
Add support for vault kubernetes authentication #274

Closed
justinas-b opened this issue Jan 24, 2022 · 18 comments
@justinas-b

Hey! For the workloads running in kubernetes, usually the kubernetes authentication method is used on Vault, so it would be awesome to have this supported on envconsul also.

This would eliminate the need to manage all the tokens for authentication with vault.

More about authentication method here: https://www.vaultproject.io/docs/auth/kubernetes

@justinas-b
Author

In some way, related to #252

@yellowmegaman

Having this implemented will enable a really great level of security.
If only envconsul could get secrets only via k8s auth:

  • we could inject secrets for pid 1, not leaving the file with secrets on disk (as with Vault injector)
  • with proper user in container, kubectl exec won't be able to read /proc/1/environ
  • we could also add a bit of RBAC and policies (e.g. gatekeeper) on top of that - and no one will be able to run workload with ServiceAccount that has access to those secrets.

So if I understood correctly, it's a killer feature, much better than vault injector or Vault CSI in current state.

@Kryvchun
Contributor

@eikenb Hi. I am going to implement this, and as I see, I will need to:

  1. support k8s auth method in consul-template:
    a. Add new fields to CreateConsulClientInput:
    K8SAuthRoleName            string
    K8SServiceAccountMountPath string
    K8SServiceAccountToken     string
    b. If a token is unset in the function CreateVaultClient, then execute client.Auth().Login(...) with vault.auth.KubernetesAuth auth method, and set the token.
  2. add config flags to envconsul.

Am I right about the idea of implementation?

I found only one mention about implementing other auth methods in the comment of consul-template:
hashicorp/consul-template#744 (comment)
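
A minimal version of the login step in the plan above (if no token is configured, exchange the pod's service-account JWT for a Vault token at auth/<mount>/login), as an added example in Go using only the standard library; it is not consul-template's code and does not use the vault/api KubernetesAuth helper. K8sAuthInput, ResolveToken and VaultAddr are names assumed here, and the three proposed fields map to RoleName, MountPath and TokenPath:

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// K8sAuthInput carries the three fields proposed above (role name, auth mount
// path, service-account token path) next to the explicit Token they fall back
// from. Added illustration of the planned flow, not consul-template's own code.
type K8sAuthInput struct {
	VaultAddr, Token, RoleName, MountPath, TokenPath string
}

// ResolveToken returns an explicit token unchanged; otherwise it exchanges the
// pod's projected service-account JWT for a Vault token at auth/<mount>/login.
func ResolveToken(ctx context.Context, in K8sAuthInput) (string, error) {
	if in.Token != "" { return in.Token, nil } // a configured token wins, as in the plan
	if in.RoleName == "" { return "", errors.New("kubernetes auth: role name is required") }
	mount, path := in.MountPath, in.TokenPath
	if mount == "" { mount = "kubernetes" } // Vault's default mount for this method
	if path == "" { path = "/var/run/secrets/kubernetes.io/serviceaccount/token" }
	jwt, err := os.ReadFile(path)
	if err != nil { return "", fmt.Errorf("read service account token: %w", err) }
	body, _ := json.Marshal(map[string]string{"role": in.RoleName, "jwt": strings.TrimSpace(string(jwt))})
	url := strings.TrimRight(in.VaultAddr, "/") + "/v1/auth/" + strings.Trim(mount, "/") + "/login"
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil { return "", err }
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return "", err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return "", fmt.Errorf("vault login: HTTP %d", resp.StatusCode) }
	// Only auth.client_token is needed; the JWT itself never leaves this function.
	var out struct {
		Auth struct {
			ClientToken string `json:"client_token"`
		} `json:"auth"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Auth.ClientToken == "" {
		return "", errors.New("vault login: missing client_token in response")
	}
	return out.Auth.ClientToken, nil
}
```

The returned token is what envconsul would then set on its Vault client before reading secrets; the service-account JWT is only ever sent to the login endpoint.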

@justinas-b
Author

Would it make sense to include vault namespace also?

@yellowmegaman

Would it make sense to include vault namespace also?

Correct me if I'm wrong, it's already supported.

@yellowmegaman

@eikenb John, can you please take a look at @Kryvchun's plan?

@eikenb
Contributor

eikenb commented May 9, 2022

Hey @Kryvchun, @yellowmegaman, @justinas-b...

Sorry for the silence. I've been busy trying to get up to speed on consul-esm to fix an important bug there and have been ignoring my inbox.

I haven't worked on the Auth portions of consul-template yet but will happily work through the PRs there. With a quick skim it seems like you're on the right path. The hardest part will probably be figuring out how to test it as consul-template relies heavily on integration tests which won't work here. But that would be part of the consul-template PR and we can figure that out there.

I'm not actively working on consul-template right now but try to spend time every Monday on community feedback for all the projects. I am planning on working on Envconsul soon-ish (next after the consul-esm 0.6.1 bugfix release I'm working on now) and we might be able to squeeze all this in at that point.

@gauravkr19

gauravkr19 commented Jul 13, 2022

Can anyone please share the documentation on using envconsul with Kubernetes workloads?

@Kryvchun
Contributor

@gauravkr19

Thanks @Kryvchun for the quick response. Is this part of the latest release?
Do we have an example of its usage with Kubernetes?

@eikenb
Contributor

eikenb commented Jul 13, 2022

If anyone would like to write up a quick example to include in the README or, if better, another file I'd be happy to include it. Thanks.

@gauravkr19

gauravkr19 commented Jul 14, 2022

Hi John & Maksym,
I have been trying to place secrets with a period in their key, like “com.tibco.resource.password”=2323, from Vault into a Pod's environment variable.
However, it errors out when exporting this as an env variable. Error: "Bad identifier".

Can envconsul solve this? Can it export a variable with a dot into the container's shell?

@eikenb
Contributor

eikenb commented Jul 14, 2022

That should work with envconsul.

$ consul kv put foo/bar.zed.wha 1234
Success! Data written to: foo/bar.zed.wha
$ envconsul -pristine -prefix foo -once bash
jae@hidoshi:/home/jae/projects/envconsul$ env
bar.zed.wha=1234
[...]

I used consul as it was handy (testing stuff like this right now) but should work the same either way.

@gauravkr19

gauravkr19 commented Jul 15, 2022

Thanks John for confirming this, I tested this with Vault and can use non-standard identifiers as secret keys.
Now I need to implement the same in openshift with the K8s auth method. Any idea when this feature of K8s authentication will be released? I did not find it in the latest version 0.12.1.

@eikenb eikenb added this to the v0.13.0 milestone Jul 15, 2022
@eikenb
Contributor

eikenb commented Jul 15, 2022

Sorry @gauravkr19, my k8s knowledge is very limited. You might want to try asking in hashicorp's discuss forums, maybe the vault-k8s one will be able to help.

https://discuss.hashicorp.com/tags/c/vault/30/k8s

@eikenb
Contributor

eikenb commented Jul 15, 2022

Just realized this ticket is still open and I've merged this already. I.e., it didn't auto-close.

This support was merged in with #281

@eikenb eikenb closed this as completed Jul 15, 2022
@yellowmegaman

@eikenb Great! Thank you. Can we have a new release with it?

@eikenb
Contributor

eikenb commented Jul 18, 2022

@yellowmegaman, I have one last bug to finish fixing, then I will be putting out a new release. Should be this week, as I have a PR already up to fix the bug (upstream in consul-template) and am just waiting on a review.
