unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: unkin:9cc482d4713620ce13164ceca2d8dd5229276ed2
Branches Tags
unkin:master
..
compare: unkin:ad1118af85623e41cd764dc0cdcb30c208c9ae8c
Branches Tags
unkin:master

No commits in common. "9cc482d4713620ce13164ceca2d8dd5229276ed2" and "ad1118af85623e41cd764dc0cdcb30c208c9ae8c" have entirely different histories.
9cc482d471 ... ad1118af85

15 changed files with 25 additions and 204 deletions
Show Stats Expand all files Collapse all files

17
auth_approle_tf_vault.tf
View File

@ -3,27 +3,24 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
bind_secret_id = false bind_secret_id = false
token_policies = [ token_policies = [
"default_access", "default_access",
"approle_token_create",
"auth/approle/approle_role_admin",
"auth/approle/approle_role_login",
"auth/kubernetes/k8s_auth_admin",
"auth/ldap/ldap_admin",
"auth/token/auth_token_create", "auth/token/auth_token_create",
"auth/token/auth_token_self", "auth/token/auth_token_self",
"auth/token/auth_token_roles_admin", "auth/token/auth_token_roles_admin",
"kubernetes/au/config_admin", "auth/approle/approle_role_admin",
"kubernetes/au/roles_admin", "auth/approle/approle_role_login",
"kv/service/glauth/services/svc_vault_read", "approle_token_create",
"kv/service/kubernetes/au/syd1/token_reviewer_jwt/read", "auth/kubernetes/k8s_auth_admin",
"kv/service/kubernetes/au/syd1/service_account_jwt/read", "auth/ldap/ldap_admin",
"pki_int/pki_int_roles_admin", "pki_int/pki_int_roles_admin",
"pki_root/pki_root_roles_admin", "pki_root/pki_root_roles_admin",
"ssh-host-signer/ssh-host-signer_roles_admin", "ssh-host-signer/ssh-host-signer_roles_admin",
"sshca/sshca_roles_admin", "sshca/sshca_roles_admin",
"kv/service/glauth/services/svc_vault_read",
"sys/sys_auth_admin", "sys/sys_auth_admin",
"sys/sys_mounts_admin", "sys/sys_mounts_admin",
"sys/sys_policy_admin", "sys/sys_policy_admin",
"transit/keys/admin", "transit/keys/admin",
"kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
] ]
token_ttl = 60 token_ttl = 60
token_max_ttl = 120 token_max_ttl = 120

21
auth_backend_kubernetes.tf
View File

@ -6,8 +6,23 @@ resource "vault_auth_backend" "kubernetes" {
path = "kubernetes" path = "kubernetes"
} }
locals {
kubernetes_ca_cert = <<-EOT
-----BEGIN CERTIFICATE-----
MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
-----END CERTIFICATE-----
EOT
}
# Data source to read the token_reviewer_jwt from Vault KV # Data source to read the token_reviewer_jwt from Vault KV
data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" { data "vault_kv_secret_v2" "token_reviewer_jwt" {
mount = "kv" mount = "kv"
name = "service/kubernetes/au/syd1/token_reviewer_jwt" name = "service/kubernetes/au/syd1/token_reviewer_jwt"
} }
@ -16,8 +31,8 @@ data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" {
resource "vault_kubernetes_auth_backend_config" "config" { resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://api-k8s.service.consul:6443" kubernetes_host = "https://api-k8s.service.consul:6443"
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1 kubernetes_ca_cert = local.kubernetes_ca_cert
token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt_au_syd1.data["token"] token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt.data["token"]
disable_iss_validation = true disable_iss_validation = true
use_annotations_as_alias_metadata = true use_annotations_as_alias_metadata = true
} }

48
engine_k8s_au_syd1.tf
View File

@ -1,48 +0,0 @@
# Data source to read the service_token_jwt from Vault KV
data "vault_kv_secret_v2" "service_account_jwt_au_syd1" {
mount = "kv"
name = "service/kubernetes/au/syd1/service_account_jwt"
}
resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" {
path = "kubernetes/au/syd1"
description = "kubernetes secret engine for au-syd1 cluster"
default_lease_ttl_seconds = 600
max_lease_ttl_seconds = 86400
kubernetes_host = "https://api-k8s.service.consul:6443"
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
service_account_jwt = data.vault_kv_secret_v2.service_account_jwt_au_syd1.data["token"]
disable_local_ca_jwt = false
}
resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "media-apps-operator"
allowed_kubernetes_namespaces = ["media-apps"]
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
}
resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "cluster-operator"
allowed_kubernetes_namespaces = ["*"]
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
}
resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "cluster-admin"
allowed_kubernetes_namespaces = ["*"]
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
}
resource "vault_kubernetes_secret_backend_role" "cluster_root" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "cluster-root"
allowed_kubernetes_namespaces = ["*"]
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
}

