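# Additional mounts and roles for Kubernetes CA and front-proxy CA.
# This fragment defines only the Kubernetes CA mount, its root certificate and
# its two issuing roles; no front-proxy CA resources appear here.

# PKI mount backing the Kubernetes CA. Vault caps every TTL issued from the
# mount at max_lease_ttl_seconds, so it must be at least the root cert's TTL.
resource "vault_mount" "k8s_kubernetes_ca" {
  path                  = "k8s/kubernetes-ca"
  type                  = "pki"
  description           = "PKI for Kubernetes certificates"
  max_lease_ttl_seconds = 86400 * 365 * 10 # 10 years, same as the root cert TTL
}

# Generate the root CA for the Kubernetes CA mount. type = "internal" keeps the
# CA private key inside Vault; it is never returned to Terraform state.
resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
  backend     = vault_mount.k8s_kubernetes_ca.path
  type        = "internal"
  common_name = "kubernetes-ca"
  ttl         = 86400 * 365 * 10 # 10 years
  key_type    = "rsa"
  key_bits    = 4096
}

# Issuing role for the kube-apiserver serving certificate (server auth only).
resource "vault_pki_secret_backend_role" "kube_apiserver" {
  backend = vault_mount.k8s_kubernetes_ca.path
  name    = "kube-apiserver"

  # "kube-apiserver" is listed as a bare name. Vault only issues a name that
  # equals an allowed domain when allow_bare_domains is set; without it the
  # entry would only ever match as the parent of a subdomain, so requests for
  # CN "kube-apiserver" would be rejected.
  allowed_domains    = ["kube-apiserver", "*.main.unkin.net", "localhost"]
  allow_bare_domains = true
  allow_ip_sans      = true # serving cert may carry IP SANs
  enforce_hostnames  = true
  allow_subdomains   = true
  allow_glob_domains = true # required for the "*.main.unkin.net" glob entry
  allow_localhost    = true

  # 90-day leaf certificates; max_ttl == ttl so a caller cannot ask for longer.
  max_ttl = 86400 * 90
  ttl     = 86400 * 90

  key_usage   = ["DigitalSignature", "KeyEncipherment"]
  server_flag = true
  client_flag = false
}

# Issuing role for the client certificate the API server presents to kubelets
# (client auth only).
resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
  backend = vault_mount.k8s_kubernetes_ca.path
  name    = "kube-apiserver-kubelet-client"

  # Same reasoning as in the kube_apiserver role: the bare name
  # "kube-apiserver-kubelet-client" is only issuable with allow_bare_domains.
  allowed_domains    = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
  allow_bare_domains = true
  # NOTE(review): a client-auth-only role does not normally need IP SANs or the
  # "*.main.unkin.net" subdomain/glob allowances; they are kept as configured.
  # Confirm the issuer relies on them before tightening this role.
  allow_ip_sans      = true
  enforce_hostnames  = true
  allow_subdomains   = true
  allow_glob_domains = true
  allow_localhost    = true

  # 90-day leaf certificates, matching the kube_apiserver role.
  max_ttl = 86400 * 90
  ttl     = 86400 * 90

  key_usage   = ["DigitalSignature", "KeyEncipherment"]
  server_flag = false
  client_flag = true
}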