Enable Vault to review kube tokens when using external Vault

We want Vault to perform token reviews with Kubernetes even if we are using an external Vault. We need to create the ServiceAccount, Secret and ClusterRoleBinding with the system:auth-delegator role to enable delegated authentication and authorization checks [1]. These SA and RBAC objects are created when we deploy the Vault server. In order to enable the creation of these objects when using an external Vault, we remove the condition on external mode. We also improve the visibility of the options we move the serviceAccount options from the server into the global section. User might want to provide a sensible name (in global.serviceAccount.name) to the service account such as: vault-auth. refs hashicorp#376 [1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
jfroche · Sep 29, 2020 · f26d636 · f26d636
1 parent c16905e
commit f26d636
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 34 deletions.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -301,24 +301,24 @@ Sets extra ui service annotations
 Create the name of the service account to use
 */}}
 {{- define "vault.serviceAccount.name" -}}
-{{- if .Values.server.serviceAccount.create -}}
-    {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }}
+{{- if .Values.global.serviceAccount.create -}}
+    {{ default (include "vault.fullname" .) .Values.global.serviceAccount.name }}
 {{- else -}}
-    {{ default "default" .Values.server.serviceAccount.name }}
+    {{ default "default" .Values.global.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 
 {{/*
 Sets extra service account annotations
 */}}
 {{- define "vault.serviceAccount.annotations" -}}
-  {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }}
+  {{- if and (ne .mode "dev") .Values.global.serviceAccount.annotations }}
   annotations:
-    {{- $tp := typeOf .Values.server.serviceAccount.annotations }}
+    {{- $tp := typeOf .Values.global.serviceAccount.annotations }}
     {{- if eq $tp "string" }}
-      {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }}
+      {{- tpl .Values.global.serviceAccount.annotations . | nindent 4 }}
     {{- else }}
-      {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }}
+      {{- toYaml .Values.global.serviceAccount.annotations | nindent 4 }}
     {{- end }}
   {{- end }}
 {{- end -}}

diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml
@@ -1,5 +1,4 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@@ -19,4 +18,3 @@ subjects:
   name: {{ template "vault.serviceAccount.name" . }}
   namespace: {{ .Release.Namespace }}
 {{ end }}
-{{ end }}
diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml
@@ -1,7 +1,6 @@
 {{ template "vault.mode" . }}
-{{- if ne .mode "external" }}
 {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
-{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
+{{- if (eq (.Values.global.serviceAccount.create | toString) "true" ) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -15,4 +14,3 @@ metadata:
   {{ template "vault.serviceAccount.annotations" . }}
 {{ end }}
 {{ end }}
-{{ end }}
diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats
@@ -8,15 +8,15 @@ load _helpers
   local actual=$( (helm template \
       --show-only templates/server-serviceaccount.yaml  \
       --set 'server.dev.enabled=true' \
-      --set 'server.serviceAccount.create=false' \
+      --set 'global.serviceAccount.create=false' \
       . || echo "---") | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
   local actual=$(helm template \
       --show-only templates/server-serviceaccount.yaml  \
       --set 'server.dev.enabled=true' \
-      --set 'server.serviceAccount.name=user-defined-ksa' \
+      --set 'global.serviceAccount.name=user-defined-ksa' \
       . | tee /dev/stderr |
       yq -r '.metadata.name' | tee /dev/stderr)
   [ "${actual}" = "user-defined-ksa" ]
@@ -35,23 +35,23 @@ load _helpers
   local actual=$(helm template \
       --show-only templates/server-serviceaccount.yaml  \
       --set 'server.dev.enabled=true' \
-      --set 'server.serviceAccount.annotations=foo: bar' \
+      --set 'global.serviceAccount.annotations=foo: bar' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "null" ]
 
   local actual=$(helm template \
       --show-only templates/server-serviceaccount.yaml  \
       --set 'server.ha.enabled=true' \
-      --set 'server.serviceAccount.annotations=foo: bar' \
+      --set 'global.serviceAccount.annotations=foo: bar' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "bar" ]
 
   local actual=$(helm template \
       --show-only templates/server-serviceaccount.yaml  \
       --set 'server.ha.enabled=true' \
-      --set 'server.serviceAccount.annotations.foo=bar' \
+      --set 'global.serviceAccount.annotations.foo=bar' \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
   [ "${actual}" = "bar" ]

diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
@@ -1407,16 +1407,16 @@ load _helpers
 
  local actual=$(helm template \
       --show-only templates/server-statefulset.yaml  \
-      --set 'server.serviceAccount.create=false' \
-      --set 'server.serviceAccount.name=user-defined-ksa' \
+      --set 'global.serviceAccount.create=false' \
+      --set 'global.serviceAccount.name=user-defined-ksa' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
   [ "${actual}" = "user-defined-ksa" ]
 
  local actual=$(helm template \
       --show-only templates/server-statefulset.yaml  \
-      --set 'server.serviceAccount.create=true' \
-      --set 'server.serviceAccount.name=user-defined-ksa' \
+      --set 'global.serviceAccount.create=true' \
+      --set 'global.serviceAccount.name=user-defined-ksa' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
   [ "${actual}" = "user-defined-ksa" ]
@@ -1427,14 +1427,14 @@ load _helpers
 
  local actual=$(helm template \
       --show-only templates/server-statefulset.yaml  \
-      --set 'server.serviceAccount.create=false' \
+      --set 'global.serviceAccount.create=false' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
   [ "${actual}" = "default" ]
 
  local actual=$(helm template \
       --show-only templates/server-statefulset.yaml  \
-      --set 'server.serviceAccount.create=true' \
+      --set 'global.serviceAccount.create=true' \
       . | tee /dev/stderr |
       yq -r '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
   [ "${actual}" = "RELEASE-NAME-vault" ]

diff --git a/values.yaml b/values.yaml
@@ -22,6 +22,19 @@ global:
       apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
       seccomp.security.alpha.kubernetes.io/defaultProfileName:  runtime/default
       apparmor.security.beta.kubernetes.io/defaultProfileName:  runtime/default
+  # Definition of the serviceAccount used to run Vault.
+  # These options are also used when using an external Vault server to validate
+  # Kubernetes tokens.
+  serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: ""
+    # Extra annotations for the serviceAccount definition. This can either be
+    # YAML or a YAML-formatted multi-line templated string map of the
+    # annotations to apply to the serviceAccount.
+    annotations: {}
 
 injector:
   # True if you want to enable vault agent injection.
@@ -526,17 +539,6 @@ server:
     # replicas. If you'd like a custom value, you can specify an override here.
       maxUnavailable: null
 
-  # Definition of the serviceAccount used to run Vault.
-  serviceAccount:
-    # Specifies whether a service account should be created
-    create: true
-    # The name of the service account to use.
-    # If not set and create is true, a name is generated using the fullname template
-    name: ""
-    # Extra annotations for the serviceAccount definition. This can either be
-    # YAML or a YAML-formatted multi-line templated string map of the
-    # annotations to apply to the serviceAccount.
-    annotations: {}
 
   # Settings for the statefulSet used to run Vault.
   statefulSet: