hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

Injected Agent config uses `token_path` instead of `path` for `jwt` auth method #660

Open mxk opened 3 months ago

mxk commented 3 months ago

When the injector is deployed with AGENT_INJECT_VAULT_AUTH_TYPE set to jwt, or when using the vault.hashicorp.com/auth-type: jwt annotation, the generated (simplified) agent config looks like this:

{
  "auto_auth": {
    "method": {
      "type": "jwt",
      "mount_path": "<path>",
      "config": {
        "role": "<role>",
        "token_path": "/var/run/secrets/vault.hashicorp.com/serviceaccount/token"
      }
    }
  }
}

This is invalid because the jwt auth method uses the path rather than the token_path config parameter. This appears to be set here.

In addition, it may be beneficial to set remove_jwt_after_reading to false by default because removing the token fails due to the projected volume being read-only.

We're currently using the following annotations to work around these issues:

vault.hashicorp.com/auth-config-path: /var/run/secrets/vault.hashicorp.com/serviceaccount/token
vault.hashicorp.com/auth-config-remove-jwt-after-reading: 'false'
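An added check (example code, not part of the issue or of vault-k8s) that inspects a rendered agent config for the two problems reported above, and rewrites it the way the workaround annotations do. The sample config, mount path and role name are constructed for the example.

```python
import json

# Constructed sample mirroring the simplified config in the report above;
# mount path and role are placeholders, not values from a real cluster.
INJECTED_CONFIG = json.loads("""
{
  "auto_auth": {
    "method": {
      "type": "jwt",
      "mount_path": "auth/jwt",
      "config": {
        "role": "example-role",
        "token_path": "/var/run/secrets/vault.hashicorp.com/serviceaccount/token"
      }
    }
  }
}
""")


def check_jwt_auto_auth(config: dict) -> list[str]:
    """Return problems found in an auto_auth block for the jwt method.

    The jwt method expects `path` (not `token_path`) for the token file, and
    `remove_jwt_after_reading` should be false when the token is mounted from a
    read-only projected volume, since deleting it would fail.
    """
    findings = []
    method = config.get("auto_auth", {}).get("method", {})
    if method.get("type") != "jwt":
        return findings  # only the jwt method is in scope here
    cfg = method.get("config", {})
    if "token_path" in cfg and "path" not in cfg:
        findings.append("jwt config uses 'token_path'; the jwt auth method expects 'path'")
    elif "path" not in cfg:
        findings.append("jwt config has no token file location ('path')")
    # Vault Agent defaults remove_jwt_after_reading to true.
    if cfg.get("remove_jwt_after_reading", True) is not False:
        findings.append("remove_jwt_after_reading is not false; removal from a read-only volume fails")
    return findings


def fixed_config(config: dict) -> dict:
    """Return a deep copy with both issues corrected (same effect as the annotations)."""
    fixed = json.loads(json.dumps(config))
    cfg = fixed["auto_auth"]["method"]["config"]
    if "token_path" in cfg and "path" not in cfg:
        cfg["path"] = cfg.pop("token_path")
    cfg["remove_jwt_after_reading"] = False
    return fixed
```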