First pass at JWT auto-deletion flag #11969
Conversation
|
|
|
Are there potential (re-)authentication issues that could arise if we don't delete a stale JWT? |
| @@ -17,3 +17,7 @@ JWT to perform a reauthentication. | |||
| - `path` `(string: required)` - The path to the JWT file | |||
|
|
|||
| - `role` `(string: required)` - The role to authenticate against on Vault | |||
|
|
|||
| - `remove_jwt_after_reading` `(bool: optional, defaults to true)` - | |||
There was a problem hiding this comment.
Can we flip this around and have it be keep_after_reading or something along those lines? This way the default value is also the zero value (false).
There was a problem hiding this comment.
I thought about that but I thought it more prudent to retain the current default behavior and opt-out if needed. I'd assume that in most cases, the default behavior is more appropriate. This change is mostly to allow for using Kubernetes bound service account tokens with JWT auth. In this use case, Kubernetes automatically rotates the JWT based on a configurable TTL.
There was a problem hiding this comment.
keep_after_reading with it being defaulted false should still retain the current behavior though. Note that we're flipping the naming and also the default so keeping the file would still be an opt-in. We'd only not delete the file if this gets set to true explicitly.
There was a problem hiding this comment.
Ah ok, I see what you mean. I was following the same model that the AppRole auto-auth was using but I can change this around if it makes more sense.
There was a problem hiding this comment.
I think keep_jwt_after_reading works, but I am not convinced that it needs to be this verbose. I think any of : skip_jwt_cleanup, no_jwt_cleanup, preseve_jwt could probably work well.
There was a problem hiding this comment.
I actually like remove_jwt_after_reading for its consistency with AppRole's option: https://www.vaultproject.io/docs/agent/autoauth/methods/approle#remove_secret_id_file_after_reading
IMO the bar to break from this pattern needs to be higher than making it terser. If it wasn't for the prior art, I would 100% agree with both the flip + naming comments above, but they're minor nits and they're secondary to preventing confusion for consumers.
I wouldn't think so. JWTs should have an expiration set so if re-auth is attempted with an expired JWT auth should fail. In this scenario, the underlying system that is responsible for delivering an updated JWT (e.g. Kubernetes) should have provided a newer JWT. But I may be missing some of the finer points here. |
|
It looks like |
|
As an alternative of using the absence as the edge trigger; we could use |
That's a very interesting idea. I don't really see |
|
Just to avoid confusion. Note that the document you're linking to is the wrong side of the coin. That document is about kubernetes utilising an external openid connect provider to allow externals to authenticate to K8s. We're talking about https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery instead. Which is the opposite of that. Allow serviceaccounts to connect to external services like vault by registering the Kubernetes apiserver as an OpenID connect provider in vault |
|
@benashz here is the full example using the https://github.com/arianvp/vault-k8s-jwt-auth-demo |
|
@arianvp @tdsacilowski since this PR was not merged, did you find a workaround ? |
There was a problem hiding this comment.
Taking another look as there has been some renewed interest in this. @tdsacilowski I'm happy to take this on if you'd prefer not to pick this up again.
| @@ -17,3 +17,7 @@ JWT to perform a reauthentication. | |||
| - `path` `(string: required)` - The path to the JWT file | |||
|
|
|||
| - `role` `(string: required)` - The role to authenticate against on Vault | |||
|
|
|||
| - `remove_jwt_after_reading` `(bool: optional, defaults to true)` - | |||
There was a problem hiding this comment.
I actually like remove_jwt_after_reading for its consistency with AppRole's option: https://www.vaultproject.io/docs/agent/autoauth/methods/approle#remove_secret_id_file_after_reading
IMO the bar to break from this pattern needs to be higher than making it terser. If it wasn't for the prior art, I would 100% agree with both the flip + naming comments above, but they're minor nits and they're secondary to preventing confusion for consumers.
* Unit test to test default behaviour, and config parsing for delete_jwt_after_reading option * Slow down read period of token when we're not deleting it to 1 minute. This is fast enough for the shortest TTL possible in Kubernetes (10m), which seems like a sensible default. We may need to make this period configurable in the future though. * Remove usage of the deprecated ioutil library
Fixes #11968
Still need to write tests.