13 changed files with 153 additions and 144 deletions
--- a/infra/clusters/management/bootstrap/stage2-harden/main.tf
+++ b/infra/clusters/management/bootstrap/stage2-harden/main.tf
@ -177,14 +177,6 @@ path "auth/token/renew-self" {
  capabilities = ["update"]
 }
 path "auth/token/lookup-accessor" {
    capabilities = ["update"]
 }
 path "auth/token/renew-accessor" {
    capabilities = ["update"]
 }
 # Add other necessary permissions as needed
 EOT
 }
@ -192,7 +184,6 @@ EOT
 resource "vault_token" "management" {
  policies = [vault_policy.management.name]
  renewable = true
-  ttl       = "24h"
+  ttl       = "1h"
-  renew_min_lease = "12h"
+  period    = "15m"
  renew_increment = "24h"
 }
--- a/infra/clusters/platform/bootstrap/minio.tf
+++ b/infra/clusters/platform/bootstrap/minio.tf
@ -0,0 +1,47 @@
 terraform {
  required_providers {
    minio = {
      source = "aminueza/minio"
      version = "~> 2.5.0"
    }
  }
 }
 provider "minio" {
  minio_server = "localhost:9123"
  minio_region = "eu-central-1"
  minio_user = data.vault_kv_secret_v2.minio_creds.data["access_key"]
  minio_password = data.vault_kv_secret_v2.minio_creds.data["secret_key"]
 }
 resource "minio_s3_bucket" "platform" {
  depends_on = [data.vault_kv_secret_v2.minio_creds]
  bucket = "platform"
  acl = "private"
 }
 resource "minio_iam_user" "platform" {
  depends_on = [data.vault_kv_secret_v2.minio_creds]
  name = "platform"
 }
 resource "minio_iam_policy" "platform" {
  depends_on = [minio_s3_bucket.platform]
  name = "platform-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = ["s3:GetObject", "s3:PutObject"]
        Resource = ["arn:aws:s3:::platform/*"]
      }
    ]
  })
 }
 resource "minio_iam_user_policy_attachment" "policy_attachment" {
  depends_on = [minio_iam_user.platform, minio_iam_policy.platform]
  user_name   = minio_iam_user.platform.name
  policy_name = minio_iam_policy.platform.name
 }
--- a/infra/clusters/platform/bootstrap/output.tf
+++ b/infra/clusters/platform/bootstrap/output.tf
@ -0,0 +1,17 @@
 output "vault_token" {
  value = vault_token.platform.client_token
  sensitive = true
 }
 output "minio_user" {
  value = minio_iam_user.platform.id
 }
 output "minio_user_status" {
  value = minio_iam_user.platform.status
 }
 output "minio_user_secret" {
  value     = minio_iam_user.platform.secret
  sensitive = true
 }
--- a/infra/clusters/platform/bootstrap/variables.tf
+++ b/infra/clusters/platform/bootstrap/variables.tf
@ -0,0 +1,4 @@
 variable "vault_root_token" {
  description = "Vault (root) token to create secrets"
  type        = string
 }
--- a/infra/clusters/platform/bootstrap/vault.tf
+++ b/infra/clusters/platform/bootstrap/vault.tf
@ -0,0 +1,34 @@
 provider "vault" {
  address = "http://127.0.0.1:8200"
  token = var.vault_root_token
 }
 data "vault_kv_secret_v2" "minio_creds" {
  mount = "management"
  name  = "minio"
 }
 resource "vault_mount" "platform" {
  path        = "platform"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount for management"
 }
 resource "vault_policy" "platform" {
  name = "platform"
  policy = <<EOT
 path "platform/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
 }
 # Add other necessary permissions
 EOT
 }
 resource "vault_token" "platform" {
  policies  = [vault_policy.platform.name]
  renewable = true
  ttl       = "720h"  # 30 days
  period    = "720h"  # Will be renewed every 30 days
 }
--- a/infra/clusters/platform/generate-tf-config.sh
+++ b/infra/clusters/platform/generate-tf-config.sh
@ -1,27 +0,0 @@
 #!/bin/bash
 MINIO_ACCESS_KEY=$(VAULT_TOKEN="$VAULT_TOKEN" VAULT_ADDR="$VAULT_ADDR" vault kv get -mount="platform" -field="access_key" "minio")
 MINIO_SECRET_KEY=$(VAULT_TOKEN="$VAULT_TOKEN" VAULT_ADDR="$VAULT_ADDR" vault kv get -mount="platform" -field="secret_key" "minio")
 cat << EOF > backend.tfvars
 endpoints       = { s3 = "${MINIO_ADDR}" }
 access_key      = "${MINIO_ACCESS_KEY}"
 secret_key      = "${MINIO_SECRET_KEY}"
 bucket          = "platform"
 key             = "terraform.tfstate"
 region          = "eu-central-1"
 EOF
 cat << EOF > terraform.tfvars
 endpoints       = { s3 = "${MINIO_ADDR}" }
 access_key      = "${MINIO_ACCESS_KEY}"
 secret_key      = "${MINIO_SECRET_KEY}"
 bucket          = "platform"
 key             = "terraform.tfstate"
 region          = "eu-central-1"
 minio_server    = "${MINIO_SERVER}"
 vault_token     = "${VAULT_TOKEN}"
 vault_addr      = "${VAULT_ADDR}"
 node_ip         = "${NODE_IP}"
 node_username   = "root"
 EOF
--- a/infra/clusters/platform/hcloud_infra.tf
+++ b/infra/clusters/platform/hcloud_infra.tf
