Gabriel Radureau
2953ec3202
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 21s
Helm Charts / Library charts tool (push) Has been skipped
Helm Charts / Application charts pgcat (push) Has been skipped
Helm Charts / Detect changed charts (pull_request) Successful in 14s
Helm Charts / Library charts tool (pull_request) Has been skipped
Helm Charts / Application charts pgcat (pull_request) Has been skipped
Adds an optional kv_read_paths list to the app_policy module (default []) so an app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared backup-creds path owned by another app. Plumbed through the root applications schema + module call (dynamic rule, read+list). Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds via its own VaultStaticSecret instead of borrowing the Longhorn secret cross-namespace or duplicating credentials. No-op for every other app (default []). Only the `erp` runtime policy gains one read+list rule. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
88 lines
3.0 KiB
HCL
88 lines
3.0 KiB
HCL
resource "vault_auth_backend" "kubernetes" {
|
|
type = "kubernetes"
|
|
}
|
|
resource "vault_kubernetes_auth_backend_config" "config" {
|
|
backend = vault_auth_backend.kubernetes.path
|
|
kubernetes_host = "https://kubernetes.default.svc:443"
|
|
}
|
|
|
|
resource "vault_mount" "kvv2" {
|
|
path = "kvv2"
|
|
type = "kv"
|
|
options = { version = "2" }
|
|
description = "KV Version 2 secret engine mount"
|
|
}
|
|
|
|
|
|
resource "vault_mount" "postgres" {
|
|
path = "postgres"
|
|
type = "database"
|
|
}
|
|
|
|
resource "vault_database_secret_backend_connection" "postgres" {
|
|
backend = vault_mount.postgres.path
|
|
name = "postgres"
|
|
allowed_roles = ["*"]
|
|
root_rotation_statements = [
|
|
"ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';",
|
|
]
|
|
|
|
postgresql {
|
|
connection_url = "postgresql://{{username}}:{{password}}@pgbouncer.tools:5432/postgres?sslmode=disable"
|
|
username = var.POSTGRES_CREDENTIALS_EDITOR_USERNAME
|
|
password = var.POSTGRES_CREDENTIALS_EDITOR_PASSWORD
|
|
}
|
|
}
|
|
|
|
|
|
resource "vault_mount" "transit" {
|
|
path = "transit"
|
|
type = "transit"
|
|
description = "Pour le vault secret operator (vso) dans k3s en cas de redemarrage par exemple"
|
|
# default_lease_ttl_seconds = 3600
|
|
# max_lease_ttl_seconds = 86400
|
|
}
|
|
resource "vault_transit_secret_backend_key" "vso_client_cache" {
|
|
backend = vault_mount.transit.path
|
|
name = "vso-client-cache"
|
|
}
|
|
|
|
data "vault_policy_document" "vso_client_cache" {
|
|
rule {
|
|
path = "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
|
|
capabilities = ["create", "update"]
|
|
}
|
|
rule {
|
|
path = "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
|
|
capabilities = ["create", "update"]
|
|
}
|
|
}
|
|
resource "vault_policy" "vso_client_cache" {
|
|
name = "edit-vso-client-cache"
|
|
policy = data.vault_policy_document.vso_client_cache.hcl
|
|
}
|
|
|
|
resource "vault_kubernetes_auth_backend_role" "vso" {
|
|
backend = vault_auth_backend.kubernetes.path
|
|
role_name = "vault-secret-operator"
|
|
bound_service_account_names = ["hashicorp-vault-vault-secrets-operator-controller-manager"]
|
|
bound_service_account_namespaces = ["tools"]
|
|
token_ttl = 0
|
|
token_period = 120
|
|
token_policies = ["default", vault_policy.vso_client_cache.name]
|
|
audience = "vault"
|
|
alias_name_source = "serviceaccount_name"
|
|
}
|
|
|
|
module "app_policies" {
|
|
source = "./modules/app_policy"
|
|
for_each = { for app in var.applications : app.name => app }
|
|
name = each.value.name
|
|
envs = each.value.envs
|
|
ops_policies = each.value.ops_policies
|
|
kv_read_paths = each.value.kv_read_paths
|
|
service_account_names = each.value.service_account_names
|
|
service_account_namespaces = each.value.service_account_namespaces
|
|
gitea_app_id = var.gitea_app_id
|
|
}
|