From d189ebf7101f7a13c8b7d484a11a5b63f191a20f Mon Sep 17 00:00:00 2001 From: Tero Saarni Date: Tue, 21 Feb 2023 14:09:27 +0200 Subject: [PATCH] docs/k8s: updated helm doc for short-lived SA tokens (#15675) Signed-off-by: Tero Saarni --- .../k8s/helm/examples/kubernetes-auth.mdx | 24 ++++--------------- 1 file changed, 5 insertions(+), 19 deletions(-) diff --git a/website/content/docs/platform/k8s/helm/examples/kubernetes-auth.mdx b/website/content/docs/platform/k8s/helm/examples/kubernetes-auth.mdx index 9f208e80aa95..762b71e1c7b7 100644 --- a/website/content/docs/platform/k8s/helm/examples/kubernetes-auth.mdx +++ b/website/content/docs/platform/k8s/helm/examples/kubernetes-auth.mdx 
@@ -14,33 +14,19 @@ In this example, we will walk through how to set up the [Kubernetes Auth Method] This assumes the following commands will be run inside a Vault pod running in Kubernetes. -You will optionally need the following variables: - -```bash -# JWT is a service account token that has access to the Kubernetes TokenReview API -# You can retrieve this from inside a pod at: /var/run/secrets/kubernetes.io/serviceaccount/token -JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) - -# Address of Kubernetes itself as viewed from inside a running pod -KUBERNETES_HOST=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 - -# Kubernetes internal CA -KUBERNETES_CA_CERT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt) -``` - Exec into the Vault pod: ```bash -kubectl exec -it vault-0 /bin/sh +kubectl exec -it vault-0 -- /bin/sh ``` -Then run the following command to configure the Kubernetes Auth Method: +If you didn't set `server.dev.enabled=true`, you'll need to log in to Vault first using `vault login`. +Then run the following commands to configure the Kubernetes Auth Method: ```bash +vault auth enable kubernetes vault write auth/kubernetes/config \ - token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ - kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt + kubernetes_host=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT ``` From here you can continue to configure Vault from the [Kubernetes Auth Method](/vault/docs/auth/kubernetes) documentation.
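Review bot: The rewritten `vault write auth/kubernetes/config` block drops both `token_reviewer_jwt` and `kubernetes_ca_cert` without telling the reader why they are no longer needed, so someone following the page could reasonably think the config is now incomplete. The commit subject says this is for short-lived SA tokens, but that reasoning never reaches the page text; one sentence before the code block along the lines of "when `token_reviewer_jwt` and `kubernetes_ca_cert` are omitted, Vault uses the token and CA mounted into its own pod" would explain the removal and also make clear that the shortened form applies to Vault running inside the cluster (which the unchanged line "This assumes the following commands will be run inside a Vault pod running in Kubernetes" already implies). It is also worth noting that the old variables block pinned the token to a value read once (`JWT=$(cat ...)`), which is exactly what breaks once the kubelet rotates the token, so pointing readers to the mounted file rather than a captured variable is the behaviour change the page is really documenting. The `kubectl exec -it vault-0 -- /bin/sh` fix and the added `vault auth enable kubernetes` line are both good additions, and the deletion of the now-unused `JWT`, `KUBERNETES_HOST` and `KUBERNETES_CA_CERT` variables is correct since nothing in the remaining text references them.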