hashicorp / vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
https://www.vaultproject.io/docs/auth/kubernetes.html
Mozilla Public License 2.0
207 stars, 61 forks

Default jwt token and ca cert when running in k8s ? #82

Closed. eonpatapon closed this issue 3 years ago.

eonpatapon commented 4 years ago

I'm running Vault in Kubernetes using the official Helm chart, therefore ca.crt and the k8s token are available in the Vault pod in /var/run/secrets/kubernetes.io/serviceaccount/.

The Helm chart also sets up the Vault service account with the cluster role system:auth-delegator for token validation, so the pod token can be used as the jwt_reviewer_token.

Would it be acceptable for the plugin to check whether ca.crt and token exist in /var/run/secrets/kubernetes.io/serviceaccount/ and use them when enabling the plugin without specifying any CA cert or token?

This would greatly simplify my provisioning of vault when running in k8s.

I'm willing to work on a patch if it sounds good to you.
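
The fallback proposed above, sketched as an added Go example that is not the plugin's own code: explicitly configured values win, an absent mount leaves the value unset, a present but malformed file is rejected, and an opt-out flag skips the mount entirely (the kind of control the maintainer mentions was added later). `Config`, `loadDefault`, `ApplyInClusterDefaults` and `DisableLocalDefaults` are hypothetical names; only the mount path and file names come from the issue.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Config is a hypothetical subset of the auth method's settings, not the plugin's own type.
type Config struct {
	CACert               string // PEM bundle used to verify the Kubernetes API server
	TokenReviewerJWT     string // JWT Vault presents to the TokenReview API
	DisableLocalDefaults bool   // opt-out: never read the pod's mounted credentials
}

// loadDefault keeps an explicit value; else it reads path: absent file = still unset, malformed file = error.
func loadDefault(current, path string, valid func(string) bool) (string, error) {
	if current != "" {
		return current, nil
	}
	data, err := os.ReadFile(path)
	if os.IsNotExist(err) {
		return "", nil
	} else if err != nil {
		return "", err
	}
	if s := strings.TrimSpace(string(data)); valid(s) {
		return s, nil
	}
	return "", fmt.Errorf("%s: unexpected contents, refusing to use it", path)
}
// Shape checks only: they catch a wrong mount, not a wrong issuer.
func isPEMCert(s string) bool { b, _ := pem.Decode([]byte(s)); return b != nil && b.Type == "CERTIFICATE" }
func looksLikeJWT(s string) bool { p := strings.Split(s, "."); return len(p) == 3 && p[0] != "" && p[1] != "" && p[2] != "" }
// ApplyInClusterDefaults fills a missing CA cert / reviewer JWT from the files in dir
// (in a pod: /var/run/secrets/kubernetes.io/serviceaccount, as named in the issue).
func ApplyInClusterDefaults(cfg Config, dir string) (Config, error) {
	if cfg.DisableLocalDefaults {
		return cfg, nil
	}
	var err error
	if cfg.CACert, err = loadDefault(cfg.CACert, filepath.Join(dir, "ca.crt"), isPEMCert); err != nil {
		return Config{}, err
	}
	if cfg.TokenReviewerJWT, err = loadDefault(cfg.TokenReviewerJWT, filepath.Join(dir, "token"), looksLikeJWT); err != nil {
		return Config{}, err
	}
	return cfg, nil
}
```

The validators only confirm the files have the expected shape; trust in the CA and the reviewer token is still established when Vault contacts the API server for the TokenReview call.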

reegnz commented 4 years ago

I think this one was resolved with #83

tvoran commented 3 years ago

@reegnz Yep, I think you're right! Support for this was included in 1.5, along with an option to control the behavior in 1.5.4: https://www.vaultproject.io/api-docs/auth/kubernetes#caveats