
Add support for using serviceaccount annotations #1

Merged (3 commits), Feb 2, 2022

Conversation

@dovys dovys commented Feb 1, 2022

Addresses hashicorp#85

We took Mark's proposed design and added support for defining annotations on service accounts that can later on be used in policy templating.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-account
  namespace: default
  annotations:
    vault.hashicorp.com/auth-metadata/service-role: example-value
```

Should allow us to use in policies as so

```
{{identity.entity.aliases.${vault_auth_backend.kubernetes.accessor}.metadata.service_role}}
```

Who the change affects or is for (stakeholders)?
The change is behind a config flag called `enable_custom_metadata_from_annotations` so it should not affect any of the existing integrations.
In order to enable the flag users will have to update the ClusterRole and allow Vault to read service accounts. If this change is accepted we'll open PRs to update various docs, Terraform providers, etc.
This will also introduce another round trip to the Kubernetes API, however we are using a pooled TCP client so hopefully not too many new open connections.

Why is the change needed?
At Monzo we want to use fully qualified service names for certificates issued under Vault's PKI, i.e. `service.profile`, which we can attach as annotations to service accounts. At the same time we want the policies to be very strict so `service.profile` is not allowed to obtain certificates for `service.id`.

Design of Change

We've largely adhered to the current code style present in the repo.
All changes are behind a config flag enable_custom_metadata_from_annotations so existing integrations shouldn't be affected.

Related Issues/Pull Requests

TBD

Contributor Checklist

TBD
[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
My Docs PR Link
Example
[x] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
[x] Backwards compatible

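As an added worked example (not code from this PR or from the plugin itself), the following Go program shows the mapping the description above relies on: annotations under `vault.hashicorp.com/auth-metadata/` become alias metadata with `-` normalised to `_` (so the `service-role` annotation is addressed as `service_role` in the template), and a templated policy path then resolves to the caller's own annotated value. `MetadataFromAnnotations`, `RenderPolicyPath`, the allowed key character set and the accessor value are assumptions made for illustration; `RenderPolicyPath` is a simplified stand-in for Vault's policy templating, not its implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Annotation prefix named in the PR description; the constant name is ours.
const AnnotationPrefix = "vault.hashicorp.com/auth-metadata/"

// A normalised metadata key must be a single path-safe token so that it can
// appear inside {{identity.entity.aliases.<accessor>.metadata.<key>}}.
// The exact character set is an assumption, not the plugin's rule.
var validKey = regexp.MustCompile(`^[A-Za-z0-9_]+$`)

// MetadataFromAnnotations picks the annotations under AnnotationPrefix and
// turns them into alias metadata, mapping the suffix "service-role" to the
// key "service_role" as the PR's example shows. Annotations outside the prefix
// are ignored. Two annotations that normalise to the same key, or a suffix
// that is empty or not path-safe, are rejected instead of being guessed at.
func MetadataFromAnnotations(annotations map[string]string) (map[string]string, error) {
	keys := make([]string, 0, len(annotations))
	for k := range annotations {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic error reporting regardless of map order

	out := make(map[string]string)
	for _, k := range keys {
		if !strings.HasPrefix(k, AnnotationPrefix) {
			continue
		}
		key := strings.ReplaceAll(strings.TrimPrefix(k, AnnotationPrefix), "-", "_")
		if !validKey.MatchString(key) {
			return nil, fmt.Errorf("annotation %q: %q is not a usable metadata key", k, key)
		}
		if _, dup := out[key]; dup {
			return nil, fmt.Errorf("annotation %q: metadata key %q already set by another annotation", k, key)
		}
		out[key] = annotations[k]
	}
	return out, nil
}

// templateRef matches the alias-metadata template form used in the PR.
var templateRef = regexp.MustCompile(`\{\{identity\.entity\.aliases\.([^.}]+)\.metadata\.([^.}]+)\}\}`)

// RenderPolicyPath substitutes alias metadata into a templated policy path.
// It is a stand-in for Vault's own templating, written to show the effect:
// a path like pki/issue/{{...metadata.service_role}} resolves to the caller's
// own annotated value, so a workload cannot name a different service's path.
// A template that references another accessor, or a key the alias lacks,
// fails closed rather than rendering an empty segment.
func RenderPolicyPath(path, accessor string, metadata map[string]string) (string, error) {
	var renderErr error
	rendered := templateRef.ReplaceAllStringFunc(path, func(m string) string {
		sub := templateRef.FindStringSubmatch(m)
		if sub[1] != accessor {
			renderErr = fmt.Errorf("template names accessor %q but login used %q", sub[1], accessor)
			return m
		}
		v, ok := metadata[sub[2]]
		if !ok {
			renderErr = fmt.Errorf("metadata key %q not present on alias", sub[2])
			return m
		}
		return v
	})
	if renderErr != nil {
		return "", renderErr
	}
	return rendered, nil
}

func main() {
	// Constructed sample: the annotation from the PR's ServiceAccount plus
	// one unrelated annotation that must be ignored.
	annotations := map[string]string{
		"vault.hashicorp.com/auth-metadata/service-role":   "example-value",
		"kubectl.kubernetes.io/last-applied-configuration": "{}",
	}
	md, err := MetadataFromAnnotations(annotations)
	if err != nil {
		panic(err)
	}
	// Accessor value is made up for the example.
	const accessor = "auth_kubernetes_0123abcd"
	path, err := RenderPolicyPath(
		"pki/issue/{{identity.entity.aliases."+accessor+".metadata.service_role}}",
		accessor, md)
	if err != nil {
		panic(err)
	}
	fmt.Println(md)   // map[service_role:example-value]
	fmt.Println(path) // pki/issue/example-value
}
```

Two points worth checking when enabling such a flag: whoever can `update` or `patch` ServiceAccount objects in a namespace gets to choose the metadata, so the strictness of a templated policy is only as good as the RBAC on those annotations; and the extra lookup the description mentions needs the reviewer identity's ClusterRole to grant `get` on `serviceaccounts` in the core API group.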
@dovys dovys requested a review from chongyangshi February 1, 2022 12:23
chongyangshi pushed a commit to monzo/terraform-provider-vault that referenced this pull request Feb 1, 2022
This change accompanies monzo/vault-plugin-auth-kubernetes#1, which
adds a new config flag to the Kubernetes auth plugin,
which if enabled will cause the auth plugin to read service account annotations in
Kubernetes prefixed with vault.hashicorp.com/auth-metadata/ as auth metadata in Vault.
chongyangshi pushed a commit to chongyangshi/terraform-provider-vault that referenced this pull request Feb 1, 2022
This change accompanies monzo/vault-plugin-auth-kubernetes#1, which
adds a new config flag to the Kubernetes auth plugin,
which if enabled will cause the auth plugin to read service account annotations in
Kubernetes prefixed with vault.hashicorp.com/auth-metadata/ as auth metadata in Vault.

@chongyangshi chongyangshi left a comment


Looks fine, once we patch up that comment we should be able to raise a PR to hashicorp/vault-plugin-auth-kubernetes from this branch

Review comment on path_login.go (outdated, resolved)
chongyangshi previously approved these changes Feb 2, 2022
Co-authored-by: Chongyang Shi <8771937+chongyangshi@users.noreply.github.com>
@dovys dovys merged commit 2904413 into main Feb 2, 2022