hashicorp / terraform-provider-nomad

Terraform Nomad provider
https://registry.terraform.io/providers/hashicorp/nomad/latest
Mozilla Public License 2.0

Add JWKS data source for fetching public keys for JWT validation #447

Closed clf-cklf closed 6 months ago

clf-cklf commented 7 months ago

This adds a data provider for the JWKS public keys used for verifying workload identity JWTs. These are exposed at the /.well-known/jwks.json HTTP API endpoint.

One use for this would be to provide these keys to Vault via https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend#jwt_validation_pubkeys. This would be useful because Vault cannot access the HTTPS API with mTLS enabled unless one turns off client verification: https://developer.hashicorp.com/nomad/docs/integrations/vault/acl#mutual-tls-in-nomad

The keys are returned as both a list of objects with human-readable field names, and as a list of PEM-encoded X.509 public keys; the latter is, I believe, the preferred way to pass PKI information in Terraform, and is the format that the Terraform Vault provider expects.
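The conversion the description refers to, from the JWKS JSON served at `/.well-known/jwks.json` to the PEM-encoded X.509 public keys that Vault's `jwt_validation_pubkeys` expects, as an added example that is not code from this PR or from the provider. The `jwk`/`jwks` structs, the `JWKSToPEM` function and the `sampleJWKS` helper are assumptions made for this example; the sample JWKS is constructed from a freshly generated RSA key rather than fetched from a Nomad server, and only RSA keys are handled, with any other `kty` treated as an error so a validator never ends up with a silently truncated key set.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
)

// jwk is the subset of RFC 7517 fields needed to rebuild an RSA public key
// (struct shape assumed for this example).
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Alg string `json:"alg,omitempty"`
	Use string `json:"use,omitempty"`
	N   string `json:"n,omitempty"`
	E   string `json:"e,omitempty"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// PublicKeyPEM pairs a key id with its PEM-encoded X.509 SubjectPublicKeyInfo.
type PublicKeyPEM struct {
	Kid string
	PEM string
}

// JWKSToPEM parses a JWKS document and converts every RSA key into a
// PEM-encoded X.509 public key. Unsupported key types and malformed
// parameters are reported as errors rather than skipped.
func JWKSToPEM(doc []byte) ([]PublicKeyPEM, error) {
	var set jwks
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, fmt.Errorf("parse jwks: %w", err)
	}
	if len(set.Keys) == 0 {
		return nil, fmt.Errorf("jwks contains no keys")
	}
	out := make([]PublicKeyPEM, 0, len(set.Keys))
	for i, k := range set.Keys {
		if k.Kty != "RSA" {
			return nil, fmt.Errorf("key %d (%q): unsupported kty %q", i, k.Kid, k.Kty)
		}
		// JWK parameters are base64url without padding (RFC 7515 section 2).
		n, err := base64.RawURLEncoding.DecodeString(k.N)
		if err != nil {
			return nil, fmt.Errorf("key %d (%q): decode n: %w", i, k.Kid, err)
		}
		e, err := base64.RawURLEncoding.DecodeString(k.E)
		if err != nil {
			return nil, fmt.Errorf("key %d (%q): decode e: %w", i, k.Kid, err)
		}
		eInt := new(big.Int).SetBytes(e)
		if !eInt.IsInt64() || eInt.Int64() < 3 {
			return nil, fmt.Errorf("key %d (%q): invalid public exponent", i, k.Kid)
		}
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(eInt.Int64())}
		der, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			return nil, fmt.Errorf("key %d (%q): marshal: %w", i, k.Kid, err)
		}
		block := &pem.Block{Type: "PUBLIC KEY", Bytes: der}
		out = append(out, PublicKeyPEM{Kid: k.Kid, PEM: string(pem.EncodeToMemory(block))})
	}
	return out, nil
}

// sampleJWKS builds a constructed JWKS document from a freshly generated RSA
// key, standing in for the body that /.well-known/jwks.json would return.
// It also returns the public key so a caller can verify the round trip.
func sampleJWKS() ([]byte, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	k := jwk{
		Kty: "RSA", Kid: "constructed-key-1", Alg: "RS256", Use: "sig",
		N:   base64.RawURLEncoding.EncodeToString(key.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(key.E)).Bytes()),
	}
	doc, err := json.Marshal(jwks{Keys: []jwk{k}})
	return doc, &key.PublicKey, err
}

func main() {
	doc, want, err := sampleJWKS()
	if err != nil {
		panic(err)
	}
	pems, err := JWKSToPEM(doc)
	if err != nil {
		panic(err)
	}
	for _, p := range pems {
		fmt.Printf("%s:\n%s", p.Kid, p.PEM)
	}
	// Confirm the PEM parses back to the key the JWKS was built from.
	blk, _ := pem.Decode([]byte(pems[0].PEM))
	parsed, err := x509.ParsePKIXPublicKey(blk.Bytes)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", parsed.(*rsa.PublicKey).Equal(want))
}
```

The PEM strings this produces are the `BEGIN PUBLIC KEY` form, which is what the Vault provider's `jwt_validation_pubkeys` list takes; the `kid` is kept alongside each key so a caller can tell which key a rotation added or removed.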

hashicorp-cla commented 7 months ago

CLA assistant check
All committers have signed the CLA.

wraithm commented 7 months ago

What do you think about this @lgfa29 ?

clf-cklf commented 7 months ago

Thanks @lgfa29 ! I'm on vacation this week but will be able to respond and implement your suggestions this coming Monday. Your comments all look good, no concerns from me at this point.

wraithm commented 7 months ago

Thanks @lgfa29! Do you know who's taken over maintainership of this project?

clf-cklf commented 6 months ago

Thank you for the updates @clf-cklf.

I no longer work at HashiCorp, so I can't get this PR merged, but I'm leaving my approval here to signal to the rest of the team that these changes look good 😄

Thanks @lgfa29 ! Best wishes for your next role!