Comments (12)
Hi @thomas-riccardi, thanks for the feedback! We are indeed planning something in this area. The likely route is that we will do #82 first, and then start deploying Vault Agent as a sidecar to the vault-csi-provider daemonset and route all requests through the Agent. Then we can use the same exact mechanism as the sidecar injector.
from vault-csi-provider.
@jonpjenkins yep I've been thinking about this quite a bit lately. Adding lease renewal should now be relatively straightforward, and I think it probably won't even require any further changes in this repo - it should all be deployment changes which we'll help automate in hashicorp/vault-helm.
One slight wrinkle as far as caching is concerned though: the cache entry key depends on the Vault token, but because we generate a fresh k8s token on every mount request, the provider will never get a cache hit from Agent. That means when auto rotation is used (via the flag on the driver), a fresh secret will be fetched on every re-mount. I'm wondering about a new Agent feature to help fix this, which could perhaps rely on JWT validation because even if the token isn't stable, the identity is, so that could be a verifiably correct way to allow cache hits from different tokens. But I haven't explored that in depth yet.
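As an added illustration of the cache-key problem described in the comment above (not code from vault-csi-provider or Vault Agent), the toy model below runs a series of mount requests, each with a fresh projected service account token, against two caches: one keyed by the raw token, as the comment says Agent does today, and one keyed by the token's stable identity (`sub` claim), as the comment speculates. The token format, the `SecretCache` type, the service account name and the secret path are all constructed for this example; a real identity-based key would only be safe after the JWT signature has been verified, which this model deliberately omits.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SecretCache is a toy model of an Agent-style cache: a key derived from the
// caller's credential plus the secret path maps to a cached value.
type SecretCache struct {
	entries map[string]string
	fetch   func(path string) string
	Hits    int
	Misses  int
}

func NewSecretCache(fetch func(string) string) *SecretCache {
	return &SecretCache{entries: map[string]string{}, fetch: fetch}
}

// Get returns the cached secret for (key, path), fetching from the backend on a miss.
func (c *SecretCache) Get(key, path string) string {
	full := key + "|" + path
	if v, ok := c.entries[full]; ok {
		c.Hits++
		return v
	}
	c.Misses++
	v := c.fetch(path)
	c.entries[full] = v
	return v
}

// makeToken builds a constructed, unsigned Kubernetes-style JWT: "sub" is stable,
// "jti" changes per mount, mimicking a fresh projected token on every mount request.
// The signature segment is a placeholder, not a real signature.
func makeToken(sub string, mount int) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]string{"sub": sub, "jti": fmt.Sprintf("mount-%d", mount)})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".placeholder-signature"
}

// IdentityKey extracts the "sub" claim, which stays constant across token rotations.
// It only decodes; a real implementation must verify the JWT signature before
// trusting the claim as a cache key.
func IdentityKey(jwt string) (string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT: expected three segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decoding payload: %w", err)
	}
	var claims struct {
		Sub string `json:"sub"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil || claims.Sub == "" {
		return "", errors.New("missing or unreadable sub claim")
	}
	return claims.Sub, nil
}

// Simulate performs `remounts` mount requests, each with a fresh token, against a
// token-keyed and an identity-keyed cache, and returns the backend fetches (misses)
// each strategy caused. Every fetch would correspond to a new dynamic lease.
func Simulate(remounts int) (tokenKeyedMisses, identityKeyedMisses int, err error) {
	fetches := 0
	fetch := func(path string) string {
		fetches++
		return fmt.Sprintf("lease-%d", fetches)
	}
	byToken := NewSecretCache(fetch)
	byIdentity := NewSecretCache(fetch)
	const sub = "system:serviceaccount:app:web" // constructed service account identity
	for i := 0; i < remounts; i++ {
		tok := makeToken(sub, i)
		byToken.Get(tok, "database/creds/app")
		id, e := IdentityKey(tok)
		if e != nil {
			return 0, 0, e
		}
		byIdentity.Get(id, "database/creds/app")
	}
	return byToken.Misses, byIdentity.Misses, nil
}

func main() {
	t, i, err := Simulate(5)
	if err != nil {
		panic(err)
	}
	fmt.Printf("token-keyed misses: %d, identity-keyed misses: %d\n", t, i)
}
```

With five re-mounts the token-keyed cache misses five times (five leases generated), while the identity-keyed cache misses once and serves the remaining four from cache, which is the difference the comment is pointing at when auto rotation re-mounts with a fresh token each time.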
For anyone following this issue, #163 and hashicorp/vault-helm#749 are relevant. It's not quite the whole picture, but they should be good steps forward when merged.
Thanks for the ping, it is! I've just pushed some updates to that PR and requested review.
To add, as alluded to by @thomas-riccardi , this would be really useful with regards to vault provided dynamic credentials, which can be renewable but would need to be handled by an agent. Thanks much for the work!
@tomhjp checking in on this - now that #138 closed #82, is this work able to go forward? This feature would be really useful for our use case.
Hello @tomhjp,
hope everything is fine.
I am also interested in the issue raised by @thomas-riccardi; if possible, is there a time estimate for the realization of that feature?
Thanks so much,
Angelo.
@tomhjp I wanted to bump the above ask - the question of time estimation. I am on the cusp of writing a work-around for now until this is resolved.
@tomhjp Thanks for getting #163 taken care of 🎉 🥇
Is that #749 WIP close to being complete?
@tomhjp I saw that, thanks so much!
@tomhjp I see the referenced PR is merged, and the agent is included by default now -- thanks! 🎉 🙌
Would you be willing to offer your thoughts on what would be left yet to do on this front?
I think #202 probably wraps up this issue. Alongside the Agent sidecar deployed by vault-helm, it will mean that tokens and secret leases are always renewed by Vault Agent for as long as possible, and each pod will only have one dynamic lease generated at a time per requested secret. There are some other TTL-related issues like #149 and #151 that won't be fixed, but as this issue is primarily about TTL renewal, I think I'll close this with #202.