# stuttgart-things/vault-base-setup

Terraform module for the base-setup configuration of HashiCorp Vault.

## EXAMPLE USAGE

BASE VAULT CONFIG (APPROLE)

### MODULE CALL

```bash
cat <<EOF > vault-base.hcl
module "vault-secrets-setup" {
source = "../"
kubeconfig_path = "/home/sthings/.kube/kind-helm-dev"
context = "kind-helm-dev"
vault_addr = "https://vault.172.18.0.2.nip.io"
cluster_name = "kind-helm-dev"
createDefaultAdminPolicy = true
csi_enabled = false
vso_enabled = false
enableApproleAuth = true
skip_tls_verify = true

approle_roles = [
{
name = "s3"
token_policies = ["read-write-all-s3-kvv2"]
},
]

secret_engines = [
{
path = "apps"
name = "s3"
description = "minio app secrets"
data_json = < test-approle.yaml
---
- hosts: localhost
become: true

vars:
vault_approle_id: "INSERT-HERE"
vault_approle_secret: "INSERT-HERE" # pragma: allowlist secret
vault_url: https://vault.172.18.0.2.nip.io

username: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/s3:accessKey validate_certs=false auth_method=approle role_id={{ vault_approle_id }} secret_id={{ vault_approle_secret }} url={{ vault_url }}') }}"

tasks:
- name: Debug
debug:
var: username
EOF

ansible-playbook test-approle.yaml -vv
```

DEPLOY K8S AUTH ON CLUSTER

```hcl
module "vault-base-setup" {
source = "github.com/stuttgart-things/vault-base-setup"
vault_addr = "https://vault.dev11.4sthings.tiab.ssc.sva.de"
cluster_name = "labul-app1"
kubeconfig_path = "/home/sthings/.kube/labul-app1"
csi_enabled = true
namespace_csi = "vault"
vso_enabled = true
namespace_vso = "vault"
k8s_auths = [
{
name = "dev"
namespace = "default"
token_policies = ["read-all-s3-kvv2", "read-write-all-s3-kvv2"]
token_ttl = 3600
},
]
}
```

```yaml
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: vault-static-apps1
namespace: default
spec:
vaultAuthRef: dev
mount: apps
type: kv-v2
path: demo
refreshAfter: 10s
destination:
create: true
name: vso-app
```

```bash
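# ONLY APPLY IF VSO IS ENABLED
# NOTE(review): these URLs track the operator's `main` branch, so the CRDs
# applied here can drift from the chart version the module installs; once the
# matching operator release is known, replace `main` with that release tag
# (e.g. .../<OPERATOR-RELEASE-TAG>/chart/crds/...).
kubectl apply -f https://raw.githubusercontent.com/hashicorp/vault-secrets-operator/main/chart/crds/secrets.hashicorp.com_vaultconnections.yaml
kubectl apply -f https://raw.githubusercontent.com/hashicorp/vault-secrets-operator/main/chart/crds/secrets.hashicorp.com_vaultauths.yaml

# Take the token from the environment if already present, otherwise read it
# from the terminal without echo. Typing it after `export VAULT_TOKEN=` leaves
# the token in shell history, and an empty value only fails later inside
# terraform with an authentication error.
if [[ -z "${VAULT_TOKEN:-}" ]]; then
  read -rs -p 'Vault token: ' VAULT_TOKEN
  printf '\n'
fi
: "${VAULT_TOKEN:?set VAULT_TOKEN in the environment or enter it at the prompt}"
export VAULT_TOKEN

terraform init --upgrade
terraform apply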
```

CALL MODULE W/ VALUES

```hcl
module "vault-base-setup" {
source = "github.com/stuttgart-things/vault-base-setup"
createDefaultAdminPolicy = true
secret_engines = [
{
path = "cloud"
name = "vsphere"
description = "vsphere secrets",
data_json = <

EXECUTE TERRAFORM

```bash
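# Both values come from the caller's environment. Fail early with a message
# instead of exporting an empty string: an unset VAULT_ADDR/VAULT_TOKEN would
# otherwise only surface as a connection or authentication error from terraform.
: "${VAULT_ADDR:?VAULT_ADDR must be set to the Vault URL before running terraform}"
: "${VAULT_TOKEN:?VAULT_TOKEN must be set before running terraform}"
export VAULT_ADDR VAULT_TOKEN

terraform init
terraform validate
terraform plan
terraform apply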
```

## Author Information

```bash
Xiaomin Lai, stuttgart-things 10/2023
Patrick Hermann, stuttgart-things 12/2023
```

## License

Licensed under the Apache License, Version 2.0 (the "License").

You may obtain a copy of the License at [apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0).

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an _"AS IS"_ basis, without WARRANTIES or conditions of any kind, either express or implied.

See the License for the specific language governing permissions and limitations under the License.