# Catch-all login role for the `default` Kubernetes service account.
#
# NOTE(review): bound_service_account_namespaces = ["*"] means the `default`
# service account of *every* namespace can log in here; pods that do not set
# serviceAccountName run as `default`, so this is effectively cluster-wide.
# The attached policy is only `default`, which limits the blast radius, but
# confirm the wildcard is intended rather than a placeholder.
# NOTE(review): token_ttl is 3600 here while every other role in this file
# issues 60-second tokens; confirm the longer lifetime is deliberate.
resource "vault_kubernetes_auth_backend_role" "default" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "default"
  # audience must match the `aud` claim of the projected SA token presented at login.
  audience  = "vault"

  bound_service_account_names      = ["default"]
  bound_service_account_namespaces = ["*"]

  token_ttl      = 3600
  token_policies = ["default"]
}
# Login role for workloads in the `demo` namespace.
#
# NOTE(review): this binds the namespace's `default` service account, so any
# pod in `demo` that does not set serviceAccountName receives the
# kv/service/terraform/nomad policy. The externaldns, cert_manager_issuer and
# media-apps roles in this file bind a dedicated service account instead;
# consider the same pattern here so only the intended workload can log in.
resource "vault_kubernetes_auth_backend_role" "demo_default" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "demo_default"
  audience  = "vault"

  bound_service_account_names      = ["default"]
  bound_service_account_namespaces = ["demo"]

  token_ttl      = 60
  token_policies = ["kv/service/terraform/nomad"]
}
# Login role for workloads in the `huntarr` namespace.
#
# NOTE(review): bound to the namespace's `default` service account, so every
# pod in `huntarr` without an explicit serviceAccountName can log in. The
# attached policies are the same PKI sign/issue policies the
# cert_manager_issuer role uses; confirm huntarr needs to issue certificates
# directly rather than obtaining them through cert-manager, and consider a
# dedicated service account as the other non-default roles in this file do.
resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "huntarr-default"
  audience  = "vault"

  bound_service_account_names      = ["default"]
  bound_service_account_namespaces = ["huntarr"]

  token_ttl = 60
  token_policies = [
    "pki_int/sign/servers_default",
    "pki_int/issue/servers_default",
  ]
}
# Login role for external-dns: a dedicated service account in its own
# namespace, granted read access to the TSIG secret only.
resource "vault_kubernetes_auth_backend_role" "externaldns" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "externaldns"
  audience  = "vault"

  bound_service_account_names      = ["externaldns"]
  bound_service_account_namespaces = ["externaldns"]

  token_ttl      = 60
  token_policies = ["kv/service/kubernetes/au/syd1/externaldns/tsig/read"]
}
# Login role for the cert-manager Vault issuer: a dedicated service account
# in the cert-manager namespace, allowed to sign and issue from the
# servers_default role of the intermediate PKI.
resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "cert-manager-issuer"
  audience  = "vault"

  bound_service_account_names      = ["cert-manager-vault-issuer"]
  bound_service_account_namespaces = ["cert-manager"]

  token_ttl = 60
  token_policies = [
    "pki_int/sign/servers_default",
    "pki_int/issue/servers_default",
  ]
}
# Shared login role for the Ceph RBD and CephFS CSI provisioners.
#
# NOTE(review): Vault matches the two bound lists independently, so this role
# admits every name/namespace combination (e.g. the RBD provisioner SA in the
# csi-cephfs namespace) and every login receives both secret-read policies.
# If the two drivers should only read their own secret, split this into one
# role per driver with a single SA, namespace and policy each.
resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "ceph-csi"
  audience  = "vault"

  bound_service_account_names = [
    "ceph-csi-rbd-csi-rbd-provisioner",
    "ceph-csi-cephfs-csi-cephfs-provisioner",
  ]
  bound_service_account_namespaces = [
    "csi-cephrbd",
    "csi-cephfs",
  ]

  token_ttl = 60
  token_policies = [
    "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
    "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
  ]
}
# Login role for the media-apps namespace: a dedicated reader service account
# with read-only access to the prowlarr, radarr and sonarr secrets.
resource "vault_kubernetes_auth_backend_role" "media-apps" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "media-apps"
  audience  = "vault"

  bound_service_account_names      = ["media-apps-vault-reader"]
  bound_service_account_namespaces = ["media-apps"]

  token_ttl = 60
  token_policies = [
    "kv/service/media-apps/prowlarr/read",
    "kv/service/media-apps/radarr/read",
    "kv/service/media-apps/sonarr/read",
  ]
}
# Login role for workloads in the `repoflow` namespace.
#
# NOTE(review): bound to the namespace's `default` service account, so any pod
# in `repoflow` without an explicit serviceAccountName can read all five
# secrets below (object storage, elasticsearch, hasura, postgres and the
# repoflow server). A dedicated service account, as media-apps uses, would
# limit this to the intended workload.
resource "vault_kubernetes_auth_backend_role" "repoflow" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "repoflow"
  audience  = "vault"

  bound_service_account_names      = ["default"]
  bound_service_account_namespaces = ["repoflow"]

  token_ttl = 60
  token_policies = [
    "kv/service/repoflow/au/syd1/ceph-s3/read",
    "kv/service/repoflow/au/syd1/elasticsearch/read",
    "kv/service/repoflow/au/syd1/hasura/read",
    "kv/service/repoflow/au/syd1/postgres/read",
    "kv/service/repoflow/au/syd1/repoflow-server/read",
  ]
}