vault-secrets-operator

Add new VaultAuthGlobal type

Open • benashz opened this issue 1 year ago • 1 comment

This resource holds Vault auth configuration that can be shared across VaultAuth resources. A VaultAuth instance only needs to provide the authentication method and a valid vaultAuthGlobalRef. VSO will automatically merge the VaultAuthGlobal with the referring VaultAuth. This allows a VaultAuth instance to inherit some global authentication configuration.

The VaultAuthGlobal resource can be configured with one or more Vault auth method-specific configurations.

Given the following VaultAuthGlobal:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuthGlobal
metadata:
  name: default
  namespace: tenant-ns
spec:
  defaultAuthMethod: kubernetes
  kubernetes:
    audiences:
    - vault
    namespace: vault-tenant-ns
    mount: demo-auth-mount
    role: auth-role
    serviceAccount: default
    tokenExpirationSeconds: 600

The referring VaultAuth would look like:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: default
  namespace: tenant-ns
spec:
  vaultAuthGlobalRef: default

If you wanted to override kubernetes.role, the VaultAuth would look like:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: default
  namespace: tenant-ns
spec:
  vaultAuthGlobalRef: default
  kubernetes:
    role: other-auth-role

The referring VaultAuth's configuration always overrides its VaultAuthGlobal's configuration.

benashz • May 09 '24 20:05
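Added example (not the operator's own code; the spec types are hypothetical, simplified stand-ins for the VSO CRDs): a Go merge routine implementing the precedence described in the issue, where the VaultAuth inherits the referenced VaultAuthGlobal and any field it sets wins, as in the kubernetes.role override above.

```go
package main

import "fmt"

// Hypothetical, simplified specs standing in for the VSO CRD types (added
// example, not the operator's own code); field names mirror the issue's YAML.
type KubernetesAuth struct{ Namespace, Mount, Role, ServiceAccount string }
type VaultAuthGlobalSpec struct {
	DefaultAuthMethod string
	Kubernetes        *KubernetesAuth
}
type VaultAuthSpec struct {
	VaultAuthGlobalRef, Method string // empty Method: use the global's default
	Kubernetes                 *KubernetesAuth
}

// Merge computes the effective config: start from the referenced
// VaultAuthGlobal, then let every field the VaultAuth sets override it.
func Merge(global VaultAuthGlobalSpec, auth VaultAuthSpec) (VaultAuthSpec, error) {
	out := auth
	if out.Method == "" {
		out.Method = global.DefaultAuthMethod
	}
	if out.Method != "kubernetes" || (global.Kubernetes == nil && auth.Kubernetes == nil) {
		return VaultAuthSpec{}, fmt.Errorf("no usable %q config via VaultAuthGlobal %q", out.Method, auth.VaultAuthGlobalRef)
	}
	var merged KubernetesAuth
	if global.Kubernetes != nil {
		merged = *global.Kubernetes // copy: the global object is never mutated
	}
	if k := auth.Kubernetes; k != nil {
		// Each pair is (inherited field, VaultAuth field); a non-empty VaultAuth value wins.
		for _, f := range [][2]*string{{&merged.Namespace, &k.Namespace}, {&merged.Mount, &k.Mount},
			{&merged.Role, &k.Role}, {&merged.ServiceAccount, &k.ServiceAccount}} {
			if *f[1] != "" {
				*f[0] = *f[1]
			}
		}
	}
	out.Kubernetes = &merged
	return out, nil
}

func main() {
	global := VaultAuthGlobalSpec{DefaultAuthMethod: "kubernetes", Kubernetes: &KubernetesAuth{
		Namespace: "vault-tenant-ns", Mount: "demo-auth-mount", Role: "auth-role", ServiceAccount: "default"}}
	auth := VaultAuthSpec{VaultAuthGlobalRef: "default", Kubernetes: &KubernetesAuth{Role: "other-auth-role"}}
	eff, err := Merge(global, auth)
	fmt.Println(eff.Kubernetes.Role, eff.Kubernetes.Mount, err)
}
```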

Relates to #341

benashz • May 13 '24 19:05