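# Vault Kubernetes authentication configuration (E10-03).
# Binds the veylant-proxy ServiceAccount to the Vault role defined in vault-policy.hcl.
#
# Prerequisites (run by a Vault operator before applying this file):
#   the Kubernetes auth method must be enabled and pointed at the API server
#   that Vault will call to verify ServiceAccount tokens:
#     vault auth enable kubernetes
#     vault write auth/kubernetes/config kubernetes_host="https://$K8S_HOST:443"
#
# Apply: kubectl apply -f deploy/k8s/vault/vault-auth.yaml -n veylant
#   (the ConfigMap below is namespaced to veylant; the ClusterRoleBinding in
#   the second document is cluster-scoped and ignores the -n flag.)
---
# ConfigMap holding the Vault connection parameters for reference.
# This is NOT a VaultAuth custom resource: workloads authenticate through the
# Vault Agent Injector annotations defined in serviceaccount.yaml, using the
# Kubernetes auth method. No token or other credential is stored here, so the
# values are safe to commit.
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config
  namespace: veylant
data:
  # Vault server address (in-cluster HTTPS endpoint) — override with the
  # VAULT_ADDR env var or Helm values. Clients must trust the Vault server
  # certificate; no CA bundle is distributed through this ConfigMap.
  VAULT_ADDR: "https://vault.vault.svc.cluster.local:8200"
  # Vault namespace (Enterprise only; leave empty for open-source Vault).
  # Kept as an explicit empty string so the key is always present.
  VAULT_NAMESPACE: ""
  # Mount path of the Kubernetes auth method; matches the default path used by
  # `vault auth enable kubernetes` in the prerequisites above.
  VAULT_AUTH_PATH: "auth/kubernetes"
  # Vault role bound to the veylant-proxy ServiceAccount (see vault-policy.hcl).
  # Must match the role name configured on the Vault side.
  VAULT_ROLE: "veylant-proxy"
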
---
# ClusterRoleBinding that lets the Vault server validate ServiceAccount tokens.
#
# When a workload logs in via auth/kubernetes, Vault verifies the presented
# ServiceAccount JWT with the Kubernetes TokenReview API. system:auth-delegator
# is the built-in ClusterRole granting exactly that (create on tokenreviews and
# subjectaccessreviews); no broader permission is needed for token review.
#
# The subject is the ServiceAccount the Vault server pods run as. It lives in
# the `vault` namespace, consistent with the vault.vault.svc address used
# elsewhere in this file. This object is cluster-scoped: the -n flag on
# kubectl apply has no effect on it.
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'ClusterRoleBinding'
metadata:
  name: 'vault-token-reviewer'
roleRef:
  apiGroup: 'rbac.authorization.k8s.io'
  kind: 'ClusterRole'
  name: 'system:auth-delegator'
subjects:
  - kind: 'ServiceAccount'
    name: 'vault'
    namespace: 'vault'