Skip to content

Commit

Permalink
Enable Vault to review kube tokens when using external Vault
Browse files Browse the repository at this point in the history
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.

We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].

These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.

User might want to provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.

refs #376

[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
  • Loading branch information
jfroche committed Oct 16, 2020
1 parent 994797c commit 4778894
Show file tree
Hide file tree
Showing 4 changed files with 15 additions and 17 deletions.
2 changes: 0 additions & 2 deletions templates/server-clusterrolebinding.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
Expand All @@ -19,4 +18,3 @@ subjects:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}
2 changes: 0 additions & 2 deletions templates/server-serviceaccount.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
apiVersion: v1
Expand All @@ -15,4 +14,3 @@ metadata:
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}
{{ end }}
{{ end }}
4 changes: 2 additions & 2 deletions test/unit/server-clusterrolebinding.bats
Original file line number Diff line number Diff line change
Expand Up @@ -61,12 +61,12 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "server/ClusterRoleBinding: disable with injector.externalVaultAddr" {
@test "server/ClusterRoleBinding: also deploy with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-clusterrolebinding.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
[ "${actual}" = "true" ]
}
24 changes: 13 additions & 11 deletions values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ injector:
# sidecar-injector: enabled
namespaceSelector: {}

# Configures failurePolicy of the webhook. By default webhook failures are ignored.
# Configures failurePolicy of the webhook. By default webhook failures are ignored.
# To block pod creation while webhook is unavailable, set the policy to `Fail` below.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
#
Expand Down Expand Up @@ -229,7 +229,7 @@ server:
enabled: true
# If you need to use a http path instead of the default exec
# path: /v1/sys/health?standbyok=true

# When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 2
# Number of seconds after the container has started before probe initiates
Expand Down Expand Up @@ -429,9 +429,9 @@ server:
# and store data there. This is only used when using a Replica count of 1, and
# using a stateful set. This should be HCL.

# Note: Configuration files are stored in ConfigMaps so sensitive data
# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# or through a Kube secret. For more information see:
# https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
Expand Down Expand Up @@ -479,10 +479,10 @@ server:
enabled: false
# Set the Node Raft ID to the name of the pod
setNodeId: false
# Note: Configuration files are stored in ConfigMaps so sensitive data

# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# or through a Kube secret. For more information see:
# https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
Expand All @@ -498,14 +498,14 @@ server:
}
service_registration "kubernetes" {}
# config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a Consul for its HA storage backend.
# This should be HCL.
# Note: Configuration files are stored in ConfigMaps so sensitive data

# Note: Configuration files are stored in ConfigMaps so sensitive data
# such as passwords should be either mounted through extraSecretEnvironmentVars
# or through a Kube secret. For more information see:
# or through a Kube secret. For more information see:
# https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
config: |
ui = true
Expand Down Expand Up @@ -542,6 +542,8 @@ server:
maxUnavailable: null

# Definition of the serviceAccount used to run Vault.
# These options are also used when using an external Vault server to validate
# Kubernetes tokens.
serviceAccount:
# Specifies whether a service account should be created
create: true
Expand Down

0 comments on commit 4778894

Please sign in to comment.