auth_kubernetes_roles.tf

@@ -1,73 +0,0 @@
-resource "vault_kubernetes_auth_backend_role" "default" {
-  backend                          = vault_auth_backend.kubernetes.path
-  role_name                        = "default"
-  bound_service_account_names      = ["default"]
-  bound_service_account_namespaces = ["*"]
-  token_ttl                        = 3600
-  token_policies = [
-    "default"
-  ]
-  audience = "vault"
-}
-
-resource "vault_kubernetes_auth_backend_role" "demo_default" {
-  backend                          = vault_auth_backend.kubernetes.path
-  role_name                        = "demo_default"
-  bound_service_account_names      = ["default"]
-  bound_service_account_namespaces = ["demo"]
-  token_ttl                        = 60
-  token_policies = [
-    "kv/service/terraform/nomad"
-  ]
-  audience = "vault"
-}
-
-resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
-  backend                          = vault_auth_backend.kubernetes.path
-  role_name                        = "huntarr-default"
-  bound_service_account_names      = ["default"]
-  bound_service_account_namespaces = ["huntarr"]
-  token_ttl                        = 60
-  token_policies = [
-    "pki_int/sign/servers_default",
-    "pki_int/issue/servers_default",
-  ]
-  audience = "vault"
-}
-
-resource "vault_kubernetes_auth_backend_role" "externaldns" {
-  backend                          = vault_auth_backend.kubernetes.path
-  role_name                        = "externaldns"
-  bound_service_account_names      = ["externaldns"]
-  bound_service_account_namespaces = ["externaldns"]
-  token_ttl                        = 60
-  token_policies = [
-    "kv/service/kubernetes/au/syd1/externaldns/tsig/read",
-  ]
-  audience = "vault"
-}
-
-resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
-  backend                          = vault_auth_backend.kubernetes.path
-  role_name                        = "cert-manager-issuer"
-  bound_service_account_names      = ["cert-manager-vault-issuer"]
-  bound_service_account_namespaces = ["cert-manager"]
-  token_ttl                        = 60
-  token_policies = [
-    "pki_int/sign/servers_default",
-    "pki_int/issue/servers_default",
-  ]
-  audience = "vault"
-}
-
-resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
-  backend                          = vault_auth_backend.kubernetes.path
-  role_name                        = "ceph-csi"
-  bound_service_account_names      = ["ceph-csi-rbd-csi-rbdplugin-provisioner"]
-  bound_service_account_namespaces = ["ceph-csi"]
-  token_ttl                        = 60
-  token_policies = [
-    "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
-  ]
-  audience = "vault"
-}

policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl

@@ -1,3 +0,0 @@
-path "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret" {
-  capabilities = ["read"]
-}

policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl

@@ -1,3 +0,0 @@
-path "kv/data/service/kubernetes/au/syd1/externaldns/tsig" {
-  capabilities = ["read"]
-}

policies/pki_int/issue/servers_default.hcl

@@ -1,3 +0,0 @@
-path "pki_int/issue/servers_default" {
-  capabilities = ["update"]
-}

policies/pki_int/sign/servers_default.hcl

@@ -1,3 +0,0 @@
-path "pki_int/sign/servers_default" {
-  capabilities = ["update"]
-}

role_pki_int_servers_default.tf

@@ -2,20 +2,14 @@ resource "vault_pki_secret_backend_role" "servers_default" {
   backend = "pki_int"
   name    = "servers_default"
   #issuer_ref         = data.vault_pki_secret_backend_issuer.pki_int_issuer.default
-  allow_ip_sans = true
+  allow_ip_sans      = true
-  allowed_domains = [
+  allowed_domains    = ["unkin.net", "*.unkin.net", "localhost"]
-    "unkin.net",
+  allow_subdomains   = true
-    "*.unkin.net",
+  allow_glob_domains = true
-    "localhost"
+  allow_bare_domains = true
-  ]
+  enforce_hostnames  = true
-  allow_subdomains    = true
+  allow_any_name     = true
-  allow_glob_domains  = true
+  max_ttl            = 2160 * 3600
-  allow_bare_domains  = true
+  key_bits           = 4096
-  enforce_hostnames   = true
+  country            = ["Australia"]
-  allow_any_name      = true
-  max_ttl             = 2160 * 3600
-  key_bits            = 4096
-  country             = ["Australia"]
-  use_csr_common_name = true
-  use_csr_sans        = true
 }