The Policy CRD allows a user to create a Vault Policy; here is an example:
apiVersion: redhatcop.redhat.io/v1alpha1
kind: Policy
metadata:
  name: database-creds-reader
spec:
  authentication:
    path: kubernetes
    role: policy-admin
  policy: |
    # Configure read secrets
    path "/{{identity.entity.aliases.auth_kubernetes_804f1655.metadata.service_account_namespace}}/database/creds/+" {
      capabilities = ["read"]
    }
  type: acl
Notice that in this policy the path is parameterized on the namespace of the connecting service account, so each service account can only read database credentials under its own namespace's path.
This creates a policy in Vault at the path /sys/policies/acl/<name>.
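To see what the parameterized path above actually grants, the following added example (not part of the operator's code) renders the policy template for a given service account and evaluates request paths against it with a simplified model of Vault's ACL matching. It assumes that auth_kubernetes_804f1655 is the accessor of the Kubernetes auth mount, that only the identity.entity.aliases.<accessor>.metadata.<key> template form is used, and that a single matching rule decides the outcome (real Vault applies most-specific-match and deny precedence rules this model leaves out); the entity data and the k8s_entity helper are constructed for the example.

```python
import re

# The policy from the Policy CRD above as a template; auth_kubernetes_804f1655 is assumed to be the Kubernetes auth mount accessor.
POLICY_TEMPLATE = '''# Configure read secrets
path "/{{identity.entity.aliases.auth_kubernetes_804f1655.metadata.service_account_namespace}}/database/creds/+" {
  capabilities = ["read"]
}
'''
TEMPLATE_RE = re.compile(r"\{\{\s*(identity\.[^}\s]+)\s*\}\}")

def k8s_entity(namespace, sa_name, accessor="auth_kubernetes_804f1655"):
    """Constructed stand-in for the identity data Vault exposes to policy templates after a Kubernetes login."""
    return {"aliases": {accessor: {"metadata": {"service_account_namespace": namespace, "service_account_name": sa_name}}}}

def render_policy(template, entity):
    """Resolve {{identity...}} placeholders against the entity, as Vault does when it evaluates the policy."""
    def lookup(match):
        # Only identity.entity.aliases.<accessor>.metadata.<key> is modelled, the form the Policy above uses.
        _, _, _, accessor, _, key = match.group(1).split(".")
        return entity["aliases"][accessor]["metadata"][key]
    return TEMPLATE_RE.sub(lookup, template)

def parse_rules(policy_text):
    """Minimal extraction of (path, capabilities) pairs from HCL-style policy text; not a full HCL parser."""
    rules = []
    for block in re.finditer(r'path\s+"([^"]+)"\s*\{([^}]*)\}', policy_text):
        caps = re.search(r"capabilities\s*=\s*\[([^\]]*)\]", block.group(2))
        rules.append((block.group(1), re.findall(r'"([^"]+)"', caps.group(1)) if caps else []))
    return rules

def path_matches(pattern, request_path):
    """Simplified Vault ACL matching: '+' matches exactly one segment, a trailing '*' matches any suffix, else exact."""
    pattern, request_path = pattern.lstrip("/"), request_path.lstrip("/")
    glob = pattern.endswith("*")
    pat_segs = (pattern[:-1] if glob else pattern).split("/")
    req_segs = request_path.split("/")
    if len(req_segs) < len(pat_segs):
        return False
    for i, seg in enumerate(pat_segs):
        if glob and i == len(pat_segs) - 1:
            return "/".join(req_segs[i:]).startswith(seg)  # the remainder only needs this prefix
        if seg != "+" and seg != req_segs[i]:
            return False
    return len(req_segs) == len(pat_segs)

def allowed(template, entity, request_path, capability):
    """True if the rendered policy grants `capability` on `request_path` (single-rule model, no deny precedence)."""
    for pattern, caps in parse_rules(render_policy(template, entity)):
        if path_matches(pattern, request_path):
            return "deny" not in caps and capability in caps
    return False
```

Because `+` matches exactly one segment, a request one level deeper (for example an extra path component after the role name) is refused, which is the least-privilege behaviour the policy intends.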
The PasswordPolicy CRD allows a user to create a Vault Password Policy; here is an example:
apiVersion: redhatcop.redhat.io/v1alpha1
kind: PasswordPolicy
metadata:
  name: simple-password-policy
spec:
  authentication:
    path: kubernetes
    role: policy-admin
  passwordPolicy: |
    length = 20
    rule "charset" {
      charset = "abcdefghijklmnopqrstuvwxyz"
    }