Compare commits
77 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 6f27546207 | |||
| 933de177fa | |||
| ce1185deba | |||
| 3d59758324 | |||
| 8bb071ae46 | |||
| 0dba5e00a6 | |||
| a400e5dc7e | |||
| 95e7a81b2e | |||
| bbde79d2a6 | |||
| f2c54888de | |||
| 36d7afbb65 | |||
| c33dcdc447 | |||
| be9bd96cf3 | |||
| bb5f6922fa | |||
| 346cf9fa43 | |||
| 1288057b81 | |||
| 3876fa818d | |||
| a548bf1cb1 | |||
| 93ba86baf3 | |||
| 098830c10b | |||
| 9cbac6d3ef | |||
| 73aaaaeb99 | |||
| 7c60a5fd53 | |||
| 27f12f183e | |||
| c61434b692 | |||
| 172ceac2fc | |||
| 48a4fd0dd1 | |||
| 4dc09547ef | |||
| 546a9efe44 | |||
| 679cec4bc1 | |||
| 71789f9f32 | |||
| 4cbcec58d3 | |||
| 9c93e185f8 | |||
| d6c8474bd3 | |||
| 42351000ee | |||
| f7d1330c37 | |||
| d9e07e432e | |||
| 14a258de7d | |||
| be8bcc3743 | |||
| dc257b1bcd | |||
| 66119e5207 | |||
| 9e6de4dc32 | |||
| 7cafafd483 | |||
| c94b2af196 | |||
| dd44146d88 | |||
| 18a62332f6 | |||
| 8fa68e2670 | |||
| 4cad39989f | |||
| c825962490 | |||
| 51bc3fffc0 | |||
| dca26029c0 | |||
| d398911108 | |||
| c093d5830d | |||
| 4b176846f2 | |||
| 90b765d713 | |||
| 3fb5a64a17 | |||
| 33a746e545 | |||
| 4fe0e0de73 | |||
| a47f841028 | |||
| 9192879c03 | |||
| 5cdf6b410d | |||
| b51617c009 | |||
| 66ee6430fa | |||
| fd03727ec2 | |||
| 5536869a38 | |||
| f8f1185b42 | |||
| 75e9db1aa6 | |||
| f47804ffdf | |||
| 24c124d6eb | |||
| 9d54b4cfcc | |||
| 33af7010fb | |||
| cb1b383035 | |||
| f6d06cb319 | |||
| 1c9e063310 | |||
| 8070b6f66b | |||
| b115b7d28a | |||
| 25e3d48337 |
@@ -1,3 +1,4 @@
|
||||
.terraform
|
||||
.terraform.lock.hcl
|
||||
env
|
||||
.terragrunt-cache
|
||||
|
||||
@@ -1,9 +1,16 @@
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.4.0
|
||||
hooks:
|
||||
- id: end-of-file-fixer
|
||||
types: [yaml]
|
||||
- id: trailing-whitespace
|
||||
types: [yaml]
|
||||
- repo: https://github.com/gruntwork-io/pre-commit
|
||||
rev: v0.1.30
|
||||
hooks:
|
||||
- id: terraform-fmt
|
||||
- id: terraform-validate
|
||||
- id: tofu-fmt
|
||||
- id: tofu-validate
|
||||
- id: tflint
|
||||
- id: terragrunt-hcl-fmt
|
||||
- repo: https://github.com/adrienverge/yamllint.git
|
||||
|
||||
@@ -0,0 +1,23 @@
|
||||
when:
|
||||
- event: push
|
||||
branch: master
|
||||
|
||||
steps:
|
||||
- name: apply
|
||||
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||
environment:
|
||||
VAULT_AUTH_METHOD: kubernetes
|
||||
commands:
|
||||
- dnf install vault -y
|
||||
- make plan
|
||||
- make apply
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: terraform-vault
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -0,0 +1,21 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: plan
|
||||
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||
environment:
|
||||
VAULT_AUTH_METHOD: kubernetes
|
||||
commands:
|
||||
- dnf install vault -y
|
||||
- make plan
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: terraform-vault
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -0,0 +1,18 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: pre-commit
|
||||
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||
commands:
|
||||
- uvx pre-commit run --all-files
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: default
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -1,20 +1,35 @@
|
||||
.PHONY: init plan apply help
|
||||
.PHONY: init plan apply format
|
||||
|
||||
# Default target
|
||||
help:
|
||||
@echo "Available targets:"
|
||||
@echo " init - Initialize Terraform"
|
||||
@echo " plan - Plan Terraform changes"
|
||||
@echo " apply - Apply Terraform changes"
|
||||
VAULT_AUTH_METHOD ?= approle
|
||||
VAULT_K8S_ROLE ?= woodpecker_terraform_vault
|
||||
VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
|
||||
VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
|
||||
# Define vault_env function to set up vault environment
|
||||
define vault_env
|
||||
@export VAULT_ADDR="https://vault.service.consul:8200" && \
|
||||
if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
|
||||
export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
|
||||
else \
|
||||
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
|
||||
fi && \
|
||||
export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
|
||||
endef
|
||||
|
||||
init:
|
||||
@echo "Sourcing environment and initializing Terraform..."
