vault: set k8s auth audiences

services/vault/k8s-auth-config-cronjob.yaml

@@ -43,6 +43,8 @@ spec:
                   value: /var/run/secrets/vault-token-reviewer/token
                 - name: VAULT_K8S_ROLE_TTL
                   value: 1h
+                - name: VAULT_K8S_BOUND_AUDIENCES
+                  value: https://kubernetes.default.svc.cluster.local,k3s
               volumeMounts:
                 - name: k8s-auth-config-script
                   mountPath: /scripts

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -103,6 +103,7 @@ write_policy_and_role() {
   service_accounts="$3"
   read_paths="$4"
   write_paths="$5"
+  audiences="${VAULT_K8S_BOUND_AUDIENCES:-}"
 
   policy_body=""
   for path in ${read_paths}; do
@@ -130,6 +131,15 @@ path \"kv/metadata/atlas/${path}\" {
   printf '%s\n' "${policy_body}" | vault_cmd policy write "${role}" -
 
   log "writing role ${role}"
+  if [ -n "${audiences}" ]; then
+    vault_cmd write "auth/kubernetes/role/${role}" \
+      bound_service_account_audiences="${audiences}" \
+      bound_service_account_names="${service_accounts}" \
+      bound_service_account_namespaces="${namespace}" \
+      policies="${role}" \
+      ttl="${role_ttl}"
+    return
+  fi
   vault_cmd write "auth/kubernetes/role/${role}" \
     bound_service_account_names="${service_accounts}" \
     bound_service_account_namespaces="${namespace}" \