
Allow Agent auto auth to read symlinked JWT files #11502

Merged
merged 4 commits into master from allow-agent-auto-auth-symlink-jwt on May 6, 2021

Conversation

tomhjp (Contributor) commented Apr 30, 2021

This came up when helping someone to set up JWT auto auth with Vault Agent in Kubernetes. They had lots of Kubernetes clusters and so didn't want to have to set up a Kubernetes auth mount for each cluster, and instead wanted to use projected Service Account tokens with the JWT auth method. Kubernetes mounts projected tokens using symlinks from an immutable volume mount to help it rotate JWTs when they expire. In this case, the fact that the JWT was a symlink stopped JWT auto auth from working, but I see no reason we can't support symlinks in this case.

Currently, the tests are a little fragile in relying on log output. I opted not to change the signature of `ingressToken` to return an error because the actual production code would never pay attention to or change its behaviour based on the return value, but I'm very open to feedback on that.

Lastly, I have opted to allow `ioutil.ReadFile` to handle any errors from cases such as a symlink pointing to a directory for simplicity, as when experimenting I found the error message was clear enough without additional handling, e.g. `read sym-dir: is a directory`. It's possible I've missed a separate motivation for the `IsRegular()` check though.
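The description above turns on two details: kubelet publishes a projected token as a chain of symlinks (`token -> ..data/token`, with `..data` swapped atomically on rotation), and a regular-file check done with `os.Lstat` sees the symlink rather than the file behind it. The following is an added example, not Vault's own code, that reproduces that layout in a temporary directory and contrasts a non-following `Lstat` check with a `Stat`-based read that follows the link and still rejects a symlink to a directory. The directory naming (`..<timestamp>`, `..data`, `..data_tmp`) mirrors kubelet's atomic-writer convention; the helper names, the timestamps and the token strings are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// readTokenFile reads a JWT from path, following symlinks. os.Stat resolves
// symlinks (os.Lstat does not), so the IsRegular check here only rejects
// targets that really are not regular files, such as a symlink to a directory.
func readTokenFile(path string) (string, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return "", fmt.Errorf("stat %s: %w", path, err)
	}
	if !fi.Mode().IsRegular() {
		return "", fmt.Errorf("%s resolves to %v, not a regular file", path, fi.Mode().Type())
	}
	b, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read %s: %w", path, err)
	}
	tok := strings.TrimSpace(string(b))
	if tok == "" {
		return "", fmt.Errorf("%s is empty", path)
	}
	return tok, nil
}

// isRegularNoFollow is the non-following style of check: Lstat inspects the
// link itself, so a symlinked token reports false even though the file it
// points to is a regular file.
func isRegularNoFollow(path string) (bool, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return false, err
	}
	return fi.Mode().IsRegular(), nil
}

// writeProjectedToken lays out dir the way a kubelet projected volume does
// (example reproduction of the atomic-writer layout; timestamp is an
// assumption chosen by the caller):
//
//	dir/..<timestamp>/token   the real file
//	dir/..data                symlink -> ..<timestamp>, swapped atomically
//	dir/token                 symlink -> ..data/token, created once, never rewritten
//
// Calling it again with a new timestamp and token rotates the token without
// touching the dir/token symlink that a reader holds on to.
func writeProjectedToken(dir, timestamp, token string) (string, error) {
	realDir := filepath.Join(dir, ".."+timestamp)
	if err := os.MkdirAll(realDir, 0o700); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(realDir, "token"), []byte(token+"\n"), 0o600); err != nil {
		return "", err
	}
	// Create the new ..data link under a temporary name, then rename it over
	// the old one so readers never observe a missing ..data.
	tmp := filepath.Join(dir, "..data_tmp")
	_ = os.Remove(tmp)
	if err := os.Symlink(".."+timestamp, tmp); err != nil {
		return "", err
	}
	if err := os.Rename(tmp, filepath.Join(dir, "..data")); err != nil {
		return "", err
	}
	link := filepath.Join(dir, "token")
	if _, err := os.Lstat(link); errors.Is(err, os.ErrNotExist) {
		if err := os.Symlink(filepath.Join("..data", "token"), link); err != nil {
			return "", err
		}
	}
	return link, nil
}

func main() {
	dir, err := os.MkdirTemp("", "projected-token")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed, unsigned-looking token purely for illustration.
	link, err := writeProjectedToken(dir, "2021_04_30_13_51", "eyJhbGciOiJSUzI1NiJ9.e30.c2ln")
	if err != nil {
		panic(err)
	}
	reg, _ := isRegularNoFollow(link)
	tok, err := readTokenFile(link)
	fmt.Printf("Lstat IsRegular=%v; Stat-based read=%q err=%v\n", reg, tok, err)

	// Rotate: only ..data is repointed, the token symlink stays the same.
	if _, err := writeProjectedToken(dir, "2021_04_30_14_51", "eyJhbGciOiJSUzI1NiJ9.e30.cm90"); err != nil {
		panic(err)
	}
	tok, _ = readTokenFile(link)
	fmt.Printf("after rotation=%q\n", tok)

	// A symlink to a directory is still refused with a clear error.
	dirLink := filepath.Join(dir, "sym-dir")
	_ = os.Symlink("..data", dirLink)
	_, err = readTokenFile(dirLink)
	fmt.Println("sym-dir:", err)
}
```

The rotation step is the part worth noticing from an agent's point of view: because kubelet repoints `..data` rather than rewriting `token`, a reader that resolved the symlink once and cached the real path would keep reading the old directory, while one that re-reads `dir/token` on every auth attempt picks up the rotated token.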

@tomhjp tomhjp requested review from tvoran and calvn April 30, 2021 13:51
Review comments (resolved) on command/agent/auth/jwt/jwt_test.go and command/agent/auth/jwt/jwt.go
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
@tomhjp tomhjp merged commit d60b698 into master May 6, 2021
@tomhjp tomhjp deleted the allow-agent-auto-auth-symlink-jwt branch May 6, 2021 13:12
AndreyZamyslov pushed a commit to yandex-cloud/vault that referenced this pull request Jun 10, 2021
tvoran added a commit that referenced this pull request Jun 25, 2021
tvoran added a commit that referenced this pull request Jun 25, 2021
jartek pushed a commit to jartek/vault that referenced this pull request Sep 11, 2021
jartek pushed a commit to jartek/vault that referenced this pull request Sep 11, 2021