unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6624f7aed1
terraform-vault/engine_k8s_au_syd1.tf
Ben Vincent 6624f7aed1 feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster 
- Add Kubernetes secrets engine at kubernetes/au/syd1 path
  - Create four RBAC roles with external YAML configuration:
    * media-apps-operator: namespaced role for media-apps with selective permissions
    * cluster-operator: cluster-wide read-only access to specific API groups
    * cluster-admin: cluster-wide full access to specific API groups
    * cluster-root: cluster-wide superuser access to all resources
  - Add Vault policies for credential generation for each role
  - Add admin policies for kubernetes auth backend configuration and role management
  - Refactor kubernetes auth backend to use shared locals for CA certificate
  - Update terraform-vault approle with required kubernetes policies
2025-11-27 23:22:13 +11:00

49 lines
2.1 KiB
HCL
Raw Blame History

# Data source to read the service_token_jwt from Vault KV
data "vault_kv_secret_v2" "service_account_jwt_au_syd1" {
mount = "kv"
name = "service/kubernetes/au/syd1/service_account_jwt"
}
resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" {
path = "kubernetes/au/syd1"
description = "kubernetes secret engine for au-syd1 cluster"
default_lease_ttl_seconds = 600
max_lease_ttl_seconds = 86400
kubernetes_host = "https://api-k8s.service.consul:6443"
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
service_account_jwt = data.vault_kv_secret_v2.service_account_jwt_au_syd1.data["token"]
disable_local_ca_jwt = false
}
resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "media-apps-operator"
allowed_kubernetes_namespaces = ["media-apps"]
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
}
resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "cluster-operator"
allowed_kubernetes_namespaces = ["*"]
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
}
resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "cluster-admin"
allowed_kubernetes_namespaces = ["*"]
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
}
resource "vault_kubernetes_secret_backend_role" "cluster_root" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "cluster-root"
allowed_kubernetes_namespaces = ["*"]
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
}
Reference in New Issue View Git Blame Copy Permalink