--- # # "vault-tenant-sa-script" is an example of the commands that are required to # create a secret key-value store for a tenant. The ServiceAccount # "ceph-csi-vault-sa" in the Namespace of the tenant is given access to the # created key-value store. # # The steps in "add-tenant-sa.sh" would normally be executed by the # administrator of the Hashicorp Vault service. The tenant is not expected to # have sufficient permissions for running commands like this in a production # environment. # apiVersion: v1 kind: ConfigMap metadata: name: vault-tenant-sa-script namespace: default data: add-tenant-sa.sh: | # login into vault to add a configuration for the tenant vault login ${VAULT_DEV_ROOT_TOKEN_ID} # create a secret store for the tenant vault secrets enable -path="tenant" kv # create a policy for the tenant vault policy write "${TENANT_NAMESPACE}" - << EOS path "tenant/*" { capabilities = ["create", "update", "delete", "read", "list"] } path "sys/mounts" { capabilities = ["read"] } EOS # allow access with the tenant ServiceAccount vault write "auth/${CLUSTER_IDENTIFIER}/role/${PLUGIN_ROLE}" \ bound_service_account_names="${TENANT_SA_NAME}" \ bound_service_account_namespaces="${TENANT_NAMESPACE}" \ policies="${TENANT_NAMESPACE}" --- # # The "add-tenant-sa.sh" script from the above ConfigMap needs to get executed # against the Hashicorp Vault service. Usually the administrator of the KMS # would configure that, but for this example and testing a Job is included # here. # apiVersion: batch/v1 kind: Job metadata: name: vault-tenant-sa namespace: default spec: parallelism: 1 completions: 1 template: metadata: name: vault-tenant-sa spec: serviceAccountName: rbd-csi-vault-token-review volumes: - name: vault-tenant-sa-script configMap: name: vault-tenant-sa-script containers: - name: vault-tenant-sa-job image: docker.io/library/vault:latest imagePullPolicy: "IfNotPresent" securityContext: runAsUser: 100 volumeMounts: - mountPath: /scripts name: vault-tenant-sa-script env: - name: HOME value: /tmp - name: CLUSTER_IDENTIFIER value: kubernetes - name: SERVICE_ACCOUNT_TOKEN_PATH value: /var/run/secrets/kubernetes.io/serviceaccount - name: K8S_HOST value: https://kubernetes.default.svc.cluster.local - name: PLUGIN_ROLE value: ceph-csi-tenant - name: TENANT_SA_NAME value: ceph-csi-vault-sa - name: TENANT_NAMESPACE value: tenant - name: VAULT_ADDR value: http://vault.default.svc.cluster.local:8200/ - name: VAULT_DEV_ROOT_TOKEN_ID value: sample_root_token_id command: - /bin/sh - /scripts/add-tenant-sa.sh restartPolicy: Never