Changes the vault issuer Kubernetes auth path to require the full *mount* path #2349
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoshVanL The full list of commands accepted by this bot can be found here. The pull request process is described here
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
cb865f6 to 7ec3103
/assign @munnerz
@@ -38,5 +38,5 @@ const ( | |||
|
|||
// Default mount path location for Kubernetes ServiceAccount authentication | |||
// (/v1/auth/kubernetes/login) | |||
DefaultVaultKubernetesAuthMountPath = "kubernetes" | |||
DefaultVaultKubernetesAuthMountPath = "/v1/auth/kubernetes/login" |
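Review bot: the new value `"/v1/auth/kubernetes/login"` is the login endpoint, not the mount path, yet the constant is still named `DefaultVaultKubernetesAuthMountPath` and the updated comment still says "Default mount path location". Either set the default to the mount point (`/v1/auth/kubernetes`) and have the client append `/login`, or rename the constant and comment so they describe the endpoint; as written, a reader of the constant cannot tell whether the field is expected to hold a mount point or a full login URL.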
Do we want to hardcode the `login` part of this? From what I understand, the `/v1/auth/kubernetes` path is the mount point of the kubernetes auth backend - I don't know if we ever need (or even want) users to override the suffix. cc @mam8270 have you got any thoughts on this?
Login can be a bit more nuanced now with the vault enterprise "namespaces" feature, which essentially allows vault inside vault for the different namespaces (including auth endpoints), so I think you would want at least some mechanism for overriding the login URL. I agree you would lose some safety though.
https://learn.hashicorp.com/vault/operations/namespaces#policy-with-namespaces
What's the conclusion here? If the path is wrong, a user can always override the path completely which is the point of this PR.
Thanks for the link @mam8270 - I'm still a bit unclear on this though, the link you reference looks like it refers to prefixes on the Vault path, not the endpoint within the Kubernetes auth backend that is used to actually authenticate (i.e. `/login`).
Does this enterprise 'namespacing' feature allow this endpoint to be changed? If so, we will keep this line as is.
If not, we can make this field refer to the mount point of the auth backend instead of the particular endpoint used to authenticate (i.e. `/v1/auth/kubernetes` vs `/v1/auth/kubernetes/login`).
We want to allow people as much flexibility as possible, but if it isn't possible to specify a value other than `login`, we can gain a bit of 'safety' and save users making configuration errors.
To note, `mountPath` is the name of the field here.. which IMO implies `/v1/auth/kubernetes` should be a valid value, and `/v1/auth/kubernetes/login` isn't (as it is not the mount path)
We're going to go with `/v1/auth/kubernetes` for now due to the field being named `mountPath`. If we need more flexibility in future, we can introduce a `path` field instead.
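The conclusion above (the `mountPath` field holds the auth backend's mount point and the client appends the fixed `/login` endpoint) is easy to get wrong in configuration. The following Go helper is an added example, not cert-manager's code; the names `ValidateMountPath`, `LoginURL` and `DefaultMountPath` are assumptions made for this illustration. It builds the login URL from a server address and a mount path, and rejects the two mistakes the thread discusses: supplying only the backend name (the pre-PR style `kubernetes`) and supplying the login endpoint itself instead of the mount point.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const (
	// DefaultMountPath is a constructed default for this example: the mount
	// point of the Kubernetes auth backend, not its login endpoint.
	DefaultMountPath = "/v1/auth/kubernetes"
	// loginSuffix is the fixed endpoint within the auth backend used to
	// authenticate; it is not part of the configured mount path.
	loginSuffix = "/login"
	// authPrefix is where Vault exposes all auth backends under its HTTP API.
	authPrefix = "/v1/auth/"
)

// ValidateMountPath checks that mountPath is a full mount path of an auth
// backend and returns it normalised (no trailing slash). An empty value
// falls back to DefaultMountPath. Hypothetical helper, not project code.
func ValidateMountPath(mountPath string) (string, error) {
	if mountPath == "" {
		return DefaultMountPath, nil
	}
	p := strings.TrimRight(mountPath, "/")
	// Reject "kubernetes" or "auth/kubernetes": the full mount path is required.
	if !strings.HasPrefix(p, authPrefix) {
		return "", fmt.Errorf("vault kubernetes auth mountPath %q must be the full mount path, e.g. %q", mountPath, DefaultMountPath)
	}
	// Reject a login endpoint: it would be doubled to ".../login/login".
	if strings.HasSuffix(p, loginSuffix) {
		return "", fmt.Errorf("vault kubernetes auth mountPath %q is a login endpoint; set it to the backend's mount point, e.g. %q", mountPath, strings.TrimSuffix(p, loginSuffix))
	}
	return p, nil
}

// LoginURL joins the Vault server address, the validated mount path and the
// fixed "/login" endpoint into the URL a client would POST its JWT to.
func LoginURL(server, mountPath string) (string, error) {
	p, err := ValidateMountPath(mountPath)
	if err != nil {
		return "", err
	}
	u, err := url.Parse(server)
	if err != nil {
		return "", fmt.Errorf("invalid vault server address %q: %w", server, err)
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("vault server address %q must include scheme and host", server)
	}
	u.Path = strings.TrimRight(u.Path, "/") + p + loginSuffix
	return u.String(), nil
}

func main() {
	// Constructed inputs: the default, a custom mount, and the two mistakes.
	for _, mp := range []string{"", "/v1/auth/k8s-prod/", "kubernetes", "/v1/auth/kubernetes/login"} {
		u, err := LoginURL("https://vault.example.com:8200", mp)
		if err != nil {
			fmt.Printf("mountPath %-28q -> error: %v\n", mp, err)
			continue
		}
		fmt.Printf("mountPath %-28q -> %s\n", mp, u)
	}
}
```

Failing early on a `/login` suffix is the 'safety' the thread is weighing: the client owns the endpoint, so a value that already ends in it is a misconfiguration rather than an override.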
Could you also add
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
/retest
/lgtm
fixes #2205