feat: rework policies file

- policy files are now found automatically
Merge pull request 'feat: move k8s secrets into vault' (#22 ) from benvin/kubernetes_secret_handling into master
2025-11-16 13:08:50 +11:00 · 2025-11-16 12:44:40 +11:00 · 2025-11-16 12:42:18 +11:00 · 2025-11-16 12:40:25 +11:00 · 2025-11-16 12:39:32 +11:00
5 changed files with 49 additions and 4 deletions
--- a/20
+++ b/20
@ -0,0 +1,20 @@
+.PHONY: init plan apply help
+
+# Default target
+help:
+	@echo "Available targets:"
+	@echo "  init  - Initialize Terraform"
+	@echo "  plan  - Plan Terraform changes"
+	@echo "  apply - Apply Terraform changes"
+
+init:
+	@echo "Sourcing environment and initializing Terraform..."
+	@source ./env && terraform init
+
+plan:
+	@echo "Sourcing environment and planning Terraform changes..."
+	@source ./env && terraform plan
+
+apply:
+	@echo "Sourcing environment and applying Terraform changes..."
+	@source ./env && terraform apply -auto-approve
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@ -21,6 +21,7 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
    "sys/sys_mounts_admin",
    "sys/sys_policy_admin",
    "transit/keys/admin",
+    "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/auth_backend_kubernetes.tf
+++ b/auth_backend_kubernetes.tf
@ -6,12 +6,33 @@ resource "vault_auth_backend" "kubernetes" {
  path = "kubernetes"
 }

+locals {
+  kubernetes_ca_cert = <<-EOT
+-----BEGIN CERTIFICATE-----
+MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
+cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
+NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
+a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
+/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
+fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
+NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
+-----END CERTIFICATE-----
+EOT
+}
+
+# Data source to read the token_reviewer_jwt from Vault KV
+data "vault_kv_secret_v2" "token_reviewer_jwt" {
+  mount = "kv"
+  name  = "service/kubernetes/au/syd1/token_reviewer_jwt"
+}
+
 # Configure Kubernetes auth backend
 resource "vault_kubernetes_auth_backend_config" "config" {
  backend                = vault_auth_backend.kubernetes.path
-  kubernetes_host        = "https://api-k8s.service.consul:6443"
-  kubernetes_ca_cert     = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlakNDQVIrZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWtNU0l3SUFZRFZRUUREQmx5YTJVeUxYTmwKY25abGNpMWpZVUF4TnpVNU1ESTNOVGcwTUI0WERUSTFNRGt5T0RBeU5EWXlORm9YRFRNMU1Ea3lOakF5TkRZeQpORm93SkRFaU1DQUdBMVVFQXd3WmNtdGxNaTF6WlhKMlpYSXRZMkZBTVRjMU9UQXlOelU0TkRCWk1CTUdCeXFHClNNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJLZnNURDR0S3pLY25IeXViV3NlS2psSVBwaEJWdmVWMW42UlV4bWkKYTNINnM5cU1tVDNkbGRZSnlhYWxaSTBOY3RTZFc0dWNQaEJONVRIQ1VyOHNPbWVqUWpCQU1BNEdBMVVkRHdFQgovd1FFQXdJQ3BEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRV0JCUkZiMHBmK3BDL3ZvV3ZiczF6CmZVL2RxQjBSeGpBS0JnZ3Foa2pPUFFRREFnTkpBREJHQWlFQS8wemVKUnJnd3BIRlBSc3FnTytFaG13QngxWTgKTkgzRmNrdEY5SjZQZlBRQ0lRRDQvSXBPaGRqZjlybW8wY2tHMW5wTkV4NVY4K09ROFpUTTdzMURMNitEZkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
-  token_reviewer_jwt     = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJGSlQtckZDOURTQ2hCVkVGYzkyT1dkOUVlMEJvMVhrTUZKM0hhYTVNVWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ2YXVsdC1zZWNyZXRzLW9wZXJhdG9yLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ2YXVsdC1hdXRoLXNhLXRva2VuIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InZhdWx0LWF1dGgtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiNjVjMTI4MS1kNTYxLTQ3ZDAtODFiMC0wZjIwOWM2YTRhMTIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dmF1bHQtc2VjcmV0cy1vcGVyYXRvci1zeXN0ZW06dmF1bHQtYXV0aC1zYSJ9.gxO6q4oQRHGGhBxV0ZH6Gkprq-vTUdWB44XW5Xmql7s9_JTqsN-ahnEuNX6I38sLMVR2iWsB4Hnp79-rjfL_u1xdBfU7T82K_Rn7mpL35jRDv1LzSrNQJ3b40MMS03yMKEe2SFFgA2lina3fKudpce9DuDDxWiJBdJ4whm9ivrbJkZ59coDU0pdNlojH5cYigArJ034z5s4-Q37JeYi0hfvIRUJ0TbK23ZyClR30N22eAetBZrCgQi3qQxG2r-VwezRTwg7CFkK1z9JWndXOqL2rYlxLb0bsw9jWkX-wB6Wb-538LtGJcYw_HcXwcOKMO1KSWVkwe30erp5wieX2mw"
+  kubernetes_host        = "https://kubernetes.default.svc.cluster.local"
+  kubernetes_ca_cert     = local.kubernetes_ca_cert
+  token_reviewer_jwt     = data.vault_kv_secret_v2.token_reviewer_jwt.data["token"]
  disable_iss_validation = true
  use_annotations_as_alias_metadata = true
 }
--- a/policies.tf
+++ b/policies.tf
@ -14,4 +14,4 @@ resource "vault_policy" "policies" {

  name   = each.key
  policy = file(each.value.path)
-}
+}
--- a/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl
+++ b/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl
@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt" {
+  capabilities = ["read"]
+}
Author	SHA1	Message	Date
Ben Vincent	49889eaf22	feat: rework policies file - policy files are now found automatically	2025-11-16 13:08:50 +11:00
Ben Vincent	d2acaeb7bc	Merge pull request 'feat: move k8s secrets into vault' (#22 ) from benvin/kubernetes_secret_handling into master Reviewed-on: #22	2025-11-16 12:44:40 +11:00
Ben Vincent	cbee19b5f9	feat: move k8s secrets into vault - update kubernetes_host to match value in jwt - regenerate jwt token and store in vault - add policy to enable access to jwt token - update tf_deploy user with access to token	2025-11-16 12:42:18 +11:00
Ben Vincent	353d726510	Merge pull request 'feat: add makefile' (#21 ) from benvin/makefile into master Reviewed-on: #21	2025-11-16 12:40:25 +11:00
Ben Vincent	537cc9013a	feat: add makefile - add init, plan and apply to makefile	2025-11-16 12:39:32 +11:00