apiserver-etcd-client", "*.main.unkin.net", "localhost"]
allow_ip_sans = true
enforce_hostnames = true
allow_subdomains = true
allow_glob_domains = true
allow_localhost = true
max_ttl = 86400 * 90
ttl = 86400 * 90
key_usage = ["DigitalSignature", "KeyEncipherment"]
server_flag = false
client_flag = true
}

49
engine_pki_k8s_kubernetes_ca.tf
View File

@ -1,49 +0,0 @@
# Additional mounts and roles for Kubernetes CA and front-proxy CA
resource "vault_mount" "k8s_kubernetes_ca" {
path = "k8s/kubernetes-ca"
type = "pki"
description = "PKI for Kubernetes certificates"
max_lease_ttl_seconds = 86400 * 365 * 10
}
# Generate the root CA for etcd
resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
backend = vault_mount.k8s_kubernetes_ca.path
type = "internal"
common_name = "kubernetes-ca"
ttl = 86400 * 365 * 10
key_type = "rsa"
key_bits = 4096
}
resource "vault_pki_secret_backend_role" "kube_apiserver" {
backend = vault_mount.k8s_kubernetes_ca.path
name = "kube-apiserver"
allowed_domains = ["kube-apiserver", "*.main.unkin.net", "localhost"]
allow_ip_sans = true
enforce_hostnames = true
allow_subdomains = true
allow_glob_domains = true
allow_localhost = true
max_ttl = 86400 * 90
ttl = 86400 * 90
key_usage = ["DigitalSignature", "KeyEncipherment"]
server_flag = true
client_flag = false
}
resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
backend = vault_mount.k8s_kubernetes_ca.path
name = "kube-apiserver-kubelet-client"
allowed_domains = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
allow_ip_sans = true
enforce_hostnames = true
allow_subdomains = true
allow_glob_domains = true
allow_localhost = true
max_ttl = 86400 * 90
ttl = 86400 * 90
key_usage = ["DigitalSignature", "KeyEncipherment"]
server_flag = false
client_flag = true
}

1
policies.tf
View File

@ -6,7 +6,6 @@ locals {
"policies/auth/approle", "policies/auth/approle",
"policies/auth/ldap", "policies/auth/ldap",
"policies/auth/token", "policies/auth/token",
"policies/k8s",
"policies/pki_int", "policies/pki_int",
"policies/pki_root", "policies/pki_root",
"policies/rundeck", "policies/rundeck",

3
policies/k8s/k8s_pki_roles_admin.hcl
View File

@ -1,3 +0,0 @@
path "k8s/+/roles/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}