@ -0,0 +1,39 @@
 # HCloud instance for creating a single node workload cluster
 resource "hcloud_server" "quickstart_node" {
  name        = "${var.prefix}-worker"
  image       = "ubuntu-20.04"
  server_type = var.instance_type
  location    = var.hcloud_location
  ssh_keys = [hcloud_ssh_key.quickstart_ssh_key.id]
  network {
    network_id = hcloud_network.private.id
  }
  user_data = templatefile(
    "userdata_node.template",
    {
      username         = local.node_username
      register_command = module.rancher_common.custom_cluster_command
    }
  )
  provisioner "remote-exec" {
    inline = [
      "echo 'Waiting for cloud-init to complete...'",
      "cloud-init status --wait > /dev/null",
      "echo 'Completed cloud-init!'",
    ]
    connection {
      type        = "ssh"
      host        = self.ipv4_address
      user        = local.node_username
      private_key = tls_private_key.global_key.private_key_pem
    }
  }
  depends_on = [
    hcloud_network_subnet.private
  ]
 }
--- a/infra/clusters/platform/helm.tf
+++ b/infra/clusters/platform/helm.tf
@ -1,15 +0,0 @@
 provider "kubernetes" {
  host                   = yamldecode(data.minio_s3_object.k8s_yaml.content).clusters[0].cluster.server
  client_certificate     = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).users[0].user.client-certificate-data)
  client_key             = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).users[0].user.client-key-data)
  cluster_ca_certificate = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).clusters[0].cluster.certificate-authority-data)
 }
 provider "helm" {
  kubernetes {
    host                   = yamldecode(data.minio_s3_object.k8s_yaml.content).clusters[0].cluster.server
    client_certificate     = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).users[0].user.client-certificate-data)
    client_key             = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).users[0].user.client-key-data)
    cluster_ca_certificate = base64decode(yamldecode(data.minio_s3_object.k8s_yaml.content).clusters[0].cluster.certificate-authority-data)
  }
 }
--- a/infra/clusters/platform/minio.tf
+++ b/infra/clusters/platform/minio.tf
@ -1,31 +0,0 @@
 terraform {
  required_providers {
    minio = {
      source  = "aminueza/minio"
      version = "~> 2.5.0"
    }
  }
 }
 provider "minio" {
  minio_server   = var.minio_server
  minio_region   = var.region
  minio_user     = var.access_key
  minio_password = var.secret_key
  minio_ssl      = true
 }
 data "minio_s3_object" "k8s_yaml" {
  bucket_name = var.bucket
  object_name = "kube_config_server.yaml"
 }
 data "minio_s3_object" "id_rsa" {
  bucket_name = var.bucket
  object_name = "id_rsa"
 }
 data "minio_s3_object" "id_rsa_pub" {
  bucket_name = var.bucket
  object_name = "id_rsa.pub"
 }
--- a/infra/clusters/platform/rancher_cluster.tf
+++ b/infra/clusters/platform/rancher_cluster.tf
@ -0,0 +1,8 @@
 # Create custom managed cluster for quickstart
 resource "rancher2_cluster_v2" "quickstart_workload" {
  provider = rancher2.admin
  name               = var.workload_cluster_name
  kubernetes_version = var.workload_kubernetes_version
 }
--- a/infra/clusters/platform/variables.tf
+++ b/infra/clusters/platform/variables.tf
@ -1,47 +0,0 @@
 variable "endpoints" {
  type = map(string)
 }
 variable "access_key" {
  type = string
  sensitive = true
 }
 variable "secret_key" {
  type = string
  sensitive = true
 }
 variable "bucket" {
  type = string
 }
 variable "key" {
  type = string
 }
 variable "region" {
  type = string
 }
 variable "minio_server" {
  type = string
 }
 variable "vault_addr" {
  type = string
 }
 variable "vault_token" {
  type = string
  sensitive = true
 }
 variable "node_ip" {
  type = string
 }
 variable "node_username" {
  type = string
  default = "root"
 }
--- a/infra/clusters/platform/vault.tf
+++ b/infra/clusters/platform/vault.tf
@ -1,4 +0,0 @@
 provider "vault" {
  address = var.vault_addr
  token   = var.vault_token
 }
--- a/infra/modules/cluster/main.tf
+++ b/infra/modules/cluster/main.tf
@ -105,12 +105,6 @@ path "auth/token/lookup-self" {
 path "auth/token/renew-self" {
    capabilities = ["update"]
 }
 path "auth/token/lookup-accessor" {
    capabilities = ["update"]
 }
 path "auth/token/renew-accessor" {
    capabilities = ["update"]
 }
 # Add other necessary permissions
 EOT
 }
@ -118,7 +112,6 @@ EOT
 resource "vault_token" "cluster" {
  policies = [vault_policy.cluster.name]
  renewable = true
-  ttl       = "24h"
+  ttl       = "1h"
-  renew_min_lease = "12h"
+  period    = "15m"
  renew_increment = "24h"
 }