Support Revoking Vault Token on Shutdown #67
Conversation
As documented by the default token helper: https://www.vaultproject.io/docs/commands/token-helper/
This is a cool feature, thanks for doing this @lawliet89! Code looks good but I think this is a good candidate to also make an environment variable so all injections have the revoke lifecycle added. Thoughts?
@jasonodonnell I have added a flag to allow users to opt in to having the revoke annotation set automatically on all pods.

I've tested this on my Kubernetes cluster and the lifecycle hooks are indeed added. The Vault tokens are also revoked when I look at the audit logs from Vault server. EDIT: I added some code to add additional flags to the revoke command to add the Vault address and CA related fields.
Some conflicts need to be resolved, but this looks good now! I will merge once resolved. Thanks @lawliet89 !
…revoke-on-shutdown
@jasonodonnell I've fixed the conflicts.
…revoke-on-shutdown
@jasonodonnell I've fixed conflicts again. Could this be merged in sooner than later for fewer conflicts?
LGTM! Thanks @lawliet89
* Write Vault Token to the usual location. As documented by the default token helper: https://www.vaultproject.io/docs/commands/token-helper/
* Add annotation
* Add Lifecycle to container
* Fix gofmt
* Add option to automatically revoke tokens for all pods
* Add flags to revoke command
* Make flags only inside if clause
Fixes #65
Built on top of #66
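The pieces this PR describes, a per-pod annotation, an injector-wide opt-in flag, and a preStop hook that runs the revoke command with address and CA flags, sketched as an added Go example that is not the project's code. The annotation name, the `RevokeConfig` fields and the minimal `ExecHandler` type (a stand-in for the Kubernetes exec handler, to avoid a k8s dependency) are assumptions; the `vault token revoke -self`, `-address`, `-ca-cert` and `-tls-skip-verify` flags are real Vault CLI options.

```go
package main

import (
	"fmt"
	"strings"
)

// RevokeConfig mirrors the injector-level settings discussed in the PR:
// a global opt-in plus the Vault address and TLS settings the revoke
// command needs to reach the server from inside the pod. (Assumed names.)
type RevokeConfig struct {
	RevokeAll bool   // injector flag: add the hook to every injected pod
	VaultAddr string // constructed example: https://vault.example.internal:8200
	CACert    string // path to the CA bundle mounted in the container
	TLSSkip   bool   // only for labs; never in production
}

// RevokeAnnotation is a hypothetical per-pod override; the real name is not on this page.
const RevokeAnnotation = "vault.example/agent-revoke-on-shutdown"

// ExecHandler is a minimal stand-in for corev1.ExecAction.
type ExecHandler struct {
	Command []string
}

// ShouldRevoke applies the opt-in rule: an explicit pod annotation wins,
// otherwise the injector-wide flag decides. Unparseable values are rejected
// rather than silently treated as "off".
func ShouldRevoke(annotations map[string]string, cfg RevokeConfig) (bool, error) {
	if v, ok := annotations[RevokeAnnotation]; ok {
		switch strings.ToLower(strings.TrimSpace(v)) {
		case "true":
			return true, nil
		case "false":
			return false, nil
		}
		return false, fmt.Errorf("invalid value %q for %s", v, RevokeAnnotation)
	}
	return cfg.RevokeAll, nil
}

// PreStopHook builds the command run when the sidecar stops. "-self" revokes
// the token the CLI reads from the default token helper location (~/.vault-token),
// so the token stops working as soon as the pod goes away.
func PreStopHook(cfg RevokeConfig) ExecHandler {
	args := []string{"/bin/vault", "token", "revoke", "-self"}
	if cfg.VaultAddr != "" {
		args = append(args, "-address="+cfg.VaultAddr)
	}
	if cfg.CACert != "" {
		args = append(args, "-ca-cert="+cfg.CACert)
	}
	if cfg.TLSSkip {
		args = append(args, "-tls-skip-verify")
	}
	return ExecHandler{Command: args}
}
```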