|
||||
@source ./env && terraform init
|
||||
@$(call vault_env) && \
|
||||
terragrunt run --all --non-interactive init -- -upgrade
|
||||
|
||||
plan:
|
||||
@echo "Sourcing environment and planning Terraform changes..."
|
||||
@source ./env && terraform plan
|
||||
plan: init
|
||||
@$(call vault_env) && \
|
||||
terragrunt run --all --parallelism 4 --non-interactive plan
|
||||
|
||||
apply:
|
||||
@echo "Sourcing environment and applying Terraform changes..."
|
||||
@source ./env && terraform apply -auto-approve
|
||||
apply: init
|
||||
@$(call vault_env) && \
|
||||
terragrunt run --all --parallelism 2 --non-interactive apply
|
||||
|
||||
format:
|
||||
@echo "Formatting OpenTofu files..."
|
||||
@tofu fmt -recursive .
|
||||
@echo "Formatting Terragrunt files..."
|
||||
@terragrunt hcl fmt
|
||||
|
||||
@@ -1,15 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "certmanager" {
|
||||
role_name = "certmanager"
|
||||
bind_secret_id = false
|
||||
token_policies = ["pki_int/certmanager"]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
||||
]
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "incus_cluster" {
|
||||
role_name = "incus_cluster"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/incus/incus-cluster-join-tokens"
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.13.77/32",
|
||||
"198.18.13.78/32",
|
||||
"198.18.13.79/32"
|
||||
]
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "packer_builder" {
|
||||
role_name = "packer_builder"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/packer/packer_builder",
|
||||
]
|
||||
token_ttl = 300 # builds can take a few minutes
|
||||
token_max_ttl = 600
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "puppetapi" {
|
||||
role_name = "puppetapi"
|
||||
bind_secret_id = false
|
||||
token_policies = ["kv/service/puppetapi/puppetapi_read_tokens"]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
||||
]
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "rpmbuilder" {
|
||||
role_name = "rpmbuilder"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"kv/service/github/neoloc/tokens/read-only-token/read",
|
||||
"kv/service/gitea/unkinben/tokens/read-only-packages/read",
|
||||
]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "rundeck-role" {
|
||||
role_name = "rundeck-role"
|
||||
bind_secret_id = true
|
||||
token_policies = ["rundeck/rundeck"]
|
||||
token_ttl = 1 * 3600
|
||||
token_max_ttl = 4 * 3600
|
||||
token_bound_cidrs = ["198.18.13.59/32"]
|
||||
secret_id_bound_cidrs = ["198.18.13.59/32"]
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "sshsign-host-role" {
|
||||
role_name = "sshsign-host-role"
|
||||
bind_secret_id = false
|
||||
token_policies = ["ssh-host-signer/sshsign-host-policy"]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
||||
]
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "sshsigner" {
|
||||
role_name = "sshsigner"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"ssh-host-signer/sshsigner",
|
||||
"sshca_signhost"
|
||||
]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
||||
]
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "terraform_incus" {
|
||||
role_name = "terraform_incus"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/terraform/incus",
|
||||
"kv/service/puppet/certificates/terraform_puppet_cert",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "terraform_nomad" {
|
||||
role_name = "terraform_nomad"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/terraform/nomad",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "terraform_repoflow" {
|
||||
role_name = "terraform_repoflow"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/repoflow/unkinadmin/tokens/terraform/read",
|
||||
"kv/service/terraform/repoflow",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,33 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "tf_vault" {
|
||||
role_name = "tf_vault"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"approle_token_create",
|
||||
"auth/approle/approle_role_admin",
|
||||
"auth/approle/approle_role_login",
|
||||
"auth/kubernetes/k8s_auth_admin",
|
||||
"auth/ldap/ldap_admin",
