mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-22 13:00:19 +00:00
82557e3f34
It seems that the version of the key/value engine can not always be detected for Hashicorp Vault. In certain cases, it is required to configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a successful connection to the service can be made. The `kv-v2` is the current default for development deployments of Hashicorp Vault (what we use for automated testing). Production deployments default to version 1 for now. Signed-off-by: Niels de Vos <ndevos@redhat.com>
98 lines
3.0 KiB
YAML
98 lines
3.0 KiB
YAML
---
|
|
#
|
|
# "vault-tenant-sa-script" is an example of the commands that are required to
|
|
# create a secret key-value store for a tenant. The ServiceAccount
|
|
# "ceph-csi-vault-sa" in the Namespace of the tenant is given access to the
|
|
# created key-value store.
|
|
#
|
|
# The steps in "add-tenant-sa.sh" would normally be executed by the
|
|
# administrator of the Hashicorp Vault service. The tenant is not expected to
|
|
# have sufficient permissions for running commands like this in a production
|
|
# environment.
|
|
#
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: vault-tenant-sa-script
|
|
namespace: default
|
|
data:
|
|
add-tenant-sa.sh: |
|
|
# login into vault to add a configuration for the tenant
|
|
vault login ${VAULT_DEV_ROOT_TOKEN_ID}
|
|
|
|
# create a secret store for the tenant
|
|
vault secrets enable -version=2 -path="tenant" kv
|
|
|
|
# create a policy for the tenant
|
|
vault policy write "${TENANT_NAMESPACE}" - << EOS
|
|
path "tenant/*" {
|
|
capabilities = ["create", "update", "delete", "read", "list"]
|
|
}
|
|
|
|
path "sys/mounts" {
|
|
capabilities = ["read"]
|
|
}
|
|
EOS
|
|
|
|
# allow access with the tenant ServiceAccount
|
|
vault write "auth/${CLUSTER_IDENTIFIER}/role/${PLUGIN_ROLE}" \
|
|
bound_service_account_names="${TENANT_SA_NAME}" \
|
|
bound_service_account_namespaces="${TENANT_NAMESPACE}" \
|
|
policies="${TENANT_NAMESPACE}"
|
|
---
|
|
#
|
|
# The "add-tenant-sa.sh" script from the above ConfigMap needs to get executed
|
|
# against the Hashicorp Vault service. Usually the administrator of the KMS
|
|
# would configure that, but for this example and testing a Job is included
|
|
# here.
|
|
#
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: vault-tenant-sa
|
|
namespace: default
|
|
spec:
|
|
parallelism: 1
|
|
completions: 1
|
|
template:
|
|
metadata:
|
|
name: vault-tenant-sa
|
|
spec:
|
|
serviceAccountName: rbd-csi-vault-token-review
|
|
volumes:
|
|
- name: vault-tenant-sa-script
|
|
configMap:
|
|
name: vault-tenant-sa-script
|
|
containers:
|
|
- name: vault-tenant-sa-job
|
|
image: docker.io/library/vault:latest
|
|
imagePullPolicy: "IfNotPresent"
|
|
securityContext:
|
|
runAsUser: 100
|
|
volumeMounts:
|
|
- mountPath: /scripts
|
|
name: vault-tenant-sa-script
|
|
env:
|
|
- name: HOME
|
|
value: /tmp
|
|
- name: CLUSTER_IDENTIFIER
|
|
value: kubernetes
|
|
- name: SERVICE_ACCOUNT_TOKEN_PATH
|
|
value: /var/run/secrets/kubernetes.io/serviceaccount
|
|
- name: K8S_HOST
|
|
value: https://kubernetes.default.svc.cluster.local
|
|
- name: PLUGIN_ROLE
|
|
value: ceph-csi-tenant
|
|
- name: TENANT_SA_NAME
|
|
value: ceph-csi-vault-sa
|
|
- name: TENANT_NAMESPACE
|
|
value: tenant
|
|
- name: VAULT_ADDR
|
|
value: http://vault.default.svc.cluster.local:8200/
|
|
- name: VAULT_DEV_ROOT_TOKEN_ID
|
|
value: sample_root_token_id
|
|
command:
|
|
- /bin/sh
|
|
- /scripts/add-tenant-sa.sh
|
|
restartPolicy: Never
|