Closed eonpatapon closed 3 years ago
I think this one was resolved with #83
@reegnz Yep, I think you're right! Support for this was included in 1.5, along with an option to control the behavior in 1.5.4: https://www.vaultproject.io/api-docs/auth/kubernetes#caveats
I'm running vault in kubernetes using the official helm chart, therefore ca.crt and k8s token are available in the vault pod in `/var/run/secrets/kubernetes.io/serviceaccount/`. The helm chart also sets up the vault serviceaccount with cluster role `system:auth-delegator` for token validation. So the pod token can be used as the `jwt_reviewer_token`.

Would it be acceptable for the plugin to check if `ca.crt` and `token` exist in `/var/run/secrets/kubernetes.io/serviceaccount/` and use them when enabling the plugin without specifying any ca cert or token? This would greatly simplify my provisioning of vault when running in k8s.

I'm willing to work on a patch if it sounds good to you.
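The fallback the post asks for, sketched in Go as an added example (not the plugin's own code): fields the operator left empty are filled from the mounted service-account files, an explicitly configured value always wins, and a missing file means "no mounted credentials" rather than an error. The `kubeConfig` type, its field names and the function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Path where Kubernetes projects the pod's service account credentials.
const defaultServiceAccountDir = "/var/run/secrets/kubernetes.io/serviceaccount"

// kubeConfig holds the two values the issue asks the plugin to detect on its
// own. The field names are assumptions for this example, not the plugin's.
type kubeConfig struct {
	CACert           string // PEM CA used to verify the Kubernetes API server
	TokenReviewerJWT string // service account JWT used for TokenReview calls
}

// readOptionalFile returns the trimmed contents and true when the file exists;
// a missing file is not an error, any other read failure is.
func readOptionalFile(path string) (string, bool, error) {
	b, err := os.ReadFile(path)
	if os.IsNotExist(err) {
		return "", false, nil
	}
	if err != nil {
		return "", false, err
	}
	return strings.TrimSpace(string(b)), true, nil
}

// resolveLocalServiceAccount fills each field the operator left empty from
// ca.crt and token under dir; explicitly configured values always win.
func resolveLocalServiceAccount(cfg kubeConfig, dir string) (kubeConfig, error) {
	files := map[string]*string{"ca.crt": &cfg.CACert, "token": &cfg.TokenReviewerJWT}
	for name, dst := range files {
		if *dst != "" {
			continue // operator supplied it explicitly
		}
		v, ok, err := readOptionalFile(filepath.Join(dir, name))
		if err != nil {
			return cfg, fmt.Errorf("reading mounted %s: %w", name, err)
		}
		if ok {
			*dst = v
		}
	}
	return cfg, nil
}
```

Because the token file is read once when the config is written, a projected service-account token that Kubernetes later rotates would not be picked up; a production implementation would re-read it when the TokenReview call is made.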