allow several k8s SA to take an app policy

This commit is contained in:
2025-11-27 22:52:02 +01:00
parent 56a5bf9e18
commit 50f8ea95be
7 changed files with 48 additions and 6 deletions


@@ -6,7 +6,9 @@
# - postgres role
locals {
name = lower(var.name)
name = lower(var.name)
bound_service_account_names = concat([var.name], var.service_account_names)
bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
}
data "vault_policy_document" "ops" {
@@ -58,11 +60,11 @@ data "vault_policy_document" "ops" {
}
allowed_parameter {
key = "bound_service_account_names"
value = [jsonencode([local.name])]
value = [jsonencode(local.bound_service_account_names)]
}
allowed_parameter {
key = "bound_service_account_namespaces"
value = [jsonencode([local.name])]
value = [jsonencode(local.bound_service_account_namespaces)]
}
allowed_parameter {
key = "token_policies"
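Review bot: The new locals seed the bound lists with `var.name` while the rest of this policy document identifies the role by `local.name` (`lower(var.name)`), so a mixed-case `var.name` now produces an allowed value that no lowercase Kubernetes service account can ever match and that silently differs from the previous `[local.name]` behaviour. Use `bound_service_account_names = concat([local.name], var.service_account_names)` and `bound_service_account_namespaces = concat([local.name], var.service_account_namespaces)`. Since `allowed_parameter` pins the exact encoded list, these locals are now the single source of truth for what the ops policy may write to the auth role; a one-line comment saying so (`# must stay identical to the lists written to the k8s auth role`) would help the next maintainer. The `locals` block and the `ops` policy document both continue outside the shown hunks.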


@@ -7,4 +7,14 @@ variable "gitea_app_id" {
variable "policies" {
type = list(string)
default = []
}
variable "service_account_names" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account that can take this policy"
}
variable "service_account_namespaces" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
}
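Review bot: The descriptions on `service_account_names` and `service_account_namespaces` present them as a whitelist of service accounts, but Vault's kubernetes auth method evaluates the two lists independently, so any listed name in any listed namespace is accepted rather than specific name/namespace pairs; the description should state that so callers do not grant more than intended. Suggested wording: `description = "Extra Kubernetes service account names allowed to log in to this role (var.name is always included). Matched independently of service_account_namespaces: any listed name in any listed namespace is accepted."`, and the mirror text for namespaces. A `validation` block rejecting `"*"` would also keep a wildcard from being introduced through these variables, since the policy document only guards against values set outside Terraform.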


@@ -6,11 +6,19 @@ locals {
name = lower(var.name)
database = var.database == null ? local.name : var.database
bound_service_account_names = concat([var.name], var.service_account_names)
bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
vault_mount_postgres = { path = "postgres" }
vault_mount_kvv2 = { path = "kvv2" }
}
moved {
from = vault_database_secret_backend_role.role
to = vault_database_secret_backend_role.role[0]
}
resource "vault_database_secret_backend_role" "role" {
count = var.disable_database ? 0 : 1
backend = local.vault_mount_postgres.path
name = local.name
db_name = "postgres"
@@ -29,8 +37,8 @@ resource "vault_database_secret_backend_role" "role" {
resource "vault_kubernetes_auth_backend_role" "role" {
backend = data.vault_auth_backend.kubernetes.path
role_name = local.name
bound_service_account_names = [local.name]
bound_service_account_namespaces = [local.name]
bound_service_account_names = local.bound_service_account_names
bound_service_account_namespaces = local.bound_service_account_namespaces
token_ttl = 3600
token_policies = ["default", local.name]
audience = "vault"
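Review bot: `bound_service_account_names` and `bound_service_account_namespaces` on `vault_kubernetes_auth_backend_role.role` are checked independently by Vault's kubernetes auth method, so after this change every listed name is accepted from every listed namespace, not only the pairs the caller had in mind: passing names `["a"]` and namespaces `["ns-b"]` also lets `a` log in from `var.name`'s namespace and `var.name` log in from `ns-b`, each receiving `local.name`'s policies. Either document this on the resource (`# NOTE: names x namespaces - any listed SA name in any listed namespace can log in`) or, if exact pairs are required, create one role per pair. Separately, the locals seed both lists with `var.name` while `role_name` and `token_policies` use `local.name` (lowercased); use `concat([local.name], …)` so a mixed-case `var.name` does not bind a service account name that cannot exist in Kubernetes. The `locals` block starts before the first hunk and this resource continues past the second.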


@@ -5,4 +5,18 @@ variable "database" {
type = string
nullable = true
default = null
}
variable "disable_database" {
type = bool
default = false
}
variable "service_account_names" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account that can take this policy"
}
variable "service_account_namespaces" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
}
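Review bot: Nothing stops a caller from passing `"*"` (or an empty string) in `service_account_names` or `service_account_namespaces`, and because the ops policy in this commit only pins the values Terraform itself writes, a wildcard here would open the auth role to every service account in the bound namespaces; add a `validation` block on each variable. The descriptions should also say that names and namespaces are matched independently, since that is how the auth role consumes them.
```hcl
variable "service_account_names" {
  type        = list(string)
  default     = []
  description = "Extra Kubernetes service account names allowed to log in to this role (var.name is always included). Matched independently of service_account_namespaces."
  validation {
    condition     = !contains(var.service_account_names, "*") && !contains(var.service_account_names, "")
    error_message = "Wildcard or empty service account names are not allowed; list each account explicitly."
  }
}
# … unchanged: service_account_namespaces (add the mirror validation) …
```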