|
||||
"auth/token/auth_token_create",
|
||||
"auth/token/auth_token_self",
|
||||
"auth/token/auth_token_roles_admin",
|
||||
"kubernetes/au/config_admin",
|
||||
"kubernetes/au/roles_admin",
|
||||
"kv/service/glauth/services/svc_vault_read",
|
||||
"kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
|
||||
"kv/service/kubernetes/au/syd1/service_account_jwt/read",
|
||||
"pki_int/pki_int_roles_admin",
|
||||
"pki_root/pki_root_roles_admin",
|
||||
"ssh-host-signer/ssh-host-signer_roles_admin",
|
||||
"sshca/sshca_roles_admin",
|
||||
"sys/sys_auth_admin",
|
||||
"sys/sys_mounts_admin",
|
||||
"sys/sys_policy_admin",
|
||||
"transit/keys/admin",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
]
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
#----------------------------
|
||||
# Enable approle auth method
|
||||
#----------------------------
|
||||
resource "vault_auth_backend" "approle" {
|
||||
type = "approle"
|
||||
path = "approle"
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
#-----------------------------------
|
||||
# Enable kubernetes auth method
|
||||
#-----------------------------------
|
||||
resource "vault_auth_backend" "kubernetes" {
|
||||
type = "kubernetes"
|
||||
path = "kubernetes"
|
||||
}
|
||||
|
||||
# Data source to read the token_reviewer_jwt from Vault KV
|
||||
data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" {
|
||||
mount = "kv"
|
||||
name = "service/kubernetes/au/syd1/token_reviewer_jwt"
|
||||
}
|
||||
|
||||
# Configure Kubernetes auth backend
|
||||
resource "vault_kubernetes_auth_backend_config" "config" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
kubernetes_host = "https://api-k8s.service.consul:6443"
|
||||
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
|
||||
token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt_au_syd1.data["token"]
|
||||
disable_iss_validation = true
|
||||
use_annotations_as_alias_metadata = true
|
||||
}
|
||||
@@ -1,40 +0,0 @@
|
||||
#--------------------------------
|
||||
# Enable ldap auth method
|
||||
#--------------------------------
|
||||
|
||||
# retrieve the bindpass from Vault
|
||||
data "vault_generic_secret" "svc_vault" {
|
||||
path = "kv/service/glauth/services/svc_vault"
|
||||
}
|
||||
|
||||
# create the ldap backend
|
||||
resource "vault_ldap_auth_backend" "ldap" {
|
||||
path = "ldap"
|
||||
url = "ldap://ldap.service.consul"
|
||||
userdn = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
|
||||
userattr = "uid"
|
||||
upndomain = "users.main.unkin.net"
|
||||
discoverdn = false
|
||||
groupdn = "ou=users,dc=main,dc=unkin,dc=net"
|
||||
groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
|
||||
groupattr = "uid"
|
||||
binddn = data.vault_generic_secret.svc_vault.data["distinguishedName"]
|
||||
bindpass = data.vault_generic_secret.svc_vault.data["pass"]
|
||||
}
|
||||
|
||||
resource "vault_ldap_auth_backend_group" "vault_access" {
|
||||
groupname = "vault_access"
|
||||
policies = [
|
||||
"default_access",
|
||||
]
|
||||
backend = vault_ldap_auth_backend.ldap.path
|
||||
}
|
||||
|
||||
resource "vault_ldap_auth_backend_group" "vault_admin" {
|
||||
groupname = "vault_admin"
|
||||
policies = [
|
||||
"default_access",
|
||||
"global-admin",
|
||||
]
|
||||
backend = vault_ldap_auth_backend.ldap.path
|
||||
}
|
||||
@@ -1,118 +0,0 @@
|
||||
resource "vault_kubernetes_auth_backend_role" "default" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "default"
|
||||
bound_service_account_names = ["default"]
|
||||
bound_service_account_namespaces = ["*"]
|
||||
token_ttl = 3600
|
||||
token_policies = [
|
||||
"default"
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "demo_default" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "demo_default"
|
||||
bound_service_account_names = ["default"]
|
||||
bound_service_account_namespaces = ["demo"]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/terraform/nomad"
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "huntarr-default"
|
||||
bound_service_account_names = ["default"]
|
||||
