Is the token_reviewer_jwt mandatory to authenticate client requests?

[goplusgo]

In our Vault docker init script file, we only inject the kubernetes_ca_cert for the k8s config:

vault write auth/kubernetes/config kubernetes_host=$KUBERNETES_HOST kubernetes_ca_cert=@/vault/data/cert/k8cert.crt 

And it's able to authenticate the client with k8s. Is the token_reviewer_jwt still mandatory (which is present in almost all the official samples or demos)?

[rumenvasilev]

It is not mandatory as stated in the official docs: https://www.vaultproject.io/api/auth/kubernetes/index.html#token_reviewer_jwt

...If not set the JWT used for login will be used to access the API.

[tomhjp]

Yep, if not set, it will either use the pod's own service account if Vault is in the k8s cluster, or it will use the client's token.

Full details here.

If not set, the local service account token is used if running in a Kubernetes pod, otherwise the JWT submitted in the login payload will be used to access the Kubernetes TokenReview API.