Add in vault access through istio

charts/cray-vault/Chart.yaml

@@ -23,7 +23,7 @@
 #
 apiVersion: v2
 name: cray-vault
-version: 1.6.1
+version: 1.6.2
 description: Cray Vault for secure secret stores
 keywords:
   - cray-vault

charts/cray-vault/templates/ingress.yaml

@@ -0,0 +1,46 @@
+{{/*
+MIT License
+
+(C) Copyright 2024 Hewlett Packard Enterprise Development LP
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the "Software"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+*/}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: "cray-vault"
+spec:
+  hosts:
+    - "*"
+  {{- with .Values.ingress.gateways }}
+  gateways:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  http:
+    - match:
+      - uri:
+          prefix: /apis/vault
+      rewrite:
+        uri: ' '
+      route:
+      - destination:
+          host: cray-vault
+          port:
+            number: 8200

charts/cray-vault/templates/vault.yaml

@@ -144,6 +144,11 @@ spec:
         rules: path "transit/*" {
           capabilities = ["create", "read", "update", "delete", "list"]
           }
+      # Enable broad access to the sops transist engine
+      - name: allow_sops
+        rules: path "sops/*" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+          }
       # This policy is used by the Tenant and Partition Management System (TAPMS)
       # K8s operator to work with tenant transit engine and transit engine keys.
       # The minimum policy requirements at this time are:
@@ -271,7 +276,7 @@ spec:
           {{- end }}
           {{- end }}
           {{- range .Values.allowedAuthNamespaces }}
-          # authN role that (by policy) allows broad access to secrets and transit engine
+          # authN role that (by policy) allows broad access to secrets, transit engine, and sops transit engine
           - name: {{ .namespace | quote }}
             bound_service_account_names:
               - {{ .serviceaccount | quote }}
@@ -280,6 +285,7 @@ spec:
             policies:
               - allow_secrets
               - allow_transit
+              - allow_sops
             ttl: {{ .ttl }}
           {{- end }}
       {{- if .Values.jwt.enabled }}
@@ -316,6 +322,9 @@ spec:
       - path: transit
         type: transit
         description: Transit Engine
+      - path: sops
+        type: transit
+        description: Sops Transit Engine
       {{- if .Values.pki.customCA.enabled }}
       # This configures PKI instances within vault
       - path: pki_common

charts/cray-vault/values.yaml

@@ -34,6 +34,12 @@ kubectl:
     tag: 1.19.15
     pullPolicy: IfNotPresent
 
+# Ingress gateways to allow vault access over
+ingress:
+  gateways:
+    - "services/services-gateway"
+    - "services/customer-admin-gateway"
+
 serviceAccountName: "vault"
 
 allowedAuthNamespaces: