util: add vaultAuthNamespace option for Vault KMS

The new `vaultAuthNamespace` configuration parameter can be set to the Vault Namespace where the authentication is setup in the service. Some Hashicorp Vault deployments use sub-namespaces for their users/tenants, with a 'root' namespace where the authentication is configured. This requires passing of different Vault namespaces for different operations. Example: - the Kubernetes Auth mechanism is configured for in the Vault Namespace called 'devops' - a user/tenant has a sub-namespace called 'devops/website' where the encryption passphrases can be placed in the key-value store The configuration for this, then looks like: vaultAuthNamespace: devops vaultNamespace: devops/homepage Note that Vault Namespaces are a feature of the Hashicorp Vault Enterprise product, and not part of the Open Source version. This prevents adding e2e tests that validate the Vault Namespace configuration. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2025-06-13 10:33:35 +00:00 · 2021-07-30 09:53:27 +02:00
parent 83167e2ac5
commit f2d5c2e0df
4 changed files with 43 additions and 4 deletions
--- a/examples/kms/vault/kms-config.yaml
+++ b/examples/kms/vault/kms-config.yaml
@ -52,6 +52,30 @@ data:
              }
          }
      },
+      "vault-tenant-sa-ns-test": {
+          "encryptionKMSType": "vaulttenantsa",
+          "vaultAddress": "http://vault.default.svc.cluster.local:8200",
+          "vaultBackend": "kv-v2",
+          "vaultBackendPath": "shared-secrets",
+          "vaultAuthNamespace": "devops",
+          "vaultNamespace": "devops/homepage",
+          "vaultTLSServerName": "vault.default.svc.cluster.local",
+          "vaultCAVerify": "false",
+          "tenantConfigName": "ceph-csi-kms-config",
+          "tenantSAName": "ceph-csi-vault-sa",
+          "tenants": {
+              "webservers": {
+                  "vaultAddress": "https://vault.example.com",
+                  "vaultAuthNamespace": "webservers",
+                  "vaultNamespace": "webservers/homepage",
+                  "vaultCAVerify": "true"
+              },
+              "homepage-db": {
+                  "vaultNamespace": "devops/homepage/database",
+                  "tenantSAName": "storage-encryption-sa"
+              }
+          }
+      },
      "secrets-metadata-test": {
          "encryptionKMSType": "metadata"
      },