From 74a2b3e28dc5e823e7673beb71dd3900eabf1e79 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 15 Jan 2026 02:14:08 -0300
Subject: [PATCH] vault: use static token reviewer
---
 services/vault/k8s-auth-config-cronjob.yaml | 8 ++++++++
 services/vault/kustomization.yaml | 1 +
 services/vault/scripts/vault_k8s_auth_configure.sh | 10 +++++++++-
 services/vault/token-reviewer-secret.yaml | 9 +++++++++
 4 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 services/vault/token-reviewer-secret.yaml
diff --git a/services/vault/k8s-auth-config-cronjob.yaml b/services/vault/k8s-auth-config-cronjob.yaml
index e71570f..a49fe7d 100644
--- a/services/vault/k8s-auth-config-cronjob.yaml
+++ b/services/vault/k8s-auth-config-cronjob.yaml
@@ -31,14 +31,22 @@ spec:
 value: http://vault.vault.svc.cluster.local:8200
 - name: VAULT_K8S_ROLE
 value: vault-admin
+ - name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE
+ value: /var/run/secrets/vault-token-reviewer/token
 - name: VAULT_K8S_ROLE_TTL
 value: 1h
 volumeMounts:
 - name: k8s-auth-config-script
 mountPath: /scripts
 readOnly: true
+ - name: token-reviewer
+ mountPath: /var/run/secrets/vault-token-reviewer
+ readOnly: true
 volumes:
 - name: k8s-auth-config-script
 configMap:
 name: vault-k8s-auth-config-script
 defaultMode: 0555
+ - name: token-reviewer
+ secret:
+ secretName: vault-admin-token-reviewer
diff --git a/services/vault/kustomization.yaml b/services/vault/kustomization.yaml
index e9f15c1..060077b 100644
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - namespace.yaml
 - serviceaccount.yaml
 - serviceaccount-admin.yaml
+ - token-reviewer-secret.yaml
 - rbac.yaml
 - configmap.yaml
 - statefulset.yaml
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 2bc9166..ce9533c 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
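Review bot: The new `token-reviewer` secret volume is required, so if `vault-admin-token-reviewer` does not exist yet the Job pod never leaves ContainerCreating and the script's fallback to the pod's own service-account token can never run; the two halves of the change disagree on whether the Secret is mandatory. Either add `optional: true` under `secret:` so the fallback is reachable (at the cost of a silent downgrade to an expiring reviewer JWT), or drop the fallback in the script and state here that the Secret is a hard requirement. Note that a `kubernetes.io/service-account-token` Secret's `token` key is filled in by the controller after creation, so an early run can see the mount directory without the file, which is what the script's `-r` check covers. Whichever is chosen, the volume deserves a comment explaining the design, e.g. `# long-lived SA token for vault-admin: projected tokens expire and would leave Vault's stored token_reviewer_jwt stale (see token-reviewer-secret.yaml)`. The enclosing CronJob spec starts before this hunk.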
@@ -38,6 +38,14 @@ k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"
 k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
 k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
 role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"
+token_reviewer_jwt="${VAULT_K8S_TOKEN_REVIEWER_JWT:-}"
+
+if [ -z "${token_reviewer_jwt}" ] && [ -n "${VAULT_K8S_TOKEN_REVIEWER_JWT_FILE:-}" ] && [ -r "${VAULT_K8S_TOKEN_REVIEWER_JWT_FILE}" ]; then
+ token_reviewer_jwt="$(cat "${VAULT_K8S_TOKEN_REVIEWER_JWT_FILE}")"
+fi
+if [ -z "${token_reviewer_jwt}" ]; then
+ token_reviewer_jwt="${k8s_token}"
+fi
 if ! vault auth list -format=json | grep -q '"kubernetes/"'; then
 log "enabling kubernetes auth"
@@ -46,7 +54,7 @@ fi
 log "configuring kubernetes auth"
 vault write auth/kubernetes/config \
- token_reviewer_jwt="${k8s_token}" \
+ token_reviewer_jwt="${token_reviewer_jwt}" \
 kubernetes_host="${k8s_host}" \
 kubernetes_ca_cert="${k8s_ca}"
diff --git a/services/vault/token-reviewer-secret.yaml b/services/vault/token-reviewer-secret.yaml
new file mode 100644
index 0000000..db6bd34
--- /dev/null
+++ b/services/vault/token-reviewer-secret.yaml
@@ -0,0 +1,9 @@
+# services/vault/token-reviewer-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vault-admin-token-reviewer
+ namespace: vault
+ annotations:
+ kubernetes.io/service-account.name: vault-admin
+type: kubernetes.io/service-account-token
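Review bot: The fallback to `${k8s_token}` is silent: when the reviewer file is missing, unreadable or empty, the script writes the short-lived projected token into Vault's auth config, which is exactly the behaviour this commit is meant to replace, and nothing in the log says so. Add `log "using token reviewer JWT from ${VAULT_K8S_TOKEN_REVIEWER_JWT_FILE}"` inside the file branch and `log "no token reviewer JWT provided; falling back to pod service account token (expires)"` inside the fallback branch so a stale-JWT incident can be traced to the run that caused it. The `VAULT_K8S_TOKEN_REVIEWER_JWT` environment path also places a credential in the pod spec and process environment, where anyone who can read the pod or its environment can see it; the file path should stay the primary mechanism and the variable should be documented as an override rather than a normal configuration. The surrounding script continues outside this hunk.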
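Review bot: The manifest does not say why a static token is needed or what it grants, and a `kubernetes.io/service-account-token` Secret produces a token for `vault-admin` that never expires and is never rotated. A header comment should record both, along the lines of `# Long-lived token used as Vault's kubernetes-auth token_reviewer_jwt: projected SA tokens expire, which would leave the JWT stored in Vault's auth config stale.` followed by `# Rotation is manual: delete this Secret, re-apply it, then re-run the k8s-auth-config CronJob.` The token carries every permission bound to `vault-admin`; if that service account holds more than the TokenReview permission the reviewer needs (rbac.yaml is not in this diff, so I cannot tell), bind the Secret to a dedicated reviewer service account instead so that a leak of this token cannot be used for anything else. It is worth stating in the same comment that nothing sensitive is committed here, since the `data` is populated by the token controller in-cluster.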