
feat(infra): basic Vault CSI provider integration

Change-Id: Ifbd85588ef9c1ab78d600df9a5b6706048f7dd69

Khue Doan fec05605 fabd5ac1

+167
+58
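--- a/infra/modules/vault-policies/main.tf
+++ b/infra/modules/vault-policies/main.tf
@@ -0,0 +1,58 @@
+################
+# System level #
+################
+
+resource "vault_auth_backend" "kubernetes" {
+  type = "kubernetes"
+}
+
+resource "vault_auth_backend" "userpass" {
+  type = "userpass"
+}
+
+resource "vault_mount" "secret" {
+  path = "secret"
+  type = "kv-v2"
+}
+
+resource "vault_kubernetes_auth_backend_config" "k8s" {
+  backend = vault_auth_backend.kubernetes.path
+  kubernetes_host = "https://kubernetes.default.svc.cluster.local"
+}
+
+#############
+# App level #
+#############
+
+resource "vault_policy" "internal_app" {
+  name = "internal-app"
+  policy = <<EOT
+path "secret/data/db-pass" {
+  capabilities = ["read"]
+}
+EOT
+}
+
+resource "vault_kubernetes_auth_backend_role" "database" {
+  backend = vault_auth_backend.kubernetes.path
+  role_name = "database"
+  bound_service_account_names = [
+    "webapp-sa"
+  ]
+  bound_service_account_namespaces = [
+    "default"
+  ]
+  token_ttl = 60 * 20
+  token_policies = [
+    vault_policy.internal_app.name
+  ]
+}
+
+# TODO remove, just testing
+resource "vault_generic_secret" "example" {
+  path = "${vault_mount.secret.path}/db-pass"
+
+  data_json = jsonencode({
+    "password": "db-secret-password",
+  })
+}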
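Review bot: The `vault_generic_secret.example` block at the end of the hunk writes the literal `db-secret-password` into Vault from source, so the value is now in git history and in the Terraform/OpenTofu state of everyone who applies this module, and the `# TODO remove, just testing` comment does not undo either. Even as a placeholder the value should come from a variable declared with `sensitive = true` rather than a string literal, and the string already committed should be treated as disclosed if it was ever used outside a throwaway cluster. A smaller point in the same hunk: `vault_kubernetes_auth_backend_role.database` sets `token_ttl` but neither `token_max_ttl` nor `audience`, so any service account token for `webapp-sa` in `default` is accepted regardless of the audience it was issued for; if the cluster issues projected tokens, pinning `audience` narrows which tokens can log in. The `userpass` auth backend is also enabled without any user or policy attached, which reads as either unfinished or unnecessary surface.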
+42
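--- a/infra/modules/vault-policies/test.yaml
+++ b/infra/modules/vault-policies/test.yaml
@@ -0,0 +1,42 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: vault-database
+  namespace: default
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault-openbao.vault.svc.cluster.internal:8200"
+    roleName: "database"
+    objects: |
+      - objectName: "db-password"
+        secretPath: "secret/data/db-pass"
+        secretKey: "password"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: webapp-sa
+  namespace: default
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: webapp
+  namespace: default
+spec:
+  serviceAccountName: webapp-sa
+  containers:
+    - image: stefanprodan/podinfo
+      name: webapp
+      volumeMounts:
+        - name: secrets-store-inline
+          mountPath: "/mnt/secrets-store"
+          readOnly: true
+  volumes:
+    - name: secrets-store-inline
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: "vault-database"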
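Review bot: `vaultAddress` in the SecretProviderClass is `http://` on port 8200, so the pod's service account JWT presented at login and the `db-pass` value returned by Vault both cross the cluster network in cleartext; once the Vault/OpenBao listener has TLS this should become `https://` with the CA supplied through `vaultCAPem` or `vaultCACertPath` rather than `vaultSkipTLSVerify`. The host `vault-openbao.vault.svc.cluster.internal` also uses a different cluster domain than the `kubernetes.default.svc.cluster.local` that main.tf in this commit configures, which looks like a typo unless the cluster's DNS domain really is `cluster.internal`. The pod image `stefanprodan/podinfo` carries no tag or digest, so what gets pulled for this test changes over time.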
+14
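--- a/infra/modules/vault-policies/versions.tf
+++ b/infra/modules/vault-policies/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    vault = {
+      source = "hashicorp/vault"
+      version = "~> 5.1.0"
+    }
+  }
+}
+
+provider "vault" {
+  # Configure this provider through the environment variables:
+  # - VAULT_ADDR
+  # - VAULT_TOKEN
+}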
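Review bot: The comment in the `provider "vault"` block names `VAULT_ADDR` and `VAULT_TOKEN` but says nothing about what the token must be allowed to do, so the path of least resistance for whoever runs this is a root token. Since main.tf in this commit creates auth backends, a kv mount, an ACL policy, a Kubernetes auth role and a kv secret, the comment should state the minimum policy the token needs (manage auth methods, mounts and ACL policies, plus write under `secret/`) and that it should be a short-lived token, e.g. `# - VAULT_TOKEN (short-lived, holding only the policy this module needs; not a root token)`. `VAULT_CACERT` is worth listing alongside them once the address is `https://`.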
+41
infra/production/oracle/vault-policies/.terraform.lock.hcl
··· 1 + # This file is maintained automatically by "tofu init". 2 + # Manual edits may be lost in future updates. 3 + 4 + provider "registry.opentofu.org/hashicorp/oci" { 5 + version = "7.10.0" 6 + hashes = [ 7 + "h1:fte2iarPJxuqm8S5AJTgY/eEQnH6LS/qVRxmDkBie4s=", 8 + "zh:03ad7ab20c4aa4a496cedb29cc439cb6e6c6eadcce964a44c227d605a30aec0f", 9 + "zh:08184bf3df20ab6f2bc764f28cefc356090d34bdf02c41ab91939d91f7462c3c", 10 + "zh:0bafa208306be66d0f92d17da7eed0f981543d7d0720462da167795e54f9a1c5", 11 + "zh:14204946c0e462544961eaf8cf07e069c2543c34559efca6a6b8df297c2b9195", 12 + "zh:19c1e56a372167a1a85accc5d0dc9d5db4cbec9e980928d1914c278a8216150c", 13 + "zh:43a10dc7af9ea197a869d24b15013f833c3dc8fa7b90ce0716629df5ee18ef29", 14 + "zh:5bac0be19c09b6537f3db92c60226510b550a074bf1add49b0a8af5314f345e0", 15 + "zh:614d30d3ade2eeda2c2d0e3a03d50b754d48c6f29d952f8a88bc036bdeeccfd5", 16 + "zh:7050fa97d107812799e4c1f708c92fb6e7f2af11f646184937acc8d006a9e911", 17 + "zh:7b6803021b83a39283d06942a349bf6ba5d04107de620f39a3e41730ac303cda", 18 + "zh:85b583aef078998ff5e1b4a147e1c672fd9ce2da3581440c374dbe6fc88217e5", 19 + "zh:8f09b98d0650af0ea1c124ab00d359cc1864f947e6e990f1f51275188ade072f", 20 + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", 21 + "zh:a239d6c426ea34c41e22ef9d997592c0afebebb8154252e6ed0ab0e3e12a0b56", 22 + "zh:ee23f693a06359b453d4a988e21bfd8df96ef82c2403ad7458d2b6b59a114359", 23 + ] 24 + } 25 + 26 + provider "registry.opentofu.org/hashicorp/vault" { 27 + version = "5.1.0" 28 + constraints = "~> 5.1.0" 29 + hashes = [ 30 + "h1:s1muvkI/r+MsuA3nzENAPPO/U+Q6rhXqpcScxDpUgFo=", 31 + "zh:014bb39a4987b0f89cadb764912f868f5da9e7696e6086ea62031ae221e60450", 32 + "zh:03e57b259ca3d546704775c1ec5fa47818bcb25dfadee6f7ef64eb43fa203894", 33 + "zh:15f1e48f94aadfb9234992215cb0d1aab6c82a9085684e9120149fa631f8e9d9", 34 + "zh:5d0b5a70c711209c2267e75ca64a73768497fdc800aed1a2f65b44ee72d39f07", 35 + "zh:5edc8671054cd38bbe74b95845cae114e98c15da7d36fad709ba05ac253b7b49", 36 + 
"zh:6a2cb411887a75b526d3f739a5815205e522864990e38ad199399bb356c92319", 37 + "zh:78d5eb7b2b697aa8482421997c57fee8c1e6a1e602117f888dff2d011308b3d0", 38 + "zh:b50a90b525c7d56c06fff26c4b5ad5a06beec0f5f7e064fdea0cff91e3f74bca", 39 + "zh:c6bcca38ae8d3db7351b7bd513b1716c0fc84d0f13f7a3916be5c1adaac7a972", 40 + ] 41 + }
+12
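--- a/infra/production/oracle/vault-policies/terragrunt.hcl
+++ b/infra/production/oracle/vault-policies/terragrunt.hcl
@@ -0,0 +1,12 @@
+include "root" {
+  path = find_in_parent_folders("root.hcl")
+}
+
+terraform {
+  source = "../../../modules//vault-policies"
+}
+
+# TODO wait for Vault API or unseal hook
+
+inputs = {
+}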
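Review bot: The `# TODO wait for Vault API or unseal hook` comment does not say what this unit needs from its environment, and `inputs` is empty while the module's provider reads `VAULT_ADDR` and `VAULT_TOKEN` from the environment, so a reader of this file cannot tell what must be in place before it applies. Expand the comment to name the precondition and the variables, e.g. `# TODO: Vault must be reachable at VAULT_ADDR and unsealed before this unit applies; VAULT_TOKEN comes from the environment, not from inputs`.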