0

I am using Spring Vault to access Vault from a Spring Boot app running in Kubernetes.

Version

<dependency>  
   <groupId>org.springframework.vault</groupId>  
   <artifactId>spring-vault-core</artifactId>  
   <version>2.1.3.RELEASE</version>  
</dependency>

Config

vault:
  uri: https://xxx.xxx.com:8200
  authentication: KUBERNETES
  kubernetes:
    role: abc
    kubernetes-path: path/to/k8s
    service_account_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

Error

o.s.v.a.VaultLoginException: Cannot login using Kubernetes: invalid role name \"abc\";

When I try to log in using curl with the same role and token, it succeeds:

VAULT_LOGIN="{\"role\":\"$SA_ROLE\", \"jwt\":\"$SA_JWT_TOKEN\"}"
curl --request POST --data "$VAULT_LOGIN" https://xxx.xxx.com:8200/v1/auth/path/to/k8s/login
cppcoder

1 Answer

0

It is a bug in Spring Vault. It does not support a custom auth backend path. Please find the issue here: https://github.com/spring-projects/spring-vault/issues/462

As a workaround, we can fix this by overriding the kubeAuthentication method.

@Override
protected ClientAuthentication kubeAuthentication() {

    // Role to request on the Kubernetes auth mount.
    String role = getEnvironment().getProperty("vault.kubernetes.role");
    Assert.hasText(role, "Vault Kubernetes authentication: role must not be empty");

    // Service account token file; fall back to the default in-pod location.
    String tokenFile = getEnvironment().getProperty("vault.kubernetes.service-account-token-file");
    if (!StringUtils.hasText(tokenFile)) {
        tokenFile = KubernetesServiceAccountTokenFile.DEFAULT_KUBERNETES_SERVICE_ACCOUNT_TOKEN_FILE;
    }
    KubernetesJwtSupplier jwtSupplier = new KubernetesServiceAccountTokenFile(
            tokenFile);

    // Custom auth mount path; the builder rejects an empty path, so use the
    // default mount when the property is not set.
    String path = getEnvironment().getProperty("vault.kubernetes.kubernetes-path",
            KubernetesAuthenticationOptions.DEFAULT_KUBERNETES_AUTHENTICATION_PATH);
    KubernetesAuthenticationOptions authenticationOptions = KubernetesAuthenticationOptions
            .builder() //
            .role(role) //
            .path(path) // pass the mount path explicitly
            .jwtSupplier(jwtSupplier) //
            .build();

    return new KubernetesAuthentication(authenticationOptions, restOperations());
}
cppcoder
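To check from inside the pod which auth mount actually accepts the role, the curl login from the question can be sent to both the configured mount and Vault's default `kubernetes` mount. This is an added example, not code from the post or from Spring Vault; the function names are hypothetical and the address, role and token file are whatever your deployment uses.

```shell
#!/bin/sh
# Added example: compare a Kubernetes auth login against two mount paths.

# Build the login URL for a Kubernetes auth mount. An empty mount falls back
# to Vault's default mount name "kubernetes". One leading/trailing slash is
# stripped so "/path/to/k8s/" and "path/to/k8s" give the same URL.
vault_k8s_login_url() {
    addr=${1%/}
    mount=${2:-kubernetes}
    mount=${mount#/}
    mount=${mount%/}
    printf '%s/v1/auth/%s/login' "$addr" "$mount"
}

# Build the JSON login body, escaping backslashes and double quotes so an
# unusual role name cannot break the document.
vault_k8s_login_payload() {
    role=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    jwt=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"role":"%s","jwt":"%s"}' "$role" "$jwt"
}

# POST the login to one mount and print "<http status> <url>".
# Args: vault address, mount path, role, service account token file.
# The body is sent on stdin so the JWT never appears in the process list,
# and the response (which holds a client token on success) is discarded.
vault_k8s_try_login() {
    url=$(vault_k8s_login_url "$1" "$2")
    jwt=$(cat "$4") || return 1
    code=$(vault_k8s_login_payload "$3" "$jwt" |
        curl --silent --output /dev/null --write-out '%{http_code}' \
             --request POST --data @- "$url")
    printf '%s %s\n' "$code" "$url"
}

# Usage (needs network access to Vault):
#   TOKEN_FILE=/var/run/secrets/kubernetes.io/serviceaccount/token
#   vault_k8s_try_login "$VAULT_ADDR" path/to/k8s abc "$TOKEN_FILE"
#   vault_k8s_try_login "$VAULT_ADDR" ""          abc "$TOKEN_FILE"
```

If the role is accepted only on the custom mount, the client has to be given that mount path explicitly, which is what the override in the answer does.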