vault: set kubernetes issuer

2026-02-01 12:18:57 -03:00 · 2026-02-01 12:18:57 -03:00 · fd8396730c
commit fd8396730c
parent dcabfb2ebb
2 changed files with 23 additions and 8 deletions
--- a/services/vault/k8s-auth-config-cronjob.yaml
+++ b/services/vault/k8s-auth-config-cronjob.yaml
@ -41,10 +41,14 @@ spec:
                      key: root_token
                - name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE
                  value: /var/run/secrets/vault-token-reviewer/token
-                - name: VAULT_K8S_ROLE_TTL
-                  value: 1h
-                - name: VAULT_K8S_BOUND_AUDIENCES
-                  value: https://kubernetes.default.svc.cluster.local,k3s
+            - name: VAULT_K8S_ROLE_TTL
+              value: 1h
+            - name: VAULT_K8S_BOUND_AUDIENCES
+              value: https://kubernetes.default.svc.cluster.local,k3s
+            - name: VAULT_K8S_ISSUER
+              value: https://kubernetes.default.svc.cluster.local
+            - name: VAULT_K8S_DISABLE_ISS_VALIDATION
+              value: "false"
              volumeMounts:
                - name: k8s-auth-config-script
                  mountPath: /scripts
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@ -53,6 +53,8 @@ ensure_token
 k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"
 k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
 k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+k8s_issuer="${VAULT_K8S_ISSUER:-}"
+disable_iss_validation="${VAULT_K8S_DISABLE_ISS_VALIDATION:-true}"
 role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"
 token_reviewer_jwt="${VAULT_K8S_TOKEN_REVIEWER_JWT:-}"

@ -83,10 +85,19 @@ path \"auth/kubernetes/login\" {
 }

 log "configuring kubernetes auth"
-vault_cmd write auth/kubernetes/config \
-  token_reviewer_jwt="${token_reviewer_jwt}" \
-  kubernetes_host="${k8s_host}" \
-  kubernetes_ca_cert="${k8s_ca}"
+if [ -n "${k8s_issuer}" ]; then
+  vault_cmd write auth/kubernetes/config \
+    token_reviewer_jwt="${token_reviewer_jwt}" \
+    kubernetes_host="${k8s_host}" \
+    kubernetes_ca_cert="${k8s_ca}" \
+    issuer="${k8s_issuer}" \
+    disable_iss_validation="${disable_iss_validation}"
+else
+  vault_cmd write auth/kubernetes/config \
+    token_reviewer_jwt="${token_reviewer_jwt}" \
+    kubernetes_host="${k8s_host}" \
+    kubernetes_ca_cert="${k8s_ca}"
+fi

 ensure_default_policy_login