Merge pull request #74 from intelops/cluster-auth-login

add cluster auth login path
intelops · Jan 27, 2024 · da32e97 · da32e97
2 parents 1193387 + 591d3fd
commit da32e97
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/internal/api/types.go b/internal/api/types.go
@@ -1,6 +1,7 @@
 package api
 
 const (
-	vaultPolicyReadPath  = `path "secret/data/%s" {capabilities = ["read"]}`
-	vaultPolicyWritePath = `path "secret/data/%s" {capabilities = ["create","read","update","delete","list"]}`
+	vaultPolicyReadPath        = `path "secret/data/%s" {capabilities = ["read"]}`
+	vaultPolicyWritePath       = `path "secret/data/%s" {capabilities = ["create","read","update","delete","list"]}`
+	vaultPolicyClusterAuthPath = `path "auth/k8s-%s/login" {capabilities = ["create","read","update"]}`
 )
diff --git a/internal/api/vault_k8s_role_api.go b/internal/api/vault_k8s_role_api.go
@@ -51,6 +51,8 @@ func (v *VaultCredServ) CreateK8SAuthRole(ctx context.Context, request *vaultcre
 		}
 		policyData = policyData + "\n" + credPathPolicy
 	}
+	clusterAuthLoginPath := fmt.Sprintf(vaultPolicyClusterAuthPath, request.ClusterName)
+	policyData = policyData + "\n" + clusterAuthLoginPath
 
 	policyName := "policy-" + request.ClusterName + "-" + request.RoleName
 	err = vc.CreateOrUpdatePolicy(policyName, policyData)