ceph-csi/examples/kms/vault/tenant-sa-admin.yaml
Niels de Vos 82557e3f34 util: allow configuring VAULT_BACKEND for Vault connection
It seems that the version of the key/value engine can not always be
detected for Hashicorp Vault. In certain cases, it is required to
configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a
successful connection to the service can be made.

The `kv-v2` is the current default for development deployments of
Hashicorp Vault (what we use for automated testing). Production
deployments default to version 1 for now.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-22 13:02:47 +00:00

98 lines
3.0 KiB
YAML

---
#
# "vault-tenant-sa-script" is an example of the commands that are required to
# create a secret key-value store for a tenant. The ServiceAccount
# "ceph-csi-vault-sa" in the Namespace of the tenant is given access to the
# created key-value store.
#
# The steps in "add-tenant-sa.sh" would normally be executed by the
# administrator of the Hashicorp Vault service. The tenant is not expected to
# have sufficient permissions for running commands like this in a production
# environment.
#
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-tenant-sa-script
namespace: default
data:
add-tenant-sa.sh: |
# login into vault to add a configuration for the tenant
vault login ${VAULT_DEV_ROOT_TOKEN_ID}
# create a secret store for the tenant
vault secrets enable -version=2 -path="tenant" kv
# create a policy for the tenant
vault policy write "${TENANT_NAMESPACE}" - << EOS
path "tenant/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}
path "sys/mounts" {
capabilities = ["read"]
}
EOS
# allow access with the tenant ServiceAccount
vault write "auth/${CLUSTER_IDENTIFIER}/role/${PLUGIN_ROLE}" \
bound_service_account_names="${TENANT_SA_NAME}" \
bound_service_account_namespaces="${TENANT_NAMESPACE}" \
policies="${TENANT_NAMESPACE}"
---
#
# The "add-tenant-sa.sh" script from the above ConfigMap needs to get executed
# against the Hashicorp Vault service. Usually the administrator of the KMS
# would configure that, but for this example and testing a Job is included
# here.
#
apiVersion: batch/v1
kind: Job
metadata:
name: vault-tenant-sa
namespace: default
spec:
parallelism: 1
completions: 1
template:
metadata:
name: vault-tenant-sa
spec:
serviceAccountName: rbd-csi-vault-token-review
volumes:
- name: vault-tenant-sa-script
configMap:
name: vault-tenant-sa-script
containers:
- name: vault-tenant-sa-job
image: docker.io/library/vault:latest
imagePullPolicy: "IfNotPresent"
securityContext:
runAsUser: 100
volumeMounts:
- mountPath: /scripts
name: vault-tenant-sa-script
env:
- name: HOME
value: /tmp
- name: CLUSTER_IDENTIFIER
value: kubernetes
- name: SERVICE_ACCOUNT_TOKEN_PATH
value: /var/run/secrets/kubernetes.io/serviceaccount
- name: K8S_HOST
value: https://kubernetes.default.svc.cluster.local
- name: PLUGIN_ROLE
value: ceph-csi-tenant
- name: TENANT_SA_NAME
value: ceph-csi-vault-sa
- name: TENANT_NAMESPACE
value: tenant
- name: VAULT_ADDR
value: http://vault.default.svc.cluster.local:8200/
- name: VAULT_DEV_ROOT_TOKEN_ID
value: sample_root_token_id
command:
- /bin/sh
- /scripts/add-tenant-sa.sh
restartPolicy: Never