hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

feat: Add support to inject projected volume including audience in k8s sa #648

Closed dewjam closed 3 months ago

dewjam commented 3 months ago

This is a very rough PR that adds support for defining an "audience" when mounting the Kubernetes SA.

Example Spec:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: debug
  name: debug
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: debug
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: debug
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/auth-type: jwt
        # New annotation from this PR: audience claim for the projected SA token
        vault.hashicorp.com/vault-service-account-token-audience: "audience"
        # Path the agent reads the projected token from (where the volume is mounted)
        vault.hashicorp.com/auth-config-path: /var/run/secrets/vault.hashicorp.com/serviceaccount/token
        vault.hashicorp.com/auth-path: auth/kube/kind/kind
        vault.hashicorp.com/auth-config-role: vault-agent
        vault.hashicorp.com/auth-config-remove_jwt_after_reading: 'false'
        vault.hashicorp.com/agent-inject-template-creds: |
          {{- with secret "secrets/groups/kind/creds" -}}
          {{ .Data.data.username }}:{{ .Data.data.password }}
          {{ end }}
    spec:
      serviceAccountName: vault-agent-sa
      containers:
      - image: ubuntu
        name: ubuntu
        resources: {}
        command: ["/usr/bin/sleep", "3600"]
```

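
The PR text names the feature but does not show the volume it produces. The following Python, added here and not part of the PR or of vault-k8s, sketches how a mutating webhook could turn the audience annotation in the spec above into a projected serviceAccountToken volume and a read-only mount, emitted as JSON Patch ops. The volume name, the agent container index, the 600-second minimum expiry check and the sample annotations are assumptions constructed for this illustration.

```python
import json

PREFIX = "vault.hashicorp.com/"
VOLUME_NAME = "vault-sa-token"  # assumed volume name, not from the PR
MIN_EXPIRY = 600  # Kubernetes rejects serviceAccountToken projections shorter than 10 minutes

# Constructed from the annotations in the example Deployment above.
SAMPLE_ANNOTATIONS = {
    PREFIX + "agent-inject": "true",
    PREFIX + "auth-type": "jwt",
    PREFIX + "vault-service-account-token-audience": "audience",
    PREFIX + "auth-config-path": "/var/run/secrets/vault.hashicorp.com/serviceaccount/token",
    PREFIX + "auth-path": "auth/kube/kind/kind",
    PREFIX + "auth-config-role": "vault-agent",
}


def token_volume_patch(annotations, container_index=0, expiration_seconds=3600):
    """Build JSON Patch ops that add an audience-bound projected SA token
    volume and mount it into the container at container_index (assumed to be
    the injected agent). Returns [] when no audience annotation is present.
    A real webhook would also ensure /spec/volumes and volumeMounts exist."""
    audience = annotations.get(PREFIX + "vault-service-account-token-audience")
    if not audience:
        return []
    if expiration_seconds < MIN_EXPIRY:
        raise ValueError(f"expirationSeconds must be >= {MIN_EXPIRY}")
    # Mount the token exactly where auth-config-path expects to read it.
    token_path = annotations.get(PREFIX + "auth-config-path",
                                 "/var/run/secrets/vault.hashicorp.com/serviceaccount/token")
    mount_path, _, file_name = token_path.rpartition("/")
    volume = {
        "name": VOLUME_NAME,
        "projected": {"sources": [{"serviceAccountToken": {
            "audience": audience,                     # Vault's JWT role must require this aud
            "expirationSeconds": expiration_seconds,  # kubelet rotates the file before expiry
            "path": file_name,
        }}]},
    }
    mount = {"name": VOLUME_NAME, "mountPath": mount_path, "readOnly": True}
    return [
        {"op": "add", "path": "/spec/volumes/-", "value": volume},
        {"op": "add", "path": f"/spec/containers/{container_index}/volumeMounts/-", "value": mount},
    ]


if __name__ == "__main__":
    print(json.dumps(token_volume_patch(SAMPLE_ANNOTATIONS), indent=2))
```

Because the token carries an explicit `aud`, it is only accepted by a Vault JWT role configured for that audience, which limits its usefulness if it is ever read by anything other than the agent.
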
hashicorp-cla-app[bot] commented 3 months ago

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


Jim DeWaard seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

dewjam commented 3 months ago

Closed as this isn't ready for review.