# Kubernetes auth method for Vault.
#
# Mounts the auth backend, pins the cluster CA, pulls the token-reviewer
# JWT out of KV, and wires the three together in the backend config.

# Mount the kubernetes auth method at auth/kubernetes.
resource "vault_auth_backend" "kubernetes" {
  path = "kubernetes"
  type = "kubernetes"
}

# Cluster CA certificate that Vault uses to verify the Kubernetes API
# server during TokenReview calls. This is public material, not a secret,
# but it is a pin: if the cluster CA is rotated this value must be refreshed
# or logins will start failing.
locals {
  kubernetes_ca_cert = <<-EOT
    -----BEGIN CERTIFICATE-----
    MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
    cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
    NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
    SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
    a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
    /wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
    fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
    NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
    -----END CERTIFICATE-----
  EOT
}

# Token-reviewer JWT, read from the KV v2 mount rather than embedded here.
# The "token" key of this secret is a long-lived service-account credential;
# it ends up in Terraform state, so state must be treated as sensitive and
# the secret rotated in KV (then re-applied) on the same schedule as the
# service account token itself.
data "vault_kv_secret_v2" "token_reviewer_jwt" {
  mount = "kv"
  name  = "service/kubernetes/au/syd1/token_reviewer_jwt"
}

# Tie the mount, the CA pin and the reviewer token together.
resource "vault_kubernetes_auth_backend_config" "config" {
  backend = vault_auth_backend.kubernetes.path

  # In-cluster API server address; assumes Vault can resolve and reach the
  # cluster-local service DNS name — confirm for out-of-cluster Vault.
  kubernetes_host    = "https://kubernetes.default.svc.cluster.local"
  kubernetes_ca_cert = local.kubernetes_ca_cert
  token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt.data["token"]

  # Skips validation of the JWT "iss" claim. Identity is still bounded by
  # the CA pin and the TokenReview call; confirm this matches what the
  # target Vault version expects, since recent releases treat this setting
  # as deprecated.
  disable_iss_validation = true

  # Copies service-account annotations into the entity alias metadata.
  # NOTE(review): anyone able to edit annotations on a service account can
  # influence that metadata, so do not template policies on it unless
  # annotation writes are restricted in the cluster.
  use_annotations_as_alias_metadata = true
}