terraform-vault/auth_kubernetes_roles.tf
Ben Vincent 4cf1b43960 chore: update k8s csi roles
- ensure the new service accounts can read cephrbd/cephfs
- ensure correct namespace is allowed
2025-11-26 21:01:31 +11:00


# Catch-all role for the "default" ServiceAccount.
#
# The namespace binding is the wildcard "*", so a pod running as the default
# ServiceAccount in ANY namespace can log in here and receive the policy named
# "default". This is also the only role in the file with a 1h token TTL (the
# rest use 60s) — worth confirming both the wildcard and the TTL are intended.
resource "vault_kubernetes_auth_backend_role" "default" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "default"

  # Only JWTs carrying the "vault" audience claim are accepted.
  audience = "vault"

  bound_service_account_names      = ["default"]
  bound_service_account_namespaces = ["*"]

  token_ttl      = 3600
  token_policies = ["default"]
}
# Role for the "default" ServiceAccount in the "demo" namespace only.
#
# NOTE(review): the attached policy name suggests terraform/nomad KV secrets;
# confirm a demo workload on the namespace's default SA should read those.
resource "vault_kubernetes_auth_backend_role" "demo_default" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "demo_default"

  # Only JWTs carrying the "vault" audience claim are accepted.
  audience = "vault"

  bound_service_account_names      = ["default"]
  bound_service_account_namespaces = ["demo"]

  token_ttl      = 60
  token_policies = ["kv/service/terraform/nomad"]
}
# Role for the "default" ServiceAccount in the "huntarr" namespace.
#
# Grants the same pair of PKI sign/issue policies as cert_manager_issuer below,
# but to the namespace's default SA rather than a dedicated one. If huntarr
# issues its own certificates this is expected; otherwise a dedicated SA would
# narrow who can obtain certs from the servers_default role.
resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "huntarr-default"

  # Only JWTs carrying the "vault" audience claim are accepted.
  audience = "vault"

  bound_service_account_names      = ["default"]
  bound_service_account_namespaces = ["huntarr"]

  token_ttl = 60
  token_policies = [
    "pki_int/sign/servers_default",
    "pki_int/issue/servers_default",
  ]
}
# Role for external-dns: a dedicated ServiceAccount in its own namespace,
# bound to a single read-only KV policy for the TSIG key. This is the
# least-privilege shape the other roles in this file should converge on.
resource "vault_kubernetes_auth_backend_role" "externaldns" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "externaldns"

  # Only JWTs carrying the "vault" audience claim are accepted.
  audience = "vault"

  bound_service_account_names      = ["externaldns"]
  bound_service_account_namespaces = ["externaldns"]

  token_ttl      = 60
  token_policies = ["kv/service/kubernetes/au/syd1/externaldns/tsig/read"]
}
# Role for the cert-manager Vault issuer: a dedicated ServiceAccount in the
# cert-manager namespace, allowed to sign and issue from the servers_default
# PKI role.
#
# Naming: the Terraform resource label uses underscores while role_name uses
# hyphens; every other role in this file keeps the two identical.
resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "cert-manager-issuer"

  # Only JWTs carrying the "vault" audience claim are accepted.
  audience = "vault"

  bound_service_account_names      = ["cert-manager-vault-issuer"]
  bound_service_account_namespaces = ["cert-manager"]

  token_ttl = 60
  token_policies = [
    "pki_int/sign/servers_default",
    "pki_int/issue/servers_default",
  ]
}
# Shared role for the Ceph CSI RBD and CephFS provisioners.
#
# Caveat: bound_service_account_names and bound_service_account_namespaces are
# matched as a cross-product, not pairwise. Either provisioner SA in either of
# the two namespaces is accepted, and every successful login receives BOTH the
# ceph-rbd-secret and ceph-cephfs-secret read policies. Splitting this into
# one role per driver (one SA, one namespace, one policy each) would give each
# provisioner only its own secret. The role name "ceph-csi" is presumably what
# the CSI deployments reference at login — confirm before renaming or splitting.
resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "ceph-csi"

  # Only JWTs carrying the "vault" audience claim are accepted.
  audience = "vault"

  bound_service_account_names = [
    "ceph-csi-rbd-csi-rbd-provisioner",
    "ceph-csi-cephfs-csi-cephfs-provisioner",
  ]
  bound_service_account_namespaces = [
    "csi-cephrbd",
    "csi-cephfs",
  ]

  token_ttl = 60
  token_policies = [
    "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
    "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
  ]
}