roleypoly/v3
1
0
Fork 0
mirror of https://github.com/roleypoly/roleypoly.git synced 2025-04-25 20:09:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
v3/terraform/platform/services/vault.tf
Katalina Okano ec505739c8 temp tf
2020-10-09 10:54:55 -04:00

207 lines
4.2 KiB
HCL
Raw Blame History

resource "kubernetes_namespace" "vault" {
metadata {
name = "vault"
}
}
locals {
vaultNs = kubernetes_namespace.vault.metadata.0.name
vaultLabels = {
"app.kubernetes.io/name" = "vault"
"app.kubernetes.io/part-of" = "vault"
}
}
resource "kubernetes_secret" "vault-svcacct" {
metadata {
generate_name = "vault-svcacct"
namespace = local.vaultNs
labels = local.vaultLabels
}
data = {
"vault-service-account.json" = base64decode(var.vault_gcs_token)
}
}
resource "kubernetes_config_map" "vault-cm" {
metadata {
generate_name = "vault-config"
namespace = local.vaultNs
labels = local.vaultLabels
}
data = {
"vault-config.json" = jsonencode({
// Enables UI
ui = true,
// Storage with GCS
storage = {
gcs = {
bucket = "roleypoly-vault",
}
},
// Auto-seal setup with GCPKMS
seal = {
gcpckms = {
credentials = "/vault/mounted-secrets/vault-service-account.json",
project = var.gcp_project
region = "global"
key_ring = "vault-keyring"
crypto_key = "vault-key"
}
},
// TCP
listener = {
tcp = {
address = "0.0.0.0:8200"
}
},
// K8s service registration
service_registration = {
kubernetes = {}
}
})
}
}
resource "kubernetes_deployment" "vault" {
metadata {
name = "vault"
namespace = local.vaultNs
labels = local.vaultLabels
}
spec {
replicas = 1
selector {
match_labels = local.vaultLabels
}
template {
metadata {
labels = local.vaultLabels
}
spec {
service_account_name = kubernetes_service_account.vault-sa.metadata.0.name
automount_service_account_token = true
container {
image = "vault:1.5.0"
name = "vault"
env {
name = "GOOGLE_APPLICATION_CREDENTIALS"
value = "/vault/mounted-secrets/vault-service-account.json"
}
env {
name = "VAULT_K8S_NAMESPACE"
value_from {
field_ref {
field_path = "metadata.namespace"
}
}
}
env {
name = "VAULT_K8S_POD_NAME"
value_from {
field_ref {
field_path = "metadata.name"
}
}
}
volume_mount {
mount_path = "/vault/mounted-secrets"
name = "vault-secrets"
read_only = true
}
volume_mount {
mount_path = "/vault/config/vault-config.json"
name = "vault-config"
sub_path = "vault-config.json"
}
security_context {
capabilities {
add = ["IPC_LOCK"]
}
}
}
node_selector = {
node_type = "static"
}
restart_policy = "Always"
volume {
name = "vault-secrets"
secret {
secret_name = kubernetes_secret.vault-svcacct.metadata.0.name
}
}
volume {
name = "vault-config"
config_map {
name = kubernetes_config_map.vault-cm.metadata.0.name
}
}
}
}
}
}
resource "kubernetes_service_account" "vault-sa" {
metadata {
namespace = local.vaultNs
name = "vault"
labels = local.vaultLabels
}
}
resource "kubernetes_role" "vault-sa-role" {
metadata {
namespace = local.vaultNs
name = "vault"
labels = local.vaultLabels
}
rule {
api_groups = [""]
resources = ["pods"]
verbs = ["get", "update"]
}
}
resource "kubernetes_role_binding" "vault-sa-rb" {
metadata {
namespace = local.vaultNs
name = "vault-rb"
labels = local.vaultLabels
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "Role"
name = kubernetes_role.vault-sa-role.metadata.0.name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.vault-sa.metadata.0.name
namespace = local.vaultNs
}
}
Reference in a new issue View git blame Copy permalink