arcodange-org/tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

allow several k8s SA to take an app policy
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 15s
Details
Helm Charts / Library charts tool (push) Has been skipped
Details
Helm Charts / Application charts pgcat (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gabriel Radureau
2025-11-27 22:52:02 +01:00
parent 56a5bf9e18
commit 50f8ea95be
7 changed files with 48 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hashicorp-vault/iac/main.tf
View File

@@ -79,5 +79,7 @@ module "app_policies" {
for_each = { for app in var.applications : app.name => app } for_each = { for app in var.applications : app.name => app }
name = each.value.name name = each.value.name
policies = each.value.policies policies = each.value.policies
service_account_names = each.value.service_account_names
service_account_namespaces = each.value.service_account_namespaces
gitea_app_id = var.gitea_app_id gitea_app_id = var.gitea_app_id
} }

8
hashicorp-vault/iac/modules/app_policy/main.tf
View File

@@ -6,7 +6,9 @@
# - postgres role # - postgres role
locals { locals {
name = lower(var.name) name = lower(var.name)
bound_service_account_names = concat([var.name], var.service_account_names)
bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
} }
data "vault_policy_document" "ops" { data "vault_policy_document" "ops" {
@@ -58,11 +60,11 @@ data "vault_policy_document" "ops" {
} }
allowed_parameter { allowed_parameter {
key = "bound_service_account_names" key = "bound_service_account_names"
value = [jsonencode([local.name])] value = [jsonencode(local.bound_service_account_names)]
} }
allowed_parameter { allowed_parameter {
key = "bound_service_account_namespaces" key = "bound_service_account_namespaces"
value = [jsonencode([local.name])] value = [jsonencode(local.bound_service_account_namespaces)]
} }
allowed_parameter { allowed_parameter {
key = "token_policies" key = "token_policies"

10
hashicorp-vault/iac/modules/app_policy/variables.tf
View File

@@ -8,3 +8,13 @@ variable "policies" {
type = list(string) type = list(string)
default = [] default = []
} }
variable "service_account_names" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account that can take this policy"
}
variable "service_account_namespaces" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
}

12
hashicorp-vault/iac/modules/app_roles/main.tf
View File

@@ -6,11 +6,19 @@ locals {
name = lower(var.name) name = lower(var.name)
database = var.database == null ? local.name : var.database database = var.database == null ? local.name : var.database
bound_service_account_names = concat([var.name], var.service_account_names)
bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
vault_mount_postgres = { path = "postgres" } vault_mount_postgres = { path = "postgres" }
vault_mount_kvv2 = { path = "kvv2" } vault_mount_kvv2 = { path = "kvv2" }
} }
moved {
from = vault_database_secret_backend_role.role
to = vault_database_secret_backend_role.role[0]
}
resource "vault_database_secret_backend_role" "role" { resource "vault_database_secret_backend_role" "role" {
count = var.disable_database ? 0 : 1
backend = local.vault_mount_postgres.path backend = local.vault_mount_postgres.path
name = local.name name = local.name
db_name = "postgres" db_name = "postgres"
@@ -29,8 +37,8 @@ resource "vault_database_secret_backend_role" "role" {
resource "vault_kubernetes_auth_backend_role" "role" { resource "vault_kubernetes_auth_backend_role" "role" {
backend = data.vault_auth_backend.kubernetes.path backend = data.vault_auth_backend.kubernetes.path
role_name = local.name role_name = local.name
bound_service_account_names = [local.name] bound_service_account_names = local.bound_service_account_names
bound_service_account_namespaces = [local.name] bound_service_account_namespaces = local.bound_service_account_namespaces
token_ttl = 3600 token_ttl = 3600
token_policies = ["default", local.name] token_policies = ["default", local.name]
audience = "vault" audience = "vault"

14
hashicorp-vault/iac/modules/app_roles/variables.tf
View File

@@ -6,3 +6,17 @@ variable "database" {
nullable = true nullable = true
default = null default = null
} }
variable "disable_database" {
type = bool
default = false
}
variable "service_account_names" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account that can take this policy"
}
variable "service_account_namespaces" {
type = list(string)
default = []
description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
}

6
hashicorp-vault/iac/terraform.tfvars
View File

@@ -1,5 +1,9 @@
applications = [ applications = [
{ name = "webapp" }, { name = "webapp" },
{ name = "erp" }, { name = "erp" },
{ name = "cms", policies = ["factory__cf_r2_arcodange_tf"] }, {
name = "cms"
policies = ["factory__cf_r2_arcodange_tf"]
service_account_names = ["cloudflared"]
},
] ]

2
hashicorp-vault/iac/variables.tf
View File

@@ -13,5 +13,7 @@ variable "applications" {
type = set(object({ type = set(object({
name = string name = string
policies = optional(list(string), []) policies = optional(list(string), [])
service_account_names = optional(list(string), [])
service_account_namespaces = optional(list(string), [])
})) }))
} }