[Documentation] - Include `audience` field as part of Hashicorp Vault Kubernetes Auth

[luis-garza]

Describe the solution you'd like

There are scenarios where using Hashicorp Vault Kubernetes Auth, one needs to use a JWT with custom audience.
Right now one only can define a JWT through a static secret which could not be used in a GitOps deployment, or through service account name which can't customize JWT

What is the added value?

Enabling TokenRequest API to fetch service account tokens in Hashipotp Vault Kubernetes Auth will increase the scenarios where this secure auth method could be used.

Observations (Constraints, Context, etc):

The TokenRequest API it's being used alredy in Hashicorp Vault JWT/OIDC Auth, see field kubernetesServiceAccountToken.

[gusfcarvalho]

Hi @luis-garza ! What eso version are you using? From 0.5.9 eso by default used token Request API when you provide a service account configuration

[luis-garza]

Hi @gusfcarvalho,
thanks for the quick response.

I'm using v0.6.1, and following the current documentation, using Kubernetes Auth one can't change the audience for service account JWT.

Or it is possible? I'm missing something? 🤔

[luis-garza]

Oh wait!
Even is not defined in the documentation nor API, I've played adding audience field and it worked! 😮

...
      auth:
        kubernetes:
          mountPath: kubernetes/my-cluster
          role: my-role
          serviceAccountRef:
            name: my-service-account
            audiences:
              - vault
...

Please, would be nice if some one could update the documentation with hidden fields to help other users.

[gusfcarvalho]

hi @luis-garza ! Yes I agree. Sorry for that 😅

[luis-garza]

BTW, it looks like there are other fields, it could be checked by kubectl explain command

$ kubectl explain secretstore.spec.provider.vault.auth.kubernetes --recursive
KIND:     SecretStore
VERSION:  external-secrets.io/v1beta1

RESOURCE: kubernetes <Object>

DESCRIPTION:
     Kubernetes authenticates with Vault by passing the ServiceAccount token
     stored in the named Secret resource to the Vault server.

FIELDS:
   mountPath	<string>
   role	<string>
   secretRef	<Object>
      key	<string>
      name	<string>
      namespace	<string>
   serviceAccountRef	<Object>
      audiences	<[]string>
      name	<string>
      namespace	<string>

[moolen]

We set the default "vault" aud in the jwt auth method, but we don't do it in the Kubernetes auth method:

external-secrets/pkg/provider/vault/vault.go

Lines 1258 to 1262 in 7f6ba97

	audiences := k8sServiceAccountToken.Audiences
	if audiences == nil {
	audiences = &[]string{"vault"}
	}
	expirationSeconds := k8sServiceAccountToken.ExpirationSeconds

Looking at it now i think we should add the audience handling there, too. 🤔

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity.