+4

infra/.modules/bootstrap/vault-policies/allow_secrets.hcl

reviewed

··· 1 1 + # TODO optimize this 2 2 + path "secret/*" { 3 3 + capabilities = ["create", "read", "update", "delete", "list"] 4 4 + }

+25

infra/.modules/bootstrap/vault-test.yaml

reviewed

··· 1 1 + # TODO vault kv put secret/demosecret/aws AWS_SECRET_ACCESS_KEY=s3cr3t 2 2 + # TODO kubectl apply -f test-vault.yaml 3 3 + apiVersion: apps/v1 4 4 + kind: Deployment 5 5 + metadata: 6 6 + name: vault-test 7 7 + namespace: default 8 8 + spec: 9 9 + replicas: 1 10 10 + selector: 11 11 + matchLabels: 12 12 + app.kubernetes.io/name: vault 13 13 + template: 14 14 + metadata: 15 15 + labels: 16 16 + app.kubernetes.io/name: vault 17 17 + spec: 18 18 + serviceAccountName: default 19 19 + containers: 20 20 + - name: alpine 21 21 + image: alpine 22 22 + command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"] 23 23 + env: 24 24 + - name: AWS_SECRET_ACCESS_KEY 25 25 + value: vault:secret/data/demosecret/aws#AWS_SECRET_ACCESS_KEY

+67

infra/.modules/bootstrap/vault.tf

reviewed

··· 25 25 }) 26 26 } 27 27 28 28 + resource "kubectl_manifest" "vault_secrets_webhook" { 29 29 + server_side_apply = true 30 30 + yaml_body = yamlencode({ 31 31 + apiVersion = "argoproj.io/v1alpha1" 32 32 + kind = "Application" 33 33 + metadata = { 34 34 + name = "vault-secrets-webhook" 35 35 + namespace = helm_release.argocd.namespace 36 36 + finalizers = ["resources-finalizer.argocd.argoproj.io"] 37 37 + labels = local.common_labels 38 38 + } 39 39 + spec = { 40 40 + project = "default" 41 41 + destination = { 42 42 + name = "in-cluster" 43 43 + namespace = "vault" 44 44 + } 45 45 + syncPolicy = local.sync_policy 46 46 + source = { 47 47 + repoURL = "ghcr.io" 48 48 + chart = "bank-vaults/helm-charts/vault-secrets-webhook" 49 49 + targetRevision = "1.22.0" 50 50 + helm = { 51 51 + valuesObject = { 52 52 + env = { 53 53 + VAULT_ADDR = "http://vault-cluster.vault.svc.cluster.local:8200" 54 54 + } 55 55 + } 56 56 + } 57 57 + } 58 58 + } 59 59 + }) 60 60 + } 61 61 + 28 62 resource "kubectl_manifest" "vault" { 29 63 server_side_apply = true 30 64 yaml_body = yamlencode({ ··· 76 110 kubernetes = { 77 111 secretNamespace = "{{ .Release.Namespace }}" 78 112 } 113 113 + } 114 114 + externalConfig = { 115 115 + secrets = [ 116 116 + { 117 117 + path = "secret" 118 118 + type = "kv" 119 119 + options = { 120 120 + version = 2 121 121 + } 122 122 + } 123 123 + ] 124 124 + policies = [ 125 125 + { 126 126 + name = "allow_secrets" 127 127 + # TODO make it less ugly 128 128 + rules = file("${path.module}/vault-policies/allow_secrets.hcl") 129 129 + } 130 130 + ] 131 131 + auth = [ 132 132 + { 133 133 + type = "kubernetes" 134 134 + roles = [ 135 135 + { 136 136 + # TODO optimize this 137 137 + name = "default" 138 138 + bound_service_account_names: ["default"] 139 139 + bound_service_account_namespaces: ["default"] 140 140 + policies: ["allow_secrets"] 141 141 + ttl: "1h" 142 142 + } 143 143 + ] 144 144 + } 145 145 + ] 79 146 } 80 147 volumes = [{ 81 148 name = "vault-data"