# Kubernetes auth method. No explicit `path` is given, so the mount path is the
# provider default for this type; the config, role and policy below reference
# `.path` and `.accessor` from this resource instead of repeating the string,
# so renaming the mount only needs a change here.
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}

# Points the auth method at the in-cluster API server (the cluster-internal
# service DNS name on 443). Only the host is configured here; no
# `kubernetes_ca_cert` or reviewer JWT is set, so TLS verification of the API
# server and token review rely on whatever Vault/OpenBao falls back to when
# these are absent — NOTE(review): confirm the server runs in-cluster and
# that the fallback CA is actually applied before trusting this host value.
resource "vault_kubernetes_auth_backend_config" "example" {
  kubernetes_host = "https://kubernetes.default.svc.cluster.local:443"
  backend         = vault_auth_backend.kubernetes.path
}

# Login role for the `default` service account of ANY namespace.
#
# The namespace bound is a wildcard, so every pod using its namespace's default
# service account can log in and receive `k8s_default`. This is only safe when
# that policy scopes secret paths by the caller's namespace/service account
# (the mount description below suggests a <namespace>/<service-account>/*
# layout and the policy template is handed the auth accessor, which is the
# usual way to do that) — NOTE(review): verify the rendered policy really
# templates on the alias metadata rather than granting the whole mount.
# No `audience` is bound, so tokens projected for other audiences are also
# accepted here; consider pinning one if the workloads use projected tokens.
resource "vault_kubernetes_auth_backend_role" "k8s-default" {
  role_name = "kubernetes-default"
  backend   = vault_auth_backend.kubernetes.path

  # Which subjects may log in: SA name is exact, namespace is open.
  bound_service_account_namespaces = ["*"]
  bound_service_account_names      = ["default"]

  # One-hour initial TTL; max TTL is left at the mount/system default.
  token_ttl      = 3600
  token_policies = [vault_policy.k8s_default.name]
}

# KV v2 mount holding per-workload static secrets. The intended key layout
# (namespace, then service account) is recorded in the description; the
# `k8s_default` policy is expected to enforce that layout, this mount does not.
resource "vault_mount" "static_secrets" {
  type = "kv"
  path = "static-secrets"

  # KV engine version 2 (versioned secrets, data/ and metadata/ sub-paths).
  options = {
    version = "2"
  }

  description = "Static secrets, organized by <k8s-namespace>/<service-account>/*"
}

# Policy attached to the `k8s-default` role. Its body lives in
# bao-policies/k8s-default.hcl and is rendered with two inputs: the auth
# method's accessor (needed to reference login alias metadata such as the
# caller's namespace from inside the policy) and the KV mount path (so the
# policy does not hard-code "static-secrets"). The template itself is outside
# this file, so what it actually grants cannot be confirmed here.
resource "vault_policy" "k8s_default" {
  name = "k8s-default"

  policy = templatefile(
    "bao-policies/k8s-default.hcl",
    {
      k8s_secrets_path          = vault_mount.static_secrets.path,
      k8s_auth_backend_accessor = vault_auth_backend.kubernetes.accessor,
    },
  )
}