[Question] How do you actually renew the token? #4
Comments
fcgravalos
changed the title
|
Hi Fernando,
Currently I don't have token refresh implented.
I'll have a Look at the AppRole, parallel I evaluate the Kubernetes Auth Backend.
I'll find some research, then I'll update the issue.
Best regards,
Björn
Am 20.08.2018 16:32 schrieb Fernando <notifications@github.com>:
Hi, this is more a question than an issue itself. I'm trying to figure out how you renew the token, it's not clear to me.
On the other hand I'd like to know if you would be open to login using AppRole auth method instead of a token-based login.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<#4>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ACFNld1CJXXsllGElMVRQ44exWN3frBmks5uSsh7gaJpZM4WEHmR>.
|
|
Thanks @DaspawnW ! AppRole/Kubernetes backend will still need a background thread that checks expiration time and if it's expired it will renew the token. But I think it's really worthy and it will be a killer feature for vault-crd ;) |
this is the first step to allow different authentication methods as described in #4
|
Hi @fcgravalos, I've added support for Kubernetes Service Accounts. I'll have also a look for AppRole authentication but I think more important is Service Account authentication. If you would like to use it please have a look at the documentation for it: |
|
Hi @DaspawnW Thanks a lot for taking the time to implement this, for us it was important to have a way for the token to be self-renewed. Unfortunately, the rush of our projects and the amount of clusters we manage made us lean towards implementing our solution in language we feel more comfortable with, Go. vault-crd has been an inspiration for us and with that idea in mind, we developed secrets-manager . In the README file we expressed why we decided to build it and we make a reference to vault-crd. I think it will be nice if we can give feedback to each other about both tools! |
|
We're running into the same issue. Due to organizational concerns, we cannot implement K8s service account authentication in Vault. This leaves us with:
@fcgravalos we are very interested in secretes-manager, but for our workflows we like the CRD approach better. |
|
Hi @stevendborrelli, I'm now on vacation for the next 3 weeks, after this I'll perform some additional tests for release 1.3, currently there is a docker image and a description in merge request #16 |
|
Hi @stevendborrelli, if its still required please reopen. BR, |
Hi, this is more a question than an issue itself.
I'm trying to figure out how would you renew the token, it's not clear to me. What happens if the token expires and then pod gets deleted. Do I need to re-create the deployment with a new token?
On the other hand I'd like to know if you would be open to login using AppRole auth method instead of a token-based login.
Thanks!!
The text was updated successfully, but these errors were encountered: