
D3402.id8767.diff


diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -57,7 +57,21 @@
- viperserv
# -------------------------------------------------------------
-# Vault policies for Salt
+# Vault policies for Salt itself
+#
+# The policy attached to the login method (e.g. approle)
+# used by the Salt primary server to login to Vault.
+#
+# Source is the name of a policy managed by the vault_policies
+#  section. Target is the name of the policy attached.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+vault_salt_primary_policy:
+ source: salt-primary
+ target: salt
+
+# -------------------------------------------------------------
+# Vault full policies to include by role
#
# Declare the extra policies each nodes need.
#
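Review bot: The new header on `vault_salt_primary_policy` says what `source` and `target` are but not what the consumer does with them: per the `roles/vault/policies/init.sls` hunk in this same diff, when `target` differs from `source` the source policy file appears to be registered again under the target name, and when they are equal nothing extra is created and the source policy is attached as-is. Adding a line such as `# When target differs from source, the source policy is copied under the target name (see roles/vault/policies/init.sls).` after the `Target` sentence would make that behaviour visible where the value is set. The two-space indent on the `#  section.` continuation line is also inconsistent with the rest of the comment block.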
diff --git a/roles/vault/policies/files/salt-primary.hcl b/roles/vault/policies/files/salt-primary.hcl
--- a/roles/vault/policies/files/salt-primary.hcl
+++ b/roles/vault/policies/files/salt-primary.hcl
@@ -40,11 +40,11 @@
# :: Manage and renew own token
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-path "auth/token/create/salt-node-*" {
- capabilities = ["update"]
+path "auth/token/create/salt-node" {
+ capabilities = ["create", "update"]
}
-path "auth/token/roles/salt-node-*" {
+path "auth/token/roles/salt-node" {
capabilities = ["read"]
}
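Review bot: The section heading just above the changed paths, `# :: Manage and renew own token`, no longer describes them: `auth/token/create/salt-node` lets the holder mint tokens under the `salt-node` token role for other nodes, and `auth/token/roles/salt-node` lets it read that role; neither is about its own token. A heading such as `# :: Issue node tokens from the salt-node token role (and read that role)` would keep the policy self-documenting. Dropping the `-*` glob is a real narrowing, since the policy now matches exactly one role rather than every role sharing the prefix, but the exact form only works if the role is literally named `salt-node`; if node roles are still created as `salt-node-<name>` this hunk would stop token issuance, so confirm against the role definition, which is not in this diff. The added `create` capability is harmless next to `update`; as far as I know Vault evaluates this endpoint as an update, so `update` alone is what gets checked.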
diff --git a/roles/vault/policies/init.sls b/roles/vault/policies/init.sls
--- a/roles/vault/policies/init.sls
+++ b/roles/vault/policies/init.sls
@@ -36,6 +36,18 @@
{% endfor %}
+{% set salt_policy = pillar["vault_salt_primary_policy"] %}
+{% if salt_policy["target"] != salt_policy["source"] %}
+{% set policy_path = policies_path + "/" + salt_policy["source"] + ".hcl" %}
+
+vault_policy_copy_for_salt:
+ credentials.vault_policy_present:
+ - name: {{ salt_policy["target"] }}
+ - policy_file: {{ policy_path }}
+# - onchanges:
+# - file: {{ policy_path }}
+{% endif %}
+
# -------------------------------------------------------------
# Policies per nodes intended to be used through Salt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
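Review bot: `pillar["vault_salt_primary_policy"]` on the first added line raises at render time when the key is absent, which turns a missing optional pillar value into a failed render for every state in this file; `{% set salt_policy = salt["pillar.get"]("vault_salt_primary_policy", {}) %}` followed by `{% if salt_policy and salt_policy["target"] != salt_policy["source"] %}` keeps the copy optional. The commented-out `onchanges` lines are dead YAML that Jinja still expands (`{{ policy_path }}` is evaluated inside the comment), so either wire them to the state that writes the `.hcl` file or drop them. Whether `credentials.vault_policy_present` re-reads `policy_file` on every run, so that the target policy tracks the source without `onchanges`, depends on the custom state module, which is not in this diff and is worth confirming. `salt_policy["source"]` is also spliced into a filesystem path unchecked; pillar is operator-controlled so the risk is low, but rejecting values containing `/` or `..` would keep the lookup inside `policies_path`. `policies_path` and the enclosing Jinja context are defined outside the hunk.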
