Vault Auth for Kubernetes
locals {
  # ACL path template, expanded by Vault at request time to the Kubernetes
  # namespace of the authenticating service account. The alias is keyed by
  # this auth mount's accessor, so the template only resolves for entities
  # that logged in through the backend declared below.
  namespace = "{{identity.entity.aliases.${vault_auth_backend.default.accessor}.metadata.service_account_namespace}}"
}
# Pre-existing token-reviewer service account. Its token is handed to Vault
# (see the auth backend config below) to call the TokenReview API.
# NOTE(review): that account presumably needs a system:auth-delegator
# ClusterRoleBinding, which is not managed in this file — confirm.
data "kubernetes_service_account_v1" "default" {
  metadata {
    namespace = "kube-system"
    name      = "vault-auth"
  }
}
# Token Secret attached to the reviewer service account; it supplies the
# cluster CA bundle and the reviewer JWT consumed by the auth config.
# NOTE(review): `default_secret_name` depends on a legacy auto-created token
# Secret; on clusters that no longer create one this lookup is empty — confirm,
# or provision a kubernetes.io/service-account-token Secret explicitly.
data "kubernetes_secret" "default" {
  metadata {
    namespace = "kube-system"
    name      = data.kubernetes_service_account_v1.default.default_secret_name
  }
}
# Kubernetes auth method. No explicit `path` is set, so the mount path and
# the accessor used in the policy template are whatever the provider derives
# from the type.
resource "vault_auth_backend" "default" {
type = "kubernetes"
}
# Point the mount at the cluster and give Vault the credentials it needs to
# verify client JWTs through TokenReview.
resource "vault_kubernetes_auth_backend_config" "default" {
  backend         = vault_auth_backend.default.path
  kubernetes_host = var.kubernetes_host

  # Both values come from the reviewer SA's token Secret and are therefore
  # persisted in Terraform state in plaintext — treat the state backend as
  # sensitive and restrict who can read it.
  token_reviewer_jwt = data.kubernetes_secret.default.data["token"]
  kubernetes_ca_cert = data.kubernetes_secret.default.data["ca.crt"]
}
# One login role per application. Any JWT from a service account living in
# the application's namespace is accepted and receives the application policy.
resource "vault_kubernetes_auth_backend_role" "default" {
  backend   = vault_auth_backend.default.path
  role_name = var.application

  # The trust boundary is the namespace only: the wildcard admits every
  # service account in it (including "default"). Narrow this to explicit
  # names if workloads in the namespace should not all share one policy.
  bound_service_account_namespaces = [var.application]
  bound_service_account_names      = ["*"]

  # Only JWTs minted for this audience are accepted, so a token projected
  # for some other audience cannot be replayed against Vault.
  audience = "vault"

  token_policies = [vault_policy.default.name]
  # 12 hours. Long-lived Vault tokens widen the window if a pod is
  # compromised; consider a shorter TTL with renewal.
  token_ttl = 43200
}
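# Templated read policy: the namespace segment is filled in by Vault from the
# entity alias at request time, so one policy serves every role created from
# this module.
data "vault_policy_document" "default" {
  rule {
    # Fix: the template local declared above is `namespace`; the reference
    # was to `local.acl_template`, which is not declared in this file.
    path         = format("secret/data/%s", local.namespace)
    capabilities = ["read", "list"]
    description  = "Allow access only to namespace area"
    # NOTE(review): without a trailing "/*" this path matches only the single
    # secret named after the namespace, not a subtree, and on a KV v2 mount
    # `list` is served under secret/metadata/, so it has no effect here.
    # Confirm the intended scope and mount version before widening the rule.
  }
}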
# Per-application policy rendered from the templated document above; its name
# is what the auth role attaches to issued tokens.
resource "vault_policy" "default" {
name = var.application
policy = data.vault_policy_document.default.hcl
}