Updated vault's k8s auth support for mto #81

Merged
merged 3 commits into from
Dec 8, 2023
70 changes: 51 additions & 19 deletions content/how-to-guides/integration-config.md
@@ -87,14 +87,11 @@ spec:
namespace: openshift-auth
vault:
enabled: true
endpoint:
url: https://vault.apps.prod.abcdefghi.kubeapp.cloud/
secretReference:
name: vault-root-token
namespace: vault
accessorPath: oidc/
address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
roleName: mto
sso:
clientName: vault
accessorID: <ACCESSOR_ID_TOKEN>
```

Following are the different components that can be used to configure multi-tenancy in a cluster via Multi Tenant Operator.
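Review bot: the YAML in this hunk still carries `sso.accessorID: <ACCESSOR_ID_TOKEN>` next to the new `accessorPath: oidc/`, and the sample does not say whether both are required or whether `accessorPath` now replaces the manually supplied accessor ID; either drop the field from the sample or add a short comment stating which one MTO reads. The removal of `secretReference` pointing at `vault-root-token` also deserves a sentence in the surrounding text: admins upgrading from a configuration that stored the root token in a cluster Secret need to know the field is no longer honoured, and that the root token should be revoked once the Kubernetes auth role works.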
@@ -348,21 +345,56 @@ If `vault` is configured on a cluster, then Vault configuration can be enabled.
```yaml
Vault:
enabled: true
endpoint:
secretReference:
name: vault-root-token
namespace: vault
url: >-
https://vault.apps.prod.abcdefghi.kubeapp.cloud/
accessorPath: oidc/
address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
roleName: mto
sso:
accessorID: <ACCESSOR_ID_TOKEN>
clientName: vault
```

If enabled, then admins have to provide secret, URL and SSO accessorID of Vault.
If enabled, then admins have to provide following details:

- `secretReference.name:` Will contain the name of the secret.
- `secretReference.namespace:` Will contain the namespace of the secret.
- `url:` Will contain the URL of Vault.
- `sso.accessorID:` Will contain the SSO accessorID.
- `sso.clientName:` Will contain the client name.
- `accessorPath:` Accessor Path within Vault to fetch SSO accessorID
- `address:` Valid Vault address reachable within cluster.
- `roleName:` Vault's Kubernetes authentication role
- `sso.clientName:` SSO client name.

For more details around enabling Kubernetes auth in Vault, visit [here](https://developer.hashicorp.com/vault/docs/auth/kubernetes)

The role created within Vault for Kubernetes authentication should have the following permissions:

```yaml
path "secret/*" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "sys/mounts" {
capabilities = ["read", "list"]
}
path "sys/mounts/*" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "managed-addons/*" {
capabilities = ["read", "list"]
}
path "auth/kubernetes/role/*" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "sys/auth" {
capabilities = ["read", "list"]
}
path "sys/policies/*" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "identity/group" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "identity/group-alias" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "identity/group/name/*" {
capabilities = ["read", "list"]
}
path "identity/group/id/*" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
```
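Review bot: the field list added from `accessorPath:` through `sso.clientName:` omits `sso.accessorID`, yet the YAML directly above still sets it, so the page contradicts its own sample; list it (and say how it relates to `accessorPath`) or remove it from the sample. Two smaller points: the Vault policy block is fenced as ```yaml but is HCL, so tag it `hcl` for correct highlighting; and the policy grants full create/update/delete on `auth/kubernetes/role/*`, `sys/policies/*`, `sys/mounts/*` and `identity/group/id/*`, which is close to Vault administration for whoever holds the `mto` role's token, so a one-line rationale per path (and narrowing `sys/policies/*` to `sys/policies/acl/*` if that is all MTO writes) would let operators judge the blast radius before binding the role.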
10 changes: 3 additions & 7 deletions content/reference-guides/integrationconfig.md
@@ -89,14 +89,10 @@ metadata:
spec:
vault:
enabled: true
endpoint:
secretReference:
name: vault-root-token
namespace: vault
url: >-
https://vault.apps.prod.abcdefghi.kubeapp.cloud/
accessorPath: oidc/
address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
roleName: mto
sso:
accessorID: auth_oidc_aa6aa9aa
clientName: vault
```

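Review bot: `accessorID: auth_oidc_aa6aa9aa` reads like a real auth-mount accessor copied from an environment rather than a placeholder; the how-to guide in this same PR uses `<ACCESSOR_ID_TOKEN>`, so use the same placeholder here so readers do not paste a value that will never match their own `oidc/` mount. The rest of the hunk (dropping `endpoint`/`secretReference`/`url` for `accessorPath`, `address` and `roleName`) matches the how-to guide, which is good.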
2 changes: 1 addition & 1 deletion content/tutorials/vault/enabling-multi-tenancy-vault.md
@@ -22,7 +22,7 @@ This requires a running `RHSSO(RedHat Single Sign On)` instance integrated with

MTO integration with Vault and RHSSO provides a way for users to log in to Vault where they only have access to relevant tenant paths.

Once both integrations are set up with [IntegrationConfig CR](../../how-to-guides/integration-config.md), MTO links tenant users to specific client roles named after their tenant under Vault client in RHSSO.
Once both integrations are set up with [IntegrationConfig CR](../../how-to-guides/integration-config.md#rhsso-red-hat-single-sign-on), MTO links tenant users to specific client roles named after their tenant under Vault client in RHSSO.

After that, MTO creates specific policies in Vault for its tenant users.

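Review bot: the new fragment `#rhsso-red-hat-single-sign-on` has to match the slug the site generator produces for the heading in integration-config.md, and that heading is not part of this diff, so please confirm the anchor resolves in the built docs. Since the sentence says "both integrations", consider linking the Vault section of the same page as well rather than only the RHSSO one.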
10 changes: 3 additions & 7 deletions content/usecases/integrationconfig.md
@@ -89,14 +89,10 @@ metadata:
spec:
vault:
enabled: true
endpoint:
secretReference:
name: vault-root-token
namespace: vault
url: >-
https://vault.apps.prod.abcdefghi.kubeapp.cloud/
accessorPath: oidc/
address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
roleName: mto
sso:
accessorID: auth_oidc_aa6aa9aa
clientName: vault
```

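Review bot: this hunk is the same change at the same line range (`@@ -89,14 +89,10 @@`) as content/reference-guides/integrationconfig.md, so the use-case page and the reference guide are being maintained as duplicates; if one is meant to mirror the other, an include or a link would let future field changes land once. The same placeholder point applies here: replace `auth_oidc_aa6aa9aa` with the `<ACCESSOR_ID_TOKEN>` placeholder used in the how-to guide.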