bound_service_account_namespaces = ["huntarr"]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"pki_int/sign/servers_default",
|
||||
"pki_int/issue/servers_default",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "externaldns" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "externaldns"
|
||||
bound_service_account_names = ["externaldns"]
|
||||
bound_service_account_namespaces = ["externaldns"]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/kubernetes/au/syd1/externaldns/tsig/read",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "cert-manager-issuer"
|
||||
bound_service_account_names = ["cert-manager-vault-issuer"]
|
||||
bound_service_account_namespaces = ["cert-manager"]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"pki_int/sign/servers_default",
|
||||
"pki_int/issue/servers_default",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "ceph-csi"
|
||||
bound_service_account_names = [
|
||||
"ceph-csi-rbd-csi-rbd-provisioner",
|
||||
"ceph-csi-cephfs-csi-cephfs-provisioner",
|
||||
]
|
||||
bound_service_account_namespaces = [
|
||||
"csi-cephrbd",
|
||||
"csi-cephfs",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
|
||||
"kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "media-apps" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "media-apps"
|
||||
bound_service_account_names = [
|
||||
"media-apps-vault-reader",
|
||||
]
|
||||
bound_service_account_namespaces = [
|
||||
"media-apps",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/media-apps/prowlarr/read",
|
||||
"kv/service/media-apps/radarr/read",
|
||||
"kv/service/media-apps/sonarr/read",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "repoflow" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "repoflow"
|
||||
bound_service_account_names = [
|
||||
"default",
|
||||
]
|
||||
bound_service_account_namespaces = [
|
||||
"repoflow",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/repoflow/au/syd1/ceph-s3/read",
|
||||
"kv/service/repoflow/au/syd1/elasticsearch/read",
|
||||
"kv/service/repoflow/au/syd1/hasura/read",
|
||||
"kv/service/repoflow/au/syd1/postgres/read",
|
||||
"kv/service/repoflow/au/syd1/repoflow-server/read",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
default_lease_ttl: 60s
|
||||
max_lease_ttl: 24h
|
||||
@@ -0,0 +1,11 @@
|
||||
token_ttl: 30
|
||||
token_max_ttl: 30
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "198.18.25.5/32"
|
||||
- "198.18.26.3/32"
|
||||
- "198.18.27.89/32"
|
||||
- "198.18.28.8/32"
|
||||
- "198.18.29.33/32"
|
||||
- "198.18.29.239/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.13.77/32"
|
||||
- "198.18.13.78/32"
|
||||
- "198.18.13.79/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 300
|
||||
token_max_ttl: 600
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,11 @@
|
||||
token_ttl: 30
|
||||
token_max_ttl: 30
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "198.18.25.5/32"
|
||||
- "198.18.26.3/32"
|
||||
- "198.18.27.89/32"
|
||||
- "198.18.28.8/32"
|
||||
- "198.18.29.33/32"
|
||||
- "198.18.29.239/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 30
|
||||
token_max_ttl: 30
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,6 @@
|
||||
token_ttl: 3600
|
||||
token_max_ttl: 14400
|
||||
bind_secret_id: true
|
||||
token_bound_cidrs:
|
||||
- "198.18.13.59/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,11 @@
|
||||
token_ttl: 30
|
||||
token_max_ttl: 30
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "198.18.25.5/32"
|
||||
- "198.18.26.3/32"
|
||||
- "198.18.27.89/32"
|
||||
- "198.18.28.8/32"
|
||||
- "198.18.29.33/32"
|
||||
- "198.18.29.239/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,6 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,5 @@
|
||||
kubernetes_host: https://api-k8s.service.consul:6443
|
||||
disable_iss_validation: true
|
||||
use_annotations_as_alias_metadata: false # doesnt work with openbao yet
|
||||
default_lease_ttl: 1h
|
||||
max_lease_ttl: 24h
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- artifactapi
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,9 @@
|
||||
bound_service_account_names:
|
||||
- ceph-csi-rbd-csi-rbd-provisioner
|
||||
