
fix: renew token of vault k8s auth method #1750

Open. Wants to merge 1 commit into base: main

Conversation

Kryvchun (Contributor) commented May 18, 2023

Description
Run vault token renewer when k8s auth method is used.

References
Part of the fix for: hashicorp/envconsul#309

Relates to:

Local testing

  1. Configured vault in microk8s:
    vault auth enable kubernetes
    
    vault write auth/kubernetes/config \
          token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
          kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
          kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    
    vault write auth/kubernetes/role/vault \
         bound_service_account_names=vault \
         bound_service_account_namespaces=vault \
         ttl=10m
  2. Created secret secret/passwords and configured default policy to read secret/*.
  3. Port-forward vault:
    kubectl port-forward svc/vault 8200:8200 -n vault
  4. Configured envconsul:
    log_level = "trace"
    
    vault {
      address = "http://localhost:8200"
      renew_token = true
    
      k8s_auth_role_name = "vault"
      k8s_service_account_token = "<JWT_FROM_SERVICE_ACCOUNT>"
      k8s_service_mount_path = "kubernetes"
    }
    
    secret {
      no_prefix = true
      path      = "secret/passwords"
    }
  5. Ran envconsul and checked logs:
    2023-05-18T08:25:22.357+0300 [DEBUG] envconsul: (watcher) adding vault.token
    2023-05-18T08:25:22.357+0300 [TRACE] envconsul: (watcher) vault.token starting
    2023-05-18T08:25:22.357+0300 [TRACE] envconsul: (view) vault.token starting fetch
    2023-05-18T08:25:22.358+0300 [TRACE] envconsul: vault.token: starting renewer
    2023-05-18T08:25:22.361+0300 [TRACE] envconsul: vault.token: successfully renewed
    2023-05-18T08:32:30.667+0300 [TRACE] envconsul: vault.token: successfully renewed
    2023-05-18T08:39:38.937+0300 [TRACE] envconsul: vault.token: successfully renewed
    2023-05-18T08:46:47.233+0300 [TRACE] envconsul: vault.token: successfully renewed
    2023-05-18T08:53:55.529+0300 [TRACE] envconsul: vault.token: successfully renewed

Considering token TTL = 10m, everything works as expected.
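The behaviour the PR description tests by hand (log in through the Kubernetes auth mount, then keep the returned token alive with renew-self at a fixed fraction of its TTL) is shown below as an added, self-contained example. It is not envconsul's or Vault's own code. The request/response shapes follow Vault's HTTP API (POST `/v1/auth/<mount>/login` with `role` and `jwt`, POST `/v1/auth/token/renew-self` with the `X-Vault-Token` header); the in-process Vault stand-in, the token value, the service account JWT and the "renew at two thirds of the TTL" schedule are constructed assumptions for this example, and the renewal cap exists only so the program terminates.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// k8sLoginRequest is the body Vault's Kubernetes auth method expects at
// POST /v1/auth/<mount>/login: the role name and the service account JWT.
type k8sLoginRequest struct {
	Role string `json:"role"`
	JWT  string `json:"jwt"`
}

// authResponse is the subset of Vault's auth response a renewer needs.
type authResponse struct {
	Auth struct {
		ClientToken   string `json:"client_token"`
		LeaseDuration int    `json:"lease_duration"` // seconds
		Renewable     bool   `json:"renewable"`
	} `json:"auth"`
}

const fakeToken = "hvs.example-token" // constructed; a real Vault issues its own

// newFakeVault is a stand-in for Vault (constructed for this example). It accepts
// the expected role/JWT pair, issues a renewable token with ttlSeconds, and counts
// successful renew-self calls in *renewals.
func newFakeVault(mount, role, jwt string, ttlSeconds int, renewals *int32) *httptest.Server {
	issue := func(w http.ResponseWriter) {
		var resp authResponse
		resp.Auth.ClientToken, resp.Auth.LeaseDuration, resp.Auth.Renewable = fakeToken, ttlSeconds, true
		json.NewEncoder(w).Encode(resp)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/"+mount+"/login", func(w http.ResponseWriter, r *http.Request) {
		var req k8sLoginRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Role != role || req.JWT != jwt {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		issue(w)
	})
	mux.HandleFunc("/v1/auth/token/renew-self", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != fakeToken {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		atomic.AddInt32(renewals, 1)
		issue(w)
	})
	return httptest.NewServer(mux)
}

// decodeAuth reads a Vault auth response, rejecting non-2xx and non-renewable results:
// starting a renewer for a non-renewable token would only produce failing calls.
func decodeAuth(resp *http.Response) (string, time.Duration, error) {
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return "", 0, fmt.Errorf("vault returned %s", resp.Status)
	}
	var ar authResponse
	if err := json.NewDecoder(resp.Body).Decode(&ar); err != nil {
		return "", 0, err
	}
	if !ar.Auth.Renewable {
		return "", 0, fmt.Errorf("token is not renewable")
	}
	return ar.Auth.ClientToken, time.Duration(ar.Auth.LeaseDuration) * time.Second, nil
}

// k8sLogin exchanges the service account JWT for a Vault token via the k8s auth mount.
func k8sLogin(addr, mount, role, jwt string) (string, time.Duration, error) {
	body, _ := json.Marshal(k8sLoginRequest{Role: role, JWT: jwt})
	resp, err := http.Post(addr+"/v1/auth/"+mount+"/login", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", 0, err
	}
	return decodeAuth(resp)
}

// renewSelf extends the current token's TTL via auth/token/renew-self.
func renewSelf(addr, token string) (time.Duration, error) {
	req, _ := http.NewRequest(http.MethodPost, addr+"/v1/auth/token/renew-self", nil)
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	_, ttl, err := decodeAuth(resp)
	return ttl, err
}

// renewInterval waits two thirds of the TTL before renewing, leaving margin before
// expiry (assumed schedule; close to the ~7-minute spacing in the PR's log for a 10m TTL).
func renewInterval(ttl time.Duration) time.Duration { return ttl * 2 / 3 }

// runRenewer logs in and renews until maxRenewals succeed or a call fails. A real
// agent loops forever and re-logs-in on failure instead of keeping a dying token.
func runRenewer(addr, mount, role, jwt string, maxRenewals int) (int, error) {
	token, ttl, err := k8sLogin(addr, mount, role, jwt)
	if err != nil {
		return 0, err
	}
	for n := 0; n < maxRenewals; n++ {
		time.Sleep(renewInterval(ttl))
		if ttl, err = renewSelf(addr, token); err != nil {
			return n, err
		}
	}
	return maxRenewals, nil
}

func main() {
	var renewals int32
	srv := newFakeVault("kubernetes", "vault", "constructed-sa-jwt", 1, &renewals) // 1s TTL for a quick run
	defer srv.Close()
	n, err := runRenewer(srv.URL, "kubernetes", "vault", "constructed-sa-jwt", 3)
	fmt.Println("renewals:", n, "server counted:", atomic.LoadInt32(&renewals), "err:", err)
}
```

Run with `go run .`; the stand-in server counts each successful renew-self call, which is the observable the PR's trace lines ("vault.token: successfully renewed") correspond to. The useful check when reviewing a fix like this one is that the renewer is started at all for the k8s auth path and that the spacing of renewals stays well inside the role's `ttl`.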

@Kryvchun Kryvchun force-pushed the fix/renew-vault-token branch 2 times, most recently from 2c743f1 to aa9b02c on May 18, 2023 05:50
@Kryvchun Kryvchun marked this pull request as ready for review May 18, 2023 05:59
@Kryvchun Kryvchun requested a review from a team as a code owner May 18, 2023 05:59
@Kryvchun Kryvchun requested review from roncodingenthusiast and removed request for a team May 18, 2023 05:59
komapa commented Jul 14, 2023

Would love to see this merged as well!

jnardone commented Jan 4, 2024

Any update on getting this in?
