Service Account based authentication for Provider Vault #5
Comments
I believe this should be implemented per by using the Kubernetes as the auth method instead of JWT/OIDC as the auth method and Kubernetes as a provider, i.e. https://developer.hashicorp.com/vault/docs/auth/kubernetes

+1 for this feature, although I think the source should be set to

+1 for this feature.

Is there an update on this feature request?
@ronit87 actually it would already work if we could find a way to inject the service account token in the secret, which I didn't manage until now:
I tested by manually copy-pasting the value of the service account token in

I think I found a way to make it work using
Hi @headyj, thanks for sharing this solution. It is helpful to some extent. However, the challenge here is to create and use a long-lived ServiceAccount token, which represents a higher risk to information security. Therefore, if we find some solution to use the ServiceAccount in ControllerConfig/DeploymentRuntimeConfig itself, and the Crossplane Vault Provider manages this token with an expiration time and auto-rotates it on expiration, then it will be a good feature to have as per Kubernetes security best practices.

I found a solution for this problem. Try this:
+1 I think it should definitely be an automatic behaviour when using AWS IAM Roles and Based on @zebesh snippet, but with a little more detail:

First, I had to install Vault Agent Injector to work with sidecar container injections:

```shell
helm repo add hashicorp https://helm.releases.hashicorp.com
helm upgrade --install vault hashicorp/vault --set injector.enabled=true,server.enabled=false
```

Then, configure the

```yaml
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: vault
spec:
  deploymentTemplate:
    spec:
      selector: {}
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-init-first: 'true'
            vault.hashicorp.com/agent-inject: 'true'
            vault.hashicorp.com/agent-inject-token: 'true'
            vault.hashicorp.com/agent-limits-cpu: '0.05'
            vault.hashicorp.com/agent-pre-populate: 'false'
            vault.hashicorp.com/agent-inject-status: "update"
            vault.hashicorp.com/agent-pre-populate-only: 'false'
            vault.hashicorp.com/agent-requests-cpu: '0.01'
            vault.hashicorp.com/agent-run-as-user: '2000'
            vault.hashicorp.com/service: <VAULT_ADDR>
            vault.hashicorp.com/namespace: <VAULT_NAMESPACE>
            vault.hashicorp.com/auth-type: aws
            vault.hashicorp.com/auth-path: auth/aws
            vault.hashicorp.com/auth-config-type: iam
            vault.hashicorp.com/auth-config-region: sa-east-1
            vault.hashicorp.com/role: terraform
            vault.hashicorp.com/agent-inject-secret-vault-token: "auth/token/lookup-self"
            vault.hashicorp.com/agent-inject-template-vault-token: |
              {{- with secret "auth/token/lookup-self" -}}
              {
                "token_name": "crossplane-vault-creds",
                "token": "{{ .Data.id }}"
              }
              {{- end }}
  serviceAccountTemplate:
    metadata:
      name: crossplane
      annotations:
        eks.amazonaws.com/role-arn: <AWS_ROLE_ARN>
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-vault
spec:
  package: xpkg.upbound.io/upbound/provider-vault:v0.4.0
  runtimeConfigRef:
    apiVersion: pkg.crossplane.io/v1
    kind: DeploymentRuntimeConfig
    name: vault
---
apiVersion: vault.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  address: <VAULT_ADDR>
  add_address_to_env: true
  credentials:
    source: Filesystem
    fs:
      path: /vault/secrets/vault-token
```

Now it should work fine. It seems to suffice Kubernetes security best practices as pointed out by @ronit87, since the sidecar container continuously refreshes/rotates the token.
@davimmt, I don't quite get all aspects of your config. I created a kind cluster with Vault and crossplane running on it. To set up vault agent to supply a vault token I got this here:

```yaml
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: vault-provider
spec:
  package: xpkg.upbound.io/upbound/provider-vault:v0.4.0
  runtimeConfigRef:
    name: vault
---
apiVersion: vault.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: vault-gitops
spec:
  address: http://vault.vault:8200
  add_address_to_env: true
  credentials:
    fs:
      path: /vault/secrets/token
    source: Filesystem
---
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: vault
spec:
  deploymentTemplate:
    spec:
      replicas: 1
      selector: {}
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-init-first: "true"
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/agent-inject-token: "true" # defaults to /vault/secrets/token
            vault.hashicorp.com/agent-run-as-group: "2000"
            vault.hashicorp.com/auth-path: auth/kubernetes
            vault.hashicorp.com/auth-type: kubernetes
            vault.hashicorp.com/service: "http://vault.vault:8200"
            vault.hashicorp.com/role: crossplane-providers
  serviceAccountTemplate:
    metadata:
      name: vault-provider
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: provider-vault
  namespace: crossplane-system
```

As far as I saw from the vault agent docs, it will pass the vault token to

But I run into a different issue here where my managed resource can't be reconciled because the vault token cannot be parsed for some reason:

The vault token indeed starts with
The default secret's path mount is indeed

You are getting this error because crossplane expects a JSON file just as configured also in my annotations, not the token string itself. Both of these configurations are in this annotation:

```yaml
vault.hashicorp.com/agent-inject-template-vault-token: |
  {{- with secret "auth/token/lookup-self" -}}
  {
    "token_name": "crossplane-vault-creds",
    "token": "{{ .Data.id }}"
  }
  {{- end }}
```
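The distinction davimmt makes above (the Filesystem credential source expects the JSON document rendered by the `agent-inject-template` annotation, not the bare token that `agent-inject-token` writes) is easy to check before the provider tries to reconcile. The following is an added example, not code from the issue or from provider-vault; the token value and file contents are constructed samples, and the exact field check is an assumption based on the annotation shown in the thread.

```python
import json

# Constructed sample: what the agent-inject-template annotation on this page renders
# into /vault/secrets/vault-token. The token value is made up.
RENDERED_JSON = (
    '{\n'
    '  "token_name": "crossplane-vault-creds",\n'
    '  "token": "hvs.CONSTRUCTEDexampleTOKEN"\n'
    '}\n'
)

# Constructed sample: what agent-inject-token alone writes, a bare token string.
# This is the shape that produced the "token cannot be parsed" error in the thread.
RAW_TOKEN = "hvs.CONSTRUCTEDexampleTOKEN\n"


def parse_provider_vault_credentials(text: str) -> str:
    """Return the Vault token from a credentials file in the JSON shape shown on
    this page ({"token_name": ..., "token": ...}); raise ValueError otherwise."""
    stripped = text.strip()
    if not stripped:
        # An empty file usually means the agent has not rendered yet
        # (agent-init-first: "true" is what makes the provider wait for it).
        raise ValueError("credentials file is empty; agent may not have rendered yet")
    try:
        doc = json.loads(stripped)
    except json.JSONDecodeError:
        # Failure mode from the thread: a raw token was injected instead of JSON.
        raise ValueError(
            "credentials file is not JSON; a raw token was injected, "
            "render it with the agent-inject-template annotation instead"
        )
    token = doc.get("token") if isinstance(doc, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError('JSON credentials must contain a non-empty string field "token"')
    return token


def credentials_problem(text: str):
    """Convenience wrapper for a readiness check: None if the file parses,
    otherwise the human-readable reason it would fail."""
    try:
        parse_provider_vault_credentials(text)
        return None
    except ValueError as exc:
        return str(exc)
```

Run `credentials_problem(open("/vault/secrets/vault-token").read())` from a debug shell in the provider pod to see which of the two failure modes you are hitting.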
@davimmt, ok now I also got it to work. Thanks a ton for this hint. Although I wished the provider could just work with the original injected token.

@davimmt I am also trying to do something similar. In my case I have vault installed via bank-vaults operator and I am trying to instantiate secrets using crossplane. What was the configuration that made it work for you? I am not being able to configure it based on the examples here...

You should post your configuration files and any error logs you're encountering. That way we can better assist you.
What problem are you facing?
I want to configure crossplane provider vault to authenticate to vault using service account based token. Since crossplane runs on k8s clusters, it makes sense to implement it.
How could Upbound help solve your problem?
Add service account authentication for provider vault. It should look something like:
Considering provider-vault service account has the appropriate permissions configured in vault.
Not sure about how this would be implemented; it requires the kubernetes cluster configured as an OIDC/JWT provider in vault (https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers/kubernetes). Provider uses service account as jwt token and refreshes when it expires (in 1hr).
But maybe there might be a better way to go about implementing this.