35 lines
1.1 KiB
HCL
35 lines
1.1 KiB
HCL
resource "vault_auth_backend" "kubernetes" {
|
|
type = "kubernetes"
|
|
}
|
|
|
|
resource "vault_kubernetes_auth_backend_config" "example" {
|
|
backend = vault_auth_backend.kubernetes.path
|
|
kubernetes_host = "https://kubernetes.default.svc.cluster.local:443"
|
|
}
|
|
|
|
resource "vault_kubernetes_auth_backend_role" "k8s-default" {
|
|
backend = vault_auth_backend.kubernetes.path
|
|
role_name = "kubernetes-default"
|
|
bound_service_account_names = ["default"]
|
|
bound_service_account_namespaces = ["*"]
|
|
token_ttl = 3600
|
|
token_policies = [
|
|
vault_policy.k8s_default.name
|
|
]
|
|
}
|
|
|
|
resource "vault_mount" "static_secrets" {
|
|
path = "static-secrets"
|
|
type = "kv"
|
|
options = { version = "2" }
|
|
description = "Static secrets, organized by <k8s-namespace>/<service-account>/*"
|
|
}
|
|
|
|
resource "vault_policy" "k8s_default" {
|
|
name = "k8s-default"
|
|
|
|
policy = templatefile("bao-policies/k8s-default.hcl", {
|
|
k8s_auth_backend_accessor = vault_auth_backend.kubernetes.accessor,
|
|
k8s_secrets_path = vault_mount.static_secrets.path,
|
|
})
|
|
}
|