Vault Secrets Operator with JWT

Hi,
I am using Vault SaaS for storing secrets needed for Kubernetes microservices.
I aim to leverage Vault Secrets Operator for secret propagation from Vault to the microservices.
From what I understand, Vault authentication types typically need access to the k8s cluster API. Unfortunately, this means making the API publicly accessible, as my Vault is SaaS, which I feel uncomfortable doing. The only auth option supported by the Vault Secrets Operator that does not need API access is JWT.

This leads to the logical conclusion that I should be able to have

  1. Vault SaaS
  2. Vault Secrets Operator
  3. JWT Auth

What I am struggling to figure out is how to configure this. JWT Auth requires secretRef config, which is a k8s secret object, containing "a key named jwt which holds the JWT token" as per the Vault documentation. This is not configurable.

Looking at k8s documentation this is quite hard to do in an automated way.
The legacy long-lived service account tokens, supported in an automatable fashion like this, are stored as a secret containing a key named token which holds the JWT token. This is not configurable.
This leads to problem #1 - it seems there is no automated out-of-the-box way to provide JWTs to the Vault Secret Operator for JWT Auth.

Unfortunately, there is one more problem. The k8s documentation linked above is for the legacy long-lived tokens. This looks bad because 1. they are legacy and 2. they actually lack data required by Vault Auth, more specifically the audience (aud) JWT claim. Both these issues are solved with the new short-lived service-account bound tokens. This is even stated in the Vault documentation and works just fine.

However, I do not see an automated way to provide the short-lived JWT to the Operator. Which means the whole setup would not be working for me.
Vault documentation for the short-lived tokens is under the Kubernetes auth method, which is not applicable as it still needs access to the k8s cluster API.
This guide from the Vault documentation works like a charm. However, it still lacks the missing piece of how can I provide the short-lived JWT as a k8s secret to the operator.

Am I misinterpreting the documentation in some way? Is there a configuration that would solve the problem?

What I am struggling to figure out is how to configure this. JWT Auth requires secretRef config, which is a k8s secret object, containing "a key named jwt which holds the JWT token" as per the Vault documentation. This is not configurable.

I don’t think the secretRef is actually required; either secretRef or serviceAccount needs to be set. And if serviceAccount is set, the operator will create a short-lived token for that k8s service account for auth-ing to Vault. So no need to manage it yourself.

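As an added illustration (not from the thread or the Vault Secrets Operator project itself), here is what the serviceAccount form of JWT auth described in the reply above looks like as manifests; the namespace, names, mount path, role, audience and Vault address are placeholders, and the Vault-side role shown in the comment is my assumption of a matching configuration.

```yaml
# Added example, not from the thread: VaultAuth using spec.jwt.serviceAccount
# instead of spec.jwt.secretRef. Names, namespace, mount, role and audience are
# placeholders. The operator mints a short-lived, audience-bound ServiceAccount
# token itself, so no Secret with a "jwt" key has to be created or rotated.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-jwt-client          # placeholder SA the operator requests tokens for
  namespace: app
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-saas
  namespace: app
spec:
  address: https://vault.example.com:8200   # placeholder hosted Vault address
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-auth-jwt
  namespace: app
spec:
  vaultConnectionRef: vault-saas
  method: jwt
  mount: jwt                      # path where the JWT auth method is enabled in Vault
  jwt:
    role: app-reader              # placeholder Vault JWT role
    serviceAccount: vault-jwt-client
    # No secretRef here: the operator obtains a projected token for the SA above.
    audiences:
      - vault                     # must equal the role's bound_audiences
    tokenExpirationSeconds: 600   # short lifetime; the operator re-mints as needed
    # Assumed matching Vault role (placeholder values):
    #   vault write auth/jwt/role/app-reader role_type=jwt user_claim=sub \
    #     bound_audiences=vault \
    #     bound_subject=system:serviceaccount:app:vault-jwt-client \
    #     token_policies=app-reader
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: app-config
  namespace: app
spec:
  vaultAuthRef: vault-auth-jwt
  mount: kv                       # placeholder KV v2 mount
  type: kv-v2
  path: app/config
  destination:
    name: app-config
    create: true
```

Because the hosted Vault cannot reach the cluster's API or JWKS endpoint, the JWT auth method itself would be configured with jwt_validation_pubkeys (the cluster's service-account signing public key) rather than jwks_url or oidc_discovery_url, so tokens are verified offline; pinning bound_subject to the one service account keeps any other token signed by the cluster from using this role.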

Has this really been confirmed that setting serviceAccount AND NOT secretRef automatically creates a short-lived token?
I tried different configurations and never managed to achieve this.