Comments (6)
saikatharryc
commented on August 25, 2024
1
I would say it's more of a feature request,
and this is one of the most useful as well since not many people would use the same role for the whole cluster.
but this might provide them an option to override the default role used. (in this case vault-secrets-operator)
is it possible that when the operator on-demand pulling the secrets, we can pass a different role?
and by default for the operator to run we can have vault-secrets-operator as usual, to which we can give very minimal permission.
TL;DR everything would be the same,
just that, role passing through the VaultSecret will be overridden while pulling that particular secret.
E.g:
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
name: {{ .Chart.Name }}-secrets
namespace: {{ .Release.Namespace }}
spec:
role: NewRole
path: "{{ .Release.Namespace }}/{{ .Chart.Name }}"
type: Opaque
In this case, NewRole will be used while pulling the secret from "{{ .Release.Namespace }}/{{ .Chart.Name }}" path.
from vault-secrets-operator.
ricoberger
commented on August 25, 2024
1
Hi @saikatharryc, I looked a bit deeper into this and If we found a good way to implement this, we can do it. Before we start implementing this I would clarify the process, so that we are on the same track.
We enable the Kubernetes auth method and tell Vault how to communicate with the Kubernetes cluster:
vault auth enable kubernetes
vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="$K8S_HOST" kubernetes_ca_cert="$SA_CA_CRT"No we are creating different roles with different policies:
# Create default role and policy, which is only needed to not introduce a breaking change or we have to bump the major version:
vault write auth/kubernetes/role/vault-secrets-operator bound_service_account_names="vault-secrets-operator" bound_service_account_namespaces="$VAULT_SECRETS_OPERATOR_NAMESPACE" policies=vault-secrets-operator ttl=24h
# Create fine granular roles:
# myrole1 can access everything under the 'foobar' path
vault write auth/kubernetes/role/myrole1 bound_service_account_names="vault-secrets-operator" bound_service_account_namespaces="$VAULT_SECRETS_OPERATOR_NAMESPACE" policies=mypolicy1 ttl=24h
# myrole2 can access everything under the 'helloworld' path
vault write auth/kubernetes/role/myrole2 bound_service_account_names="vault-secrets-operator" bound_service_account_namespaces="$VAULT_SECRETS_OPERATOR_NAMESPACE" policies=mypolicy2 ttl=24h
# myrole3 can access everything under the 'abcxyz' path
vault write auth/kubernetes/role/myrole2 bound_service_account_names="vault-secrets-operator" bound_service_account_namespaces="$VAULT_SECRETS_OPERATOR_NAMESPACE" policies=mypolicy2 ttl=24hNow we can use the operator and we are creating the following secret:
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
name: test
namespace: default
spec:
role: myrole1
path: foobar/test
type: OpaqueThe operator reconciles the new secret and sees that he should use a different role for this secret. So before pulling the secret we have to authenticate against Vault under the path where the auth method was enabled (VAULT_KUBERNETES_PATH), the mounted ServiceAccount token from /var/run/secrets/kubernetes.io/serviceaccount/token and the role myrole1:
vault write auth/kubernetes/login role= myrole1 jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)Here we could reuse the implementation from the vault.go file, but maybe we can skip the renewing of the token to make the implementation easier and to only allow very short lived tokens:
vault-secrets-operator/vault/vault.go
Line 142 in 1d5dba9
With the returned Vault token we get the secret as usual.
Is this the way you had in mind?
from vault-secrets-operator.
ricoberger
commented on August 25, 2024
Hi @saikatharryc,
I'm not sure if this is possible, because we have to provide the policy during the setup of the operator. When we create the role with the following command:
vault write auth/kubernetes/role/vault-secrets-operator \
bound_service_account_names="vault-secrets-operator" \
bound_service_account_namespaces="$VAULT_SECRETS_OPERATOR_NAMESPACE" \
policies=vault-secrets-operator \
ttl=24hfrom vault-secrets-operator.
saikatharryc
commented on August 25, 2024
Yes, @ricoberger this is the exact point I had in mind!
Implementation of this would be extremely useful.
from vault-secrets-operator.
ricoberger
commented on August 25, 2024
Hi @saikatharryc, it is now possible to set the Vault Role via the vaultRole property in the VaultSecret.
The new 1.11.0 release contains this feature.
from vault-secrets-operator.
saikatharryc
commented on August 25, 2024
Thanks a lot! I will test this out.
from vault-secrets-operator.
Related Issues (20)
- Adding support for more `SecretEngine`s? HOT 1
- Add multi-cluster k8s support? HOT 1
- Install via GitOps way (FluxCD)? HOT 2
- Vault operator init command error with new vault image 1.12.1 HOT 1
- kubernetes auth not working HOT 8
- Recovering from an invalid key in Vault by vault-secrets-operator in VaultSecret object HOT 3
- Future of the project HOT 2
- Image/Release version mismatch HOT 2
- Error in time start pod 'unsupported protocol scheme' HOT 1
- no azure identity found for request clientID HOT 4
- Throw the error that could not update status when delete VaultSecret via foreground cascading deletion HOT 1
- Add support for RabbitMQ secret engine HOT 1
- Security question - bind vaultRole to k8s namespace HOT 1
- Exclude given VaultSecrets HOT 9
- How to force update the generated Secret when the value is changed in Vault? HOT 2
- Metrics not cleaned up after secret removal HOT 1
- error: leader election lost HOT 4
- TLS failed to verify certificate HOT 4
- AWS IAM Authentication - Experiencing issues because VSO is not renewing IAM Role Token inside Kuberenetes Pod (IRSA) HOT 1
- Check secret resource is changed before updating it
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vault-secrets-operator.