auth/kubernetes: support for dynamically reloading short-lived tokens #13595
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Uplift new version of Kubernetes auth plugin that does not store the service account token persistently to Vault storage. * Update the documentation to recommend local token again when running Vault inside cluster. Signed-off-by: Tero Saarni <tero.saarni@est.tech>
tsaarni
commented
Jan 7, 2022
| @@ -96,7 +96,7 @@ require ( | |||
| github.com/hashicorp/vault-plugin-auth-gcp v0.11.3 | |||
| github.com/hashicorp/vault-plugin-auth-jwt v0.11.4 | |||
| github.com/hashicorp/vault-plugin-auth-kerberos v0.5.0 | |||
| github.com/hashicorp/vault-plugin-auth-kubernetes v0.11.3 | |||
| github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20220107030939-d289258274b7 | |||
There was a problem hiding this comment.
@tvoran Would it be possible to tag a new release of vault-plugin-auth-kubernetes so that we can rever to proper version number?
There was a problem hiding this comment.
We'll be tagging a new release of vault-plugin-auth-kubernetes later in Vault's release cycle, so this pseudo version is good for now.
|
@tomhjp, @tvoran I've sent this PR to uplift hashicorp/vault-plugin-auth-kubernetes#122 into Vault. I added proposal for documentation changes, though I feel they are maybe bit unnecessarily complicated for in-cluster deployment. User should not need to be aware about short-lived tokens anymore as reloading is transparent - though I guess the information is necessary since user can be running older version of Vault. (for running Vault outside-cluster, I'm not sure if copying service account tokens from cluster has ever been that good idea - I think client cert support might have been better) |
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
tvoran
reviewed
Jan 7, 2022
| @@ -96,7 +96,7 @@ require ( | |||
| github.com/hashicorp/vault-plugin-auth-gcp v0.11.3 | |||
| github.com/hashicorp/vault-plugin-auth-jwt v0.11.4 | |||
| github.com/hashicorp/vault-plugin-auth-kerberos v0.5.0 | |||
| github.com/hashicorp/vault-plugin-auth-kubernetes v0.11.3 | |||
| github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20220107030939-d289258274b7 | |||
There was a problem hiding this comment.
We'll be tagging a new release of vault-plugin-auth-kubernetes later in Vault's release cycle, so this pseudo version is good for now.
changelog/13595.txt
Outdated
| @@ -0,0 +1,2 @@ | |||
| ```release-note:improvement | |||
| auth/kubernetes: Added support for short-lived tokens for Kubernetes 1.21+ compatibility | |||
There was a problem hiding this comment.
How about adding "dynamically reloading" somewhere in here? Previously, short-lived tokens worked, just not well :)
Suggested change
| auth/kubernetes: Added support for short-lived tokens for Kubernetes 1.21+ compatibility | |
| auth/kubernetes: Added support for dynamically reloading short-lived tokens for better Kubernetes 1.21+ compatibility | |
| ``` |
tsaarni
changed the title
tomhjp
reviewed
Jan 11, 2022
| @@ -155,6 +154,7 @@ table summarizes the options, each of which is explained in more detail below. | |||
|
|
|||
| | Option | All tokens are short-lived | Can revoke tokens early | Other considerations | | |||
| | ------------------------------------ | -------------------------- | ----------------------- | -------------------- | | |||
| | Use local token as reviewer JWT | Yes | Yes | Requires Vault VERSION_TODO | | |||
There was a problem hiding this comment.
Suggested change
| | Use local token as reviewer JWT | Yes | Yes | Requires Vault VERSION_TODO | | |
| | Use local token as reviewer JWT | Yes | Yes | Requires Vault (1.10+) to be deployed on the Kubernetes cluster | |
| kubernetes_host=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT | ||
| ``` | ||
|
|
||
| !> **Note:** Requires Vault VERSION_TODO. In earlier versions the service account |
There was a problem hiding this comment.
Suggested change
| !> **Note:** Requires Vault VERSION_TODO. In earlier versions the service account | |
| !> **Note:** Requires Vault 1.10+. In earlier versions the service account |
| @@ -168,6 +168,23 @@ short-lived tokens. If you would like to disable this, set | |||
|
|
|||
| [k8s-extended-tokens]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options | |||
|
|
|||
| #### Use local service account token as the reviewer JWT | |||
|
|
|||
| When running Vault in a Kubernetes pod the recommended option is to use local | |||
There was a problem hiding this comment.
Suggested change
| When running Vault in a Kubernetes pod the recommended option is to use local | |
| When running Vault in a Kubernetes pod the recommended option is to use the pod's local |
Comment on lines
175
to
176
| short-lived tokens. Local token and CA certificate are used by configuring the | ||
| auth method without setting `token_reviewer_jwt` and `kubernetes_ca_cert`. |
There was a problem hiding this comment.
Suggested change
| short-lived tokens. Local token and CA certificate are used by configuring the | |
| auth method without setting `token_reviewer_jwt` and `kubernetes_ca_cert`. | |
| short-lived tokens. To use the local token and CA certificate, omit | |
| `token_reviewer_jwt` and `kubernetes_ca_cert` when configuring the auth method. | |
| Vault will attempt to load them from `token` and `ca.crt` respectively inside | |
| the default mount folder `/var/run/secrets/kubernetes.io/serviceaccount/`. |
The first half of the suggestion is just re-wording. With the second half, I was trying to demystify how it works, but perhaps it's too detailed. Take or leave the suggestions as you like :)
There was a problem hiding this comment.
This is good clarification, thanks! Taken it as such :)
tvoran
approved these changes
Jan 15, 2022
tvoran
pushed a commit
that referenced
this pull request
Jan 19, 2022
…#13595) * auth/kubernetes: support for short-lived tokens * Uplift new version of Kubernetes auth plugin that does not store the service account token persistently to Vault storage. * Update the documentation to recommend local token again when running Vault inside cluster. Signed-off-by: Tero Saarni <tero.saarni@est.tech> * Added changelog entry Signed-off-by: Tero Saarni <tero.saarni@est.tech> * clarification to changelog entry, executed go mod tidy * clarifications and added targeted release version
tvoran
pushed a commit
that referenced
this pull request
Jan 19, 2022
…#13595) * auth/kubernetes: support for short-lived tokens * Uplift new version of Kubernetes auth plugin that does not store the service account token persistently to Vault storage. * Update the documentation to recommend local token again when running Vault inside cluster. Signed-off-by: Tero Saarni <tero.saarni@est.tech> * Added changelog entry Signed-off-by: Tero Saarni <tero.saarni@est.tech> * clarification to changelog entry, executed go mod tidy * clarifications and added targeted release version
tvoran
added a commit
that referenced
this pull request
Jan 22, 2022
…lived tokens into release/1.9.x (#13698) * auth/kubernetes: support for dynamically reloading short-lived tokens (#13595) * auth/kubernetes: support for short-lived tokens * Uplift new version of Kubernetes auth plugin that does not store the service account token persistently to Vault storage. * Update the documentation to recommend local token again when running Vault inside cluster. Signed-off-by: Tero Saarni <tero.saarni@est.tech> * Added changelog entry Signed-off-by: Tero Saarni <tero.saarni@est.tech> * clarification to changelog entry, executed go mod tidy * clarifications and added targeted release version * update available version to 1.9.3+ and changelog renamed changelog file to the backport pr number. * update go.mod to k8s-auth@v0.11.4 Co-authored-by: Tero Saarni <tero.saarni@est.tech> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
joatmon08
pushed a commit
that referenced
this pull request
Jan 25, 2022
…#13595) * auth/kubernetes: support for short-lived tokens * Uplift new version of Kubernetes auth plugin that does not store the service account token persistently to Vault storage. * Update the documentation to recommend local token again when running Vault inside cluster. Signed-off-by: Tero Saarni <tero.saarni@est.tech> * Added changelog entry Signed-off-by: Tero Saarni <tero.saarni@est.tech> * clarification to changelog entry, executed go mod tidy * clarifications and added targeted release version
qk4l
pushed a commit
to qk4l/vault
that referenced
this pull request
Feb 4, 2022
…hashicorp#13595) * auth/kubernetes: support for short-lived tokens * Uplift new version of Kubernetes auth plugin that does not store the service account token persistently to Vault storage. * Update the documentation to recommend local token again when running Vault inside cluster. Signed-off-by: Tero Saarni <tero.saarni@est.tech> * Added changelog entry Signed-off-by: Tero Saarni <tero.saarni@est.tech> * clarification to changelog entry, executed go mod tidy * clarifications and added targeted release version
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change is continuation to hashicorp/vault-plugin-auth-kubernetes#122 where support was added for dynamically reloading Kubernetes short-lived tokens for better Kubernetes 1.21+ compatibility. This change takes the feature into use in Vault.
Fixes #12855
Signed-off-by: Tero Saarni tero.saarni@est.tech