unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
master
terraform-vault/auth_backend_kubernetes.tf
Ben Vincent 6624f7aed1 feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster 
- Add Kubernetes secrets engine at kubernetes/au/syd1 path
  - Create four RBAC roles with external YAML configuration:
    * media-apps-operator: namespaced role for media-apps with selective permissions
    * cluster-operator: cluster-wide read-only access to specific API groups
    * cluster-admin: cluster-wide full access to specific API groups
    * cluster-root: cluster-wide superuser access to all resources
  - Add Vault policies for credential generation for each role
  - Add admin policies for kubernetes auth backend configuration and role management
  - Refactor kubernetes auth backend to use shared locals for CA certificate
  - Update terraform-vault approle with required kubernetes policies
2025-11-27 23:22:13 +11:00

24 lines
896 B
HCL
Raw Permalink Blame History

#-----------------------------------
# Enable kubernetes auth method
#-----------------------------------
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
path = "kubernetes"
}
# Data source to read the token_reviewer_jwt from Vault KV
data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" {
mount = "kv"
name = "service/kubernetes/au/syd1/token_reviewer_jwt"
}
# Configure Kubernetes auth backend
resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://api-k8s.service.consul:6443"
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt_au_syd1.data["token"]
disable_iss_validation = true
use_annotations_as_alias_metadata = true
}
Reference in New Issue View Git Blame Copy Permalink