aquasecurity / starboard

Moved to https://github.com/aquasecurity/trivy-operator

Home Page:https://aquasecurity.github.io/starboard/


Scan Job has automountServiceAccountToken: false, doesn't work with Vault

madianas21 opened this issue · comments

What steps did you take and what happened:

Deployed starboard-operator with a helm chart with these values overrides:

    trivy:
      githubToken: "vault:secret/data/starboard-system/starboard-operator#GITHUB_TOKEN"
    starboard:
      # Annotations for the scan job pods, comma-separated key=value pairs
      scanJobAnnotations: 'vault.security.banzaicloud.io/vault-addr=https://vault.vault:8200,vault.security.banzaicloud.io/vault-role=starboard-system-starboard-operator,vault.security.banzaicloud.io/vault-skip-verify=true'
      scanJobPodTemplateLabels: 'app.kubernetes.io/owner=platform'
    # Annotations for the operator pod itself; annotation values must be strings
    podAnnotations:
      vault.security.banzaicloud.io/vault-addr: https://vault.vault:8200
      vault.security.banzaicloud.io/vault-role: starboard-system-starboard-operator
      vault.security.banzaicloud.io/vault-skip-verify: "true"

Getting this error in vault-env logs:

level=error msg="failed to read login data" app=vault-env err="open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory" type=jwt

Looking at the scan job YAML file shows automountServiceAccountToken: false, hence the service account token is not being mounted. This token is needed for Vault to populate the githubToken value before the scan job container launches.

What did you expect to happen:

Expected Vault to replace the github_token secret env at the container init stage.

Environment:

  • Starboard version (use starboard version): 0.14.1
  • Kubernetes version (use kubectl version): v1.21.5-eks-9017834
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Ubuntu 21.04
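The reporter's diagnosis above, written out as a check (an added example, not Starboard's or the Vault webhook's code): given a scan job pod template and its ServiceAccount, it applies the Kubernetes precedence rule for automountServiceAccountToken and flags the combination that produced the vault-env error. The types are trimmed stand-ins for client-go, and the sample template is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Trimmed PodTemplate/ServiceAccount shapes (example types, not client-go).
type PodTemplate struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		AutomountServiceAccountToken *bool `json:"automountServiceAccountToken"`
	} `json:"spec"`
}
type ServiceAccount struct {
	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken"`
}

// TokenMounted reports whether the kubelet projects the token to
// /var/run/secrets/kubernetes.io/serviceaccount/token: the pod-level field
// wins over the ServiceAccount's, and both unset means mounted.
func TokenMounted(tpl PodTemplate, sa ServiceAccount) bool {
	if v := tpl.Spec.AutomountServiceAccountToken; v != nil {
		return *v
	}
	if v := sa.AutomountServiceAccountToken; v != nil {
		return *v
	}
	return true
}

// CheckVaultInjection returns a finding when the template carries the Banzai
// Vault webhook annotation but vault-env will have no token to log in with.
func CheckVaultInjection(tplJSON []byte, sa ServiceAccount) (string, error) {
	var tpl PodTemplate
	if err := json.Unmarshal(tplJSON, &tpl); err != nil {
		return "", err
	}
	_, vault := tpl.Metadata.Annotations["vault.security.banzaicloud.io/vault-addr"]
	if vault && !TokenMounted(tpl, sa) {
		return "vault-env needs the service account token but automountServiceAccountToken resolves to false", nil
	}
	return "", nil
}

// Constructed sample mirroring the reported scan job, not a real manifest.
const scanJobTemplate = `{"metadata":{"annotations":{"vault.security.banzaicloud.io/vault-addr":"https://vault.vault:8200"}},"spec":{"automountServiceAccountToken":false}}`

func main() {
	finding, err := CheckVaultInjection([]byte(scanJobTemplate), ServiceAccount{})
	fmt.Println(finding, err)
}
```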

Thank you for the feedback @madianas21. Do you think it makes sense to introduce a Trivy plugin config to enable / disable mounting the service account token? For users who don't deploy Vault, disabling it is still a good thing. WDYT?