from flask import Flask
import json
import os
import hvac
# Vault client built with no explicit address or token. hvac then falls back
# to its own defaults (VAULT_ADDR / VAULT_TOKEN from the environment when they
# are set — TODO confirm the fallback and default URL for the hvac version in
# use). Constructed at import time, so a wrong address only surfaces on the
# first call that actually talks to Vault.
client = hvac.Client()
# File path to the mounted service account token
# (the default in-cluster mount point for a pod's projected ServiceAccount
# token; presumably read later and presented to Vault's JWT auth method —
# the login code is not part of this excerpt).
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
# Flask application object; route handlers are not part of this excerpt.
app = Flask(__name__)
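# Runtime image for the Flask + hvac sample application.
FROM python:3.12-alpine

# Install everything in a single layer and skip pip's download cache so the
# cache does not end up baked into the image. Package versions are left
# unpinned as in the original; pin them (e.g. via a requirements file) for
# reproducible builds.
RUN pip install --no-cache-dir --upgrade pip \
    && pip install --no-cache-dir flask hvac

# Set the working directory first so the copy destination is explicit
# (the original relative `src/` resolved to /src as well).
WORKDIR /src
COPY app.py .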
resource "kubernetes_deployment_v1" "app_a" {
metadata {
name = "app-a"
namespace = kubernetes_namespace.app_a.metadata[0].name
labels = {
app = "app-a"
}
}
spec {
resource "kubernetes_ingress_v1" "app_a" {
metadata {
name = "app-a"
namespace = kubernetes_namespace.app_a.metadata[0].name
labels = {
app = "app-a"
}
annotations = {
"alb.ingress.kubernetes.io/scheme" = "internet-facing"
"alb.ingress.kubernetes.io/target-type" = "ip"
resource "kubernetes_service" "app_a" {
metadata {
name = "app-a"
namespace = kubernetes_namespace.app_a.metadata[0].name
}
spec {
selector = {
app = "app-a"
}
port {
# ServiceAccount for app-a, placed in the app-a namespace. Referencing the
# namespace resource (rather than a literal string) also orders creation
# after the namespace exists.
# NOTE(review): nothing here binds the account to a token or secret; a pod
# using it is presumably given a projected SA token at the default mount
# path — confirm against the deployment spec, which is not in this excerpt.
resource "kubernetes_service_account" "app_a" {
  metadata {
    name      = "app-a-sa"
    namespace = kubernetes_namespace.app_a.metadata[0].name
  }
}
resource "kubernetes_service_account" "app_b" {
metadata {
name = "app-b-sa"
# Namespace that holds all app-a objects; other resources reference
# kubernetes_namespace.app_a.metadata[0].name instead of repeating "app-a".
resource "kubernetes_namespace" "app_a" {
  metadata {
    name = "app-a"
  }
}
resource "kubernetes_namespace" "app_b" {
metadata {
name = "app-b"
}
# Current AWS region; its name is used to build the per-region Vault auth
# mount path for app-a.
data "aws_region" "current" {}
# Caller identity (account id / ARN) of the credentials Terraform runs with;
# where it is consumed is not visible in this excerpt.
data "aws_caller_identity" "current" {}
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.35.0"
}
aws = {
source = "hashicorp/aws"
version = "~> 5.34.0"
}
# Vault JWT auth mount that app-a pods log in to with their projected
# Kubernetes ServiceAccount token.
resource "vault_jwt_auth_backend" "app_a" {
  description = "JWT auth backend For App-A Pods"
  # Region-scoped mount path, so clusters in different regions can each have
  # their own mount and key set rather than sharing one.
  path = "jwt/${data.aws_region.current.name}/app-a"
  # Vault fetches the cluster's public signing keys from this issuer's OIDC
  # discovery document, so the URL must be reachable from the Vault servers.
  oidc_discovery_url = var.oidc_discovery_url
  # Presented tokens must carry exactly this `iss` claim. Using the discovery
  # URL relies on the cluster's issuer being identical to it — confirm the
  # token's `iss` value matches character for character.
  bound_issuer = var.oidc_discovery_url
  # Accept only RS256; restricting the algorithm list prevents tokens signed
  # with a weaker or unexpected algorithm from being considered.
  jwt_supported_algs = ["RS256"]
}
resource "vault_jwt_auth_backend_role" "app_a" {
backend = vault_jwt_auth_backend.app_a.path