- update kubernetes_host to match value in jwt - regenerate jwt token and store in vault - add policy to enable access to jwt token - update tf_deploy user with access to token
#-----------------------------------
|
|
# Enable kubernetes auth method
|
|
#-----------------------------------
|
|
resource "vault_auth_backend" "kubernetes" {
|
|
type = "kubernetes"
|
|
path = "kubernetes"
|
|
}
|
|
|
|
locals {
|
|
kubernetes_ca_cert = <<-EOT
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
|
|
cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
|
|
NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
|
|
SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
|
|
a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
|
|
/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
|
|
fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
|
|
NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
|
|
-----END CERTIFICATE-----
|
|
EOT
|
|
}
|
|
|
|
# Data source to read the token_reviewer_jwt from Vault KV
|
|
data "vault_kv_secret_v2" "token_reviewer_jwt" {
|
|
mount = "kv"
|
|
name = "service/kubernetes/au/syd1/token_reviewer_jwt"
|
|
}
|
|
|
|
# Configure Kubernetes auth backend
|
|
resource "vault_kubernetes_auth_backend_config" "config" {
|
|
backend = vault_auth_backend.kubernetes.path
|
|
kubernetes_host = "https://kubernetes.default.svc.cluster.local"
|
|
kubernetes_ca_cert = local.kubernetes_ca_cert
|
|
token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt.data["token"]
|
|
disable_iss_validation = true
|
|
use_annotations_as_alias_metadata = true
|
|
}
|
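Review bot: The reviewer JWT read on the `token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt.data["token"]` line is copied into Terraform state in clear text (the data source stores every KV value it reads), so the state backend now holds a long-lived Kubernetes token and needs the same access control as the KV path this commit grants tf_deploy. If Vault runs inside this cluster, which the `kubernetes_host = "https://kubernetes.default.svc.cluster.local"` value suggests, the `token_reviewer_jwt` argument can be dropped and Vault will use its own pod service-account token for TokenReview, keeping the secret out of state; if Vault runs outside the cluster, that in-cluster hostname will not resolve and the commit message's "match value in jwt" goal still needs an externally reachable API endpoint. The `disable_iss_validation = true` line deserves a why-comment, e.g. `# Issuer check is skipped on purpose: token validity is established by the TokenReview API call against kubernetes_host`, since the default for this argument has changed across Vault versions and a reader cannot tell whether it is deliberate. The CA certificate hard-coded in `locals` will silently break logins when the cluster CA rotates, so a comment naming where it was exported from would help the next maintainer.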