[Question] How do you actually renew the token? #4
Hi Fernando,
Currently I don't have token refresh implemented.
I'll have a look at AppRole; in parallel I'll evaluate the Kubernetes Auth Backend.
I'll find some research, then I'll update the issue.
Best regards,
Björn
On 20.08.2018 16:32, Fernando <notifications@github.com> wrote:
Hi, this is more a question than an issue itself. I'm trying to figure out how you renew the token, it's not clear to me.
On the other hand I'd like to know if you would be open to login using AppRole auth method instead of a token-based login.
Thanks @DaspawnW! AppRole/Kubernetes backend will still need a background thread that checks expiration time and if it's expired it will renew the token. But I think it's really worthy and it will be a killer feature for vault-crd ;)
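The background check described in the comment above, sketched in Go as an added example; it is not part of the thread and is not vault-crd or secrets-manager code. The `Auth` interface, `Step`, the `fake` client and the grace value are assumptions of this example; a real client would back `Renew` with Vault's `auth/token/renew-self` endpoint and `Login` with a Kubernetes or AppRole login.

```go
package main

import (
	"fmt"
	"time"
)

type Token struct {
	TTL       time.Duration // remaining lifetime, as Vault reports it
	Renewable bool
}

// Auth is a hypothetical interface over a Vault client (an assumption of this example).
type Auth interface {
	Renew() (Token, error) // POST /v1/auth/token/renew-self
	Login() (Token, error) // Kubernetes or AppRole login that yields a new token
}

// Step is one pass of the background check. It renews once TTL is within grace and
// logs in again when renewal fails or is capped below grace (token near its max TTL).
func Step(a Auth, cur Token, grace time.Duration) (Token, string, error) {
	if cur.TTL > grace {
		return cur, "wait", nil
	}
	if cur.Renewable {
		if t, err := a.Renew(); err == nil && t.TTL > grace {
			return t, "renewed", nil
		}
	}
	t, err := a.Login()
	if err != nil {
		return cur, "failed", fmt.Errorf("re-login: %w", err)
	}
	return t, "relogin", nil
}

// fake is a constructed stand-in for Vault so this runs offline; TTL 0 means "refused".
type fake struct{ renewTTL, loginTTL time.Duration }
func (f fake) Renew() (Token, error) { return issue(f.renewTTL) }
func (f fake) Login() (Token, error) { return issue(f.loginTTL) }
func issue(ttl time.Duration) (Token, error) {
	if ttl == 0 {
		return Token{}, fmt.Errorf("permission denied")
	}
	return Token{TTL: ttl, Renewable: true}, nil
}

func main() {
	fmt.Println(Step(fake{renewTTL: 2 * time.Minute}, Token{3 * time.Minute, true}, 5*time.Minute))
}
```

The `main` call models a static token with no login method: the renewal comes back capped below the grace window and `Step` reports `failed`, the case in which the deployment needs a new token.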
this is the first step to allow different authentication methods as described in #4
Hi @fcgravalos, I've added support for Kubernetes Service Accounts. I'll also have a look at AppRole authentication, but I think Service Account authentication is more important. If you would like to use it please have a look at the documentation for it:
Hi @DaspawnW Thanks a lot for taking the time to implement this, for us it was important to have a way for the token to be self-renewed. Unfortunately, the rush of our projects and the amount of clusters we manage made us lean towards implementing our solution in a language we feel more comfortable with, Go. vault-crd has been an inspiration for us and with that idea in mind, we developed secrets-manager. In the README file we expressed why we decided to build it and we make a reference to vault-crd. I think it will be nice if we can give feedback to each other about both tools!
We're running into the same issue. Due to organizational concerns, we cannot implement K8s service account authentication in Vault. This leaves us with:
@fcgravalos we are very interested in secrets-manager, but for our workflows we like the CRD approach better.
Hi @stevendborrelli, I'm now on vacation for the next 3 weeks, after this I'll perform some additional tests for release 1.3, currently there is a docker image and a description in merge request #16
Hi @stevendborrelli, if it's still required please reopen. BR,
Hi, this is more a question than an issue itself.
I'm trying to figure out how you would renew the token, it's not clear to me. What happens if the token expires and then the pod gets deleted? Do I need to re-create the deployment with a new token?
On the other hand I'd like to know if you would be open to login using AppRole auth method instead of a token-based login.
Thanks!!