3
policies/kubernetes/au/config_admin.hcl
View File

@ -1,3 +0,0 @@
path "kubernetes/au/+/config" {
capabilities = ["create", "update", "read", "delete", "list"]
}

6
policies/kubernetes/au/roles_admin.hcl
View File

@ -1,6 +0,0 @@
path "kubernetes/au/+/roles" {
capabilities = ["list"]
}
path "kubernetes/au/+/roles/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}

3
policies/kubernetes/au/syd1/creds/cluster-admin.hcl
View File

@ -1,3 +0,0 @@
path "kubernetes/au/syd1/creds/cluster-admin" {
capabilities = ["update"]
}

3
policies/kubernetes/au/syd1/creds/cluster-operator.hcl
View File

@ -1,3 +0,0 @@
path "kubernetes/au/syd1/creds/cluster-operator" {
capabilities = ["update"]
}

3
policies/kubernetes/au/syd1/creds/cluster-root.hcl
View File

@ -1,3 +0,0 @@
path "kubernetes/au/syd1/creds/cluster-root" {
capabilities = ["update"]
}

3
policies/kubernetes/au/syd1/creds/media-apps-operator.hcl
View File

@ -1,3 +0,0 @@
path "kubernetes/au/syd1/creds/media-apps-operator" {
capabilities = ["update"]
}

3
policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.hcl
View File

@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/service_account_jwt" {
capabilities = ["read"]
}

23
resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml
View File

@ -1,23 +0,0 @@
---
rules:
- apiGroups:
- ""
- "postgresql.cnpg.io"
- "cert-manager.io"
- "rbac.authorization.k8s.io"
- "batch"
- "secrets.hashicorp.com"
- "storage.k8s.io"
- "apps"
- "apiextensions.k8s.io"
- "externaldns.k8s.io"
- "autoscaling"
- "networking.k8s.io"
- "purelb.io"
- "nfd.k8s-sigs.io"
- "policy"
- "metrics.k8s.io"
resources:
- "*"
verbs:
- "*"

25
resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml
View File

@ -1,25 +0,0 @@
---
rules:
- apiGroups:
- ""
- "postgresql.cnpg.io"
- "cert-manager.io"
- "rbac.authorization.k8s.io"
- "batch"
- "secrets.hashicorp.com"
- "storage.k8s.io"
- "apps"
- "apiextensions.k8s.io"
- "externaldns.k8s.io"
- "autoscaling"
- "networking.k8s.io"
- "purelb.io"
- "nfd.k8s-sigs.io"
- "policy"
- "metrics.k8s.io"
resources:
- "*"
verbs:
- "get"
- "list"
- "watch"

8
resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml
View File

@ -1,8 +0,0 @@
---
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- "*"

49
resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml
View File

@ -1,49 +0,0 @@
---
rules:
- apiGroups:
- ""
resources:
- "pods"
- "services"
- "configmaps"
- "secrets"
- "endpoints"
- "persistentvolumeclaims"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "pods/log"
verbs:
- "get"
- "list"
- apiGroups:
- ""
resources:
- "pods/exec"
verbs:
- "create"
- apiGroups:
- "apps"
resources:
- "deployments"
- "replicasets"
- "statefulsets"
- "daemonsets"
verbs:
- "get"
- "list"
- "watch"
- "patch"
- apiGroups:
- "extensions"
- "networking.k8s.io"
resources:
- "ingresses"
verbs:
- "get"
- "list"
- "watch"

14
shared_locals.tf
View File

@ -1,14 +0,0 @@
locals {
kubernetes_ca_cert_au_syd1 = <<-EOT
-----BEGIN CERTIFICATE-----
MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
-----END CERTIFICATE-----
EOT
}