- ceph-csi-cephfs-csi-cephfs-provisioner
|
||||
bound_service_account_namespaces:
|
||||
- csi-cephrbd
|
||||
- csi-cephfs
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- cert-manager-vault-issuer
|
||||
bound_service_account_namespaces:
|
||||
- cert-manager
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,6 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces: ['*']
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- externaldns
|
||||
bound_service_account_namespaces:
|
||||
- externaldns
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,6 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- huntarr
|
||||
token_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- identity
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- media-apps-vault-reader
|
||||
bound_service_account_namespaces:
|
||||
- media-apps
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- puppet
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- rancher
|
||||
bound_service_account_namespaces:
|
||||
- cattle-system
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- repoflow
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,8 @@
|
||||
# rpmbuilder is deployed in woodpeckerci
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-artifactapi
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-authentik
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-git
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-prowlarr
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-radarr
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-rancher
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-sonarr
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-vault
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,10 @@
|
||||
userdn: "ou=people,ou=users,dc=main,dc=unkin,dc=net"
|
||||
userattr: "uid"
|
||||
upndomain: "users.main.unkin.net"
|
||||
discoverdn: false
|
||||
groupdn: "ou=users,dc=main,dc=unkin,dc=net"
|
||||
groupfilter: "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
|
||||
groupattr: "uid"
|
||||
username_as_alias: true
|
||||
default_lease_ttl: 24h
|
||||
max_lease_ttl: 168h
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,222 @@
|
||||
# =============================================================================
|
||||
# VAULT MODULE CONFIGURATION SYSTEM
|
||||
# =============================================================================
|
||||
#
|
||||
# This file automatically discovers and organizes YAML configuration files
|
||||
# for Vault modules, creating structured configuration maps for Terraform.
|
||||
#
|
||||
# HOW IT WORKS:
|
||||
# 1. Scans all subdirectories for *.yaml files
|
||||
# 2. Groups files by module type based on directory structure
|
||||
# 3. Creates unique resource keys to prevent naming conflicts
|
||||
# 4. Adds computed fields like name, backend, etc. from file paths
|
||||
#
|
||||
# DIRECTORY STRUCTURE:
|
||||
# config/
|
||||
# ├── auth_approle_role/
|
||||
# │ └── approle/
|
||||
# │ ├── certmanager.yaml # Creates key: "approle/certmanager"
|
||||
# │ └── myapp.yaml # Creates key: "approle/myapp"
|
||||
# ├── auth_kubernetes_role/
|
||||
# │ └── k8s/au/syd1/
|
||||
# │ ├── default.yaml # Creates key: "k8s/au/syd1/default"
|
||||
# │ └── myapp.yaml # Creates key: "k8s/au/syd1/myapp"
|
||||
# └── kv_secret_backend/
|
||||
# ├── kv.yaml # Creates key: "kv"
|
||||
# └── secrets.yaml # Creates key: "secrets"
|
||||
#
|
||||
# EXAMPLE YAML FILE (config/auth_approle_role/approle/myapp.yaml):
|
||||
# ```yaml
|
||||
# token_ttl: 3600
|
||||
# token_max_ttl: 7200
|
||||
# bind_secret_id: true
|
||||
# token_bound_cidrs:
|
||||
# - "10.0.0.0/8"
|
||||
# ```
|
||||
#
|
||||
# This becomes:
|
||||
# ```hcl
|
||||
# auth_approle_role = {
|
||||
# "approle/myapp" = {
|
||||
# approle_name = "myapp" # Auto-computed from filename
|
||||
# mount_path = "approle" # Auto-computed from directory
|
||||
# token_ttl = 3600 # From YAML content
|
||||
# token_max_ttl = 7200 # From YAML content
|
||||
# bind_secret_id = true # From YAML content
|
||||
# token_bound_cidrs = ["10.0.0.0/8"]
|
||||
# }
|
