andrey-dubnik
commented
5 months ago If this is feasible issue can be accompanied with a PR
Open andrey-dubnik opened 5 months ago
andrey-dubnik
commented
5 months ago If this is feasible issue can be accompanied with a PR
Hi,
In our scenario we have a public Vault endpoint and a mix of k8s clusters some with the public k8s API and some with the private only. If we are to use the service account auth it would work for the public clusters but won't work for the private ones cause token lookup can't be done from the Vault server towards the private endpoints.
Proposal is to make lookup option configurable based on the token's TTL e.g. lookup_after_ttl="10s". This way if we have a short lived token and TTL say <10m it is highly unlikely someone would revoke a token within that timeframe + it would give our offline clusters grace period where vault interaction could take place.
Token is still validated via CA so it can't be fake-issued just not going to be looked up in k8s if
lookup_after_ttlis not due.Does this feature makes sense?
Thanks, A