diff --git a/content/how-to-guides/integration-config.md b/content/how-to-guides/integration-config.md
index 661c80d3d..0105b3bdd 100644
--- a/content/how-to-guides/integration-config.md
+++ b/content/how-to-guides/integration-config.md
@@ -87,14 +87,11 @@ spec:
 namespace: openshift-auth
 vault:
 enabled: true
- endpoint:
- url: https://vault.apps.prod.abcdefghi.kubeapp.cloud/
- secretReference:
- name: vault-root-token
- namespace: vault
+ accessorPath: oidc
+ address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
+ roleName: mto
 sso:
 clientName: vault
- accessorID:
 ```
 Following are the different components that can be used to configure multi-tenancy in a cluster via Multi Tenant Operator.
@@ -346,23 +343,54 @@ If enabled, then admins have to provide secret and URL of RHSSO.
 If `vault` is configured on a cluster, then Vault configuration can be enabled.
 ```yaml
-Vault:
+vault:
 enabled: true
- endpoint:
- secretReference:
- name: vault-root-token
- namespace: vault
- url: >-
- https://vault.apps.prod.abcdefghi.kubeapp.cloud/
+ accessorPath: oidc
+ address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
+ roleName: mto
 sso:
- accessorID:
 clientName: vault
 ```
-If enabled, then admins have to provide secret, URL and SSO accessorID of Vault.
+If enabled, then admins have to provide following details:
-- `secretReference.name:` Will contain the name of the secret.
-- `secretReference.namespace:` Will contain the namespace of the secret.
-- `url:` Will contain the URL of Vault.
-- `sso.accessorID:` Will contain the SSO accessorID.
-- `sso.clientName:` Will contain the client name.
+- `accessorPath:` Accessor Path within Vault to fetch SSO accessorID
+- `address:` Valid Vault address reachable within cluster.
+- `roleName:` Vault's Kubernetes authentication role
+- `sso.clientName:` SSO client name.
+
+For more details around enabling Kubernetes auth in Vault, visit [here](https://developer.hashicorp.com/vault/docs/auth/kubernetes)
+
+The role created within Vault for Kubernetes authentication should have the following permissions:
+
+```yaml
+path "secret/*" {
+capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "sys/mounts" {
+capabilities = ["read", "list"]
+}
+path "sys/mounts/*" {
+capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "managed-addons/*" {
+capabilities = ["read", "list"]
+}
+path "auth/kubernetes/role/*" {
+capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "sys/auth" {
+capabilities = ["read", "list"]
+}
+path "sys/policies/*" {
+capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "identity/group" {
+capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "identity/group-alias" {
+capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+path "identity/group/name/*" {
+capabilities = ["read", "list"]
+```
diff --git a/content/reference-guides/integrationconfig.md b/content/reference-guides/integrationconfig.md
index fe34081e7..f78fc4f76 100644
--- a/content/reference-guides/integrationconfig.md
+++ b/content/reference-guides/integrationconfig.md
@@ -89,14 +89,10 @@ metadata:
 spec:
 vault:
 enabled: true
- endpoint:
- secretReference:
- name: vault-root-token
- namespace: vault
- url: >-
- https://vault.apps.prod.abcdefghi.kubeapp.cloud/
+ accessorPath: oidc
+ address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
+ roleName: mto
 sso:
- accessorID: auth_oidc_aa6aa9aa
 clientName: vault
 ```
diff --git a/content/usecases/integrationconfig.md b/content/usecases/integrationconfig.md
index 1429e756d..e4cba7ff2 100644
--- a/content/usecases/integrationconfig.md
+++ b/content/usecases/integrationconfig.md
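Review bot: The Vault policy added at the end of this hunk is syntactically incomplete — the final `path "identity/group/name/*" {` stanza has no closing `}` before the code fence, so pasting it into `vault policy write` fails to parse; add `}` after `capabilities = ["read", "list"]`. The fence is also tagged ```yaml although the body is HCL policy syntax, so ```hcl would be the accurate tag. More importantly for readers who will copy this verbatim, the policy is close to root-equivalent: `create`/`update`/`delete` on `sys/policies/*` and `auth/kubernetes/role/*` lets the operator's token rewrite its own policy or mint new auth roles, and `secret/*` with full CRUD covers every secret under that mount. I would add a caveat right after "should have the following permissions:", e.g. `Note: these capabilities allow the operator to manage Vault policies, Kubernetes auth roles and everything under secret/*; bind the Kubernetes auth role only to the operator's service account and namespace, and narrow the paths if your Vault layout permits.`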
@@ -89,14 +89,10 @@ metadata:
 spec:
 vault:
 enabled: true
- endpoint:
- secretReference:
- name: vault-root-token
- namespace: vault
- url: >-
- https://vault.apps.prod.abcdefghi.kubeapp.cloud/
+ accessorPath: oidc
+ address: 'https://vault.apps.prod.abcdefghi.kubeapp.cloud/'
+ roleName: mto
 sso:
- accessorID: auth_oidc_aa6aa9aa
 clientName: vault
 ```
diff --git a/vocabulary b/vocabulary
index 21df5efaa..fb50d0a35 160000
--- a/vocabulary
+++ b/vocabulary
@@ -1 +1 @@
-Subproject commit 21df5efaa8307d20c68b373d91f2204d2831f4e3
+Subproject commit fb50d0a3539a2ade005bd561249561f72e324cec