From c40418d39a441e3b173e2049cdfdeb35ced74fd3 Mon Sep 17 00:00:00 2001 From: Luke Hoban Date: Mon, 11 Mar 2024 15:35:43 -0700 Subject: [PATCH] Add documentation for `namespace` for Vault Enterprise (#4041) Adds documentation for the feature added to address https://github.com/pulumi/esc/issues/142. --- .../content/docs/esc/providers/vault-login.md | 51 ++++++++++++------- .../docs/esc/providers/vault-secrets.md | 9 ++-- 2 files changed, 37 insertions(+), 23 deletions(-) diff --git a/themes/default/content/docs/esc/providers/vault-login.md b/themes/default/content/docs/esc/providers/vault-login.md index ccb467fd006..19eaeebd459 100644 --- a/themes/default/content/docs/esc/providers/vault-login.md +++ b/themes/default/content/docs/esc/providers/vault-login.md @@ -15,11 +15,7 @@ aliases: The `vault-login` provider enables you to log in to HashiCorp Vault using OpenID Connect or by providing static credentials. The provider will return a set of credentials that can be used to fetch secrets using the `vault-secrets` provider. -{{% notes "info" %}} -The `namespaces` functionality of Vault is not currently supported. More specifically, this configuration will only work for the `root` namespace. This means that this configuration will only work with Vault OSS at this time (Vault HCP and Enterprise are not supported). -{{% /notes %}} - -## Example +## Examples ```yaml vault: 
@@ -30,17 +26,31 @@ The `namespaces` functionality of Vault is not currently supported. More specifi role: example-role ``` +```yaml + vault: + login: + fn::open::vault-login: + address: https://sample-cluster-public-vault-12345678.8ca2e2af.z1.hashicorp.cloud:8200 + namespace: admin/example + token: + displayName: esc-token + token: + fn::secret: redacted + policies: [kv-read] +``` + ## Configuring OIDC To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/vault/) documentation. ## Inputs -| Property | Type | Description | -|-----------|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------| -| `address` | string | The URL of the Vault server. Must contain a scheme and hostname, but no path. | -| `jwt` | [VaultLoginJWT](#vaultloginjwt) | [Optional] Options for JWT login. JWT login uses an OIDC token issued by the Pulumi Cloud to generate an ephemeral token. | -| `token` | [VaultLoginToken](#vaultlogintoken) | [Optional] Options for token login. Token login creates an ephemeral child token. | +| Property | Type | Description | +|-------------|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------| +| `address` | string | The URL of the Vault server. Must contain a scheme and hostname, but no path. | +| `namespace` | string | [Optional] The namespace to log in to. Only available for Vault Enterprise. | +| `jwt` | [VaultLoginJWT](#vaultloginjwt) | [Optional] Options for JWT login. JWT login uses an OIDC token issued by the Pulumi Cloud to generate an ephemeral token. | +| `token` | [VaultLoginToken](#vaultlogintoken) | [Optional] Options for token login. Token login creates an ephemeral child token. | ### VaultLoginJWT 
@@ -52,15 +62,18 @@ To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, ### VaultLoginToken -| Property | Type | Description | -|---------------|--------|-----------------------------------------------------------------------------| -| `token` | string | The parent token. | -| `displayName` | string | [Optional] - The display name of the ephemeral token. Defaults to 'pulumi'. | -| `maxTtl` | string | [Optional] - The maximum TTL of the ephemeral token. | +| Property | Type | Description | +|---------------|----------|-----------------------------------------------------------------------------| +| `token` | string | The parent token. | +| `displayName` | string | [Optional] - The display name of the ephemeral token. Defaults to 'pulumi'. | +| `maxTtl` | string | [Optional] - The maximum TTL of the ephemeral token. | +| `metadata` | object | [Optional] - Arbitrary metadata to associate with the ephemeral token. | +| `policies` | string[] | [Optional] - List of policies for the token. | ## Outputs -| Property | Type | Description | -|-------------|--------|------------------------------------------------| -| `address` | string | The URL of the vault server. | -| `token` | string | The ephemeral token generated for the session. | +| Property | Type | Description | +|---------------|--------|----------------------------------------------------| +| `address` | string | The URL of the vault server. | +| `namespace` | string | [Optional] - The namespace to use for the session. | +| `token` | string | The ephemeral token generated for the session. | diff --git a/themes/default/content/docs/esc/providers/vault-secrets.md b/themes/default/content/docs/esc/providers/vault-secrets.md index 97fb3e59d5e..603d0d736bb 100644 --- a/themes/default/content/docs/esc/providers/vault-secrets.md +++ b/themes/default/content/docs/esc/providers/vault-secrets.md 
@@ -78,10 +78,11 @@ Make sure to replace `` and `` with the values of yo ### VaultSecretsLogin -| Property | Type | Description | -|-----------|--------|-------------------------------------------------------------------------------| -| `address` | string | The URL of the vault server. Must contain a scheme and hostname, but no path. | -| `token` | string | The token to use for authentication. | +| Property | Type | Description | +|-------------|--------|-------------------------------------------------------------------------------| +| `address` | string | The URL of the vault server. Must contain a scheme and hostname, but no path. | +| `namespace` | string | [Optional] The namespace to use for the session. | +| `token` | string | The token to use for authentication. | #### VaultSecretsRead
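Review bot: In the vault-login.md `@@ -30,17 +26,31 @@` hunk, the new `namespace` row says "Only available for Vault Enterprise", but the example added in the same hunk logs in to an HCP Vault cluster (`https://sample-cluster-public-vault-12345678.8ca2e2af.z1.hashicorp.cloud:8200`) with `namespace: admin/example`; the removed note also listed HCP separately. Suggest "Only available for Vault Enterprise and HCP Vault" so the row matches the example it sits under. The second YAML example is also appended with no sentence saying what it demonstrates; a one-line lead-in such as "Token login to a namespace on Vault Enterprise or HCP Vault, with the ephemeral token restricted to the `kv-read` policy" would tell the reader why it differs from the first.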
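Review bot: In the vault-login.md `@@ -52,15 +62,18 @@` hunk, the `policies` row ("List of policies for the token") leaves out the two facts a reader needs to use it safely: when omitted, the ephemeral child token inherits the parent token's policies, and when given, the list must be a subset of the parent's policies (Vault rejects a child-token create request that asks for more). Stating both makes clear that `policies` is the least-privilege knob the `[kv-read]` example relies on. Two smaller points in the same hunk: `[Optional]` on the Outputs `namespace` row reads like an input qualifier; "Set when a namespace was configured for the login" says what actually happens. And the new rows use "[Optional] - The ..." while the `namespace` input row above uses "[Optional] The ..."; pick one form.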
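Review bot: In the vault-secrets.md `@@ -78,10 +78,11 @@` hunk, the `namespace` description ("The namespace to use for the session") does not say how it relates to the token: a Vault token is scoped to the namespace it was issued in, so when `VaultSecretsLogin` is fed from the `vault-login` provider both the `token` and the `namespace` outputs should be passed through together, and a mismatch fails authentication. Suggest adding that sentence here and using the same Enterprise/HCP wording as the vault-login.md inputs table so the two provider pages do not describe the same property differently.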