DaspawnW/vault-crd

[Question] How do you actually renew the token?

fcgravalos opened this issue · 7 comments

Hi, this is more a question than an issue itself.

I'm trying to figure out how you would renew the token; it's not clear to me. What happens if the token expires and then the pod gets deleted? Do I need to re-create the deployment with a new token?

On the other hand, I'd like to know if you would be open to logging in using the AppRole auth method instead of a token-based login.

Thanks!!

Thanks @DaspawnW !

An AppRole/Kubernetes backend will still need a background thread that checks the expiration time and, if it's expired, renews the token. But I think it's really worth it and it will be a killer feature for vault-crd ;)

Hi @fcgravalos,

I've added support for Kubernetes Service Accounts. I'll also have a look at AppRole authentication, but I think Service Account authentication is more important.

If you would like to use it, please have a look at the documentation for it:
https://vault.koudingspawn.de/install-vault-crd#kubernetes-service-account-authentication

Hi @DaspawnW

Thanks a lot for taking the time to implement this; for us it was important to have a way for the token to be self-renewed. Unfortunately, the rush of our projects and the number of clusters we manage made us lean towards implementing our own solution in a language we feel more comfortable with, Go.

vault-crd has been an inspiration for us and, with that idea in mind, we developed secrets-manager. In the README file we explain why we decided to build it and we make a reference to vault-crd. I think it would be nice if we could give each other feedback about both tools!

We're running into the same issue. Due to organizational concerns, we cannot implement K8s service account authentication in Vault. This leaves us with:

  1. An out-of-band solution to generate tokens via AppRole.
  2. The token generated from the AppRole expiring, causing vault-crd to generate exceptions.

@fcgravalos we are very interested in secrets-manager, but for our workflows we like the CRD approach better.
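The check-and-renew background loop described in the comments above (a thread that watches the token's remaining TTL and renews it early, and stops trying once Vault says the token can no longer be renewed, which is the AppRole expiry case in the list above), written as an added Go example that is not vault-crd's or secrets-manager's own code. It uses Vault's real `auth/token/lookup-self` and `auth/token/renew-self` endpoints; the names `Renewer`, `call`, `Tick` and the renew-at-one-third threshold are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Renewer: the state a controller's token-renewal loop needs (assumed names; an added example, not vault-crd code).
type Renewer struct{ Addr, Token string }

// call hits /v1/auth/token/<path> with the token in X-Vault-Token and decodes the JSON reply into out.
func (r *Renewer) call(method, path string, out interface{}) error {
	req, err := http.NewRequest(method, r.Addr+"/v1/auth/token/"+path, nil)
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", r.Token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // 403: expired or revoked; 400: not renewable or max TTL reached
		return fmt.Errorf("%s %s: HTTP %d, renewal impossible, log in again (e.g. AppRole)", method, path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// RemainingTTL reads data.ttl (seconds) from GET auth/token/lookup-self.
func (r *Renewer) RemainingTTL() (int64, error) {
	var v struct{ Data struct{ TTL int64 `json:"ttl"` } `json:"data"` }
	err := r.call(http.MethodGet, "lookup-self", &v)
	return v.Data.TTL, err
}
// Renew calls POST auth/token/renew-self and returns the new auth.lease_duration (seconds).
func (r *Renewer) Renew() (int64, error) {
	var v struct{ Auth struct{ Lease int64 `json:"lease_duration"` } `json:"auth"` }
	err := r.call(http.MethodPost, "renew-self", &v)
	return v.Auth.Lease, err
}
// Tick is one loop iteration: renew once under a third of the last TTL is left, well before expiry.
// An error means the token is gone or unrenewable: the caller must re-authenticate, not keep ticking.
func (r *Renewer) Tick(lastTTL int64) (int64, error) {
	left, err := r.RemainingTTL()
	if err != nil || left > lastTTL/3 {
		return left, err
	}
	return r.Renew()
}
```

Run `Tick` on a timer with the TTL it last returned; when it errors, fall back to a fresh login and start over with the new token.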

Hi @stevendborrelli,

I'm now on vacation for the next 3 weeks; after that I'll perform some additional tests for release 1.3. Currently there is a Docker image and a description in merge request #16.

Hi @stevendborrelli,

If it's still required, please reopen.

BR,
Björn