
fix: renew token of vault k8s auth method

Open Kryvchun opened this issue 1 year ago • 2 comments

Description

Run vault token renewer when k8s auth method is used.

References

The part of the fix to: https://github.com/hashicorp/envconsul/issues/309

Relates to:

  • https://github.com/hashicorp/consul-template/pull/1580
  • https://github.com/hashicorp/envconsul/pull/281
  • https://github.com/hashicorp/envconsul/pull/332 (envconsul part of this fix)

Local testing

  1. Configured vault in microk8s:
    vault auth enable kubernetes
    
    vault write auth/kubernetes/config \
          token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
          kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
          kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    
    vault write auth/kubernetes/role/vault \
         bound_service_account_names=vault \
         bound_service_account_namespaces=vault \
         ttl=10m
    
  2. Created secret secret/passwords and configured default policy to read secret/*.
  3. Port-forward vault:
    kubectl port-forward svc/vault 8200:8200 -n vault
    
  4. Configured envconsul:
    log_level = "trace"
    
    vault {
      address = "http://localhost:8200"
      renew_token = true
    
      k8s_auth_role_name = "vault"
      k8s_service_account_token = "<JWT_FROM_SERVICE_ACCOUNT>"
      k8s_service_mount_path = "kubernetes"
    }
    
    secret {
      no_prefix = true
      path      = "secret/passwords"
    }
    
  5. Run envconsul and checked logs:
    2023-05-18T08:25:22.357+0300 [DEBUG] envconsul: (watcher) adding vault.token
    2023-05-18T08:25:22.357+0300 [TRACE] envconsul: (watcher) vault.token starting
    2023-05-18T08:25:22.357+0300 [TRACE] envconsul: (view) vault.token starting fetch
    2023-05-18T08:25:22.358+0300 [TRACE] envconsul: vault.token: starting renewer
    2023-05-18T08:25:22.361+0300 [TRACE] envconsul: vault.token: successfully renewed
    2023-05-18T08:32:30.667+0300 [TRACE] envconsul: vault.token: successfully renewed
    2023-05-18T08:39:38.937+0300 [TRACE] envconsul: vault.token: successfully renewed
    2023-05-18T08:46:47.233+0300 [TRACE] envconsul: vault.token: successfully renewed
    2023-05-18T08:53:55.529+0300 [TRACE] envconsul: vault.token: successfully renewed

Considering token TTL = 10m, everything works as expected.

Kryvchun avatar May 18 '23 05:05 Kryvchun
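The local-testing step above validates the fix by reading trace logs by eye. Below is an added check, not part of this PR or of consul-template or envconsul, that does the same thing mechanically: it confirms the renewer was started and that no gap between successive "successfully renewed" lines reaches the token TTL (here 10m, as in the role above). The log text is a constructed sample in the shape of the envconsul trace lines above, and the function names are my own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample in the shape of the envconsul trace log shown in the PR.
const sampleLog = `2023-05-18T08:25:22.358+0300 [TRACE] envconsul: vault.token: starting renewer
2023-05-18T08:25:22.361+0300 [TRACE] envconsul: vault.token: successfully renewed
2023-05-18T08:32:30.667+0300 [TRACE] envconsul: vault.token: successfully renewed
2023-05-18T08:39:38.937+0300 [TRACE] envconsul: vault.token: successfully renewed
2023-05-18T08:46:47.233+0300 [TRACE] envconsul: vault.token: successfully renewed
`

// Timestamp layout used by the envconsul log lines (millisecond precision, numeric zone).
const tsLayout = "2006-01-02T15:04:05.000-0700"

// renewerStarted reports whether the renewer goroutine was started at all; before
// the fix this line never appears for the k8s auth method.
func renewerStarted(log string) bool {
	return strings.Contains(log, "vault.token: starting renewer")
}

// renewalTimes extracts the timestamp of every successful renewal, in log order.
func renewalTimes(log string) ([]time.Time, error) {
	var out []time.Time
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if !strings.Contains(line, "vault.token: successfully renewed") {
			continue
		}
		t, err := time.Parse(tsLayout, strings.Fields(line)[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		out = append(out, t)
	}
	return out, sc.Err()
}

// checkRenewals returns the longest gap between renewals and whether every gap
// stayed below the TTL, i.e. the token was always renewed before it could expire.
// Fewer than two renewals prove nothing about the loop, so that is reported as not ok.
func checkRenewals(times []time.Time, ttl time.Duration) (time.Duration, bool) {
	if len(times) < 2 {
		return 0, false
	}
	var longest time.Duration
	for i := 1; i < len(times); i++ {
		if gap := times[i].Sub(times[i-1]); gap > longest {
			longest = gap
		}
	}
	return longest, longest < ttl
}

func main() {
	times, err := renewalTimes(sampleLog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	longest, ok := checkRenewals(times, 10*time.Minute)
	fmt.Printf("renewer started: %v, renewals: %d, longest gap: %v, within TTL: %v\n",
		renewerStarted(sampleLog), len(times), longest, ok)
}
```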

Would love to see this merged as well!

komapa avatar Jul 14 '23 04:07 komapa

Any update on getting this in?

jnardone avatar Jan 04 '24 16:01 jnardone