arcodange-org/tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

documentation and fmt
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 16s
Details
Helm Charts / Library charts tool (push) Has been skipped
Details
Helm Charts / Application charts pgcat (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gabriel Radureau
2025-08-31 11:33:27 +02:00
parent 3f6604def2
commit be6e6135d7
6 changed files with 230 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
hashicorp-vault/iac/main.tf
View File

@@ -2,8 +2,8 @@ resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
}
resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://kubernetes.default.svc:443"
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://kubernetes.default.svc:443"
}
resource "vault_mount" "kvv2" {
@@ -29,18 +29,18 @@ resource "vault_database_secret_backend_connection" "postgres" {
postgresql {
connection_url = "postgresql://{{username}}:{{password}}@pgbouncer.tools:5432/postgres?sslmode=disable"
username = var.POSTGRES_CREDENTIALS_EDITOR_USERNAME
password = var.POSTGRES_CREDENTIALS_EDITOR_PASSWORD
username = var.POSTGRES_CREDENTIALS_EDITOR_USERNAME
password = var.POSTGRES_CREDENTIALS_EDITOR_PASSWORD
}
}
resource "vault_mount" "transit" {
path = "transit"
type = "transit"
description = "Pour le vault secret operator (vso) dans k3s en cas de redemarrage par exemple"
# default_lease_ttl_seconds = 3600
# max_lease_ttl_seconds = 86400
path = "transit"
type = "transit"
description = "Pour le vault secret operator (vso) dans k3s en cas de redemarrage par exemple"
# default_lease_ttl_seconds = 3600
# max_lease_ttl_seconds = 86400
}
resource "vault_transit_secret_backend_key" "vso_client_cache" {
backend = vault_mount.transit.path
@@ -49,17 +49,17 @@ resource "vault_transit_secret_backend_key" "vso_client_cache" {
data "vault_policy_document" "vso_client_cache" {
rule {
path = "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
path = "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
capabilities = ["create", "update"]
}
rule {
path = "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
path = "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
capabilities = ["create", "update"]
}
}
resource "vault_policy" "vso_client_cache" {
name = "edit-vso-client-cache"
policy = data.vault_policy_document.vso_client_cache.hcl
name = "edit-vso-client-cache"
policy = data.vault_policy_document.vso_client_cache.hcl
}
resource "vault_kubernetes_auth_backend_role" "vso" {
@@ -75,8 +75,8 @@ resource "vault_kubernetes_auth_backend_role" "vso" {
}
module "app_policies" {
source = "./modules/app_policy"
for_each = var.applications
name = each.value
source = "./modules/app_policy"
for_each = var.applications
name = each.value
gitea_app_id = var.gitea_app_id
}