this repo has no description
refactor(vault): move policies to separate file
Change-Id: I74bc45385cc7e27219711fd6852811934169dbd1
+39
-24
+28
-16
infra/modules/vault-policies/main.tf
+28
-16
infra/modules/vault-policies/main.tf
···
15
15
type = "kv-v2"
16
16
}
17
17
18
-
resource "vault_kubernetes_auth_backend_config" "k8s" {
18
+
resource "vault_kubernetes_auth_backend_config" "kubernetes" {
19
19
backend = vault_auth_backend.kubernetes.path
20
20
kubernetes_host = "https://kubernetes.default.svc.cluster.local"
21
21
}
22
22
23
+
########
24
+
# User #
25
+
########
26
+
27
+
# TODO remove, just testing
28
+
# resource "vault_generic_endpoint" "khuedoan" {
29
+
# path = "auth/${vault_auth_backend.userpass.path}/users/khuedoan"
30
+
# ignore_absent_fields = true
31
+
# data_json = jsonencode({
32
+
# token_policies = [
33
+
# "default",
34
+
# ],
35
+
# password = "testing"
36
+
# })
37
+
# }
38
+
23
39
#############
24
40
# App level #
25
41
#############
26
42
27
-
resource "vault_policy" "internal_app" {
28
-
name = "internal-app"
29
-
policy = <<EOT
30
-
path "secret/data/db-pass" {
31
-
capabilities = ["read"]
43
+
# TODO remove, just testing
44
+
resource "vault_policy" "kubernetes_default" {
45
+
name = "kubernetes-default"
46
+
policy = file("${path.module}/policies/kubernetes_default.hcl")
32
47
}
33
-
EOT
34
-
}
35
-
36
-
resource "vault_kubernetes_auth_backend_role" "database" {
48
+
resource "vault_kubernetes_auth_backend_role" "kubernetes_default" {
37
49
backend = vault_auth_backend.kubernetes.path
38
-
role_name = "database"
50
+
role_name = "kubernetes-default"
39
51
bound_service_account_names = [
40
52
"webapp-sa"
41
53
]
···
44
56
]
45
57
token_ttl = 60 * 20
46
58
token_policies = [
47
-
vault_policy.internal_app.name
59
+
vault_policy.kubernetes_default.name
48
60
]
49
61
}
50
62
51
-
# TODO remove, just testing
52
-
resource "vault_generic_secret" "example" {
53
-
path = "${vault_mount.secret.path}/db-pass"
63
+
resource "vault_kv_secret_v2" "db-pass" {
64
+
mount = vault_mount.secret.path
65
+
name = "default/webapp-sa"
54
66
55
67
data_json = jsonencode({
56
-
"password": "db-secret-password",
68
+
password = "db-secret-password"
57
69
})
58
70
}
+3
infra/modules/vault-policies/policies/kubernetes_default.hcl
+3
infra/modules/vault-policies/policies/kubernetes_default.hcl
+8
-8
infra/modules/vault-policies/test.yaml
+8
-8
infra/modules/vault-policies/test.yaml
···
7
7
provider: vault
8
8
parameters:
9
9
vaultAddress: "http://vault-openbao.vault.svc.cluster.internal:8200"
10
-
roleName: "database"
10
+
roleName: "kubernetes-default"
11
11
objects: |
12
12
- objectName: "db-password"
13
-
secretPath: "secret/data/db-pass"
13
+
secretPath: "secret/data/default/webapp-sa"
14
14
secretKey: "password"
15
15
---
16
16
apiVersion: v1
···
27
27
spec:
28
28
serviceAccountName: webapp-sa
29
29
containers:
30
-
- image: stefanprodan/podinfo
31
-
name: webapp
32
-
volumeMounts:
33
-
- name: secrets-store-inline
34
-
mountPath: "/mnt/secrets-store"
35
-
readOnly: true
30
+
- image: stefanprodan/podinfo
31
+
name: webapp
32
+
volumeMounts:
33
+
- name: secrets-store-inline
34
+
mountPath: "/mnt/secrets"
35
+
readOnly: true
36
36
volumes:
37
37
- name: secrets-store-inline
38
38
csi: