Vault plugin for Kuma dataplane tokens
Summary
Since universal mode dataplane tokens are generated via HTTP API, it would be very beneficial to provide a Vault plugin to manage generating, auditing, and managing TTL and access for dataplanes joining the mesh. This would allow a tight integration of data plane authorization into an existing security control framework.
To the end user that would make generating a dataplane token something like:
vault read kuma/dataplane/generate -mesh=default -dataplane=web01
Or, bridging the proposal in #554:
vault read kuma/dataplane/generate -mesh=default -role=web
This further bridges the gap for dataplanes to run via assuming a service, as access to the Vault endpoint to generate the dataplane token would be managed by Vault's access policies, which have integrations with a number of identity and authentication systems (e.g. IAM).
I would be happy to put in legwork to do development for this, if the Kuma team thinks this would be valuable (it would substantially ease our integration with Nomad, where we are already using Vault to manage task access to static and dynamic secrets).
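To illustrate the access-control point above, here is a pair of Vault ACL policies (added for illustration, not from the issue or from any Kuma/Vault plugin): a broad policy that lets a client mint tokens for any mesh or dataplane, beside a scoped one that limits the same client to one mesh and one role. The mount path kuma/ and the mesh/dataplane/role request parameters are assumptions taken from the proposed commands; the real parameter names depend on how such a plugin is implemented.

```hcl
# Weak: any Vault token carrying this policy can generate a dataplane
# token for every mesh and every dataplane identity the plugin knows.
path "kuma/*" {
  capabilities = ["read", "create", "update"]
}

# Scoped: the web workload's policy may only hit the generate endpoint,
# only for mesh "default" and role "web" (assumed parameter names),
# and must always name both, so it cannot fall back to a broader default.
path "kuma/dataplane/generate" {
  capabilities        = ["read"]
  required_parameters = ["mesh", "role"]
  allowed_parameters = {
    "mesh" = ["default"]
    "role" = ["web"]
  }
  # Reject any attempt to mint a token for an arbitrary named dataplane.
  denied_parameters = {
    "dataplane" = []
  }
}
```

Binding the scoped policy to a workload-specific auth method (for example a Nomad or AWS IAM auth role) is what turns "who may join the mesh" into an auditable Vault decision rather than a shared secret.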
This issue was inactive for 30 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it promptly or attend the next triage meeting.
@p0pr0ck5 This is something myself and @nicholasjackson are actively working on. You can check out the current version here https://github.com/gregoryhunt/vault-plugin-kuma and a demo implementation here https://github.com/gregoryhunt/demo-kuma-vault
This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.
With https://github.com/kumahq/kuma/issues/4031 would this still be required?
Triage: yes, we may be able to implement this when we have offline signing tokens without any extra work on Vault side.
For Triage: is this still meaningful now that we support externally signed tokens?
No. Offline token issuing should solve this