
RFE: please add auth method for approle

Open Andrei-Stepanov opened this issue 3 years ago • 4 comments

Hello,

At the moment, vault-kubernetes synchronization works only with a Vault deployment that supports the kubernetes auth method: https://www.vaultproject.io/docs/auth/kubernetes

https://github.com/postfinance/vaultk8s/blob/master/k8s.go#L129

It is very common to have Vault running as a distinct service without support for the kubernetes auth method.

The most popular way to authenticate to a Vault instance is the approle auth method: https://www.vaultproject.io/docs/auth/approle

Adding such authentication seems straightforward: one PUT with two params, role_id and secret_id: https://www.vaultproject.io/docs/auth/approle#via-the-api

Could you please add this auth method? This would allow authentication to a Vault that is installed at a different location.

Thank you.

Andrei-Stepanov avatar Jan 04 '22 16:01 Andrei-Stepanov

Hi Andrei

The project is intended to sync Kubernetes secrets with Vault, so you have a running Kubernetes cluster; otherwise you wouldn't use this project.

The kubernetes auth method is just a matter of configuration. Our Vault is running outside of Kubernetes and supports different auth methods.

With Kubernetes, we can use the token of a Kubernetes Service Account, whose authenticity can be verified with the Kubernetes API server. With role_id/secret_id you would add another secret.

HashiCorp added the Kubernetes auth to their Go API for Vault: github.com/hashicorp/vault/api/auth/kubernetes

There is a new version of our vaultk8s package ready to be released, using this package: https://github.com/postfinance/vaultk8s/blob/auth/k8s.go#L121

Maybe I missed a point, so please let me know.

Regards, Marc

marcsauter avatar Jan 06 '22 11:01 marcsauter
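To make the two exchanges under discussion concrete, here is the AppRole login Andrei describes (one request carrying role_id and secret_id) side by side with the Kubernetes login Marc refers to (the pod's service account JWT, which Vault verifies against the cluster's API server). This is an added example, not code from vaultk8s, which Marc says uses github.com/hashicorp/vault/api/auth/kubernetes; it uses only the Go standard library and a constructed in-process fake of Vault's two login endpoints so it runs offline. The role ID, secret ID, role name, JWT and returned tokens are all made-up values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// loginResponse is the subset of Vault's login reply that a client needs.
type loginResponse struct {
	Auth struct {
		ClientToken   string `json:"client_token"`
		LeaseDuration int    `json:"lease_duration"`
	} `json:"auth"`
	Errors []string `json:"errors"`
}

// vaultLogin posts a JSON payload to /v1/auth/<mount>/login and returns the
// client token. Both auth methods below use this one exchange; only the mount
// path and the credential fields differ.
func vaultLogin(addr, mount string, payload map[string]string) (string, error) {
	body, err := json.Marshal(payload)
	if err != nil {
		return "", err
	}
	url := strings.TrimRight(addr, "/") + "/v1/auth/" + mount + "/login"
	resp, err := http.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()

	var lr loginResponse
	if err := json.NewDecoder(resp.Body).Decode(&lr); err != nil {
		return "", fmt.Errorf("vault login %s: HTTP %d: %w", mount, resp.StatusCode, err)
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault login %s: HTTP %d: %s", mount, resp.StatusCode, strings.Join(lr.Errors, "; "))
	}
	if lr.Auth.ClientToken == "" {
		return "", errors.New("vault login: empty client_token")
	}
	return lr.Auth.ClientToken, nil
}

// AppRoleLogin is the exchange the issue asks for: one request with role_id
// and secret_id. The secret_id is a second secret the operator has to deliver
// to the cluster and rotate.
func AppRoleLogin(addr, roleID, secretID string) (string, error) {
	return vaultLogin(addr, "approle", map[string]string{"role_id": roleID, "secret_id": secretID})
}

// KubernetesLogin sends the service account JWT; a real Vault validates it
// with the cluster's TokenReview API, so no extra secret is distributed.
func KubernetesLogin(addr, role, jwt string) (string, error) {
	return vaultLogin(addr, "kubernetes", map[string]string{"role": role, "jwt": jwt})
}

// NewFakeVault is a constructed in-process stand-in for the two login
// endpoints so the example runs offline. All credentials here are made up.
func NewFakeVault() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		_ = json.NewDecoder(r.Body).Decode(&in)
		if in["role_id"] == "role-id-example" && in["secret_id"] == "secret-id-example" {
			fmt.Fprint(w, `{"auth":{"client_token":"hvs.approle-token","lease_duration":3600}}`)
			return
		}
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprint(w, `{"errors":["invalid role or secret ID"]}`)
	})
	mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		_ = json.NewDecoder(r.Body).Decode(&in)
		// A real Vault would call TokenReview here; the fake only checks the
		// role name and that something JWT-shaped was supplied.
		if in["role"] == "vault-kubernetes" && strings.HasPrefix(in["jwt"], "eyJ") {
			fmt.Fprint(w, `{"auth":{"client_token":"hvs.k8s-token","lease_duration":3600}}`)
			return
		}
		w.WriteHeader(http.StatusForbidden)
		fmt.Fprint(w, `{"errors":["permission denied"]}`)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeVault()
	defer srv.Close()
	tok, err := AppRoleLogin(srv.URL, "role-id-example", "secret-id-example")
	fmt.Println("approle:", tok, err)
	tok, err = KubernetesLogin(srv.URL, "vault-kubernetes", "eyJhbGciOi.constructed.jwt")
	fmt.Println("kubernetes:", tok, err)
	_, err = AppRoleLogin(srv.URL, "role-id-example", "wrong")
	fmt.Println("approle with bad secret_id:", err)
}
```

Whichever method is used, the caller ends up holding a client token; the operational difference is where the credential that earns it comes from. With AppRole the secret_id must be placed in the cluster (and rotated) by someone, whereas with the kubernetes method the credential is the service account token the pod already has, and Vault checks it against the API server, which is the point Marc makes above.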

> Our Vault is running outside of Kubernetes and supports different auth methods.

Hello @marcsauter.

Let me try to explain.

  1. Vault is running outside of Kubernetes.
  2. We need an auth method for Vault: approle.
  3. vault-kubernetes supports only the kubernetes auth method.

What we need: authentication to Vault with the approle auth method.

How do we sync secrets from a Vault that doesn't have the kubernetes auth method to K8S secrets?

Thank you.

Andrei-Stepanov avatar Jan 06 '22 12:01 Andrei-Stepanov

Hi Andrei

I will check how to support other authentication methods than kubernetes.

Again, our Vault is also running outside of Kubernetes; the only things necessary are a connection from Vault to the Kubernetes API server and the configuration: https://www.vaultproject.io/docs/auth/kubernetes#configuration

I'll keep you informed.

Regards, Marc

marcsauter avatar Jan 07 '22 09:01 marcsauter

Hello @Andrei-Stepanov

Please try v0.2.6

Best regards

marcsauter avatar Mar 14 '22 22:03 marcsauter