bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vault: set kubernetes issuer

Browse Source
This commit is contained in:
Brad Stein 2026-02-01 12:18:57 -03:00
parent dcabfb2ebb
commit fd8396730c
2 changed files with 23 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
services/vault/k8s-auth-config-cronjob.yaml
View File

@ -41,10 +41,14 @@ spec:
key: root_token key: root_token
- name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE - name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE
value: /var/run/secrets/vault-token-reviewer/token value: /var/run/secrets/vault-token-reviewer/token
- name: VAULT_K8S_ROLE_TTL - name: VAULT_K8S_ROLE_TTL
value: 1h value: 1h
- name: VAULT_K8S_BOUND_AUDIENCES - name: VAULT_K8S_BOUND_AUDIENCES
value: https://kubernetes.default.svc.cluster.local,k3s value: https://kubernetes.default.svc.cluster.local,k3s
- name: VAULT_K8S_ISSUER
value: https://kubernetes.default.svc.cluster.local
- name: VAULT_K8S_DISABLE_ISS_VALIDATION
value: "false"
volumeMounts: volumeMounts:
- name: k8s-auth-config-script - name: k8s-auth-config-script
mountPath: /scripts mountPath: /scripts

19
services/vault/scripts/vault_k8s_auth_configure.sh
View File

@ -53,6 +53,8 @@ ensure_token
k8s_host="https://${KUBERNETES_SERVICE_HOST}:443" k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"
k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)" k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
k8s_issuer="${VAULT_K8S_ISSUER:-}"
disable_iss_validation="${VAULT_K8S_DISABLE_ISS_VALIDATION:-true}"
role_ttl="${VAULT_K8S_ROLE_TTL:-1h}" role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"
token_reviewer_jwt="${VAULT_K8S_TOKEN_REVIEWER_JWT:-}" token_reviewer_jwt="${VAULT_K8S_TOKEN_REVIEWER_JWT:-}"
@ -83,10 +85,19 @@ path \"auth/kubernetes/login\" {
} }
log "configuring kubernetes auth" log "configuring kubernetes auth"
vault_cmd write auth/kubernetes/config \ if [ -n "${k8s_issuer}" ]; then
token_reviewer_jwt="${token_reviewer_jwt}" \ vault_cmd write auth/kubernetes/config \
kubernetes_host="${k8s_host}" \ token_reviewer_jwt="${token_reviewer_jwt}" \
kubernetes_ca_cert="${k8s_ca}" kubernetes_host="${k8s_host}" \
kubernetes_ca_cert="${k8s_ca}" \
issuer="${k8s_issuer}" \
disable_iss_validation="${disable_iss_validation}"
else
vault_cmd write auth/kubernetes/config \
token_reviewer_jwt="${token_reviewer_jwt}" \
kubernetes_host="${k8s_host}" \
kubernetes_ca_cert="${k8s_ca}"
fi
ensure_default_policy_login ensure_default_policy_login