
Allow for jwks keyring replication to facilitate easier management of federated clusters and workload identity vault integration #20123

Open
benvanstaveren opened this issue Mar 12, 2024 · 1 comment
Labels
stage/accepted Confirmed, and intend to work on. No timeline commitment though. theme/vault theme/workload-identity type/enhancement

Comments


Proposal

As it stands at the moment, to use the new Workload Identity integration with federated clusters, one cannot just use the example given in the documentation due to the jwks endpoint on a Nomad cluster being for a single cluster only. The only way so far seems to be: export the jwks keys for each cluster and import them into the vault jwks auth config. This, of course, is not ideal since it's a manual operation and coming from something that "just works" that's a regression.

Ideally the keyring is replicated from the primary cluster (authoritative_region) to all federated members, this seems to be blocking on an open issue but as @tgross mentioned in a comment on #20097 once #14852 is resolved, it could be a possibility.

Personally I'm in favor of this proposal, anything else seems (to me, at least) to require either external tooling, or changes to Vault. The former being, again, a regression in ease-of-management, the latter perhaps not being such a hot idea because it's not that great for separation of concerns.

Use-cases

Makes the migration to workload identity based vault authentication a heck of a lot easier because "things just work" (which is the current situation), and there is no regression and potential additional points of failure brought on by human inattention 😅
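The manual workaround described in the proposal (export each federated cluster's JWKS, combine them into one key set for Vault) is where mistakes creep in, so here is an added example, not code from the issue or from Nomad, that merges per-cluster JWKS documents and flags a `kid` that appears in two clusters with different key material. The cluster names and key values are constructed; the document shape is the RFC 7517 key set that a `/.well-known/jwks.json` endpoint returns.

```python
import json

# Constructed sample key sets, one per federated cluster (placeholder key material,
# not real Nomad keys). "a1" is published identically by both clusters; "b2" only by one.
CLUSTER_JWKS = {
    "us-east": {"keys": [
        {"kty": "RSA", "kid": "a1", "use": "sig", "alg": "RS256", "n": "nEast1", "e": "AQAB"},
    ]},
    "eu-west": {"keys": [
        {"kty": "RSA", "kid": "b2", "use": "sig", "alg": "RS256", "n": "nWest1", "e": "AQAB"},
        {"kty": "RSA", "kid": "a1", "use": "sig", "alg": "RS256", "n": "nEast1", "e": "AQAB"},
    ]},
}


def merge_jwks(per_cluster):
    """Merge per-cluster JWKS documents into one key set.

    Returns (merged_jwks, collisions). A kid seen in several clusters is kept only if
    its key material is identical everywhere; a kid bound to different key material in
    different clusters is dropped and reported, because a verifier holding the merged
    set would otherwise pick one key and reject or mis-verify tokens from the other.
    """
    seen = {}          # kid -> (kty, n, e) first observed
    keys = {}          # kid -> key object to publish
    collisions = []    # (kid, cluster) pairs that disagreed with an earlier cluster
    for cluster, jwks in per_cluster.items():
        for key in jwks.get("keys", []):
            kid = key.get("kid")
            material = (key.get("kty"), key.get("n"), key.get("e"))
            if kid in seen and seen[kid] != material:
                collisions.append((kid, cluster))
                keys.pop(kid, None)
                continue
            seen.setdefault(kid, material)
            keys.setdefault(kid, key)
    bad = {kid for kid, _ in collisions}
    merged = {"keys": [k for kid, k in keys.items() if kid not in bad]}
    return merged, collisions


def key_for_token_kid(merged_jwks, kid):
    """Resolve the verification key a token header's kid points at, or None."""
    return next((k for k in merged_jwks["keys"] if k.get("kid") == kid), None)


if __name__ == "__main__":
    merged, collisions = merge_jwks(CLUSTER_JWKS)
    print(json.dumps(merged, indent=2), collisions)
```

The merged document can be published from an internal URL that Vault's JWT auth method is pointed at, so each cluster's keys are trusted once and the per-cluster export step is the only thing to automate.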

@lgfa29
Contributor

lgfa29 commented Mar 18, 2024

Thanks for the suggestion @benvanstaveren!

I have placed this into our backlog for further triaging and roadmapping.
