This repository has been archived by the owner on Jul 1, 2024. It is now read-only.

Add documentation for namespace for Vault Enterprise (#4041)
Adds documentation for the feature added to address pulumi/esc#142.
Luke Hoban authored Mar 11, 2024
1 parent f82c361 commit c40418d
Showing 2 changed files with 37 additions and 23 deletions.
51 changes: 32 additions & 19 deletions themes/default/content/docs/esc/providers/vault-login.md
Expand Up @@ -15,11 +15,7 @@ aliases:

The `vault-login` provider enables you to log in to HashiCorp Vault using OpenID Connect or by providing static credentials. The provider will return a set of credentials that can be used to fetch secrets using the `vault-secrets` provider.

{{% notes "info" %}}
The `namespaces` functionality of Vault is not currently supported. More specifically, this configuration will only work for the `root` namespace. This means that this configuration will only work with Vault OSS at this time (Vault HCP and Enterprise are not supported).
{{% /notes %}}

## Example
## Examples

```yaml
vault:
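Review bot: the info note is deleted outright rather than replaced, so after this hunk the page says nothing about namespaced Vault outside one table row, and a reader who remembers the old "root namespace only, OSS only" caveat gets no signal that it has been lifted. Suggest keeping a one-line `{{% notes "info" %}}` here stating that namespaced Vault clusters are supported by setting `namespace` in `vault-login`, and that the same namespace has to be carried through to the `vault-secrets` provider.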
Expand All @@ -30,17 +26,31 @@ The `namespaces` functionality of Vault is not currently supported. More specifi
role: example-role
```
```yaml
vault:
login:
fn::open::vault-login:
address: https://sample-cluster-public-vault-12345678.8ca2e2af.z1.hashicorp.cloud:8200
namespace: admin/example
token:
displayName: esc-token
token:
fn::secret: redacted
policies: [kv-read]
```
## Configuring OIDC
To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/vault/) documentation.
## Inputs
| Property | Type | Description |
|-----------|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
| `address` | string | The URL of the Vault server. Must contain a scheme and hostname, but no path. |
| `jwt` | [VaultLoginJWT](#vaultloginjwt) | [Optional] Options for JWT login. JWT login uses an OIDC token issued by the Pulumi Cloud to generate an ephemeral token. |
| `token` | [VaultLoginToken](#vaultlogintoken) | [Optional] Options for token login. Token login creates an ephemeral child token. |
| Property | Type | Description |
|-------------|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
| `address` | string | The URL of the Vault server. Must contain a scheme and hostname, but no path. |
| `namespace` | string | [Optional] The namespace to log in to. Only available for Vault Enterprise. |
| `jwt` | [VaultLoginJWT](#vaultloginjwt) | [Optional] Options for JWT login. JWT login uses an OIDC token issued by the Pulumi Cloud to generate an ephemeral token. |
| `token` | [VaultLoginToken](#vaultlogintoken) | [Optional] Options for token login. Token login creates an ephemeral child token. |

### VaultLoginJWT

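Review bot: the `namespace` row says "Only available for Vault Enterprise", but the new example directly above it logs in to a `hashicorp.cloud` address with `namespace: admin/example`, i.e. HCP Vault, which also uses namespaces (`admin` is its default). Suggest "Only available for Vault Enterprise and HCP Vault" so the table and the example agree. The token example would also read better with a `maxTtl` next to `policies`, so that it demonstrates scoping the ephemeral child token's lifetime down as well as its policies.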
Expand All @@ -52,15 +62,18 @@ To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault,

### VaultLoginToken

| Property | Type | Description |
|---------------|--------|-----------------------------------------------------------------------------|
| `token` | string | The parent token. |
| `displayName` | string | [Optional] - The display name of the ephemeral token. Defaults to 'pulumi'. |
| `maxTtl` | string | [Optional] - The maximum TTL of the ephemeral token. |
| Property | Type | Description |
|---------------|----------|-----------------------------------------------------------------------------|
| `token` | string | The parent token. |
| `displayName` | string | [Optional] - The display name of the ephemeral token. Defaults to 'pulumi'. |
| `maxTtl` | string | [Optional] - The maximum TTL of the ephemeral token. |
| `metadata` | object | [Optional] - Arbitrary metadata to associate with the ephemeral token. |
| `policies` | string[] | [Optional] - List of policies for the token. |

## Outputs

| Property | Type | Description |
|-------------|--------|------------------------------------------------|
| `address` | string | The URL of the vault server. |
| `token` | string | The ephemeral token generated for the session. |
| Property | Type | Description |
|---------------|--------|----------------------------------------------------|
| `address` | string | The URL of the vault server. |
| `namespace` | string | [Optional] - The namespace to use for the session. |
| `token` | string | The ephemeral token generated for the session. |
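Review bot: the `policies` description "List of policies for the token" leaves out the one thing a reader needs to know: when omitted, Vault gives the child token every policy of the parent, and when supplied the list must be a subset of the parent's policies (a non-root parent cannot grant more than it holds). Suggest "List of policies to attach to the ephemeral token. Defaults to the parent token's policies; use it to scope the child token down." The `metadata` row could likewise say that the key/value pairs appear in Vault's audit log entries for the token, which is the main reason to set them.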
9 changes: 5 additions & 4 deletions themes/default/content/docs/esc/providers/vault-secrets.md
Expand Up @@ -78,10 +78,11 @@ Make sure to replace `<your-org>` and `<your-environment>` with the values of yo

### VaultSecretsLogin

| Property | Type | Description |
|-----------|--------|-------------------------------------------------------------------------------|
| `address` | string | The URL of the vault server. Must contain a scheme and hostname, but no path. |
| `token` | string | The token to use for authentication. |
| Property | Type | Description |
|-------------|--------|-------------------------------------------------------------------------------|
| `address` | string | The URL of the vault server. Must contain a scheme and hostname, but no path. |
| `namespace` | string | [Optional] The namespace to use for the session. |
| `token` | string | The token to use for authentication. |

#### VaultSecretsRead

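Review bot: the new `namespace` row should say where the value comes from and what it must match. It is the `namespace` output of `vault-login`, and a Vault token is scoped to the namespace it was issued in, so reads issued against a different namespace are rejected. Suggest "[Optional] The namespace the token was issued in; pass through the `namespace` output of `vault-login`."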
