Add Boundary configurations to setup kms transit authentication using Vault K8s Auth Method

[fafg]

Is your feature request related to a problem? Please describe.
KMS Transit (Vault) can't connect to a hashicorp vault instance in kubernetes using vault k8s auth method.

Describe the solution you'd like
I want to set parameters like this: (minimum)

    kms "transit" {
      // common
      purpose    = "root"
      address   = "https://vault.vault.svc.cluster.local:8200"
      disable_renewal    = "false"

      // Key configuration
      key_name           = "transit_key_name"
      mount_path         = "transit/"
      namespace          = "ns1/"

      // k8s auth configuration
      role_name = "boundary_vault_role"

      // TLS configuration
      tls_ca_path = "/etc/ssl/vault/certs/ca.crt"
      tls_skip_verify    = "false"
    }

or more customized like:

    kms "transit" {
      // common
      purpose    = "root"
      address   = "https://vault.vault.svc.cluster.local:8200"
      disable_renewal    = "false"

      // Key configuration
      key_name           = "transit_key_name"
      mount_path         = "transit/"
      namespace          = "ns1/"

      // k8s auth configuration
      role_name = "boundary_vault_role"
      // optional (default: kubernetes)
      kubernetes_mount_path = "kubernetes"
      // optional (default: /var/run/secrets/kubernetes.io/serviceaccount/token)
      service_account_token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"

      // TLS configuration
      tls_ca_path = "/etc/ssl/vault/certs/ca.crt"
      tls_skip_verify    = "false"
    }

With this in place, I can use Boundary to authenticate against Vault using Vault's k8s auth method based on k8s Service Account. So the vault setup will be responsible for giving the proper permissions to the Boundary k8s service account via policy and Vault Role.

Pull Request: hashicorp/go-kms-wrapping#177

This can be an alternative to authenticate Boundary to Vault without client TLS certificates and token. This is gonna be very helpful when you have both Vault and Boundary set up into a k8s cluster.

[fafg]

hello?

[jefferai]

Hello!

Normally the way you'd handle this is via using Vault Agent to auto-auth and provide the token to Boundary. Please take a look at https://developer.hashicorp.com/vault/docs/agent-and-proxy/autoauth/methods/kubernetes which describes auto-auth via the Kubernetes auth method. The token can be written to a file and sourced as env var VAULT_TOKEN when launching.

It's a bit convoluted but can be done today; I think it would be nice if in the future the transit wrapper could source from a file in a manner similar to how much of Boundary's configuration works, which would make this simpler.

[fafg]

It's a bit convoluted but can be done today; I think it would be nice if in the future the transit wrapper could source from a file in a manner similar to how much of Boundary's configuration works, which would make this simpler.

kubernetes auth method brings this file to the pod(default path): /var/run/secrets/kubernetes.io/serviceaccount/token

then on the boundary side auth configuration would resume to:

kms "transit" {

  // k8s auth configuration
  role_name = "boundary_vault_role"

}

then, of course, from the vault side, you would need to configure:

1. enable Kubernetes auth method
2. create a policy
3. create a Kubernetes role that points to the Kubernetes boundary namespace, boundary service account and uses the policy you have created previously

then you are good without credentials or a vault agent, which would be one more way of providing an authentication method.

the PR would be this addition. But I am ok if you guys think it is not needed.