## Configuring K8s Auth Method on Vault
# Service account that Vault's Kubernetes auth method authenticates as. It is
# bound to system:auth-delegator below, which is what lets Vault validate the
# tokens that clients present to the auth method.
resource "kubernetes_service_account" "vault-sa" {
  automount_service_account_token = true

  metadata {
    namespace = "${var.default_namespace}"
    name      = "vault-sa"
  }
}
# Grant the Vault service account the built-in system:auth-delegator
# ClusterRole (TokenReview / SubjectAccessReview access), cluster-wide.
resource "kubernetes_cluster_role_binding" "vault-sa" {
  metadata {
    name = "role-tokenreview-binding"
  }

  subject {
    namespace = "${var.default_namespace}"
    name      = "${kubernetes_service_account.vault-sa.metadata.0.name}"
    kind      = "ServiceAccount"
  }

  role_ref {
    name      = "system:auth-delegator"
    kind      = "ClusterRole"
    api_group = "rbac.authorization.k8s.io"
  }
}
# Kubernetes auth method mount. The mount path is taken from a variable rather
# than the provider default so other pieces (the role below) can reference it.
resource "vault_auth_backend" "minikube" {
  path = "${var.vault_k8s_bck_path}"
  type = "kubernetes"
}
# Write the rendered auth bootstrap script to disk for the local-exec step
# below. The template itself is defined elsewhere, so its contents are not
# visible here. NOTE(review): if the rendered script carries the
# service-account token or any other secret, set `file_permission` (newer
# local-provider versions) — the provider default is 0777.
resource "local_file" "minikube_auth" {
  filename = "${path.module}/files/minikube_auth.sh"
  content  = "${data.template_file.minikube_auth.rendered}"
}
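# Run the rendered bootstrap script once the auth mount, the script file and
# the service account all exist. There are no `triggers`, so the script runs
# only when this resource is first created (or tainted/recreated).
#
# A provisioner block takes exactly one label, its type; the extra
# "K8s_auth_backend" label that used to follow "local-exec" is not part of the
# documented syntax and is rejected by Terraform 0.12+, so it is dropped.
resource "null_resource" "minikube_auth_backend" {
  depends_on = [
    "vault_auth_backend.minikube",
    "kubernetes_service_account.vault-sa",
    "local_file.minikube_auth",
  ]

  provisioner "local-exec" {
    command = "${path.module}/files/minikube_auth.sh"
  }
}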
# Service account cert-manager runs as in the application namespace; its
# projected token is what the Vault Kubernetes auth role below accepts.
resource "kubernetes_service_account" "cert-manager-sa" {
  automount_service_account_token = true

  metadata {
    namespace = "${var.fruits_namespace}"
    name      = "cert-manager-sa"
  }
}
# Map the cert-manager service account to the certificate-issuing policy.
# Both the account name and its namespace must match for a login to succeed;
# tokens obtained through this role live 86400 s (24 h).
resource "vault_kubernetes_auth_backend_role" "cert-manager" {
  role_name = "fruits-catalog"
  backend   = "${vault_auth_backend.minikube.path}"

  bound_service_account_namespaces = ["${var.fruits_namespace}"]
  bound_service_account_names      = ["${kubernetes_service_account.cert-manager-sa.metadata.0.name}"]

  policies = ["${vault_policy.fruits-catalog-certs.name}"]
  ttl      = 86400
}
## Configuring PKI resources on Vault
# Root CA mount. 315360000 s = 3650 days (10 years) maximum lease.
resource "vault_pki_secret_backend" "pki" {
  max_lease_ttl_seconds = "315360000"
  path                  = "pki"
}
# Self-signed root CA for the lab, valid 10 years (same as the mount's max
# lease). NOTE(review): `type = "exported"` makes Vault return the root
# private key to Terraform, which then persists it in plaintext in state;
# nothing in this file consumes that key. Prefer `type = "internal"` (Vault
# keeps the key) unless another module needs the export, and treat the state
# file as a secret either way.
resource "vault_pki_secret_backend_root_cert" "pki" {
  depends_on = ["vault_pki_secret_backend.pki"]
  backend    = "${vault_pki_secret_backend.pki.path}"

  common_name = "testlab.local"
  ttl         = "315360000"

  type               = "exported"
  key_type           = "rsa"
  key_bits           = 2048
  format             = "pem_bundle"
  private_key_format = "der"
}
# Intermediate CA mount. 157680000 s = 1825 days (5 years) maximum lease.
resource "vault_pki_secret_backend" "pki_int" {
  max_lease_ttl_seconds = "157680000"
  path                  = "pki_int"
}
# Generate the intermediate's key pair and a CSR for the root to sign.
# NOTE(review): as with the root, "exported" puts the intermediate private key
# into Terraform state; "internal" is sufficient for the sign/set_signed flow
# below because Vault retains the key in the mount either way.
resource "vault_pki_secret_backend_intermediate_cert_request" "pki_int" {
  depends_on  = ["vault_pki_secret_backend.pki_int"]
  backend     = "${vault_pki_secret_backend.pki_int.path}"
  common_name = "testlab.local"
  type        = "exported"
}
# Sign the intermediate CSR with the root mount. The 5-year TTL matches the
# pki_int mount's max lease.
resource "vault_pki_secret_backend_root_sign_intermediate" "pki" {
  depends_on = ["vault_pki_secret_backend_intermediate_cert_request.pki_int"]
  backend    = "${vault_pki_secret_backend.pki.path}"

  csr         = "${vault_pki_secret_backend_intermediate_cert_request.pki_int.csr}"
  common_name = "testlab.local"
  format      = "pem_bundle"
  ttl         = "157680000"
}
# Install the root-signed certificate into the intermediate mount so it can
# start issuing.
resource "vault_pki_secret_backend_intermediate_set_signed" "pki_int" {
  certificate = "${vault_pki_secret_backend_root_sign_intermediate.pki.certificate}"
  backend     = "${vault_pki_secret_backend.pki_int.path}"
}
# Issuing role used by cert-manager; leaf certificates live 86400 s (24 h).
# NOTE(review): `allow_any_name` lets this role issue for any subject or SAN,
# which also makes `allow_subdomains` moot. Outside a lab, drop
# allow_any_name and pin `allowed_domains = ["testlab.local"]` together with
# allow_subdomains so the role cannot mint certificates for arbitrary names.
resource "vault_pki_secret_backend_role" "fruits-catalog" {
  name    = "fruits-catalog"
  backend = "${vault_pki_secret_backend.pki_int.path}"
  ttl     = 86400

  allow_any_name   = "true"
  allow_subdomains = "true"
  generate_lease   = "true" # every issued cert gets a Vault lease
}
# AIA / CRL distribution URLs embedded in certificates issued by the root.
# Plain http is the norm for these pointers (a client fetching a CRL must not
# depend on the very trust chain it is checking); `var.vault_addr` is
# presumably host:port without a scheme, given how it is spliced in here.
resource "vault_pki_secret_backend_config_urls" "config_urls_root" {
  backend                 = "${vault_pki_secret_backend.pki.path}"
  crl_distribution_points = ["http://${var.vault_addr}/v1/pki/crl"]
  issuing_certificates    = ["http://${var.vault_addr}/v1/pki/ca"]
}
# AIA / CRL distribution URLs embedded in certificates issued by the
# intermediate; same shape as the root's, pointing at the pki_int mount.
resource "vault_pki_secret_backend_config_urls" "config_urls_int" {
  backend                 = "${vault_pki_secret_backend.pki_int.path}"
  crl_distribution_points = ["http://${var.vault_addr}/v1/pki_int/crl"]
  issuing_certificates    = ["http://${var.vault_addr}/v1/pki_int/ca"]
}
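# Policy handed to cert-manager through the Kubernetes auth role: it may only
# request certificates from the fruits-catalog role on the intermediate mount.
# Vault's pki sign/issue endpoints are write-only (POST), so `create`/`update`
# is all a caller ever needs; the former read/list/delete grants were dead
# capabilities on these paths and are dropped to keep the policy least-privilege.
resource "vault_policy" "fruits-catalog-certs" {
  name = "fruits-catalog-certs"

  policy = <<EOT
path "pki_int/sign/fruits-catalog" {
  capabilities = ["create", "update"]
}
path "pki_int/issue/fruits-catalog" {
  capabilities = ["create", "update"]
}
EOT
}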