config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml

@@ -5,5 +5,4 @@ bound_service_account_namespaces:
   - csi-cephrbd
   - csi-cephfs
 token_ttl: 600
-token_max_ttl: 600
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml

@@ -3,5 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - cert-manager
 token_ttl: 600
-token_max_ttl: 600
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml

@@ -3,5 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - externaldns
 token_ttl: 600
-token_max_ttl: 600
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/identity.yaml

@@ -3,5 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - identity
 token_ttl: 600
-token_max_ttl: 600
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml

@@ -3,5 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - media-apps
 token_ttl: 600
-token_max_ttl: 600
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/puppet.yaml

@@ -3,5 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - puppet
 token_ttl: 600
-token_max_ttl: 600
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/rancher.yaml

@@ -3,5 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - cattle-system
 token_ttl: 600
-token_max_ttl: 600
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml

@@ -3,5 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - repoflow
 token_ttl: 600
-token_max_ttl: 600
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/woodpecker.yaml

@@ -3,5 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - woodpecker
 token_ttl: 600
-token_max_ttl: 600
 audience: vault

modules/vault_cluster/main.tf

@@ -92,7 +92,6 @@ module "auth_kubernetes_role" {
   bound_service_account_names      = each.value.bound_service_account_names
   bound_service_account_namespaces = each.value.bound_service_account_namespaces
   token_ttl                        = each.value.token_ttl
-  token_max_ttl                    = each.value.token_max_ttl
   token_policies                   = var.policy_auth_map[each.value.backend][each.value.role_name]
   audience                         = each.value.audience
 

modules/vault_cluster/modules/auth_kubernetes_role/main.tf

@@ -4,7 +4,6 @@ resource "vault_kubernetes_auth_backend_role" "role" {
   bound_service_account_names      = var.bound_service_account_names
   bound_service_account_namespaces = var.bound_service_account_namespaces
   token_ttl                        = var.token_ttl
-  token_max_ttl                    = var.token_max_ttl
   token_policies                   = var.token_policies
   audience                         = var.audience
 }

modules/vault_cluster/modules/auth_kubernetes_role/variables.tf

@@ -24,12 +24,6 @@ variable "token_ttl" {
   default     = 3600
 }
 
-variable "token_max_ttl" {
-  description = "The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
-  type        = number
-  default     = 86400
-}
-
 variable "token_policies" {
   description = "List of policies to assign to the role (passed from policy_auth_map)"
   type        = list(string)

modules/vault_cluster/variables.tf

@@ -83,7 +83,6 @@ variable "auth_kubernetes_role" {
     bound_service_account_names      = list(string)
     bound_service_account_namespaces = list(string)
     token_ttl                        = optional(number, 3600)
-    token_max_ttl                    = optional(number, 86400)
     audience                         = optional(string, "vault")
   }))
   default = {}