||||
# }
|
||||
# ```
|
||||
#
|
||||
# KEY NAMING PATTERNS:
|
||||
# - Simple backends: filename only (e.g., "kv", "transit")
|
||||
# - Role-based resources: full path without extension (e.g., "approle/myapp")
|
||||
# - This ensures uniqueness when multiple backends have similar role names
|
||||
#
|
||||
# GENERATED OUTPUTS:
|
||||
# - config.auth_approle_backend, config.auth_approle_role, etc.
|
||||
# - Each module gets its own map with properly structured configuration
|
||||
#
|
||||
# =============================================================================
|
||||
|
||||
locals {
|
||||
# Find all YAML files in subdirectories
|
||||
config_files = fileset(".", "**/*.yaml")
|
||||
|
||||
# Create a flat map of all files with their content
|
||||
all_configs = {
|
||||
for file_path in local.config_files :
|
||||
file_path => yamldecode(file(file_path))
|
||||
}
|
||||
|
||||
# Group by module directory (first part of path)
|
||||
config = {
|
||||
auth_approle_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "auth_approle_backend/")
|
||||
}
|
||||
auth_approle_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "auth_approle_role/", ""), ".yaml") => merge(content, {
|
||||
approle_name = trimsuffix(basename(file_path), ".yaml")
|
||||
mount_path = split("/", replace(file_path, "auth_approle_role/", ""))[0]
|
||||
})
|
||||
if startswith(file_path, "auth_approle_role/")
|
||||
}
|
||||
auth_ldap_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "auth_ldap_backend/")
|
||||
}
|
||||
auth_ldap_group = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "auth_ldap_group/", ""), ".yaml") => merge(content, {
|
||||
groupname = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = split("/", replace(file_path, "auth_ldap_group/", ""))[0]
|
||||
})
|
||||
if startswith(file_path, "auth_ldap_group/")
|
||||
}
|
||||
auth_kubernetes_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "auth_kubernetes_backend/", ""), ".yaml") => content
|
||||
if startswith(file_path, "auth_kubernetes_backend/")
|
||||
}
|
||||
auth_kubernetes_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "auth_kubernetes_role/", ""), ".yaml") => merge(content, {
|
||||
role_name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "auth_kubernetes_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "auth_kubernetes_role/")
|
||||
}
|
||||
kv_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "kv_secret_backend/")
|
||||
}
|
||||
transit_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "transit_secret_backend/")
|
||||
}
|
||||
transit_secret_backend_key = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "transit_secret_backend_key/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "transit_secret_backend_key/", ""))
|
||||
})
|
||||
if startswith(file_path, "transit_secret_backend_key/")
|
||||
}
|
||||
ssh_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "ssh_secret_backend/")
|
||||
}
|
||||
ssh_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "ssh_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "ssh_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "ssh_secret_backend_role/")
|
||||
}
|
||||
pki_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "pki_secret_backend/", ""), ".yaml") => content
|
||||
if startswith(file_path, "pki_secret_backend/")
|
||||
}
|
||||
pki_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "pki_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "pki_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "pki_secret_backend_role/")
|
||||
}
|
||||
kubernetes_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "kubernetes_secret_backend/", ""), ".yaml") => content
|
||||
if startswith(file_path, "kubernetes_secret_backend/")
|
||||
}
|
||||
kubernetes_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "kubernetes_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "kubernetes_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "kubernetes_secret_backend_role/")
|
||||
}
|
||||
consul_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "consul_secret_backend/", ""), ".yaml") => content
|
||||
