auth/kubernetes: support for dynamically reloading short-lived tokens #13595
Conversation
* Uplift new version of Kubernetes auth plugin that does not store the service account token persistently to Vault storage. * Update the documentation to recommend local token again when running Vault inside cluster. Signed-off-by: Tero Saarni <[email protected]>
@@ -96,7 +96,7 @@ require ( | |||
github.com/hashicorp/vault-plugin-auth-gcp v0.11.3 | |||
github.com/hashicorp/vault-plugin-auth-jwt v0.11.4 | |||
github.com/hashicorp/vault-plugin-auth-kerberos v0.5.0 | |||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.11.3 | |||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20220107030939-d289258274b7 |
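Review bot: the pseudo-version `v0.7.1-0.20220107030939-d289258274b7` sorts below the `v0.11.3` it replaces (its base is a v0.7.x tag), so if any other module in the build graph still requires `v0.11.3`, minimal version selection keeps `v0.11.3` and silently drops the token-reload fix; confirm that `go mod tidy` leaves this line as written (the later commit says it was run) and replace the pseudo-version with a tagged release before 1.10 ships, as the thread already plans.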
@tvoran Would it be possible to tag a new release of vault-plugin-auth-kubernetes so that we can revert to a proper version number?
We'll be tagging a new release of vault-plugin-auth-kubernetes later in Vault's release cycle, so this pseudo version is good for now.
@tomhjp, @tvoran I've sent this PR to uplift hashicorp/vault-plugin-auth-kubernetes#122 into Vault. I added a proposal for documentation changes, though I feel they are maybe a bit unnecessarily complicated for in-cluster deployment. Users should not need to be aware of short-lived tokens anymore, as reloading is transparent, though I guess the information is necessary since the user can be running an older version of Vault. (For running Vault outside the cluster, I'm not sure if copying service account tokens from the cluster has ever been that good an idea; I think client cert support might have been better.)
Signed-off-by: Tero Saarni <[email protected]>
changelog/13595.txt
@@ -0,0 +1,2 @@ | |||
```release-note:improvement | |||
auth/kubernetes: Added support for short-lived tokens for Kubernetes 1.21+ compatibility |
How about adding "dynamically reloading" somewhere in here? Previously, short-lived tokens worked, just not well :)
auth/kubernetes: Added support for short-lived tokens for Kubernetes 1.21+ compatibility | |
auth/kubernetes: Added support for dynamically reloading short-lived tokens for better Kubernetes 1.21+ compatibility | |
``` |
Fixed!
Thanks for raising this! A few small suggestions. This should definitely make it into 1.10. For now we should probably just get this merged into main, and then it will automatically go live on the website when 1.10 gets released but not before.
@@ -155,6 +154,7 @@ table summarizes the options, each of which is explained in more detail below. | |||
|
|||
| Option | All tokens are short-lived | Can revoke tokens early | Other considerations | | |||
| ------------------------------------ | -------------------------- | ----------------------- | -------------------- | | |||
| Use local token as reviewer JWT | Yes | Yes | Requires Vault VERSION_TODO | |
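Review bot: the `VERSION_TODO` placeholder in this table row must be resolved before merge, and the same placeholder appears again in the `!> **Note:**` callout further down, so the two need to state the same minimum version; because the feature is also being backported (the backport commit message mentions 1.9.3+), the version named here should match the branch these docs ship with rather than a single hard-coded number.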
| Use local token as reviewer JWT | Yes | Yes | Requires Vault VERSION_TODO | | |
| Use local token as reviewer JWT | Yes | Yes | Requires Vault (1.10+) to be deployed on the Kubernetes cluster | |
Added!
kubernetes_host=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT | ||
``` | ||
|
||
!> **Note:** Requires Vault VERSION_TODO. In earlier versions the service account |
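Review bot: `$KUBERNETES_PORT` is populated inside a pod with a `tcp://<ip>:<port>` string rather than a bare port number, so `kubernetes_host=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT` expands to a malformed URL; the bare port lives in `$KUBERNETES_SERVICE_PORT`, so the example should read `kubernetes_host=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT`.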
!> **Note:** Requires Vault VERSION_TODO. In earlier versions the service account | |
!> **Note:** Requires Vault 1.10+. In earlier versions the service account |
Added!
@@ -168,6 +168,23 @@ short-lived tokens. If you would like to disable this, set | |||
|
|||
[k8s-extended-tokens]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options | |||
|
|||
#### Use local service account token as the reviewer JWT | |||
|
|||
When running Vault in a Kubernetes pod the recommended option is to use local |
When running Vault in a Kubernetes pod the recommended option is to use local | |
When running Vault in a Kubernetes pod the recommended option is to use the pod's local |
Fixed!
short-lived tokens. Local token and CA certificate are used by configuring the | ||
auth method without setting `token_reviewer_jwt` and `kubernetes_ca_cert`. |
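Review bot: the new "Use local service account token as the reviewer JWT" section should state that the pod's own service account, which now acts as the reviewer, must be permitted to create `tokenreviews` (commonly granted by binding the `system:auth-delegator` ClusterRole); without that binding Vault's login calls are rejected by the API server, and a reader switching from a dedicated reviewer service account to the local token will otherwise not know to move the binding. Also, the `[k8s-extended-tokens]` reference points at the whole kube-apiserver options page, so linking directly to the relevant flag would save readers a search.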
short-lived tokens. Local token and CA certificate are used by configuring the | |
auth method without setting `token_reviewer_jwt` and `kubernetes_ca_cert`. | |
short-lived tokens. To use the local token and CA certificate, omit | |
`token_reviewer_jwt` and `kubernetes_ca_cert` when configuring the auth method. | |
Vault will attempt to load them from `token` and `ca.crt` respectively inside | |
the default mount folder `/var/run/secrets/kubernetes.io/serviceaccount/`. |
The first half of the suggestion is just re-wording. With the second half, I was trying to demystify how it works, but perhaps it's too detailed. Take or leave the suggestions as you like :)
This is good clarification, thanks! Taken it as such :)
…#13595)

* auth/kubernetes: support for short-lived tokens
* Uplift new version of Kubernetes auth plugin that does not store the service account token persistently to Vault storage.
* Update the documentation to recommend local token again when running Vault inside cluster.

Signed-off-by: Tero Saarni <[email protected]>

* Added changelog entry

Signed-off-by: Tero Saarni <[email protected]>

* clarification to changelog entry, executed go mod tidy
* clarifications and added targeted release version
…lived tokens into release/1.9.x (#13698)

* auth/kubernetes: support for dynamically reloading short-lived tokens (#13595)
* auth/kubernetes: support for short-lived tokens
* Uplift new version of Kubernetes auth plugin that does not store the service account token persistently to Vault storage.
* Update the documentation to recommend local token again when running Vault inside cluster.

Signed-off-by: Tero Saarni <[email protected]>

* Added changelog entry

Signed-off-by: Tero Saarni <[email protected]>

* clarification to changelog entry, executed go mod tidy
* clarifications and added targeted release version
* update available version to 1.9.3+ and changelog renamed changelog file to the backport pr number.
* update go.mod to [email protected]

Co-authored-by: Tero Saarni <[email protected]>
Co-authored-by: Theron Voran <[email protected]>
This change is a continuation of hashicorp/vault-plugin-auth-kubernetes#122, where support was added for dynamically reloading Kubernetes short-lived tokens for better Kubernetes 1.21+ compatibility. This change takes the feature into use in Vault.
Fixes #12855
Signed-off-by: Tero Saarni <[email protected]>