Skip to content

fix: renew token of vault k8s auth method#1750

Open
Kryvchun wants to merge 1 commit intohashicorp:mainfrom
Kryvchun:fix/renew-vault-token
Open

fix: renew token of vault k8s auth method#1750
Kryvchun wants to merge 1 commit intohashicorp:mainfrom
Kryvchun:fix/renew-vault-token

Conversation

@Kryvchun
Copy link
Contributor

@Kryvchun Kryvchun commented May 18, 2023
edited
Loading

Description
Run vault token renewer when k8s auth method is used.

References
The part of the fix to: hashicorp/envconsul#309

Relates to:

Local testing

  1. Configured vault in microk8s: 
    vault auth enable kubernetes

vault write auth/kubernetes/config \
      token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
      kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
      kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

vault write auth/kubernetes/role/vault \
     bound_service_account_names=vault \
     bound_service_account_namespaces=vault \
     ttl=10m
  2. Created secret secret/passwords and configured default policy to read secret/*.
  3. Port-forward vault: 
    kubectl port-forward svc/vault 8200:8200 -n vault
  4. Configured envconsul: 
    log_level = "trace"

vault {
  address = "http://localhost:8200"
  renew_token = true

  k8s_auth_role_name = "vault"
  k8s_service_account_token = "<JWT_FROM_SERVICE_ACCOUNT>"
  k8s_service_mount_path = "kubernetes"
}

secret {
  no_prefix = true
  path      = "secret/passwords"
}
  5. Run envconsul and checked logs: 
    2023-05-18T08:25:22.357+0300 [DEBUG] envconsul: (watcher) adding vault.token
2023-05-18T08:25:22.357+0300 [TRACE] envconsul: (watcher) vault.token starting
2023-05-18T08:25:22.357+0300 [TRACE] envconsul: (view) vault.token starting fetch
2023-05-18T08:25:22.358+0300 [TRACE] envconsul: vault.token: starting renewer
2023-05-18T08:25:22.361+0300 [TRACE] envconsul: vault.token: successfully renewed
2023-05-18T08:32:30.667+0300 [TRACE] envconsul: vault.token: successfully renewed
2023-05-18T08:39:38.937+0300 [TRACE] envconsul: vault.token: successfully renewed
2023-05-18T08:46:47.233+0300 [TRACE] envconsul: vault.token: successfully renewed
2023-05-18T08:53:55.529+0300 [TRACE] envconsul: vault.token: successfully renewed

    Considering token TTL = 10m, everything works as expected.

@Kryvchun Kryvchun force-pushed the fix/renew-vault-token branch 2 times, most recently from 2c743f1 to aa9b02c Compare May 18, 2023 05:50
@Kryvchun Kryvchun force-pushed the fix/renew-vault-token branch from aa9b02c to 43523b0 Compare May 18, 2023 05:54
@Kryvchun Kryvchun mentioned this pull request May 18, 2023
Draft
@Kryvchun Kryvchun marked this pull request as ready for review May 18, 2023 05:59
@Kryvchun Kryvchun requested a review from a team as a code owner May 18, 2023 05:59
@Kryvchun Kryvchun requested review from roncodingenthusiast and removed request for a team May 18, 2023 05:59
@Kryvchun Kryvchun mentioned this pull request May 24, 2023
Open
@komapa
Copy link

komapa commented Jul 14, 2023

Would love to see this merged as well!

@jnardone
Copy link

jnardone commented Jan 4, 2024

Any update on getting this in?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roncodingenthusiast roncodingenthusiast Awaiting requested review from roncodingenthusiast roncodingenthusiast was automatically assigned from hashicorp/zts-template-reviewers

1 more reviewer

@Mladen-Karadimov Mladen-Karadimov Mladen-Karadimov approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Kryvchun @komapa @jnardone @Mladen-Karadimov