
Rotating Vault tokens. #101

Closed
bweston92 opened this issue Dec 17, 2019 · 11 comments
Labels: enhancement (New feature or request)

Comments

@bweston92 (Contributor)

Is your feature request related to a problem? Please describe.

When using the proxy there is no way to rotate the token without restarting the proxy with the updated configuration.

Describe the solution you'd like

The proxy to attempt to rotate the key when it is near expiry.

Additional context

Vault expiring tokens that are used to obtain access to the API.

bweston92 added the enhancement label on Dec 17, 2019

@johanbrandhorst (Owner)

Some thoughts on this:

  1. What kind of configuration would users expect to use here?
  2. Deprecate the token field in the config and replace it with an interface that would supply the token at call time. Then we could implement StaticToken and AutoRenewToken or any number of different options.

@bweston92 (Contributor, Author)

I think an interface would be great for giving the Vault issuer an easy way to handle this with implementations like you suggest for both static and renewable tokens.

There are methods to look up the expiry date of the token here: https://www.vaultproject.io/api/auth/token/index.html#lookup-a-token

Then we would be able to renew using the API too here: https://www.vaultproject.io/api/auth/token/index.html#renew-a-token

A problem I would like solved is using the proxy as a Kubernetes sidecar. Vault allows you to authenticate with a Kubernetes JWT (which is mounted to the container) which is used to create the first renewable token used to access Vault.

You can see an example request here: https://www.vaultproject.io/api/auth/kubernetes/index.html#login

@johanbrandhorst (Owner)

Thanks, that sounds like it could be another type of authentication provider. I'll see if I have some time to investigate over the holiday period :).

@bweston92 (Contributor, Author)

Ok, the cool thing I believe to be the case is that the token doesn't actually change, just the lease is extended. Will submit a PR for checking a renewable token and renewing near the time.

@bweston92 (Contributor, Author)

Looks like we can ignore the Kubernetes part: we can have an init container that will provision the Vault token and allow us to mount it within the proxy. Just need a way of telling the issuer to load it from a file, maybe an env var like VAULT_TOKEN_FILE?

https://github.com/sethvargo/vault-kubernetes-authenticator

@johanbrandhorst (Owner)

This is another use case for the flexible authentication option. I see something like func GetToken that we could call before any calls to vault. That interface could then be implemented by different types.

@johanbrandhorst (Owner)

@bweston92 #103 added the AuthMethod interface and the ConstantToken type. With something like what you linked before, you could create a ConstantToken from a file by reading it before creating your Certify struct. Do you require something more automatic? I'll work on adding an auto-renewing token as well, because that is something I've wanted.

@bweston92 (Contributor, Author)

That's fine, thank you.

@johanbrandhorst (Owner)

@bweston92 Don't upgrade your client version just yet, I think I may have a better idea for the interface. I'll make the change together with the dynamic renewing token.

@johanbrandhorst (Owner)

I added a renewable token type in #104, I think we should be ok to close this. I will make a pre-release so you can test this out.
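Added here as an illustration of the mechanics discussed in this thread (the lookup-a-token and renew-a-token endpoints linked above, a GetToken-style interface, and renewing shortly before expiry without the token string changing), the following Go example is not Certify's code and does not reproduce the AuthMethod interface that #103 and #104 actually added. The interface shape, the RenewingToken type, the five-minute threshold, the "1h" increment and the in-process fake Vault server are all assumptions constructed for the example; against a real Vault you would set Addr to the server address and Token to a real renewable token.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// AuthMethod is an assumed shape for the "func GetToken" idea; not Certify's real interface.
type AuthMethod interface {
	GetToken() (string, error)
}

// RenewingToken calls renew-self when lookup-self reports a TTL below Threshold.
// The token string never changes; renewal only extends the lease.
type RenewingToken struct {
	Addr      string        // Vault address, e.g. http://127.0.0.1:8200
	Token     string        // the renewable token
	Threshold time.Duration // renew once the remaining TTL drops below this
}

// call sends an authenticated request; Vault answers non-200 for an expired or revoked token.
func (r *RenewingToken) call(method, path string, body []byte) (*http.Response, error) {
	req, err := http.NewRequest(method, r.Addr+path, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", r.Token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		resp.Body.Close()
		return nil, fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	return resp, nil
}

// RemainingTTL reads GET /v1/auth/token/lookup-self and returns the TTL and renewable flag.
func (r *RenewingToken) RemainingTTL() (time.Duration, bool, error) {
	resp, err := r.call(http.MethodGet, "/v1/auth/token/lookup-self", nil)
	if err != nil {
		return 0, false, err
	}
	defer resp.Body.Close()
	var out struct {
		Data struct {
			TTL       int  `json:"ttl"`
			Renewable bool `json:"renewable"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return 0, false, err
	}
	return time.Duration(out.Data.TTL) * time.Second, out.Data.Renewable, nil
}

// GetToken renews via POST /v1/auth/token/renew-self if the lease is near expiry, then returns the token.
func (r *RenewingToken) GetToken() (string, error) {
	ttl, renewable, err := r.RemainingTTL()
	if err != nil {
		return "", err
	}
	if renewable && ttl < r.Threshold {
		body, _ := json.Marshal(map[string]string{"increment": "1h"})
		resp, err := r.call(http.MethodPost, "/v1/auth/token/renew-self", body)
		if err != nil {
			return "", fmt.Errorf("renew near expiry: %w", err)
		}
		resp.Body.Close()
	}
	return r.Token, nil
}

// newFakeVault is a constructed in-process stand-in for the two endpoints above; not a real Vault.
func newFakeVault(token string, ttl int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if req.Header.Get("X-Vault-Token") != token {
			w.WriteHeader(http.StatusForbidden) // Vault's answer to a bad or expired token
			return
		}
		if req.URL.Path == "/v1/auth/token/renew-self" && req.Method == http.MethodPost {
			ttl = 3600 // lease extended; the token itself is unchanged
		}
		json.NewEncoder(w).Encode(map[string]interface{}{
			"data": map[string]interface{}{"ttl": ttl, "renewable": true}})
	}))
}

func main() {
	srv := newFakeVault("s.constructed-token", 30) // only 30 s of lease left
	defer srv.Close()
	var auth AuthMethod = &RenewingToken{Addr: srv.URL, Token: "s.constructed-token", Threshold: 5 * time.Minute}
	fmt.Println(auth.GetToken()) // s.constructed-token <nil>; the fake's lease is now 3600 s
}
```

The renewal condition is checked on every call, which costs one lookup-self round trip per Vault request; a production implementation would cache the TTL, look it up again only once the cached lease approaches Threshold, and serialise GetToken across goroutines so two callers do not both renew at once. A non-renewable token (renewable false in the lookup response) is returned as-is and will eventually be rejected with a non-200 status, which is the signal that the proxy needs a fresh token from the outside, for example from the init container approach mentioned above.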

@bweston92 (Contributor, Author)

Thanks :D
