Enable Vault to review kube tokens when using external Vault #392
Conversation
jfroche
force-pushed
the
feat/external-vault-sa-auth-delegator
branch
from
f26d636 to
8b5d3d8
Compare
|
I'm facing the same problem here, temporary workaround is to do helm template and patch with kustomize. Upvoting. |
|
Hi @jfroche, thanks for the contribution! I'll take a closer look at this PR today but please remove the CHANGELOG changes, we do not make those changes in PRs and will update the CHANGELOG in master after PRs are merged. |
jfroche
force-pushed
the
feat/external-vault-sa-auth-delegator
branch
from
8b5d3d8 to
caeaebc
Compare
values.yaml
Outdated
| serviceAccount: | ||
| # Specifies whether a service account should be created | ||
| create: true | ||
| # The name of the service account to use. | ||
| # If not set and create is true, a name is generated using the fullname template | ||
| name: "" | ||
| # Extra annotations for the serviceAccount definition. This can either be | ||
| # YAML or a YAML-formatted multi-line templated string map of the | ||
| # annotations to apply to the serviceAccount. | ||
| annotations: {} |
There was a problem hiding this comment.
This should not be moved away from server. This will make the change backwards compatible and it's specific to the server, not a global config.
|
@jfroche This looks good to me but we need to move SA back to server. This will break existing users and while I appreciate increasing the visibility of this setting, it's specific to the |
We want Vault to perform token reviews with Kubernetes even if we are using an external Vault. We need to create the ServiceAccount, Secret and ClusterRoleBinding with the system:auth-delegator role to enable delegated authentication and authorization checks [1]. These SA and RBAC objects are created when we deploy the Vault server. In order to enable the creation of these objects when using an external Vault, we remove the condition on external mode. User might want to provide a sensible name (in global.serviceAccount.name) to the service account such as: vault-auth. refs hashicorp#376 [1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
jfroche
force-pushed
the
feat/external-vault-sa-auth-delegator
branch
from
caeaebc to
4778894
Compare
|
@jasonodonnell Ok, fixed it |
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.
We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].
These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.
User might want to provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.
refs #376
[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes