Merge pull request #81 from stakater/SA-3720-1

Updated vault's k8s auth support for mto
stakater · Dec 8, 2023 · b841e30 · b841e30
2 parents 3abe756 + 56351bf
commit b841e30
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 34 deletions.
diff --git a/content/how-to-guides/integration-config.md b/content/how-to-guides/integration-config.md
@@ -87,14 +87,11 @@ spec:
         namespace: openshift-auth
   vault:
     enabled: true
-    endpoint:
-      url: https://vault.apps.prod.abcdefghi.kubeapp.cloud/
-      secretReference:
-        name: vault-root-token
-        namespace: vault
+    accessorPath: oidc/
+    address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
+    roleName: mto
     sso:
       clientName: vault
-      accessorID: <ACCESSOR_ID_TOKEN>
 ```
 
 Following are the different components that can be used to configure multi-tenancy in a cluster via Multi Tenant Operator.
@@ -348,21 +345,56 @@ If `vault` is configured on a cluster, then Vault configuration can be enabled.
 ```yaml
 Vault:
   enabled: true
-  endpoint:
-    secretReference:
-      name: vault-root-token
-      namespace: vault
-    url: >-
-      https://vault.apps.prod.abcdefghi.kubeapp.cloud/
+    accessorPath: oidc/
+    address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
+    roleName: mto
   sso:
-    accessorID: <ACCESSOR_ID_TOKEN>
     clientName: vault
 ```
 
-If enabled, then admins have to provide secret, URL and SSO accessorID of Vault.
+If enabled, then admins have to provide following details:
 
-- `secretReference.name:` Will contain the name of the secret.
-- `secretReference.namespace:` Will contain the namespace of the secret.
-- `url:` Will contain the URL of Vault.
-- `sso.accessorID:` Will contain the SSO accessorID.
-- `sso.clientName:` Will contain the client name.
+- `accessorPath:` Accessor Path within Vault to fetch SSO accessorID
+- `address:` Valid Vault address reachable within cluster.
+- `roleName:` Vault's Kubernetes authentication role
+- `sso.clientName:` SSO client name.
+
+For more details around enabling Kubernetes auth in Vault, visit [here](https://developer.hashicorp.com/vault/docs/auth/kubernetes)
+
+The role created within Vault for Kubernetes authentication should have the following permissions:
+
+```yaml
+path "secret/*" {
+  capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "sys/mounts" {
+  capabilities = ["read", "list"]
+}
+path "sys/mounts/*" {
+  capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "managed-addons/*" {
+  capabilities = ["read", "list"]
+}
+path "auth/kubernetes/role/*" {
+  capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "sys/auth" {
+  capabilities = ["read", "list"]
+}
+path "sys/policies/*" {
+  capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "identity/group" {
+  capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "identity/group-alias" {
+  capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "identity/group/name/*" {
+  capabilities = ["read", "list"]
+}
+path "identity/group/id/*" {
+  capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+```
diff --git a/content/reference-guides/integrationconfig.md b/content/reference-guides/integrationconfig.md
@@ -89,14 +89,10 @@ metadata:
 spec:
   vault:
     enabled: true
-    endpoint:
-      secretReference:
-        name: vault-root-token
-        namespace: vault
-      url: >-
-        https://vault.apps.prod.abcdefghi.kubeapp.cloud/
+    accessorPath: oidc/
+    address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
+    roleName: mto
     sso:
-      accessorID: auth_oidc_aa6aa9aa
       clientName: vault
 ```
 

diff --git a/content/tutorials/vault/enabling-multi-tenancy-vault.md b/content/tutorials/vault/enabling-multi-tenancy-vault.md
@@ -22,7 +22,7 @@ This requires a running `RHSSO(RedHat Single Sign On)` instance integrated with
 
 MTO integration with Vault and RHSSO provides a way for users to log in to Vault where they only have access to relevant tenant paths.
 
-Once both integrations are set up with [IntegrationConfig CR](../../how-to-guides/integration-config.md), MTO links tenant users to specific client roles named after their tenant under Vault client in RHSSO.
+Once both integrations are set up with [IntegrationConfig CR](../../how-to-guides/integration-config.md#rhsso-red-hat-single-sign-on), MTO links tenant users to specific client roles named after their tenant under Vault client in RHSSO.
 
 After that, MTO creates specific policies in Vault for its tenant users.
 

diff --git a/content/usecases/integrationconfig.md b/content/usecases/integrationconfig.md
@@ -89,14 +89,10 @@ metadata:
 spec:
   vault:
     enabled: true
-    endpoint:
-      secretReference:
-        name: vault-root-token
-        namespace: vault
-      url: >-
-        https://vault.apps.prod.abcdefghi.kubeapp.cloud/
+    accessorPath: oidc/
+    address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
+    roleName: mto
     sso:
-      accessorID: auth_oidc_aa6aa9aa
       clientName: vault
 ```