Better support for hashivault KMS-based validation
raffaelespazzoli opened this issue · comments
Description
With hashivault KMS-based validation the following environment variables must be set:
VAULT_ADDR: probably a static value.
VAULT_TOKEN: usually a dynamic value that is retrieved by authenticating to vault and cannot be statically passed.
The fact that the VAULT_TOKEN is expected as an (immutable) environment variable is a problem for a long-running process, as Vault tokens have a TTL and the best practice is to make them short-lived.
Additionally, when running in Kubernetes it's a safe assumption that the kube authentication method will be used. For this to work, two more pieces of information are required:
- the authentication path.
- the requested role.
At the moment the policy-controller does not know how to authenticate to Vault.
The next best option is to use the vault agent as a pod sidecar to retrieve the VAULT_TOKEN. In this case the policy-controller would need to be able to read a file before every attempt to connect to Vault.
So here is the RFE:
- [best] support for the kube authentication approach from within the policy controller.
- [fall-back] support for reading the token from a file instead of from an environment variable.