vault mounts: drop test, create a more prod kv store

2024-09-10 12:11:33 -07:00 · 2024-09-10 12:11:33 -07:00 · 2e16e58e6c
commit 2e16e58e6c
parent f497e9ba55
4 changed files with 10 additions and 7 deletions
--- a/tf/bao-auth-backends.tf
+++ b/tf/bao-auth-backends.tf
@ -14,6 +14,6 @@ resource "vault_kubernetes_auth_backend_role" "k8s-default" {
  bound_service_account_namespaces = ["*"]
  token_ttl                        = 3600
  token_policies                   = [
-    vault_policy.k8s_default_sa.name
+    vault_policy.k8s_default.name
  ]
 }
--- a/tf/bao-mounts.tf
+++ b/tf/bao-mounts.tf
@ -1,6 +1,6 @@
-resource "vault_mount" "test-kv" {
-  path        = "test-kv"
+resource "vault_mount" "static_secrets" {
+  path        = "static-secrets"
  type        = "kv"
  options     = { version = "2" }
-  description = "Testing KV for evaluating how OpenBao works"
+  description = "Static secrets, organized by <k8s-namespace>/<service-account>/*"
 }
--- a/tf/bao-policies.tf
+++ b/tf/bao-policies.tf
@ -1,5 +1,8 @@
 resource "vault_policy" "k8s_default" {
-  name = "k8s-default-sa"
+  name = "k8s-default"

-  policy = templatefile("bao-policies/k8s-default.hcl", { k8s_auth_backend = vault_auth_backend.kubernetes.accessor })
+  policy = templatefile("bao-policies/k8s-default.hcl", {
+    k8s_auth_backend_accessor = vault_auth_backend.kubernetes.accessor,
+    k8s_secrets_path = vault_mount.static_secrets.path,
+  })
 }
--- a/tf/bao-policies/k8s-default.hcl
+++ b/tf/bao-policies/k8s-default.hcl
@ -1,3 +1,3 @@
-path "test-kv/data/{{identity.entity.aliases.${k8s_auth_backend}.metadata.service_account_namespace}}/*" {
+path "${k8s_secrets_path}/data/{{identity.entity.aliases.${k8s_auth_backend_accessor}.metadata.service_account_namespace}}/{{identity.entity.aliases.${k8s_auth_backend_accessor}.metadata.service_account_name}}/*" {
    capabilities = ["read"]
 }