Hi all,
We have a central Vault server that we’d like to use to store secrets for our k8s
clusters. The setup I’m trying to achieve is:
For each cluster, set up an authentication backend, e.g. k8s/cluster-x (all k8s auth backends would be under the same “root” path, k8s).
We set up a kv v2 secrets backend for all clusters, named k8s. The idea is then to write templated policies based off cluster name metadata, something like:
path "k8s/data/<cluster name>/*" {
capabilities = [ ... ]
}
The problem with this is that when a cluster authenticates with Vault, Vault will automatically generate an entity and an alias. With the “use JWT annotations for metadata” auth option enabled, the alias will get its metadata set from the SA’s vault.hashicorp.com/alias-metadata-... annotations, but not the generated entity.
However, policy templates only support referencing metadata from entities or mount accessors. Using mount accessors in my scenario makes no sense, since a mount accessor represents a cluster.
The only option I see is to manually set cluster_name entity metadata once it’s created by Vault, or create the entity using, for example, Terraform and then move the created alias under that entity.
Is this correct, or am I missing something?
For this scenario, policy templates would have to be able to reference authenticated alias’ metadata.
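As an added illustration (not part of the post above, and not an official HashiCorp example), this is what the Terraform route the poster mentions could look like: one kubernetes auth mount per cluster under k8s/, a shared kv v2 mount named k8s, a templated policy keyed on identity.entity.metadata.cluster_name, and a pre-created entity plus alias per cluster so the entity metadata exists before the first login. The cluster names, the vault-reader service account, the default namespace, the kubernetes_host values and the role name are all assumed placeholder values; the alias name must match what the auth method would generate for the logging-in service account, which depends on alias_name_source, so check that setting against the Kubernetes auth docs for your Vault version.

```hcl
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

# Constructed example data: cluster name -> API server URL (placeholders).
variable "clusters" {
  type = map(string)
  default = {
    "cluster-x" = "https://cluster-x.example.invalid:6443"
    "cluster-y" = "https://cluster-y.example.invalid:6443"
  }
}

# One kubernetes auth mount per cluster, all under the shared k8s/ root path.
resource "vault_auth_backend" "k8s" {
  for_each = var.clusters
  type     = "kubernetes"
  path     = "k8s/${each.key}"
}

resource "vault_kubernetes_auth_backend_config" "k8s" {
  for_each        = var.clusters
  backend         = vault_auth_backend.k8s[each.key].path
  kubernetes_host = each.value
}

# The kv v2 mount shared by all clusters; data lives under k8s/data/<cluster>/...
resource "vault_mount" "k8s" {
  path    = "k8s"
  type    = "kv"
  options = { version = "2" }
}

# Templated policy: the cluster name is read from entity metadata, which is why
# the entity below is created (with metadata) ahead of the first login.
resource "vault_policy" "k8s_cluster" {
  name   = "k8s-cluster"
  policy = <<-EOT
    path "k8s/data/{{identity.entity.metadata.cluster_name}}/*" {
      capabilities = ["read"]
    }
    # kv v2 listing goes through the metadata path, so grant list there too.
    path "k8s/metadata/{{identity.entity.metadata.cluster_name}}/*" {
      capabilities = ["list"]
    }
  EOT
}

# Assumed role: service account "vault-reader" in namespace "default" on each cluster.
# alias_name_source = "serviceaccount_name" makes the alias name "<namespace>/<sa-name>",
# which is what the pre-created alias below must match (check your Vault version's docs).
resource "vault_kubernetes_auth_backend_role" "workload" {
  for_each                         = var.clusters
  backend                          = vault_auth_backend.k8s[each.key].path
  role_name                        = "workload"
  bound_service_account_names      = ["vault-reader"]
  bound_service_account_namespaces = ["default"]
  token_policies                   = [vault_policy.k8s_cluster.name]
  alias_name_source                = "serviceaccount_name"
}

# Pre-created entity carrying the metadata the templated policy needs.
resource "vault_identity_entity" "cluster" {
  for_each = var.clusters
  name     = each.key
  metadata = { cluster_name = each.key }
}

# Alias bound to the cluster's own auth mount accessor, so that a login from that
# mount attaches to this entity instead of Vault auto-generating a metadata-less one.
resource "vault_identity_entity_alias" "cluster" {
  for_each       = var.clusters
  name           = "default/vault-reader"
  mount_accessor = vault_auth_backend.k8s[each.key].accessor
  canonical_id   = vault_identity_entity.cluster[each.key].id
}
```

Because each alias is tied to exactly one mount accessor, a token issued via k8s/cluster-x can only ever resolve to the cluster-x entity and therefore to k8s/data/cluster-x/*; a cluster cannot read another cluster's paths by claiming a different name, since the name comes from Vault-side entity metadata rather than from anything the client presents.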