add: vault pki basics

2025-12-10 10:18:32 +01:00 · 2023-03-28 09:18:24 +02:00
parent 63f70d07c7
commit 8ae16a65df
9 changed files with 687 additions and 0 deletions
--- a/roles/vault-pki/templates/vault.hcl
+++ b/roles/vault-pki/templates/vault.hcl
@@ -0,0 +1,106 @@
+ui = true
+
+storage "file" {
+  path = "/opt/vault/data"
+}
+
+listener "tcp" {
+  address       = "0.0.0.0:8200"
+  tls_disable = 1
+}
+
+api_addr = "http://127.0.0.1:8200"
+
+# Terraform OIDC config for reference
+#path "/secret/*" {
+#    capabilities = ["read", "list"]
+#}
+#
+#resource "vault_identity_oidc_key" "keycloak_provider_key" {
+#  name      = "keycloak"
+#  algorithm = "RS256"
+#}
+#
+#resource "vault_jwt_auth_backend" "keycloak" {
+#  path               = "oidc"
+#  type               = "oidc"
+#  default_role       = "{{ keycloak_clients['pki']['groups'] }}"
+#
+#  oidc_discovery_url="https://{{ keycloak_address }}/realms/master"
+#  oidc_client_id="{{ keycloak_clients['pki']['client_id'] }}"
+#  oidc_client_secret="{{ keycloak_clients['pki']['client_secret'] }}"
+#
+#  tune {
+#    audit_non_hmac_request_keys  = []
+#    audit_non_hmac_response_keys = []
+#    default_lease_ttl            = "1h"
+#    listing_visibility           = "unauth"
+#    max_lease_ttl                = "1h"
+#    passthrough_request_headers  = []
+#    token_type                   = "default-service"
+#  }
+#}
+#
+#resource "vault_jwt_auth_backend_role" "pki" {
+#  backend        = vault_jwt_auth_backend.keycloak.path
+#  role_name      = "pki"
+#  role_type      = "oidc"
+#  token_ttl      = 3600
+#  token_max_ttl  = 3600
+#
+#  bound_audiences="{{ pki_domain }}"
+#  user_claim      = "sub"
+#  claim_mappings = {
+#    preferred_username = "username"
+#    email              = "email"
+#  }
+#
+#  allowed_redirect_uris = [
+#    "https://{{ pki_domain }}/oidc/oidc/callback",
+#    "https://{{ pki_domain }}/ui/vault/auth/oidc/oidc/callback"
+#  ]
+#  groups_claim = format("/resource_access/%s/roles", 
+#                     keycloak_openid_client.openid_client.client_id)
+#}
+#
+#data "vault_policy_document" "reader_policy" {
+#  rule {
+#    path         = "/secret/*"
+#    capabilities = ["list", "read"]
+#  }
+#}
+#
+#resource "vault_policy" "reader_policy" {
+#  name   = "reader"
+#  policy = data.vault_policy_document.reader_policy.hcl
+#}
+#data "vault_policy_document" "manager_policy" {
+#  rule {
+#    path         = "/secret/*"
+#    capabilities = ["create", "update", "delete"]
+#  }
+#}
+#
+#resource "vault_policy" "manager_policy" {
+#  name   = "management"
+#  policy = data.vault_policy_document.manager_policy.hcl
+#}
+#
+#resource "vault_identity_oidc_role" "management_role" {
+#  name = "management"
+#  key  = vault_identity_oidc_key.keycloak_provider_key.name
+#}
+#
+#resource "vault_identity_group" "management_group" {
+#  name     = vault_identity_oidc_role.management_role.name
+#  type     = "external"
+#  policies = [
+#    vault_policy.manager_policy.name
+#  ]
+#}
+#
+#resource "vault_identity_group_alias" "management_group_alias" {
+#  name           = "pki"
+#  mount_accessor = vault_jwt_auth_backend.keycloak.accessor
+#  canonical_id   = vault_identity_group.management_group.id
+#}