if startswith(file_path, "consul_secret_backend/")
|
||||
}
|
||||
consul_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "consul_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "consul_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "consul_secret_backend_role/")
|
||||
}
|
||||
pki_mount_only = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "pki_mount_only/")
|
||||
}
|
||||
litellm_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "litellm_secret_backend/")
|
||||
}
|
||||
litellm_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "litellm_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "litellm_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "litellm_secret_backend_role/")
|
||||
}
|
||||
plugins = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
})
|
||||
if startswith(file_path, "plugins/")
|
||||
}
|
||||
gpg_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "gpg_secret_backend/")
|
||||
}
|
||||
gpg_key = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "gpg_key/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "gpg_key/", ""))
|
||||
})
|
||||
if startswith(file_path, "gpg_key/")
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
description: "consul secret engine for au-syd1 cluster"
|
||||
default_lease_ttl_seconds: 600
|
||||
max_lease_ttl_seconds: 86400
|
||||
address: "consul.service.au-syd1.consul"
|
||||
scheme: https
|
||||
bootstrap: false
|
||||
datacenter: au-syd1
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-artifactapi
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-authentik
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-git
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-incus
|
||||
ttl: 300
|
||||
max_ttl: 600
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-k8s
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-ldap
|
||||
ttl: 60
|
||||
max_ttl: 60
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-nomad
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-prowlarr
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-radarr
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-rancher
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-repoflow
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-sonarr
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-vault
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,7 @@
|
||||
# config/gpg_key/gpg/pass.yaml
|
||||
# An OpenPGP key in the gpg engine for password-store (passv). The private key
|
||||
# stays in Vault; clients import the exported public key to encrypt and delegate
|
||||
# decryption to gpg/decrypt/pass. Key name = "pass", backend = "gpg".
|
||||
algorithm: rsa-4096
|
||||
identity: "pass <pass@unkin.net>"
|
||||
exportable: false
|
||||
@@ -0,0 +1,4 @@
|
||||
# config/gpg_secret_backend/gpg.yaml
|
||||
# Mounts the gpg secrets engine at "gpg". The plugin itself is registered in the
|
||||
# catalog separately (see config/plugins/vault-plugin-secrets-gpg.yaml).
|
||||
description: "GPG/OpenPGP secrets engine (sign/verify/encrypt/decrypt)"
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "kubernetes secret engine for au-syd1 cluster"
|
||||
default_lease_ttl_seconds: 600
|
||||
max_lease_ttl_seconds: 86400
|
||||
kubernetes_host: "https://api-k8s.service.consul:6443"
|
||||
disable_local_ca_jwt: false
|
||||
@@ -0,0 +1,4 @@
|
||||
allowed_kubernetes_namespaces:
|
||||
- "*"
|
||||
kubernetes_role_type: "ClusterRole"
|
||||
extra_labels: {}
|
||||
@@ -0,0 +1,4 @@
|
||||
allowed_kubernetes_namespaces:
|
||||
- "*"
|
||||
kubernetes_role_type: "ClusterRole"
|
||||
extra_labels: {}
|
||||
@@ -0,0 +1,4 @@
|
||||
allowed_kubernetes_namespaces:
|
||||
- "*"
|
||||
kubernetes_role_type: "ClusterRole"
|
||||
extra_labels: {}
|
||||
@@ -0,0 +1,4 @@
|
||||
allowed_kubernetes_namespaces:
|
||||
- "media-apps"
|
||||
kubernetes_role_type: "Role"
|
||||
extra_labels: {}
|
||||
@@ -0,0 +1,4 @@
|
||||
type: kv-v2
|
||||
description: "Key-Value secrets engine"
|
||||
version: "2"
|
||||
max_versions: 10
|
||||
@@ -0,0 +1,4 @@
|
||||
type: kv-v2
|
||||
description: "Rundeck secrets engine"
|
||||
version: "2"
