diff --git a/auth_approle_terraform_incus.tf b/auth_approle_terraform_incus.tf
new file mode 100644
index 0000000..b6a30f9
--- /dev/null
+++ b/auth_approle_terraform_incus.tf
@@ -0,0 +1,15 @@
+resource "vault_approle_auth_backend_role" "terraform_incus" {
+ role_name = "terraform_incus"
+ bind_secret_id = false
+ token_policies = [
+ "default_access",
+ "incus",
+ ]
+ token_ttl = 60
+ token_max_ttl = 120
+ token_bound_cidrs = [
+ "10.10.12.200/32",
+ "198.18.13.67/32",
+ "198.18.13.68/32",
+ ]
+}
diff --git a/engine_pki_k8s_etcd_ca.tf b/engine_pki_k8s_etcd_ca.tf
deleted file mode 100644
index ef17bc9..0000000
--- a/engine_pki_k8s_etcd_ca.tf
+++ /dev/null
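Review bot: `bind_secret_id = false` means the role_id alone logs in to this AppRole, so `token_bound_cidrs` is the only gate on who can obtain a token; that is a defensible trade-off for a fixed Terraform runner, but the block should say so, e.g. above `bind_secret_id`: `# No secret_id: the role_id is the whole credential, so keep it out of state and logs — login is restricted to the CIDRs below.` The three CIDRs (one 10.10.12.x host and two 198.18.13.x hosts) and the 60 s / 120 s token TTLs are undocumented; a one-line comment naming which runner hosts these are, and noting that an apply running longer than `token_max_ttl` will need a fresh login, would help the next maintainer. The policy name `incus` attached here is presumably backed by the new `policies/kv/service/terraform/incus.hcl` through a `vault_policy` resource outside this diff; worth confirming the policy name actually matches.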
@@ -1,85 +0,0 @@
-# PKI mount for etcd-ca
-resource "vault_mount" "k8s_etcd_ca" {
- path = "k8s/etcd-ca"
- type = "pki"
- description = "PKI for k8s etcd certificates"
- max_lease_ttl_seconds = 86400 * 365 * 10
-}
-
-# Generate the root CA for etcd
-resource "vault_pki_secret_backend_root_cert" "etcd_ca_root" {
- backend = vault_mount.k8s_etcd_ca.path
- type = "internal"
- common_name = "etcd-ca"
- ttl = 86400 * 365 * 10
- key_type = "rsa"
- key_bits = 4096
-}
-
-# PKI role for kube-etcd
-resource "vault_pki_secret_backend_role" "kube_etcd" {
- backend = vault_mount.k8s_etcd_ca.path
- name = "kube-etcd"
- allowed_domains = ["kube-etcd", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = true
- client_flag = true
-}
-
-# PKI role for kube-etcd-peer
-resource "vault_pki_secret_backend_role" "kube_etcd_peer" {
- backend = vault_mount.k8s_etcd_ca.path
- name = "kube-etcd-peer"
- allowed_domains = ["kube-etcd-peer", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = true
- client_flag = true
-}
-
-# PKI role for kube-etcd-healthcheck-client
-resource "vault_pki_secret_backend_role" "kube_etcd_healthcheck_client" {
- backend = vault_mount.k8s_etcd_ca.path
- name = "kube-etcd-healthcheck-client"
- allowed_domains = ["kube-etcd-healthcheck-client", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = false
- client_flag = true
-}
-
-# PKI role for kube-apiserver-etcd-client
-resource "vault_pki_secret_backend_role" "kube-apiserver-etcd-client" {
- backend = vault_mount.k8s_etcd_ca.path
- name = "kube-apiserver-etcd-client"
- allowed_domains = ["kube-apiserver-etcd-client", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = false
- client_flag = true
-}
diff --git a/engine_pki_k8s_kubernetes_ca.tf b/engine_pki_k8s_kubernetes_ca.tf
deleted file mode 100644
index 4f72b2d..0000000
--- a/engine_pki_k8s_kubernetes_ca.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Additional mounts and roles for Kubernetes CA and front-proxy CA
-resource "vault_mount" "k8s_kubernetes_ca" {
- path = "k8s/kubernetes-ca"
- type = "pki"
- description = "PKI for Kubernetes certificates"
- max_lease_ttl_seconds = 86400 * 365 * 10
-}
-
-# Generate the root CA for etcd
-resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
- backend = vault_mount.k8s_kubernetes_ca.path
- type = "internal"
- common_name = "kubernetes-ca"
- ttl = 86400 * 365 * 10
- key_type = "rsa"
- key_bits = 4096
-}
-
-resource "vault_pki_secret_backend_role" "kube_apiserver" {
- backend = vault_mount.k8s_kubernetes_ca.path
- name = "kube-apiserver"
- allowed_domains = ["kube-apiserver", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = true
- client_flag = false
-}
-
-resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
- backend = vault_mount.k8s_kubernetes_ca.path
- name = "kube-apiserver-kubelet-client"
- allowed_domains = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = false
- client_flag = true
-}
diff --git a/policies/kv/service/packer/packer_builder.hcl b/policies/kv/service/packer/packer_builder.hcl
new file mode 100644
index 0000000..7da8a57
--- /dev/null
+++ b/policies/kv/service/packer/packer_builder.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/packer/builder/env" {
+ capabilities = ["read"]
+}
diff --git a/policies/kv/service/terraform/incus.hcl b/policies/kv/service/terraform/incus.hcl
new file mode 100644
index 0000000..7173116
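Review bot: Neither the new policy file nor the diff says which consumer is meant to read `kv/data/service/packer/builder/env`, and no `vault_policy` resource loading it is visible here; the same applies to `policies/kv/service/terraform/incus.hcl` in the last hunk. If policies are picked up from this directory by a `fileset`/`for_each` elsewhere that is fine, otherwise both files are dead until wired. A header comment in each file would settle it, e.g. `# Read-only access to the Packer builder environment secrets; kv v2 data path only (no list/metadata, no delete).` Note that read on a `kv/data/...` path also allows fetching earlier versions through the `version` query parameter, so a rotated value stays readable until its old versions are deleted or destroyed.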
--- /dev/null
+++ b/policies/kv/service/terraform/incus.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/terraform/incus" {
+ capabilities = ["read"]
+}