mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-30 10:10:21 +00:00
b866bd491c
The new `vaultAuthNamespace` configuration parameter can be set to the
Vault Namespace where the authentication is setup in the service. Some
Hashicorp Vault deployments use sub-namespaces for their users/tenants,
with a 'root' namespace where the authentication is configured. This
requires passing of different Vault namespaces for different operations.
Example:
- the Kubernetes Auth mechanism is configured for in the Vault
Namespace called 'devops'
- a user/tenant has a sub-namespace called 'devops/website' where the
encryption passphrases can be placed in the key-value store
The configuration for this, then looks like:
vaultAuthNamespace: devops
vaultNamespace: devops/homepage
Note that Vault Namespaces are a feature of the Hashicorp Vault
Enterprise product, and not part of the Open Source version. This
prevents adding e2e tests that validate the Vault Namespace
configuration.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| aws-credentials.yaml | ||
| csi-kms-connection-details.yaml | ||
| csi-vaulttokenreview-rbac.yaml | ||
| kms-config.yaml | ||
| tenant-config.yaml | ||
| tenant-sa-admin.yaml | ||
| tenant-sa.yaml | ||
| tenant-token.yaml | ||
| user-secret.yaml | ||
| vault-psp.yaml | ||
| vault.yaml | ||