From db6d37643454fc553d1dc3077db79bbf3ae4b84c Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Wed, 18 Nov 2020 16:53:39 +0100
Subject: [PATCH] deploy: add sys/mounts to Vault policy

Add "sys/mounts" so that VaultBackendKey does not need to be set. The libopenstorage API detects the version for the key-value store in Vault by reading "sys/mounts". Without permissions to read this endpoint, the VaultBackendKey is required to be configured.

Signed-off-by: Niels de Vos
---
 examples/kms/vault/vault.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/examples/kms/vault/vault.yaml b/examples/kms/vault/vault.yaml
index f58dd818a..1da9e4123 100644
--- a/examples/kms/vault/vault.yaml
+++ b/examples/kms/vault/vault.yaml
@@ -88,6 +88,10 @@ items:
 path "secret/metadata/ceph-csi/*" {
 capabilities = ["read", "delete", "list"]
 }
+
+ path "sys/mounts" {
+ capabilities = ["read"]
+ }
 EOS

 # create a role
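Review bot: The added `path "sys/mounts"` stanza lets the ceph-csi token read the list of every secrets engine mounted on the Vault server (mount paths, types and options), which is broader than the `secret/metadata/ceph-csi/*` path scoped just above it. Per the commit message the grant is only needed so the KV version can be auto-detected, so deployments that set VaultBackendKey can leave it out. Because this is an example that gets copied into real deployments, I would state that in the policy itself, e.g. `# optional: allows KV version auto-detection; omit this stanza and set VaultBackendKey to keep the mount list private` directly above the stanza. The heredoc holding the policy starts outside the hunk, so I am assuming `#` comments are accepted there as in any HCL policy.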