

refactor(vault): move policies to separate file

Change-Id: I74bc45385cc7e27219711fd6852811934169dbd1

Khue Doan 5a4e662a fec05605

+39 -24
+28 -16
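--- a/infra/modules/vault-policies/main.tf
+++ b/infra/modules/vault-policies/main.tf
@@ -15,27 +15,39 @@
 type = "kv-v2"
 }
 
-resource "vault_kubernetes_auth_backend_config" "k8s" {
+resource "vault_kubernetes_auth_backend_config" "kubernetes" {
 backend = vault_auth_backend.kubernetes.path
 kubernetes_host = "https://kubernetes.default.svc.cluster.local"
 }
 
+########
+# User #
+########
+
+# TODO remove, just testing
+# resource "vault_generic_endpoint" "khuedoan" {
+# path = "auth/${vault_auth_backend.userpass.path}/users/khuedoan"
+# ignore_absent_fields = true
+# data_json = jsonencode({
+# token_policies = [
+# "default",
+# ],
+# password = "testing"
+# })
+# }
+
 #############
 # App level #
 #############
 
-resource "vault_policy" "internal_app" {
-name = "internal-app"
-policy = <<EOT
-path "secret/data/db-pass" {
-capabilities = ["read"]
+# TODO remove, just testing
+resource "vault_policy" "kubernetes_default" {
+name = "kubernetes-default"
+policy = file("${path.module}/policies/kubernetes_default.hcl")
 }
-EOT
-}
-
-resource "vault_kubernetes_auth_backend_role" "database" {
+resource "vault_kubernetes_auth_backend_role" "kubernetes_default" {
 backend = vault_auth_backend.kubernetes.path
-role_name = "database"
+role_name = "kubernetes-default"
 bound_service_account_names = [
 "webapp-sa"
 ]
@@ -44,15 +56,15 @@
 ]
 token_ttl = 60 * 20
 token_policies = [
-vault_policy.internal_app.name
+vault_policy.kubernetes_default.name
 ]
 }
 
-# TODO remove, just testing
-resource "vault_generic_secret" "example" {
-path = "${vault_mount.secret.path}/db-pass"
+resource "vault_kv_secret_v2" "db-pass" {
+mount = vault_mount.secret.path
+name = "default/webapp-sa"
 
 data_json = jsonencode({
-"password": "db-secret-password",
+password = "db-secret-password"
 })
 }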
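Review bot: The `# TODO remove, just testing` marker now sits above `vault_policy "kubernetes_default"` (new line 43), while the resource it originally flagged, the fixture secret now named `vault_kv_secret_v2 "db-pass"` with the literal `password = "db-secret-password"` (new line 68), carries no marker at all. That literal lives in the repository and is written into Terraform state on every apply, so the block should keep its marker until the fixture is replaced by a value that never passes through source control; a one-line `# TODO remove, just testing (fixture secret, not for reuse)` above the `vault_kv_secret_v2` block restores the intent. The commented-out `vault_generic_endpoint "khuedoan"` block (new lines 28-37) with `password = "testing"` is dead code and is better dropped than kept as a template to uncomment later. The new `}` on line 47 is followed directly by the role resource on line 48 with no separating blank line, unlike the rest of the file. The role's `bound_service_account_namespaces` falls in the gap between the two hunks and is not visible here.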
+3
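--- /dev/null
+++ b/infra/modules/vault-policies/policies/kubernetes_default.hcl
@@ -0,0 +1,3 @@
+path "secret/data/default/webapp-sa" {
+capabilities = ["read"]
+}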
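Review bot: The path on line 1, `secret/data/default/webapp-sa`, hard-codes the `secret` mount, whereas the secret it guards is created in main.tf with `mount = vault_mount.secret.path` and `name = "default/webapp-sa"`; if the mount path is ever changed in one place only, the policy would presumably still apply cleanly while granting read on a path that holds nothing. Rendering the file with `templatefile` keeps the two in sync: in main.tf `policy = templatefile("${path.module}/policies/kubernetes_default.hcl", { mount = vault_mount.secret.path })` and here `path "${mount}/data/default/webapp-sa" {`. Granting only `read` on the data path, with no `list` or metadata access, is the right scope for a workload that just consumes the secret.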
+8 -8
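--- a/infra/modules/vault-policies/test.yaml
+++ b/infra/modules/vault-policies/test.yaml
@@ -7,10 +7,10 @@
 provider: vault
 parameters:
 vaultAddress: "http://vault-openbao.vault.svc.cluster.internal:8200"
-roleName: "database"
+roleName: "kubernetes-default"
 objects: |
 - objectName: "db-password"
-secretPath: "secret/data/db-pass"
+secretPath: "secret/data/default/webapp-sa"
 secretKey: "password"
 ---
 apiVersion: v1
@@ -27,12 +27,12 @@
 spec:
 serviceAccountName: webapp-sa
 containers:
-- image: stefanprodan/podinfo
-name: webapp
-volumeMounts:
-- name: secrets-store-inline
-mountPath: "/mnt/secrets-store"
-readOnly: true
+- image: stefanprodan/podinfo
+name: webapp
+volumeMounts:
+- name: secrets-store-inline
+mountPath: "/mnt/secrets"
+readOnly: true
 volumes:
 - name: secrets-store-inline
 csi: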
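Review bot: The `mountPath` change from `/mnt/secrets-store` to `/mnt/secrets` (new line 34) is unrelated to moving policies into a file and is not mentioned in the commit message, and the other five rewritten container lines (30-33, 35) are identical in content, so they appear to be a whitespace-only re-indent. Someone bisecting a broken test mount gets no hint from the title; either split the mount-path change into its own commit or add a sentence to the description such as `Also moves the CSI mount to /mnt/secrets and normalises container indentation.` The `secretPath` on new line 13 repeats the `secret/data/default/webapp-sa` literal that also appears in the policy file and as the Terraform secret name, so any rename of the mount or secret now has to be made in three places.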