Add oidc login to vault #249
Conversation
Signed-off-by: Brandon Mitchell <git@bmitch.net>
b6588fa to c1d6eb1
Test cases are in the works for this. I've got them done for passing the vault token, address, and transit path. Just doing a bit more research on the oidc side to see if that can be easily added to the e2e tests.
@sudo-bmitch golangci-lint is complaining here https://github.com/sigstore/sigstore/runs/4951957521?check_suite_focus=true.
@hectorj2f yup, I got those fixed in c1d6eb1. Sorry for missing that in the first pass, I know better. I'll have another commit later today for e2e testing, so no need to rerun CI just yet.
Signed-off-by: Brandon Mitchell <git@bmitch.net>
Test cases added for the easy parts. I went down the path of trying to get a JWT out of Dex programmatically and started to hit a wall. If anyone has some go or shell code for that, I can add more tests for OIDC auth into vault. This should be ready for CI @dlorenc
lgtm
Signed-off-by: Brandon Mitchell <git@bmitch.net>
Double ack. I've now installed golint-ci so I can stop messing up that CI job.
Signed-off-by: Brandon Mitchell <git@bmitch.net>
Summary
This adds the ability to log in to Vault using OIDC to get a token, and removes dependencies on environment variables.
I'm using this with Spire+OIDC to use Vault as a KMS without hard coding credentials in CI. Here's what that code looks like:
Ticket Link
Fixes
Release Note
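The token exchange the PR description refers to (an OIDC identity token traded for a Vault client token through Vault's JWT auth method, so no VAULT_TOKEN needs to be set in CI), as an added stand-alone example that is not the PR's or sigstore's code. It assumes the auth method is mounted at "jwt" and a role named "sigstore"; the fake Vault server and the token values are constructed fixtures.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)
// vaultJWTLogin performs a Vault JWT/OIDC auth-method login: POST role and identity
// token to /v1/auth/<mount>/login and return the issued client token for later use.
func vaultJWTLogin(addr, mount, role, idToken string) (string, error) {
	payload, _ := json.Marshal(map[string]string{"role": role, "jwt": idToken})
	resp, err := http.Post(addr+"/v1/auth/"+mount+"/login", "application/json", bytes.NewReader(payload))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault login rejected: HTTP %d", resp.StatusCode)
	}
	var out struct {
		Auth struct {
			ClientToken string `json:"client_token"`
		} `json:"auth"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	if out.Auth.ClientToken == "" {
		return "", fmt.Errorf("vault login response carried no client_token")
	}
	return out.Auth.ClientToken, nil
}

// newFakeVault is a constructed test fixture standing in for Vault: it honours
// only the "jwt" mount, the "sigstore" role and one known-good identity token.
func newFakeVault() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req map[string]string
		_ = json.NewDecoder(r.Body).Decode(&req)
		if r.URL.Path != "/v1/auth/jwt/login" || req["role"] != "sigstore" || req["jwt"] != "hdr.payload.sig" {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"auth":{"client_token":"hvs.constructed-example-token"}}`)
	}))
}
```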