50 lines
1.7 KiB
HCL
50 lines
1.7 KiB
HCL
# Additional mounts and roles for Kubernetes CA and front-proxy CA
|
|
resource "vault_mount" "k8s_kubernetes_ca" {
|
|
path = "k8s/kubernetes-ca"
|
|
type = "pki"
|
|
description = "PKI for Kubernetes certificates"
|
|
max_lease_ttl_seconds = 86400 * 365 * 10
|
|
}
|
|
|
|
# Generate the root CA for etcd
|
|
resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
|
|
backend = vault_mount.k8s_kubernetes_ca.path
|
|
type = "internal"
|
|
common_name = "kubernetes-ca"
|
|
ttl = 86400 * 365 * 10
|
|
key_type = "rsa"
|
|
key_bits = 4096
|
|
}
|
|
|
|
resource "vault_pki_secret_backend_role" "kube_apiserver" {
|
|
backend = vault_mount.k8s_kubernetes_ca.path
|
|
name = "kube-apiserver"
|
|
allowed_domains = ["kube-apiserver", "*.main.unkin.net", "localhost"]
|
|
allow_ip_sans = true
|
|
enforce_hostnames = true
|
|
allow_subdomains = true
|
|
allow_glob_domains = true
|
|
allow_localhost = true
|
|
max_ttl = 86400 * 90
|
|
ttl = 86400 * 90
|
|
key_usage = ["DigitalSignature", "KeyEncipherment"]
|
|
server_flag = true
|
|
client_flag = false
|
|
}
|
|
|
|
resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
|
|
backend = vault_mount.k8s_kubernetes_ca.path
|
|
name = "kube-apiserver-kubelet-client"
|
|
allowed_domains = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
|
|
allow_ip_sans = true
|
|
enforce_hostnames = true
|
|
allow_subdomains = true
|
|
allow_glob_domains = true
|
|
allow_localhost = true
|
|
max_ttl = 86400 * 90
|
|
ttl = 86400 * 90
|
|
key_usage = ["DigitalSignature", "KeyEncipherment"]
|
|
server_flag = false
|
|
client_flag = true
|
|
}
|