5 changed files with 134 additions and 21 deletions
--- a/auth_approle_terraform_incus.tf
+++ b/auth_approle_terraform_incus.tf
@ -1,15 +0,0 @@
-resource "vault_approle_auth_backend_role" "terraform_incus" {
-  role_name      = "terraform_incus"
-  bind_secret_id = false
-  token_policies = [
-    "default_access",
-    "incus",
-  ]
-  token_ttl     = 60
-  token_max_ttl = 120
-  token_bound_cidrs = [
-    "10.10.12.200/32",
-    "198.18.13.67/32",
-    "198.18.13.68/32",
-  ]
-}
--- a/engine_pki_k8s_etcd_ca.tf
+++ b/engine_pki_k8s_etcd_ca.tf
@ -0,0 +1,85 @@
+# PKI mount for etcd-ca
+resource "vault_mount" "k8s_etcd_ca" {
+  path                  = "k8s/etcd-ca"
+  type                  = "pki"
+  description           = "PKI for k8s etcd certificates"
+  max_lease_ttl_seconds = 86400 * 365 * 10
+}
+
+# Generate the root CA for etcd
+resource "vault_pki_secret_backend_root_cert" "etcd_ca_root" {
+  backend     = vault_mount.k8s_etcd_ca.path
+  type        = "internal"
+  common_name = "etcd-ca"
+  ttl         = 86400 * 365 * 10
+  key_type    = "rsa"
+  key_bits    = 4096
+}
+
+# PKI role for kube-etcd
+resource "vault_pki_secret_backend_role" "kube_etcd" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-etcd"
+  allowed_domains    = ["kube-etcd", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = true
+  client_flag        = true
+}
+
+# PKI role for kube-etcd-peer
+resource "vault_pki_secret_backend_role" "kube_etcd_peer" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-etcd-peer"
+  allowed_domains    = ["kube-etcd-peer", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = true
+  client_flag        = true
+}
+
+# PKI role for kube-etcd-healthcheck-client
+resource "vault_pki_secret_backend_role" "kube_etcd_healthcheck_client" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-etcd-healthcheck-client"
+  allowed_domains    = ["kube-etcd-healthcheck-client", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = false
+  client_flag        = true
+}
+
+# PKI role for kube-apiserver-etcd-client
+resource "vault_pki_secret_backend_role" "kube-apiserver-etcd-client" {
+  backend            = vault_mount.k8s_etcd_ca.path
+  name               = "kube-apiserver-etcd-client"
+  allowed_domains    = ["kube-apiserver-etcd-client", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = false
+  client_flag        = true
+}
--- a/engine_pki_k8s_kubernetes_ca.tf
+++ b/engine_pki_k8s_kubernetes_ca.tf
@ -0,0 +1,49 @@
+# Additional mounts and roles for Kubernetes CA and front-proxy CA
+resource "vault_mount" "k8s_kubernetes_ca" {
+  path                  = "k8s/kubernetes-ca"
+  type                  = "pki"
+  description           = "PKI for Kubernetes certificates"
+  max_lease_ttl_seconds = 86400 * 365 * 10
+}
+
+# Generate the root CA for etcd
+resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
+  backend     = vault_mount.k8s_kubernetes_ca.path
+  type        = "internal"
+  common_name = "kubernetes-ca"
+  ttl         = 86400 * 365 * 10
+  key_type    = "rsa"
+  key_bits    = 4096
+}
+
+resource "vault_pki_secret_backend_role" "kube_apiserver" {
+  backend            = vault_mount.k8s_kubernetes_ca.path
+  name               = "kube-apiserver"
+  allowed_domains    = ["kube-apiserver", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = true
+  client_flag        = false
+}
+
+resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
+  backend            = vault_mount.k8s_kubernetes_ca.path
+  name               = "kube-apiserver-kubelet-client"
+  allowed_domains    = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
+  allow_ip_sans      = true
+  enforce_hostnames  = true
+  allow_subdomains   = true
+  allow_glob_domains = true
+  allow_localhost    = true
+  max_ttl            = 86400 * 90
+  ttl                = 86400 * 90
+  key_usage          = ["DigitalSignature", "KeyEncipherment"]
+  server_flag        = false
+  client_flag        = true
+}
--- a/policies/kv/service/packer/packer_builder.hcl
+++ b/policies/kv/service/packer/packer_builder.hcl
@ -1,3 +0,0 @@
-path "kv/data/service/packer/builder/env" {
-    capabilities = ["read"]
-}
--- a/policies/kv/service/terraform/incus.hcl
+++ b/policies/kv/service/terraform/incus.hcl
@ -1,3 +0,0 @@
-path "kv/data/service/terraform/incus" {
-    capabilities = ["read"]
-}