Add projected service account support #288
Merged
Conversation
Fixed tests and added more tests
benashz reviewed Aug 27, 2021
Co-authored-by: Ben Ash <[email protected]>
reegnz reviewed Aug 31, 2021
Check for nil ServiceAccountTokenVolume and move error reporting into the get token functions.
…vault-k8s into add-projected-sa-support-fork
benashz approved these changes Sep 2, 2021
LGTM!
RemcoBuddelmeijer pushed a commit to RemcoBuddelmeijer/vault-k8s that referenced this pull request Feb 22, 2022
Co-authored-by: Luke Addison <[email protected]> Co-authored-by: Ben Ash <[email protected]>
Continues #79. Fixes #78.

Adds more unit tests for serviceaccount(), and reads the tokenPath from the volumeMount for projected tokens.

Description

This PR adds the ability to specify a projected service account token for vault-agent to use with auto-auth against the Vault Kubernetes auth method.

It adds a new annotation, vault.hashicorp.com/agent-service-account-token-volume-name, which is the name of the projected volume holding the token. If the volume is mounted to another container in the deployment, the token volume will be mounted to the same location in the vault-agent containers. Otherwise it will be mounted at the default location of /var/run/secrets/vault.hashicorp.com/serviceaccount/.

Example

Take the example nginx Pod from here, and add these annotations:

Configure Vault to accept the token with a role something like this:

Once the Pod is deployed, vault-agent will be configured to use the token /var/run/secrets/tokens/vault-token for auto-auth. That token is periodically refreshed by Kubernetes, and vault-agent will read the new token and use it whenever it's refreshed.

One nice thing about this setup is that since the Vault role is configured to only allow tokens that have an audience of vault, only the projected token will work, since the normal service token will have an audience of something like https://kubernetes.default.svc.cluster.local.

And in this example, to mount the projected token only on the vault-agent containers, remove the volumeMounts block from the nginx container. Then vault-agent will be configured to use the token at /var/run/secrets/vault.hashicorp.com/serviceaccount/vault-token for auto-auth.
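The two mechanics the description relies on, worked through in Go as an added example (this is not code from the vault-k8s project or from this PR): resolving where the projected token ends up inside the Pod, and why a role bound to the audience vault rejects the default service account token. The Pod types below are assumed, simplified stand-ins with the same field shapes as the YAML, not the real k8s.io/api structs; the nil check on the serviceAccountToken source follows the review commit above; unsignedToken mints a constructed, unsigned JWT purely so the audience check can run offline, and the defaultTokenMount constant is the default path quoted in the description.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Stand-ins for the few corev1 Pod fields used here (assumed shapes, not the real k8s.io/api types).
type ServiceAccountTokenProjection struct{ Audience, Path string }
type ProjectedSource struct{ ServiceAccountToken *ServiceAccountTokenProjection }
type ProjectedVolumeSource struct{ Sources []ProjectedSource }
type Volume struct {
	Name      string
	Projected *ProjectedVolumeSource
}
type VolumeMount struct{ Name, MountPath string }
type Container struct{ VolumeMounts []VolumeMount }
type PodSpec struct {
	Containers []Container
	Volumes    []Volume
}

// Default location from the PR description, used when no container in the Pod mounts the volume.
const defaultTokenMount = "/var/run/secrets/vault.hashicorp.com/serviceaccount"

// resolveProjectedToken finds the projected volume named by the annotation, rejects it when it
// carries no serviceAccountToken source (the nil case from review), and returns the mount path
// the agent should reuse plus the full path of the token file.
func resolveProjectedToken(spec PodSpec, volName string) (mountPath, tokenPath string, err error) {
	var sat *ServiceAccountTokenProjection
	for _, v := range spec.Volumes {
		if v.Name != volName || v.Projected == nil {
			continue
		}
		for _, s := range v.Projected.Sources {
			if s.ServiceAccountToken != nil {
				sat = s.ServiceAccountToken
			}
		}
	}
	if sat == nil {
		return "", "", fmt.Errorf("volume %q has no projected serviceAccountToken source", volName)
	}
	mountPath = defaultTokenMount
	for _, c := range spec.Containers {
		for _, m := range c.VolumeMounts {
			if m.Name == volName {
				mountPath = m.MountPath // reuse the app container's path so both see the same file
			}
		}
	}
	return mountPath, filepath.Join(mountPath, sat.Path), nil
}

// tokenAudiences reads the aud claim of a JWT without checking its signature (Vault does that
// at login); it only shows which audience the token was minted for.
func tokenAudiences(jwt string) ([]string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims struct{ Aud json.RawMessage `json:"aud"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	var one string // RFC 7519 allows aud to be a single string or an array of strings
	if json.Unmarshal(claims.Aud, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	err = json.Unmarshal(claims.Aud, &many)
	return many, err
}

// audienceAllowed mirrors a Vault Kubernetes auth role bound to one audience.
func audienceAllowed(jwt, boundAudience string) bool {
	auds, _ := tokenAudiences(jwt) // on error auds is nil and the loop is skipped
	for _, a := range auds {
		if a == boundAudience {
			return true
		}
	}
	return false
}

// unsignedToken builds a constructed, unsigned JWT carrying aud; a real token is signed by the API server.
func unsignedToken(aud interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	body, _ := json.Marshal(map[string]interface{}{"aud": aud, "sub": "system:serviceaccount:default:nginx"})
	b64 := base64.RawURLEncoding.EncodeToString
	return b64(hdr) + "." + b64(body) + ".sig"
}
```

With the nginx container mounting the volume at /var/run/secrets/tokens and a projection path of vault-token, resolveProjectedToken yields /var/run/secrets/tokens/vault-token, the path the description names; with no app-container mount it falls back to the default directory. A token whose aud is only https://kubernetes.default.svc.cluster.local never satisfies audienceAllowed for vault, and a token with no aud claim at all is rejected too, which is the property the audience binding buys you. Signature validation is deliberately out of scope here: Vault performs it on login, and nothing in this decoder should be used as an authentication decision on its own.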