vault: set k8s auth audiences

2026-02-01 11:17:02 -03:00 · 2026-02-01 11:17:02 -03:00 · 7c6a91d758
commit 7c6a91d758
parent ced41aa633
2 changed files with 12 additions and 0 deletions
--- a/services/vault/k8s-auth-config-cronjob.yaml
+++ b/services/vault/k8s-auth-config-cronjob.yaml
@ -43,6 +43,8 @@ spec:
                  value: /var/run/secrets/vault-token-reviewer/token
                - name: VAULT_K8S_ROLE_TTL
                  value: 1h
+                - name: VAULT_K8S_BOUND_AUDIENCES
+                  value: https://kubernetes.default.svc.cluster.local,k3s
              volumeMounts:
                - name: k8s-auth-config-script
                  mountPath: /scripts
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@ -103,6 +103,7 @@ write_policy_and_role() {
  service_accounts="$3"
  read_paths="$4"
  write_paths="$5"
+  audiences="${VAULT_K8S_BOUND_AUDIENCES:-}"

  policy_body=""
  for path in ${read_paths}; do
@ -130,6 +131,15 @@ path \"kv/metadata/atlas/${path}\" {
  printf '%s\n' "${policy_body}" | vault_cmd policy write "${role}" -

  log "writing role ${role}"
+  if [ -n "${audiences}" ]; then
+    vault_cmd write "auth/kubernetes/role/${role}" \
+      bound_service_account_audiences="${audiences}" \
+      bound_service_account_names="${service_accounts}" \
+      bound_service_account_namespaces="${namespace}" \
+      policies="${role}" \
+      ttl="${role_ttl}"
+    return
+  fi
  vault_cmd write "auth/kubernetes/role/${role}" \
    bound_service_account_names="${service_accounts}" \
    bound_service_account_namespaces="${namespace}" \