|
||||
max_versions: 5
|
||||
@@ -0,0 +1,6 @@
|
||||
# Mounts the LiteLLM dynamic secrets engine at "litellm" and writes its config.
|
||||
# The master key is sensitive and read from KV, not stored here:
|
||||
# kv/service/vault/au/syd1/secret_backend/litellm -> key "master_key"
|
||||
description: "LiteLLM dynamic virtual keys"
|
||||
base_url: "https://litellm.k8s.syd1.au.unkin.net"
|
||||
request_timeout_seconds: 30
|
||||
@@ -0,0 +1,9 @@
|
||||
---
|
||||
models:
|
||||
- claude-opus-4-7
|
||||
max_budget: 5
|
||||
ttl: 3600 # seconds (1h)
|
||||
max_ttl: 86400 # seconds (24h)
|
||||
metadata:
|
||||
team: testuser
|
||||
env: prod
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
models:
|
||||
- claude-haiku-4-5
|
||||
- claude-sonnet-4-6
|
||||
max_budget: 50
|
||||
ttl: 3600 # seconds (1h)
|
||||
max_ttl: 86400 # seconds (24h)
|
||||
metadata:
|
||||
team: mailfiltering
|
||||
env: prod
|
||||
@@ -0,0 +1,17 @@
|
||||
description: "PKI Intermediate CA"
|
||||
max_lease_ttl_seconds: 157680000 # 43800 hours * 3600
|
||||
issuer_ref: "default"
|
||||
issuing_certificates:
|
||||
- "https://vault.service.consul:8200/v1/pki_int/ca"
|
||||
crl_distribution_points:
|
||||
- "https://vault.service.consul:8200/v1/pki_int/crl"
|
||||
ocsp_servers: []
|
||||
enable_templating: false
|
||||
default_issuer_ref: null
|
||||
default_follows_latest_issuer: false
|
||||
crl_expiry: "72h"
|
||||
crl_disable: false
|
||||
ocsp_disable: false
|
||||
auto_rebuild: false
|
||||
enable_delta: false
|
||||
delta_rebuild_interval: null
|
||||
@@ -0,0 +1,17 @@
|
||||
description: "PKI Root CA"
|
||||
max_lease_ttl_seconds: 315360000 # 10 years
|
||||
issuer_ref: "default"
|
||||
issuing_certificates:
|
||||
- "https://vault.service.consul:8200/v1/pki_root/ca"
|
||||
crl_distribution_points:
|
||||
- "https://vault.service.consul:8200/v1/pki_root/crl"
|
||||
ocsp_servers: []
|
||||
enable_templating: false
|
||||
default_issuer_ref: null
|
||||
default_follows_latest_issuer: false
|
||||
crl_expiry: "72h"
|
||||
crl_disable: false
|
||||
ocsp_disable: false
|
||||
auto_rebuild: false
|
||||
enable_delta: false
|
||||
delta_rebuild_interval: null
|
||||
@@ -0,0 +1,18 @@
|
||||
description: "PKI Root CA AU SYD1"
|
||||
max_lease_ttl_seconds: 315360000 # 87600 * 3600
|
||||
common_name: "unkin.net AU SYD1 Root CA"
|
||||
issuer_name: "UNKIN_AU_SYD1_ROOTCA_2024"
|
||||
ttl: 315360000 # 87600 * 3600
|
||||
format: "pem"
|
||||
issuing_certificates:
|
||||
- "https://vault.service.consul:8200/v1/pki/au/syd1/ca"
|
||||
crl_distribution_points:
|
||||
- "https://vault.service.consul:8200/v1/pki/au/syd1/crl"
|
||||
ocsp_servers: []
|
||||
enable_templating: false
|
||||
default_follows_latest_issuer: false
|
||||
crl_expiry: "72h"
|
||||
crl_disable: false
|
||||
ocsp_disable: false
|
||||
auto_rebuild: false
|
||||
enable_delta: false
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user