infra/tf/bao-auth-backends.tf

resource "vault_jwt_auth_backend" "keycloak" {
    description         = "Keycloak OIDC auth"
    path                = "oidc"
    type                = "oidc"
    oidc_discovery_url  = "https://auth.janky.solutions/realms/janky.solutions"
    oidc_client_id      = "openbao"
    oidc_client_secret  = "secret123456"
    bound_issuer        = "https://auth.janky.solutions/realms/janky.solutions"
}

resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}

resource "vault_kubernetes_auth_backend_role" "k8s-default" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "kubernetes-default"
  bound_service_account_names      = ["default"]
  bound_service_account_namespaces = ["*"]
  token_ttl                        = 3600
  token_policies                   = [
    vault_policy.k8s_default_sa.name
  ]
}
use opentofu to configure openbao + other bao fixes 2024-09-10 07:32:41 +00:00			`resource "vault_jwt_auth_backend" "keycloak" {`
			`description = "Keycloak OIDC auth"`
			`path = "oidc"`
			`type = "oidc"`
			`oidc_discovery_url = "https://auth.janky.solutions/realms/janky.solutions"`
			`oidc_client_id = "openbao"`
			`oidc_client_secret = "secret123456"`
			`bound_issuer = "https://auth.janky.solutions/realms/janky.solutions"`
			`}`

			`resource "vault_auth_backend" "kubernetes" {`
			`type = "kubernetes"`
			`}`

			`resource "vault_kubernetes_auth_backend_role" "k8s-default" {`
			`backend = vault_auth_backend.kubernetes.path`
			`role_name = "kubernetes-default"`
			`bound_service_account_names = ["default"]`
			`bound_service_account_namespaces = ["*"]`
			`token_ttl = 3600`
			`token_policies = [`
			`vault_policy.k8s_default_sa.name`
			`]`
			`}`