vault: add admin role for config jobs

This commit is contained in:
Brad Stein 2026-01-15 02:06:28 -03:00
parent 85c3d9c2f7
commit 86c9951cc4
5 changed files with 54 additions and 5 deletions


@ -14,7 +14,7 @@ spec:
backoffLimit: 1
template:
spec:
serviceAccountName: vault
serviceAccountName: vault-admin
restartPolicy: Never
nodeSelector:
kubernetes.io/arch: arm64
@ -30,7 +30,7 @@ spec:
- name: VAULT_ADDR
value: http://vault.vault.svc.cluster.local:8200
- name: VAULT_K8S_ROLE
value: vault
value: vault-admin
- name: VAULT_K8S_ROLE_TTL
value: 1h
volumeMounts:
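Review bot: The job now authenticates as the admin role (`serviceAccountName: vault-admin` on L16, `VAULT_K8S_ROLE` on L25) while `VAULT_K8S_ROLE_TTL` stays at `1h` (L27, unchanged); for a one-shot config job a TTL close to its actual runtime would limit how long a leaked admin-scoped token stays usable. Nothing in the manifest says why this job needs the admin role, so a comment above `serviceAccountName` such as `# needs vault-admin: this job writes policies and auth roles` would help the next maintainer judge whether a narrower role is possible. The enclosing Job spec starts outside the hunk.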


@ -5,6 +5,7 @@ namespace: vault
resources:
- namespace.yaml
- serviceaccount.yaml
- serviceaccount-admin.yaml
- rbac.yaml
- configmap.yaml
- statefulset.yaml


@ -16,7 +16,7 @@ spec:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "vault"
vault.hashicorp.com/role: "vault-admin"
vault.hashicorp.com/agent-inject-secret-vault-oidc-env.sh: "kv/data/atlas/vault/vault-oidc-config"
vault.hashicorp.com/agent-inject-template-vault-oidc-env.sh: |
{{ with secret "kv/data/atlas/vault/vault-oidc-config" }}
@ -40,7 +40,7 @@ spec:
export VAULT_OIDC_BOUND_CLAIMS_TYPE="{{ .Data.data.bound_claims_type }}"
{{ end }}
spec:
serviceAccountName: vault
serviceAccountName: vault-admin
restartPolicy: Never
nodeSelector:
kubernetes.io/arch: arm64
@ -58,7 +58,7 @@ spec:
- name: VAULT_ADDR
value: http://vault.vault.svc.cluster.local:8200
- name: VAULT_K8S_ROLE
value: vault
value: vault-admin
- name: VAULT_ENV_FILE
value: /vault/secrets/vault-oidc-env.sh
volumeMounts:
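Review bot: With `vault.hashicorp.com/role: "vault-admin"` (L48) the injected Vault Agent sidecar itself now holds an admin-scoped token, not only the container reading `VAULT_K8S_ROLE` on L66; if the annotations outside this hunk do not already set `vault.hashicorp.com/agent-pre-populate-only: "true"`, the sidecar keeps running after the job container exits, which for a Job both prevents completion and keeps that token alive longer than needed. The template line on L53 (`export VAULT_OIDC_BOUND_CLAIMS_TYPE="{{ .Data.data.bound_claims_type }}"`, unchanged here) writes secret values into a shell file without escaping, so a value containing a double quote or `$` would corrupt the generated `vault-oidc-env.sh`; worth a follow-up rather than part of this change. The pod template metadata starts before the first hunk.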


@ -50,6 +50,13 @@ vault write auth/kubernetes/config \
kubernetes_host="${k8s_host}" \
kubernetes_ca_cert="${k8s_ca}"
write_raw_policy() {
name="$1"
body="$2"
log "writing policy ${name}"
printf '%s\n' "${body}" | vault policy write "${name}" -
}
write_policy_and_role() {
role="$1"
namespace="$2"
@ -90,6 +97,41 @@ path \"kv/metadata/atlas/${path}\" {
ttl="${role_ttl}"
}
vault_admin_policy='
path "sys/auth" {
capabilities = ["read"]
}
path "sys/auth/*" {
capabilities = ["create", "update", "delete", "sudo", "read"]
}
path "auth/kubernetes/*" {
capabilities = ["create", "update", "read"]
}
path "auth/oidc/*" {
capabilities = ["create", "update", "read"]
}
path "sys/policies/acl" {
capabilities = ["list"]
}
path "sys/policies/acl/*" {
capabilities = ["create", "update", "read"]
}
path "kv/data/atlas/vault/*" {
capabilities = ["read"]
}
path "kv/metadata/atlas/vault/*" {
capabilities = ["list"]
}
'
write_raw_policy "vault-admin" "${vault_admin_policy}"
log "writing role vault-admin"
vault write "auth/kubernetes/role/vault-admin" \
bound_service_account_names="vault-admin" \
bound_service_account_namespaces="vault" \
policies="vault-admin" \
ttl="${role_ttl}"
write_policy_and_role "outline" "outline" "outline-vault" \
"outline/* shared/postmark-relay" ""
write_policy_and_role "planka" "planka" "planka-vault" \
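Review bot: The `vault-admin` policy (L88–L113) is effectively root-equivalent: create/update on `sys/policies/acl/*` (L104–L106) together with create/update on `auth/kubernetes/*` (L95–L97) lets a token holding it rewrite any policy and re-point its own role at it, so the `bound_service_account_*` restriction on L117–L118 is the real boundary. That is reasonable for a bootstrap job, but it should be stated in the script, e.g. above `vault_admin_policy='` add `# NOTE: policy-write + role-update makes this role root-equivalent; keep bound_service_account_* tight.` It is also not visible from the hunk why the job needs `delete` and `sudo` on `sys/auth/*` (L93); if it only enables and tunes auth methods, dropping those capabilities would narrow the blast radius — confirm against the rest of the script. Separately, `write_raw_policy` (L76–L81) assigns `name` and `body` without `local`, consistent with the existing `write_policy_and_role` style but liable to clobber globals of the same name.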


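--- a/services/vault/serviceaccount-admin.yaml
+++ b/services/vault/serviceaccount-admin.yaml
@@ -0,0 +1,6 @@
+# services/vault/serviceaccount-admin.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-admin
+  namespace: vault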