nodevault · aviadhahami · Feb 29, 2024 · Feb 8, 2024
diff --git a/README.md b/README.md
@@ -64,6 +64,16 @@ vault.write('secret/hello', { value: 'world', lease: '1s' })
 .then( () => vault.delete('secret/hello'))
 .catch(console.error);
 ```
+### Kubernetes Auth Example
+```javascript
+
+//if vault kubernets endpoint is /auth/example-cluster/login and role is example-role
+//read token from default token mount path
+const token = await fs.readFileSync('/var/run/secrets/kubernetes.io/serviceaccount/token', { encoding: 'utf8' });
+vault.kubernetesLogin({role: 'example-role' ,
+            jwt: token,
+            kubernetesPath: 'example-cluster'})
+```
 
 ## Docs
 Just generate [docco] docs via `npm run docs`.

diff --git a/example/auth_kubernetes.js b/example/auth_kubernetes.js
@@ -9,17 +9,18 @@
 
 const appName = process.env.APP_NAME || 'some-app';
 const appServiceAccountSecretToken = process.env.APP_SVC_ACCT_SECRET_TOKEN || 'app-k8s-token';
+const kubernetesPath = process.env.APP_SVC_ACCT_SECRET_TOKEN || 'kubernetes';
 
 vault.auths()
     .then((result) => {
        if (result.hasOwnProperty('kubernetes/')) return undefined;
        return vault.enableAuth({
            mount_point: 'kubernetes',
            type: 'kubernetes',
             description: 'Kubernetes auth',
         });
     })
-    .then(() => vault.write('auth/kubernetes/config', {
+    .then(() => vault.write('auth/${kubernetesPath}/config', {
         token_reviewer_jwt: vaultServicAccountSecretToken,
         kubernetes_host: kubernetesHostUrl,
         kubernetes_ca_cert: kubernetesCaCert,
@@ -28,12 +29,12 @@
         name: appName,
         rules: `path "secret/${appName}/*" { capabilities = ["read"] }`,
     }))
-    .then(() => vault.write(`auth/kubernetes/role/${appName}`, {
+    .then(() => vault.write(`auth/${kubernetesPath}/role/${appName}`, {
         bound_service_account_names: appName,
         bound_service_account_namespaces: 'default',
         policies: appName,
         ttl: '1h',
     }))
-    .then(() => vault.kubernetesLogin({ role: appName, jwt: appServiceAccountSecretToken }))
+    .then(() => vault.kubernetesLogin({ role: appName, jwt: appServiceAccountSecretToken, kubernetesPath: kubernetesPath  }))
     .then(console.log)
     .catch((err) => console.error(err.message));
diff --git a/src/commands.js b/src/commands.js
@@ -205,7 +205,7 @@ module.exports = {
     },
     addKubernetesRole: {
         method: 'POST',
-        path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/role/{{ role_name }}',
+        path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/role/{{ role_name }}',
         schema: {
             req: {
                 name: {
@@ -240,14 +240,14 @@ module.exports = {
     },
     getKubernetesRole: {
         method: 'GET',
-        path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/role/{{ role_name }}',
+        path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/role/{{ role_name }}',
         schema: {
             res: kubernetesRoleResponse,
         },
     },
     deleteKubernetesRole: {
         method: 'DELETE',
-        path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/role/{{ role_name }}',
+        path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/role/{{ role_name }}',
     },
     addApproleRole: {
         method: 'POST',
@@ -611,7 +611,7 @@ module.exports = {
     },
     kubernetesLogin: {
         method: 'POST',
-        path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/login',
+        path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/login',
         tokenSource: true,
         schema: {
             req: {
@@ -742,7 +742,7 @@ module.exports = {
             },
             res: tokenResponse,
         },
-    },  
+    },
     tokenAccessors: {
         method: 'LIST',
         path: '/auth/token/accessors',

diff --git a/src/index.js b/src/index.js
@@ -75,6 +75,7 @@ module.exports = (config = {}) => {
     client.token = config.token || process.env.VAULT_TOKEN;
     client.noCustomHTTPVerbs = config.noCustomHTTPVerbs || false;
     client.namespace = config.namespace || process.env.VAULT_NAMESPACE;
+    client.kubernetesPath = config.kubernetesPath || 'kubernetes';
 
     const requestSchema = {
         type: 'object',