🧊 This project has been migrated to bcit-tlu/vault.
The code remains available for historical purposes.
This project uses Terraform to deploy Vault resources; backend state is stored remotely in Azure blob storage.
- Terraform >= 1.0
- Vault CLI
- Azure CLI for state storage
- Alternatively, install `nix` and `direnv` to load the required executables
- If using Kubernetes auth, the Kubernetes CLI and a cluster are required
Note: comment out the modules in `main.tf` until a local state is established. When a backend is configured, state can be migrated with:

```shell
terraform init -migrate-state
```

- Login to Vault:

  ```shell
  vault login {initialRootToken}
  ```

- Initialize Terraform:

  ```shell
  terraform init
  ```

- Apply the KV secrets engine:

  ```shell
  terraform apply -target=module.secrets.vault_mount.kv_mount -auto-approve
  ```

- Load the required secrets:
  - `oidc_credentials_path` -> expects the Entra ID app `client_id` and `client_secret`
  - `kubernetes_auth` -> expects `ca_pem` and `token_reviewer_jwt`
This module sets up groups and entities based on the configuration in the root `identities.yaml` file.

This module configures Kubernetes access to Vault. See `terraform.tfvars.example` for information about configuration.
- Load the required secrets into the KV engine at `${k8s_auth_path_prefix}/clusters/${cluster0X}`. Required secrets:
  - cluster CA certificate (`ca_pem`)
  - service account token (`token_reviewer_jwt`)

  Secret structure:

  ```json
  {
    "ca_pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "token_reviewer_jwt": "xxxxxxxxxxxxxxx.yyyyyyyyyyyyyyyyy.zzzzzzzzzzzzzzz"
  }
  ```

- Uncomment the module in `main.tf`
- `terraform plan` and `terraform apply` the config
See `modules/oidc-auth/NOTES.md` for details.

- Load the required secrets into the KV engine at `oidc_credentials_path`:
  - `client_id`
  - `client_secret`

  Secret structure:

  ```json
  {
    "client_id": "{yourAzureAppClientID}",
    "client_secret": "{yourAzureAppClientSecret}"
  }
  ```

- Uncomment the module in `main.tf`
- `terraform plan` and `terraform apply` the config
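The two "load the required secrets" steps above (Kubernetes auth and OIDC) both hand a small JSON document to the KV engine. The following POSIX shell script is an added example, not code from this repository: it builds each payload with proper JSON escaping, refuses input that is not a PEM certificate or not a three-part JWT, and pipes the result to `vault kv put` on stdin so the secret values never appear on the command line. The KV mount name `secret`, and the `K8S_AUTH_PATH_PREFIX`, `CLUSTER_NAME` and `OIDC_CREDENTIALS_PATH` environment variables, are assumptions for the example and not values defined by the project.

```shell
#!/bin/sh
# Added example, not part of the original project: build the kubernetes_auth and
# oidc-auth secret payloads and load them into the KV engine with the Vault CLI.
# Assumptions (not from the README): KV mount "secret"; the target paths come from
# the K8S_AUTH_PATH_PREFIX, CLUSTER_NAME and OIDC_CREDENTIALS_PATH variables.
set -eu

KV_MOUNT=${KV_MOUNT:-secret}

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Turn a multi-line PEM file into one JSON string value: every newline becomes the
# two characters "\n", matching the Secret structure shown in the README.
pem_to_json_string() {
  first=1
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$first" -eq 1 ]; then first=0; else printf '\\n'; fi
    printf '%s' "$(json_escape "$line")"
  done < "$1"
}

# Refuse anything that does not start with a PEM certificate header.
check_ca_pem() {
  case $(head -n 1 "$1") in
    '-----BEGIN CERTIFICATE-----') return 0 ;;
    *) echo "error: $1 is not a PEM certificate" >&2; return 1 ;;
  esac
}

# A service account token is a JWT: exactly three non-empty dot-separated segments.
check_jwt() {
  case $1 in
    ?*.?*.?*) ;;
    *) echo "error: token_reviewer_jwt is not a JWT" >&2; return 1 ;;
  esac
  case ${1#*.*.} in
    *.*) echo "error: token_reviewer_jwt has more than three segments" >&2; return 1 ;;
  esac
}

# Payload for the kubernetes_auth module: $1 = CA certificate file, $2 = reviewer JWT.
build_k8s_auth_payload() {
  check_ca_pem "$1" || return 1
  check_jwt "$2" || return 1
  printf '{"ca_pem":"%s","token_reviewer_jwt":"%s"}\n' \
    "$(pem_to_json_string "$1")" "$(json_escape "$2")"
}

# Payload for the oidc-auth module: $1 = client_id, $2 = client_secret.
build_oidc_payload() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "error: client_id and client_secret must both be non-empty" >&2; return 1
  fi
  printf '{"client_id":"%s","client_secret":"%s"}\n' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Write the payload on stdin to $1 below the KV mount. The trailing "-" tells
# vault kv put to read the JSON from stdin instead of key=value arguments.
load_secret() {
  vault kv put "$KV_MOUNT/$1" -
}

# Usage: sh load_secrets.sh k8s CA_FILE JWT
#        sh load_secrets.sh oidc CLIENT_ID CLIENT_SECRET
main() {
  case ${1:-} in
    k8s)  build_k8s_auth_payload "$2" "$3" | load_secret "${K8S_AUTH_PATH_PREFIX}/clusters/${CLUSTER_NAME}" ;;
    oidc) build_oidc_payload "$2" "$3" | load_secret "${OIDC_CREDENTIALS_PATH}" ;;
    *)    echo "usage: $0 k8s CA_FILE JWT | oidc CLIENT_ID CLIENT_SECRET" >&2; return 2 ;;
  esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it after `vault login` with `VAULT_ADDR` set; the path built for the Kubernetes case mirrors the `${k8s_auth_path_prefix}/clusters/${cluster0X}` layout the module expects, so one invocation per cluster is enough.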
Developed in 🇨🇦 Canada by the Learning and Teaching Centre at BCIT.