mongodb/vault/policies/mongodb-mongod.hcl


[[- $c := merge .mongo . ]]
# The variable c holds the mongo-scoped values merged with the top-level values.
# NOTE(review): which side wins on a key clash depends on the merge helper - confirm.
# Read secrets from the KV store
# The rule names one exact path (no trailing glob) and grants "read" only, so
# nothing is listable or writable through it. The "data/" segment suggests a
# KV version 2 mount - confirm.
# NOTE(review): the root prefix is joined to "kv/" with no separator, so it
# presumably has to be empty or end in "/"; otherwise the rendered path points
# at a different mount than intended. Values are interpolated verbatim, so a
# root or instance value containing "*" or "+" would turn this exact match into
# a wildcard - validate them before rendering.
path "[[ $c.vault.root ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read"]
}
# Issue cert for mongod
# "update" on an issue endpoint lets the token request a certificate from the
# "mongod" PKI role. This rule sets no allowed or denied parameters, so limits
# on requested names and lifetime have to come from the role definition.
# NOTE(review): the role is not visible here - confirm it restricts the
# common names / SANs and the maximum TTL to what mongod actually needs.
path "[[ $c.vault.pki.path ]]/issue/mongod" {
capabilities = ["update"]
}
[[- if conv.ToBool $c.prometheus.enabled ]]
# Issue client cert for the exporter
# Rendered only when the prometheus.enabled value converts to true.
# NOTE(review): this grant lands in the same policy as the mongod one, so any
# token carrying the policy can request certificates from both roles. If the
# exporter runs as a separate workload, a dedicated policy would keep the
# monitoring identity apart from the server identity - confirm the deployment.
path "[[ $c.vault.pki.path ]]/issue/mongo-monitor" {
capabilities = ["update"]
}
[[- end ]]