vault: use static token reviewer

2026-01-15 02:14:08 -03:00 · 2026-01-15 02:14:08 -03:00 · 74a2b3e28d
commit 74a2b3e28d
parent 84ccf35c44
4 changed files with 27 additions and 1 deletions
--- a/services/vault/k8s-auth-config-cronjob.yaml
+++ b/services/vault/k8s-auth-config-cronjob.yaml
@ -31,14 +31,22 @@ spec:
                  value: http://vault.vault.svc.cluster.local:8200
                - name: VAULT_K8S_ROLE
                  value: vault-admin
+                - name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE
+                  value: /var/run/secrets/vault-token-reviewer/token
                - name: VAULT_K8S_ROLE_TTL
                  value: 1h
              volumeMounts:
                - name: k8s-auth-config-script
                  mountPath: /scripts
                  readOnly: true
+                - name: token-reviewer
+                  mountPath: /var/run/secrets/vault-token-reviewer
+                  readOnly: true
          volumes:
            - name: k8s-auth-config-script
              configMap:
                name: vault-k8s-auth-config-script
                defaultMode: 0555
+            - name: token-reviewer
+              secret:
+                secretName: vault-admin-token-reviewer
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@ -6,6 +6,7 @@ resources:
  - namespace.yaml
  - serviceaccount.yaml
  - serviceaccount-admin.yaml
+  - token-reviewer-secret.yaml
  - rbac.yaml
  - configmap.yaml
  - statefulset.yaml
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@ -38,6 +38,14 @@ k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"
 k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
 k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
 role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"
+token_reviewer_jwt="${VAULT_K8S_TOKEN_REVIEWER_JWT:-}"
+
+if [ -z "${token_reviewer_jwt}" ] && [ -n "${VAULT_K8S_TOKEN_REVIEWER_JWT_FILE:-}" ] && [ -r "${VAULT_K8S_TOKEN_REVIEWER_JWT_FILE}" ]; then
+  token_reviewer_jwt="$(cat "${VAULT_K8S_TOKEN_REVIEWER_JWT_FILE}")"
+fi
+if [ -z "${token_reviewer_jwt}" ]; then
+  token_reviewer_jwt="${k8s_token}"
+fi

 if ! vault auth list -format=json | grep -q '"kubernetes/"'; then
  log "enabling kubernetes auth"
@ -46,7 +54,7 @@ fi

 log "configuring kubernetes auth"
 vault write auth/kubernetes/config \
-  token_reviewer_jwt="${k8s_token}" \
+  token_reviewer_jwt="${token_reviewer_jwt}" \
  kubernetes_host="${k8s_host}" \
  kubernetes_ca_cert="${k8s_ca}"

--- a/services/vault/token-reviewer-secret.yaml
+++ b/services/vault/token-reviewer-secret.yaml
@ -0,0 +1,9 @@
+# services/vault/token-reviewer-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-admin-token-reviewer
+  namespace: vault
+  annotations:
+    kubernetes.io/service-account.name: vault-admin
+type: kubernetes.io/service-account-token