Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for a "token-only" injection annotation #77

Merged
merged 3 commits into from
Feb 18, 2020
Merged

Support for a "token-only" injection annotation #77

merged 3 commits into from
Feb 18, 2020

Conversation

tvoran
Copy link
Member

@tvoran tvoran commented Feb 14, 2020

The annotation "vault.hashicorp.com/agent-inject-token": "true"
results in a token file containing the lookup-self token.

Resolves #16

@tvoran
Support for a "token-only" injection annotation
1eb9d8f 
The annotation `"vault.hashicorp.com/agent-inject-token": "true"`
results in a `token` file containing the `lookup-self` token.
jasonodonnell
jasonodonnell reviewed Feb 14, 2020
View reviewed changes
Copy link
Contributor

@jasonodonnell jasonodonnell left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small changes and this is ready for merge! Thanks @tvoran!

agent-inject/agent/config.go Outdated
@@ -8,6 +8,8 @@ import (

const (
DefaultTemplate = "{{ with secret \"%s\" }}{{ range $k, $v := .Data }}{{ $k }}: {{ $v }}\n{{ end }}{{ end }}"
TokenTemplate = `{{ with secret "auth/token/lookup-self" }}{{ .Data.id }}{{ end }}`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small request: add a newline to the end of the .Data.id line (like the default template) because if you were to look at it in the container:

/vault/secrets $ ls
ca.cert      db-creds     server.cert  server.key   token
/vault/secrets $ cat token
s.gXuAjfknTq0dK1i5s5rsjxpI/vault/secrets $

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added in d9dcbcd

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, it's literally writing the \n characters, not a new line.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in c2a7199

jasonodonnell
jasonodonnell reviewed Feb 14, 2020
View reviewed changes
agent-inject/agent/annotations.go Outdated
@@ -35,6 +35,10 @@ const (
// If not provided, a default generic template is used.
AnnotationAgentInjectTemplate = "vault.hashicorp.com/agent-inject-template"

// AnnotationAgentInjectToken is the annotation key for injecting the token
// from auth/token/lookup-self
AnnotationAgentInjectToken = "vault.hashicorp.com/agent-inject-token-only"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if vault.hashicorp.com/agent-inject-token-only is confusing: it suggests that we're only going to render a token. Maybe this should be renamed to agent-inject-share-token?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about just agent-inject-token?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works for me.

Copy link
Member Author

@tvoran tvoran Feb 18, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed in d9dcbcd

jasonodonnell
jasonodonnell reviewed Feb 14, 2020
View reviewed changes
agent-inject/agent/annotations_test.go Outdated
{
"valid inject-token-only",
map[string]string{
"vault.hashicorp.com/agent-inject-token-only": "true",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: use the annotation variable.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed in d9dcbcd

@tvoran
changes based on feedback
d9dcbcd 
agent-inject-token-only --> agent-inject-token

using annotation and config variables in tests
jasonodonnell
jasonodonnell approved these changes Feb 18, 2020
View reviewed changes
Copy link
Contributor

@jasonodonnell jasonodonnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 LGTM!

@tvoran tvoran merged commit d5d3186 into master Feb 18, 2020
@tvoran tvoran deleted the token-only branch February 18, 2020 19:24
@jasonodonnell jasonodonnell added this to the 0.3.0 milestone Feb 20, 2020
@dcatalano-figure
Copy link

dcatalano-figure commented Feb 27, 2020
edited
Loading

this might be a dumb question, my apologies. is the lookup_self token the same as the client token that lives in /home/vault/.token on the vault-agent and vault-agent-init containers. if so is there a reason why there wouldn't want to be a shared k8s volume and mount to that path on all three containers that could share the token among all pods in the container, similar to how the original vault agent k8s guide did? say, if the above annotation is used? please excuse my naivety.

@jasonodonnell jasonodonnell mentioned this pull request Mar 4, 2020
Merged
RemcoBuddelmeijer pushed a commit to RemcoBuddelmeijer/vault-k8s that referenced this pull request Feb 22, 2022
@tvoran
Support for a "token-only" injection annotation (hashicorp#77)
5535713 
The annotation "vault.hashicorp.com/agent-inject-token": "true"
results in a token file containing the lookup-self token.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonodonnell jasonodonnell jasonodonnell approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.3.0
Development

Successfully merging this pull request may close these issues.

Add support for token only
3 participants
@tvoran @dcatalano-figure @jasonodonnell