Comments (12)

tomhjp commented on May 20, 2024 (5)

Hi @thomas-riccardi, thanks for the feedback! We are indeed planning something in this area. The likely route is that we will do #82 first, and then start deploying Vault Agent as a sidecar to the vault-csi-provider daemonset and route all requests through the Agent. Then we can use the same exact mechanism as the sidecar injector.

from vault-csi-provider.

tomhjp commented on May 20, 2024 (4)

@jonpjenkins yep I've been thinking about this quite a bit lately. Adding lease renewal should now be relatively straightforward, and I think it probably won't even require any further changes in this repo - it should all be deployment changes which we'll help automate in hashicorp/vault-helm.

One slight wrinkle as far as caching is concerned though: the cache entry key depends on the Vault token, but because we generate a fresh k8s token on every mount request, the provider will never get a cache hit from Agent. That means when auto rotation is used (via the flag on the driver), a fresh secret will be fetched on every re-mount. I'm wondering about a new Agent feature to help fix this, which could perhaps rely on JWT validation because even if the token isn't stable, the identity is, so that could be a verifiably correct way to allow cache hits from different tokens. But I haven't explored that in depth yet.

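The cache-key problem described in the comment above, as an added illustration that is not code from vault-csi-provider or Vault Agent: two service-account tokens for the same identity are minted (constructed HS256 tokens under an illustration-only key; real Kubernetes tokens are asymmetrically signed and verified against the API server's keys), a cache keyed on the raw token misses on the second mount and requests a second lease, while a cache keyed on the verified `sub` claim hits. The signature check is what makes the identity key safe to use: a token signed under a different key is rejected before it can reach the cache. The `secretCache`, `simulate` and `verifiedIdentity` names, the service-account name and the secret path are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Illustration-only HMAC key; real service-account tokens are signed asymmetrically.
var signingKey = []byte("illustration-only-key")

type claims struct {
	Sub string `json:"sub"` // identity: stable across mounts
	Jti string `json:"jti"` // token ID: fresh on every mount
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken builds an HS256 JWT from constructed claims.
func mintToken(c claims, key []byte) string {
	payload, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// verifiedIdentity checks the signature first and only then returns sub;
// an unverified sub must never become a cache key.
func verifiedIdentity(token string, key []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil || c.Sub == "" {
		return "", errors.New("invalid claims")
	}
	return c.Sub, nil
}

// secretCache stands in for an Agent-style cache; fetches counts how often
// a fresh secret (and so a fresh lease) had to be requested from Vault.
type secretCache struct {
	entries map[string]string
	fetches int
}

func (c *secretCache) get(key, path string) string {
	if v, ok := c.entries[key]; ok {
		return v
	}
	c.fetches++
	v := fmt.Sprintf("lease-%d for %s", c.fetches, path)
	c.entries[key] = v
	return v
}

// simulate mounts the same secret twice for one service account and returns
// the Vault fetch count with a token-keyed and with an identity-keyed cache.
func simulate() (tokenKeyed, identityKeyed int, err error) {
	const sa, path = "system:serviceaccount:app:web", "database/creds/app"
	t1 := mintToken(claims{Sub: sa, Jti: "mount-1"}, signingKey)
	t2 := mintToken(claims{Sub: sa, Jti: "mount-2"}, signingKey)

	byToken := &secretCache{entries: map[string]string{}}
	byToken.get(t1+"|"+path, path)
	byToken.get(t2+"|"+path, path) // different token string: miss, second lease

	byIdentity := &secretCache{entries: map[string]string{}}
	for _, tok := range []string{t1, t2} {
		id, verr := verifiedIdentity(tok, signingKey)
		if verr != nil {
			return 0, 0, verr
		}
		byIdentity.get(id+"|"+path, path) // same verified identity: hit
	}
	return byToken.fetches, byIdentity.fetches, nil
}

func main() {
	tok, id, err := simulate()
	fmt.Println("token-keyed fetches:", tok, "identity-keyed fetches:", id, "err:", err)
}
```

Keying on the identity alone is only sound because the key is derived after signature verification; the cache key also carries the secret path, so two secrets requested by the same identity still get separate leases.
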
tomhjp commented on May 20, 2024 (3)

For anyone following this issue, #163 and hashicorp/vault-helm#749 are relevant. It's not quite the whole picture, but they should be good steps forward when merged.

tomhjp commented on May 20, 2024 (1)

Thanks for the ping, it is! I've just pushed some updates to that PR and requested review.

jonpjenkins commented on May 20, 2024

To add, as alluded to by @thomas-riccardi, this would be really useful with regard to Vault-provided dynamic credentials, which can be renewable but would need to be handled by an agent. Thanks much for the work!

jonpjenkins commented on May 20, 2024

@tomhjp checking in on this - now that #138 closed #82, is this work able to go forward? This feature would be really useful for our use case.

LosAngeles971 commented on May 20, 2024

Hello @tomhjp,
hope everything is fine.
I am also interested in the issue raised by @thomas-riccardi; if possible, is there a time estimate for the realization of that feature?
Thanks so much,
Angelo.

jonpjenkins commented on May 20, 2024

@tomhjp I wanted to bump the above ask - the question of time estimation. I am on the cusp of writing a work-around for now until this is resolved.

jonpjenkins commented on May 20, 2024

@tomhjp Thanks for getting #163 taken care of 🎉 🥇

Is that #749 WIP close to being complete?

jonpjenkins commented on May 20, 2024

@tomhjp I saw that, thanks so much!

jonpjenkins commented on May 20, 2024

@tomhjp I see the referenced PR is merged, and the agent is included by default now -- thanks! 🎉 🙌

Would you be willing to offer your thoughts on what would be left yet to do on this front?

tomhjp commented on May 20, 2024

I think #202 probably wraps up this issue. Alongside the Agent sidecar deployed by vault-helm, it will mean that tokens and secret leases are always renewed by Vault Agent for as long as possible, and each pod will only have one dynamic lease generated at a time per requested secret. There are some other TTL-related issues like #149 and #151 that won't be fixed, but as this issue is primarily about TTL renewal, I think I'll close this with #202.
