hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
https://www.nomadproject.io/

Allow for jwks keyring replication to facilitate easier management of federated clusters and workload identity vault integration #20123

Open benvanstaveren opened 7 months ago

benvanstaveren commented 7 months ago

Proposal

As it stands at the moment, to use the new Workload Identity integration with federated clusters, one cannot just use the example given in the documentation, because the jwks endpoint on a Nomad cluster is for a single cluster only. The only way so far seems to be: export the jwks keys for each cluster and import them into the Vault jwks auth config. This, of course, is not ideal, since it's a manual operation and, coming from something that "just works", that's a regression.

Ideally, the keyring would be replicated from the primary cluster (authoritative_region) to all federated members. This seems to be blocked on an open issue, but as @tgross mentioned in a comment on #20097, once #14852 is resolved it could be a possibility.

Personally, I'm in favor of this proposal; anything else seems (to me, at least) to require either external tooling or changes to Vault. The former is, again, a regression in ease of management; the latter is perhaps not such a hot idea because it's not that great for separation of concerns.

Use-cases

Makes the migration to workload-identity-based Vault authentication a heck of a lot easier because "things just work" (which is the current situation), and there are no regressions or potential additional points of failure brought on by human inattention 😅
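The manual workaround described in the proposal (export each cluster's JWKS, combine them, import the result into Vault's JWT auth config) is sketched below as an added example; it is not code from Nomad, Vault or the issue author. The sample JWKS documents are constructed placeholders, the per-cluster endpoint path `/.well-known/jwks.json` is assumed, and the helpers `merge_jwks` and `rotated_kids` are hypothetical names: the merge refuses to proceed when two clusters publish different key material under the same `kid`, and the rotation check shows which previously imported keys have disappeared, so that the Vault config can be noticed as stale rather than silently rejecting workload tokens.

```python
import json
from typing import Dict, List

# Constructed sample JWKS documents, one per federated Nomad cluster, as
# they would be fetched from each cluster's assumed /.well-known/jwks.json.
# The "n" values are placeholder strings, not real RSA moduli.
CLUSTER_JWKS: Dict[str, dict] = {
    "https://nomad.region-a.example:4646": {"keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256",
         "kid": "11111111-aaaa-4bbb-8ccc-000000000001", "n": "modulus-a", "e": "AQAB"}]},
    "https://nomad.region-b.example:4646": {"keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256",
         "kid": "22222222-aaaa-4bbb-8ccc-000000000002", "n": "modulus-b", "e": "AQAB"}]},
}


def merge_jwks(docs: Dict[str, dict]) -> dict:
    """Combine per-cluster JWKS documents into a single key set.

    Identical keys (same kid, n, e) seen from several clusters are kept once.
    The same kid with different key material is a hard error: a verifier that
    selects keys by kid could pick the wrong one, so we fail instead of guessing.
    """
    merged: Dict[str, dict] = {}
    for source, doc in docs.items():
        for key in doc.get("keys", []):
            kid = key.get("kid")
            if not kid:
                raise ValueError(f"{source}: key without kid cannot be merged safely")
            material = (key.get("kty"), key.get("n"), key.get("e"))
            seen = merged.get(kid)
            if seen is None:
                merged[kid] = {"key": key, "material": material, "sources": [source]}
            elif seen["material"] == material:
                seen["sources"].append(source)
            else:
                raise ValueError(f"kid {kid} differs between {seen['sources']} and {source}")
    return {"keys": [entry["key"] for entry in merged.values()]}


def rotated_kids(previously_imported: dict, current: dict) -> List[str]:
    """Kids present in the last import but no longer published by any cluster.

    A non-empty result means a cluster rotated its signing key and the static
    Vault config is stale; tokens signed by the new key would be rejected.
    """
    before = {k["kid"] for k in previously_imported.get("keys", [])}
    now = {k["kid"] for k in current.get("keys", [])}
    return sorted(before - now)


if __name__ == "__main__":
    print(json.dumps(merge_jwks(CLUSTER_JWKS), indent=2))
```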

lgfa29 commented 7 months ago

Thanks for the suggestion @benvanstaveren!

I have placed this into our backlog for further triaging and roadmapping.