Ben Vincent
6624f7aed1
- Add Kubernetes secrets engine at kubernetes/au/syd1 path
- Create four RBAC roles with external YAML configuration:
* media-apps-operator: namespaced role for media-apps with selective permissions
* cluster-operator: cluster-wide read-only access to specific API groups
* cluster-admin: cluster-wide full access to specific API groups
* cluster-root: cluster-wide superuser access to all resources
- Add Vault policies for credential generation for each role
- Add admin policies for kubernetes auth backend configuration and role management
- Refactor kubernetes auth backend to use shared locals for CA certificate
- Update terraform-vault approle with required kubernetes policies
34 lines
1.0 KiB
HCL
34 lines
1.0 KiB
HCL
resource "vault_approle_auth_backend_role" "tf_vault" {
|
|
role_name = "tf_vault"
|
|
bind_secret_id = false
|
|
token_policies = [
|
|
"default_access",
|
|
"approle_token_create",
|
|
"auth/approle/approle_role_admin",
|
|
"auth/approle/approle_role_login",
|
|
"auth/kubernetes/k8s_auth_admin",
|
|
"auth/ldap/ldap_admin",
|
|
"auth/token/auth_token_create",
|
|
"auth/token/auth_token_self",
|
|
"auth/token/auth_token_roles_admin",
|
|
"kubernetes/au/config_admin",
|
|
"kubernetes/au/roles_admin",
|
|
"kv/service/glauth/services/svc_vault_read",
|
|
"kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
|
|
"kv/service/kubernetes/au/syd1/service_account_jwt/read",
|
|
"pki_int/pki_int_roles_admin",
|
|
"pki_root/pki_root_roles_admin",
|
|
"ssh-host-signer/ssh-host-signer_roles_admin",
|
|
"sshca/sshca_roles_admin",
|
|
"sys/sys_auth_admin",
|
|
"sys/sys_mounts_admin",
|
|
"sys/sys_policy_admin",
|
|
"transit/keys/admin",
|
|
]
|
|
token_ttl = 60
|
|
token_max_ttl = 120
|
|
token_bound_cidrs = [
|
|
"10.10.12.200/32",
|
|
]
|
|
}
|