allow several k8s SA to take an app policy

This commit is contained in:
2025-11-27 22:52:02 +01:00
parent 56a5bf9e18
commit 50f8ea95be
7 changed files with 48 additions and 6 deletions


@@ -6,7 +6,9 @@
# - postgres role
locals {
name = lower(var.name)
name = lower(var.name)
bound_service_account_names = concat([var.name], var.service_account_names)
bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
}
data "vault_policy_document" "ops" {
@@ -58,11 +60,11 @@ data "vault_policy_document" "ops" {
}
allowed_parameter {
key = "bound_service_account_names"
value = [jsonencode([local.name])]
value = [jsonencode(local.bound_service_account_names)]
}
allowed_parameter {
key = "bound_service_account_namespaces"
value = [jsonencode([local.name])]
value = [jsonencode(local.bound_service_account_namespaces)]
}
allowed_parameter {
key = "token_policies"
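Review bot: The new `bound_service_account_names` and `bound_service_account_namespaces` locals are built from `var.name`, while the `name` local right above them lowercases it, so for a mixed-case `var.name` the Vault role is now allowed to bind the original-case name where the old `jsonencode([local.name])` bound the lowercased one; `bound_service_account_names = concat([local.name], var.service_account_names)` and the matching `concat([local.name], var.service_account_namespaces)` keep the previous behaviour (a local may reference another local in the same block). Independently of that, Vault's Kubernetes auth checks the two bound lists separately rather than as pairs, so every extra name is accepted in every listed namespace, including the default `var.name` namespace, which widens the trust boundary more than a per-entry allow-list suggests; a comment on the locals such as `# Vault matches names and namespaces independently: each name is allowed in every namespace listed` would make that visible to the next reader. The first hunk header counts 7 old / 9 new lines but only 5 / 7 are visible here, so two lines of this `locals` block are outside my view.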


@@ -7,4 +7,14 @@ variable "gitea_app_id" {
variable "policies" {
type = list(string)
default = []
}
variable "service_account_names" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account that can take this policy"
}
variable "service_account_namespaces" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
}
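Review bot: Neither new variable rejects the `*` wildcard, and since the `ops` policy pins `bound_service_account_names`/`bound_service_account_namespaces` to exactly the JSON-encoded list, a caller passing `"*"` in `service_account_names` or `service_account_namespaces` would be permitted to create a role that accepts any service account or any namespace, which defeats the allow-list these variables describe. A `validation` block on each variable catches that at plan time instead of in Vault; the one for names is below and the namespaces variable gets the same check against `var.service_account_namespaces`. The descriptions could also say that the entries are matched independently of each other rather than as name/namespace pairs, e.g. `description = "Additional service account names allowed to bind this policy (var.name is always included); each name is accepted in every listed namespace"`.
```hcl
variable "service_account_names" {
  type        = list(string)
  default     = []
  description = "var.name will always be included by default - whitelist service account that can take this policy"
  validation {
    condition     = !contains(var.service_account_names, "*")
    error_message = "service_account_names must not contain the wildcard \"*\"."
  }
}
// … unchanged: variable "service_account_namespaces" (add the equivalent validation there) …
```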