node-vault
Authenticating with K8s auth
I would like to authenticate with the kubernetesLogin method in such a way that I could specify:
- endpoint (https://myendpoint)
- namespace (mynamespace)
- mountpoint (mymountpoint)
- role (myrole)
- jwt token (mytoken)
So that the request would be sent to the following URL:
- <endpoint>/v1/<namespace>/auth/<mountpoint>/login
for example: https://myendpoint/v1/mynamespace/auth/mymountpoint/login
and send the token and role in the JSON body of the request.
Based on the example here: https://github.com/kr1sp1n/node-vault/blob/master/example/auth_kubernetes.js I tried to authenticate in the following way:
import fs from 'fs';
import Vault from 'node-vault';

// Service account JWT mounted into the pod
const token = fs.readFileSync('/var/run/secrets/kubernetes.io/serviceaccount/token', 'utf8');
var options = {
  apiVersion: 'v1',
  endpoint: 'https://myendpoint',
  namespace: 'mynamespace',
  token
};
const vault = Vault(options);
var option2 = {
  mount_point: 'mymountpoint',
  type: 'kubernetes',
  description: 'Kubernetes auth',
};
// Enable the auth method, then log in with the role and the JWT
vault.enableAuth(option2)
  .then(() => vault.kubernetesLogin({ role: "myrole", jwt: token }))
  .then(console.log)
  .catch((err) => console.error(err.message));
This authentication is unsuccessful. When I debug the URL that is generated by the library, I see that it passes the following request object:
headers: {X-Vault-Token: "mytoken", X-Vault-Namespace: "mynamespace"}
json: {mount_point: "mymountpoint", type: "kubernetes", description: "Kubernetes auth"}
method: "POST"
path: "/sys/auth/mymountpoint"
uri: "https://myendpoint/v1/sys/auth/mymountpoint"
Again, I was expecting the uri in this format: https://myendpoint/v1/mynamespace/auth/mymountpoint/login.
Could someone provide an example of how to correctly authenticate to k8s?
I've just found this. Hopefully it'll help you!
https://github.com/kr1sp1n/node-vault/blob/master/example/auth_kubernetes.js
Having the same issue. Unfortunately the example provided is not really helping much here.
@kbrueckner is this still happening?
Closing due to staleness for now. Please recreate an issue if it persists
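The login request described in the question, built directly against Vault's HTTP API with the namespace selected either by path prefix or by the X-Vault-Namespace header, which Vault treats as equivalent (an added example, not part of the original thread and not node-vault code). The function names are hypothetical and `login` assumes Node 18+ for the global `fetch`; the login call carries only role and jwt, while enabling an auth method is a separate administrative request to /sys/auth/<mountpoint>, the URI seen in the debug output.

```javascript
// Added example: build the Kubernetes auth login request by hand so the URI,
// headers and body can be inspected before anything is sent.
// buildKubernetesLoginRequest and login are hypothetical helper names.
function buildKubernetesLoginRequest({
  endpoint, namespace, mountPoint = 'kubernetes', role, jwt, namespaceInPath = false,
}) {
  if (!role || !jwt) throw new Error('role and jwt are required');
  const base = new URL(endpoint);
  // The service account JWT is a credential: never send it over plain HTTP.
  if (base.protocol !== 'https:') throw new Error('endpoint must use https');
  // Strip slashes so "/team-a/" and "team-a" produce the same path.
  const trim = (s) => String(s).replace(/^\/+|\/+$/g, '');
  const segments = ['v1'];
  const headers = { 'Content-Type': 'application/json' };
  if (namespace) {
    if (namespaceInPath) segments.push(...trim(namespace).split('/'));
    else headers['X-Vault-Namespace'] = trim(namespace);
  }
  segments.push('auth', ...trim(mountPoint).split('/'), 'login');
  return {
    method: 'POST',
    uri: base.origin + '/' + segments.map(encodeURIComponent).join('/'),
    headers, // no X-Vault-Token: the JWT in the body is what gets exchanged
    json: { role, jwt: jwt.trim() },
  };
}

// Sends the request and returns the Vault client token issued for the role.
async function login(params) {
  const req = buildKubernetesLoginRequest(params);
  const res = await fetch(req.uri, {
    method: req.method, headers: req.headers, body: JSON.stringify(req.json),
  });
  const body = await res.json();
  if (!res.ok) {
    throw new Error(`Vault login failed (${res.status}): ${(body.errors || []).join('; ')}`);
  }
  return body.auth.client_token;
}

// Constructed sample values taken from the question above.
console.log(buildKubernetesLoginRequest({
  endpoint: 'https://myendpoint', namespace: 'mynamespace',
  mountPoint: 'mymountpoint', role: 'myrole', jwt: 'mytoken', namespaceInPath: true,
}).uri);
```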