
Use token from CSI TokenRequests #163

Merged: 8 commits merged into main from use-csi-token-request, Mar 20, 2023

Conversation

tomhjp
Contributor

@tomhjp tomhjp commented Jun 14, 2022

The Secrets Store CSI driver supports sending a token as part of the mount request as of 1.1.0 (relevant issue with rollout timeline), which is based on this feature from this KEP.

TL;DR is you use --set tokenRequests[0].audience="vault" when installing the CSI driver, and then it will populate a "csi.storage.k8s.io/serviceAccount.tokens" field in the mount parameters which contains a token generated for the audience "vault". That way, vault-csi-provider doesn't have to generate its own token for the requesting pod, and we can remove those Kubernetes permissions once we're ready to deprecate that way of doing things. However, I don't think we should deprecate immediately, as it still relies on Kubernetes 1.21+ and a pretty recent CSI driver version.

A really nice feature is that it will cache the token per-pod, so each pod will get the same JWT on each mount request until it expires. This will make it much easier to add Vault Agent as a sidecar in a way that caching will work (i.e. issue #90).
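As an added example (not code from this PR or from vault-csi-provider), a small Go helper that reads the `csi.storage.k8s.io/serviceAccount.tokens` mount attribute described above and returns the token minted for the "vault" audience, refusing missing, malformed or expired entries. The JSON layout (audience mapped to `token` and `expirationTimestamp`) is the one the Kubernetes CSI service-account-token feature produces; the sample attributes and placeholder JWT are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// tokensKey is the mount-attribute key the CSI driver populates when installed with --set tokenRequests[0].audience="vault".
const tokensKey = "csi.storage.k8s.io/serviceAccount.tokens"

// serviceAccountToken mirrors one entry of the JSON map stored under tokensKey.
type serviceAccountToken struct {
	Token               string    `json:"token"`
	ExpirationTimestamp time.Time `json:"expirationTimestamp"`
}

// tokenForAudience extracts the token for the given audience from the mount attributes, rejecting missing, malformed or expired tokens.
func tokenForAudience(attrs map[string]string, audience string, now time.Time) (string, error) {
	raw, ok := attrs[tokensKey]
	if !ok || raw == "" {
		return "", fmt.Errorf("mount attributes lack %q; is the CSI driver installed with a tokenRequests entry for audience %q?", tokensKey, audience)
	}
	var tokens map[string]serviceAccountToken
	if err := json.Unmarshal([]byte(raw), &tokens); err != nil {
		return "", fmt.Errorf("parsing %q: %w", tokensKey, err)
	}
	tok, ok := tokens[audience]
	if !ok {
		return "", fmt.Errorf("no token for audience %q in %q", audience, tokensKey)
	}
	if tok.Token == "" {
		return "", fmt.Errorf("empty token for audience %q", audience)
	}
	// The driver caches the token per pod until it expires; treat an expired one as unusable rather than forwarding it to Vault.
	if !tok.ExpirationTimestamp.IsZero() && !now.Before(tok.ExpirationTimestamp) {
		return "", fmt.Errorf("token for audience %q expired at %s", audience, tok.ExpirationTimestamp.Format(time.RFC3339))
	}
	return tok.Token, nil
}

func main() {
	// Constructed sample of what the driver passes; the JWT is a placeholder, not a real token.
	attrs := map[string]string{
		tokensKey: `{"vault":{"token":"eyJ.constructed.placeholder","expirationTimestamp":"2030-01-01T00:00:00Z"}}`,
	}
	tok, err := tokenForAudience(attrs, "vault", time.Now())
	fmt.Println(tok, err)
}
```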

@tomhjp tomhjp requested review from swenson and tvoran June 14, 2022 23:27
Contributor

@swenson swenson left a comment


LGTM

Review threads on internal/config/config.go and CHANGELOG.md (outdated) were resolved.
tomhjp and others added 3 commits June 17, 2022 18:03
Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
@itspngu

itspngu commented Jan 5, 2023

Hey, wondering when/if this will make it to a release of the CSI driver. To my understanding these changes do not break any existing behaviours, they only allow using a new upstream feature. Are there any plans to get this merged?

@tomhjp
Contributor Author

tomhjp commented Mar 20, 2023

Sorry for the long delay on this PR. I've backed out the changelog notice that token generation will be deprecated, as I think that may still be useful longer term in some scenarios, but otherwise just merged in main.

@tomhjp tomhjp merged commit fdb36cd into main Mar 20, 2023
@tomhjp tomhjp deleted the use-csi-token-request branch March 20, 2023 16:42
tomhjp added a commit that referenced this pull request Mar 20, 2023
tomhjp added a commit that referenced this pull request Mar 21, 2023
4 participants