parent
bcb2bd28d7
commit
75fdd3a624
@ -0,0 +1,3 @@ |
||||
local appDef = import './app-definitions.libsonnet'; |
||||
|
||||
appDef.localApplication(name="vault-crossplane-integration", nonHelmApp=true) |
@ -0,0 +1,110 @@ |
||||
apiVersion: apiextensions.crossplane.io/v1 |
||||
kind: CompositeResourceDefinition |
||||
metadata: |
||||
name: xbaseapplicationinfrastructures.scubbo.org |
||||
spec: |
||||
group: scubbo.org |
||||
names: |
||||
kind: xBaseApplicationInfrastructure |
||||
plural: xbaseapplicationinfrastructures |
||||
claimNames: |
||||
kind: BaseAppInfra |
||||
plural: baseappinfras |
||||
versions: |
||||
- name: v1alpha1 |
||||
served: true |
||||
referenceable: true |
||||
schema: |
||||
openAPIV3Schema: |
||||
type: object |
||||
properties: |
||||
spec: |
||||
type: object |
||||
properties: |
||||
appName: |
||||
type: string |
||||
--- |
||||
# Sources for the Vault resources are here: |
||||
# https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator#configure-vault |
||||
apiVersion: apiextensions.crossplane.io/v1 |
||||
kind: Composition |
||||
metadata: |
||||
name: base-application-infrastructure |
||||
spec: |
||||
compositeTypeRef: |
||||
apiVersion: scubbo.org/v1alpha1 |
||||
kind: xBaseApplicationInfrastructure |
||||
resources: |
||||
- name: vault-role |
||||
base: |
||||
apiVersion: kubernetes.vault.upbound.io/v1alpha1 |
||||
kind: AuthBackendRole |
||||
spec: |
||||
providerConfigRef: |
||||
name: vault-provider-config |
||||
forProvider: |
||||
audience: vault |
||||
boundServiceAccountNames: |
||||
- default |
||||
boundServiceAccountNamespaces: [] |
||||
# boundServiceAccountNamespaces, roleName, and tokenPolicies provided by patch |
||||
tokenTtl: 86400 |
||||
patches: |
||||
- type: FromCompositeFieldPath |
||||
fromFieldPath: metadata.namespace |
||||
toFieldPath: spec.forProvider.boundServiceAccountNamespaces |
||||
transforms: |
||||
- type: string |
||||
string: |
||||
type: Format |
||||
# fmt: "[\"%s\"]" |
||||
fmt: "[\"hard-coded namespace\"]" |
||||
- type: convert |
||||
convert: |
||||
toType: array |
||||
format: json |
||||
- type: FromCompositeFieldPath |
||||
fromFieldPath: spec.appName |
||||
toFieldPath: spec.forProvider.roleName |
||||
transforms: |
||||
- type: string |
||||
string: |
||||
type: Format |
||||
fmt: "vault-secrets-operator-%s-role" |
||||
- type: FromCompositeFieldPath |
||||
fromFieldPath: spec.appName |
||||
toFieldPath: spec.forProvider.tokenPolicies |
||||
transforms: |
||||
- type: string |
||||
string: |
||||
type: Format |
||||
fmt: "[\"vault-secrets-operator-%s-policy\"]" |
||||
- type: convert |
||||
convert: |
||||
toType: array |
||||
format: json |
||||
- name: vault-policy |
||||
base: |
||||
apiVersion: vault.vault.upbound.io/v1alpha1 |
||||
kind: Policy |
||||
spec: |
||||
providerConfigRef: |
||||
name: vault-provider-config |
||||
forProvider: {} |
||||
patches: |
||||
- type: FromCompositeFieldPath |
||||
fromFieldPath: spec.appName |
||||
toFieldPath: spec.forProvider.name |
||||
transforms: |
||||
- type: string |
||||
string: |
||||
type: Format |
||||
fmt: "vault-secrets-operator-%s-policy" |
||||
- type: FromCompositeFieldPath |
||||
fromFieldPath: spec.appName |
||||
toFieldPath: spec.forProvider.policy |
||||
transforms: |
||||
- type: string |
||||
string: |
||||
type: Format |
||||
fmt: "path \"app-%s-kv/*\" {capabilities=[\"read\"]}" |
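Review bot: The boundServiceAccountNamespaces patch still carries the debug value `fmt: "[\"hard-coded namespace\"]"` while the intended `# fmt: "[\"%s\"]"` is commented out, so the AuthBackendRole is bound to a literal namespace string rather than the claim's metadata.namespace and no workload in the claiming namespace can actually log in; restoring `fmt: "[\"%s\"]"` (or documenting why the placeholder is deliberate) is needed before this composition is usable. The base also binds the role to the `default` service account, which every pod in the namespace that does not set serviceAccountName runs as, so a dedicated service account name (patched from spec.appName like roleName) would keep the token policy to the one workload it is meant for, and a 24h `tokenTtl` with no `tokenMaxTtl` is long for a workload token. Because spec.appName is interpolated unvalidated into the Vault role name, policy name and the HCL policy body (`path "app-%s-kv/*" ...`), the XRD should constrain it, e.g. `required: [appName]` under spec and `pattern: "^[a-z0-9-]+$"` on appName, so a claim cannot inject quotes or path segments into the generated policy. The file path and original indentation are not recoverable from this rendering, so the YAML nesting above is inferred from order.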