Initial bao authorization stuff for k8s service accounts working!

2024-09-10 09:19:25 -07:00 · 2024-09-10 09:19:25 -07:00 · de602d98f2
commit de602d98f2
parent e18324dfc4
7 changed files with 34 additions and 38 deletions
--- a/tf/bao-auth-backends.tf
+++ b/tf/bao-auth-backends.tf
@ -1,17 +1,12 @@
-resource "vault_jwt_auth_backend" "keycloak" {
-    description         = "Keycloak OIDC auth"
-    path                = "oidc"
-    type                = "oidc"
-    oidc_discovery_url  = "https://auth.janky.solutions/realms/janky.solutions"
-    oidc_client_id      = "openbao"
-    oidc_client_secret  = "secret123456"
-    bound_issuer        = "https://auth.janky.solutions/realms/janky.solutions"
-}
-
 resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
 }

+resource "vault_kubernetes_auth_backend_config" "example" {
+  backend                = vault_auth_backend.kubernetes.path
+  kubernetes_host        = "https://kubernetes.default.svc.cluster.local:443"
+}
+
 resource "vault_kubernetes_auth_backend_role" "k8s-default" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "kubernetes-default"
--- a/tf/bao-policies/k8s-default-sa.hcl
+++ b/tf/bao-policies/k8s-default-sa.hcl
@ -1,8 +1,3 @@
-path "test-kv/{{identity.entity.service_account_namespace}}/*" {
+path "test-kv/data/{{identity.entity.aliases.auth_kubernetes_6872b6a9.metadata.service_account_namespace}}/*" {
    capabilities = ["read"]
 }
-
-# Allow a token to manage its own cubbyhole
-path "cubbyhole/*" {
-    capabilities = ["create", "read", "update", "delete", "list"]
-}