blathers-crl[bot]
commented
3 years ago Hello, I am Blathers. I am here to help you get the issue triaged.
It looks like you have not filled out the issue in the format of any of our templates. To best assist you, we advise you to use one of these templates.
I have CC'd a few people who may be able to assist you:
- @joshimhoff (found keywords: kubernetes)
- @knz (author of cockroachdb/cockroach#65607)
- @jordanlewis (commented on cockroachdb/cockroach#65607)
If we have not gotten back to your issue within a few business days, you can try the following:
- Join our community slack channel and ask on #cockroachdb.
- Try find someone from here if you know they worked closely on the area and CC them.
:owl: Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.
knz
raffaelespazzoli
github-actions[bot]
Support for authentication via kubernetes bound service account tokens, docs. A workload running on kubernetes would be able to authenticated using an Oauth token provisioned by kubernetes and trusted by cockroachDB. This feature depends on https://github.com/cockroachdb/cockroach/issues/65607
Describe the solution you'd like There is some provisions in cockroach db to establish trust with an OIDC provider and accept authentication with an OAuth token. There is a mutating web hook that simplifies setting up the pod configuration to use the bound service account token to be used to authenticate. This is a good example of how such mutating wbe hook could work: https://github.com/aws/amazon-eks-pod-identity-webhook
Describe alternatives you've considered For limited duration credentials representing a workload and not a person, alternative can be TLS certificates or Vault support for rotating credentials.
Jira issue: CRDB-7815