Add issuer on Vault k8s config for Kubernetes 1.21+ (#2)
asaintsever authored Nov 11, 2021
1 parent 8e9ef3e commit a33ebf9
Showing 3 changed files with 23 additions and 2 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,11 @@
# Changelog for Open Vault Agent Injector

## Release v1.0.1 - 2021-11-11

**Added**

- [OVAI #2](https://github.com/asaintsever/open-vault-agent-injector/pull/2) - Add issuer on [vault k8s config](https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer) for Kubernetes 1.21+

## Release v1.0.0 - 2021-09-21

**Changed**
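Review bot: the changelog entry should name the new host-side tooling the test script now needs. The issuer detection added in test/vault/init-test-vault-server.sh shells out to `jq` and `curl` and starts `kubectl proxy`, none of which the pre-change script used, so a short note next to the `OVAI #2` line such as "the test Vault init script now requires `jq` and `curl` on the machine running it" would save users an unexplained failure on a clean host.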
2 changes: 1 addition & 1 deletion VERSION_RELEASE
@@ -1 +1 @@
1.0.0
1.0.1
17 changes: 16 additions & 1 deletion test/vault/init-test-vault-server.sh
Expand Up @@ -27,7 +27,22 @@ export VAULT_SA_NAME=$(kubectl get sa vault -o jsonpath="{.secrets[*]['name']}")
export SA_JWT_TOKEN=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data.token}" | base64 --decode; echo)
export SA_CA_CRT=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)

${VAULT_POD} "VAULT_TOKEN=root vault write auth/kubernetes/config kubernetes_host=\"https://kubernetes:443\" kubernetes_ca_cert=\"$SA_CA_CRT\" token_reviewer_jwt=\"$SA_JWT_TOKEN\""
K8S_VER_MAJOR=$(kubectl version --short -o json | jq -r '.serverVersion.major')
K8S_VER_MINOR=$(kubectl version --short -o json | jq -r '.serverVersion.minor')

if [ $K8S_VER_MAJOR -ge 1 ] && [ $K8S_VER_MINOR -gt 20 ];then
echo "Kubernetes 1.21+: get service account issuer"
# See ref: https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer
kubectl proxy &
echo "Wait ..."
sleep 10
export SA_ISSUER=$(curl -s http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)
echo "Get issuer for cluster: $SA_ISSUER"

${VAULT_POD} "VAULT_TOKEN=root vault write auth/kubernetes/config kubernetes_host=\"https://kubernetes:443\" kubernetes_ca_cert=\"$SA_CA_CRT\" token_reviewer_jwt=\"$SA_JWT_TOKEN\" issuer=\"$SA_ISSUER\""
else
${VAULT_POD} "VAULT_TOKEN=root vault write auth/kubernetes/config kubernetes_host=\"https://kubernetes:443\" kubernetes_ca_cert=\"$SA_CA_CRT\" token_reviewer_jwt=\"$SA_JWT_TOKEN\""
fi

# Create roles for Vault K8S Auth Method
${VAULT_POD} "VAULT_TOKEN=root vault write auth/kubernetes/role/test bound_service_account_names=default,job-sa bound_service_account_namespaces=default policies=test_pol ttl=5m"
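Review bot: the `kubectl proxy &` started on the 1.21+ path is never stopped, so the script leaves a background proxy listening on 127.0.0.1:8001 after it exits; record the PID and stop it once the issuer has been read, e.g. `PROXY_PID=$!` right after `kubectl proxy &` and `kill $PROXY_PID` after the `export SA_ISSUER=...` line (or `trap 'kill $PROXY_PID' EXIT`). Two smaller points in the same block: `jq -r '.serverVersion.minor'` returns a non-numeric string such as `21+` on some managed clusters, which makes `[ $K8S_VER_MINOR -gt 20 ]` fail with an integer-expression error, so strip non-digits before the comparison (for example `| tr -dc '0-9'`); and the fixed `sleep 10` would be more reliable as a short loop polling `http://127.0.0.1:8001/.well-known/openid-configuration` until it answers. Finally, the `vault write auth/kubernetes/config ...` command is now duplicated between the two branches; building an optional `issuer=\"$SA_ISSUER\"` argument in a variable and issuing a single write would keep the two paths from drifting apart.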