Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Enable Vault to review kube tokens when using external Vault (#392)

Browse source 
We want Vault to perform token reviews with Kubernetes even if we are
using an external Vault.

We need to create the ServiceAccount, Secret and ClusterRoleBinding with
the system:auth-delegator role to enable delegated authentication and
authorization checks [1].

These SA and RBAC objects are created when we deploy the Vault server.
In order to enable the creation of these objects when using an external
Vault, we remove the condition on external mode.

User might want to provide a sensible name (in global.serviceAccount.name) to the service
account such as: vault-auth.

refs #376

[1] https://www.vaultproject.io/docs/auth/kubernetes#configuring-kubernetes
This commit is contained in:
Jean-François Roche 2020-10-20 15:34:48 +02:00 committed by GitHub
parent f6123b8ed2
commit c45f9b997d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 15 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
templates/server-clusterrolebinding.yaml
View file

@ -1,5 +1,4 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
@ -19,4 +18,3 @@ subjects:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ end }}

2
templates/server-serviceaccount.yaml
View file

@ -1,5 +1,4 @@
{{ template "vault.mode" . }}
{{- if ne .mode "external" }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
{{- if (eq (.Values.server.serviceAccount.create | toString) "true" ) }}
apiVersion: v1
@ -15,4 +14,3 @@ metadata:
{{ template "vault.serviceAccount.annotations" . }}
{{ end }}
{{ end }}
{{ end }}

4
test/unit/server-clusterrolebinding.bats
View file

@ -61,12 +61,12 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "server/ClusterRoleBinding: disable with injector.externalVaultAddr" {
@test "server/ClusterRoleBinding: also deploy with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-clusterrolebinding.yaml \
--set 'injector.externalVaultAddr=http://vault-outside' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
[ "${actual}" = "true" ]
}

2
values.yaml
View file

@ -542,6 +542,8 @@ server:
maxUnavailable: null
# Definition of the serviceAccount used to run Vault.
# These options are also used when using an external Vault server to validate
# Kubernetes tokens.
serviceAccount:
# Specifies whether a service account should be created
create: true