Cannot create token with a lifetime beyond 32 days

Using OpenShift 4.14 & Vault 1.15.2, I’ve been trying to generate tokens that last for longer than 32 days but whatever I try doesn’t seem to work and I get back this error:

WARNING! The following warnings were returned from Vault:

  * max_ttl is greater than the system or backend mount's maximum TTL value;
  issued tokens' max TTL value will be truncated

What’s the backend configuration?

oc exec -n hashicorp-vault vault-0 -- vault read sys/mounts/pki/tune
Key                  Value
---                  -----
default_lease_ttl    38400h
description          n/a
force_no_cache       false
max_lease_ttl        76800h

I set that with:

oc exec -n hashicorp-vault vault-0 -- vault secrets tune -default-lease-ttl=38400h -max-lease-ttl=76800h pki
oc exec -n hashicorp-vault vault-0 -- vault secrets enable "-path=myplace" -default-lease-ttl=38400h -max-lease-ttl=76800h pki

and for kv:

oc exec -n hashicorp-vault vault-0 -- vault secrets enable "-path=myplace-ocs" -default-lease-ttl=1600d -max-lease-ttl=3200d kv

Hello!

Could you possibly expand on what command you are running that is generating the warning?

If I were to venture a guess, it’s an auth mount’s max lease TTL or a system-wide max lease TTL that is coming into play, and not the TTL values for the PKI/KV secret mounts.

When I do this (for PKI):
oc exec -n hashicorp-vault -it vault-0 -- vault write "auth/kubernetes/role/myplace-issuer" "bound_service_account_names=myplace-issuer" "bound_service_account_namespaces=myplace" token_policies="myplace-pki" ttl=24h token_max_ttl=276480000 token_ttl=138240000

and this for kv:

oc exec -n hashicorp-vault vault-0 -- vault write "auth/kubernetes/role/myplace-ocs-issuer" bound_service_account_names=storage-sa bound_service_account_namespaces=openshift-storage,myplace token_policies="myplace-ocs" token_max_ttl=3200d token_ttl=1600d token_explicit_max_ttl=3200d ttl=1600d

Have a look at the ttl values that are configured for the kubernetes auth mount, within the config key, when running the command

vault read sys/auth/kubernetes

Or possibly the Vault cluster’s max_lease_ttl by running

vault read /sys/config/state/sanitized

Hmm:

oc exec -ti -n hashicorp-vault vault-0 -- vault read /sys/config/state/sanitized | grep ttl
default_lease_ttl                      0s
max_lease_ttl                          0s

And:

oc exec -ti -n hashicorp-vault vault-0 -- vault read sys/auth/kubernetes | grep ttl
config                     map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:0 token_type:default-service]

So values of 0 for both mean that nothing has overwritten Vault’s default TTL values, so you have a max lease TTL value of 32 days.

You can bump the TTL values on the auth/kubernetes mount point like you did within the PKI mount point and the warning should go away and new tokens will be allowed to have a lifetime longer than 32 days.
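The resolution order described in this reply (role `token_max_ttl` capped by the auth mount's `max_lease_ttl`, which falls back to the system `max_lease_ttl`, which falls back to Vault's built-in 768h) can be checked offline. The following is an added example, not code from the thread or from HashiCorp; it reads the `max_lease_ttl` values out of the `vault read` output pasted above (embedded here as constructed sample text) and reproduces the 32-day cap and the truncation warning, then shows the result once the auth mount is tuned. The fallback chain it models is an assumption drawn from this thread and Vault's documented defaults, not the project's own code.

```python
import re

# Vault's built-in default for max_lease_ttl when neither the config
# file nor the mount overrides it: 768h, i.e. the 32 days seen in the thread.
SYSTEM_DEFAULT_MAX_TTL = 768 * 3600

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample output, copied in the shape of the thread's `| grep ttl` lines.
SANITIZED_OUTPUT = """default_lease_ttl                      0s
max_lease_ttl                          0s"""
AUTH_K8S_OUTPUT = (
    "config                     map[default_lease_ttl:0 force_no_cache:false "
    "max_lease_ttl:0 token_type:default-service]"
)
AUTH_K8S_TUNED_OUTPUT = (
    "config                     map[default_lease_ttl:38400h force_no_cache:false "
    "max_lease_ttl:76800h token_type:default-service]"
)


def parse_ttl(value):
    """Parse a TTL the way Vault accepts it: bare integer seconds or <n><s|m|h|d>."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    match = re.fullmatch(r"(\d+)([smhd])", text)
    if not match:
        raise ValueError(f"unrecognised TTL: {value!r}")
    return int(match.group(1)) * _UNITS[match.group(2)]


def max_lease_ttl_from_output(text):
    """Pull max_lease_ttl out of either table-style or map[...]-style `vault read` output."""
    match = re.search(r"max_lease_ttl[\s:]+(\d+[smhd]?)", text)
    if not match:
        raise ValueError("no max_lease_ttl in output")
    return parse_ttl(match.group(1))


def effective_max_ttl(system_max, mount_max, role_max=0):
    """Return (effective max TTL in seconds, list of warnings).

    Assumed resolution (matches the thread's explanation): a mount-level
    max_lease_ttl of 0 defers to the system value, a system value of 0 defers
    to Vault's 768h default, and a role token_max_ttl above that cap is
    truncated with the warning the original poster saw.
    """
    system_cap = parse_ttl(system_max) or SYSTEM_DEFAULT_MAX_TTL
    mount_cap = parse_ttl(mount_max) or system_cap
    warnings = []
    effective = mount_cap
    role_seconds = parse_ttl(role_max)
    if role_seconds > 0:
        if role_seconds > mount_cap:
            warnings.append(
                "max_ttl is greater than the system or backend mount's maximum TTL value; "
                "issued tokens' max TTL value will be truncated"
            )
        else:
            effective = role_seconds
    return effective, warnings


def thread_scenario(auth_output):
    """Evaluate the poster's role (token_max_ttl=276480000) against the given auth mount output."""
    system_max = max_lease_ttl_from_output(SANITIZED_OUTPUT)
    mount_max = max_lease_ttl_from_output(auth_output)
    return effective_max_ttl(system_max, mount_max, role_max=276480000)


if __name__ == "__main__":
    for label, output in (("before tune", AUTH_K8S_OUTPUT), ("after tune", AUTH_K8S_TUNED_OUTPUT)):
        seconds, warnings = thread_scenario(output)
        print(f"{label}: effective max TTL = {seconds // 86400} days; warnings = {warnings}")
```

Before the auth mount is tuned the effective cap comes out at 32 days with the truncation warning, regardless of the 76800h set on the PKI secrets mount, because the token is issued by the Kubernetes auth mount. Once `max_lease_ttl` on `auth/kubernetes` is raised to 76800h the role's `token_max_ttl` fits inside the cap and no warning is produced.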

Ok, thanks for the pointers. I got the kubernetes config done with this:
oc exec -n hashicorp-vault vault-0 -- vault auth tune -default-lease-ttl=38400h -max-lease-ttl=76800h kubernetes

I haven’t yet worked out how to poke /sys/config/state/sanitized

Tuning the Kubernetes auth mount point should be enough for the warning message to go away and allow you to create tokens longer than 32 days.

In regards to changing the values from /sys/config/state/sanitized, which you shouldn’t need to, those values come from Vault’s main configuration file you specify at startup. See this page for more details about the max_lease_ttl config parameter.