7/30/2023

Vault login

TL;DR: What is the proper way to log in from the Vault CLI in a Kubernetes Pod using the Kubernetes Auth Method?

I want to create regular snapshots of my HashiCorp Vault raft storage. So I created a Kubernetes CronJob running the same image as my Vault cluster, which executes the following command on a schedule:

    vault operator raft snapshot save /backups/daily-$(date +"%Y-%m-%d-%H-%M").snap

/backups is a persistent volume mounted into the Pod. Of course the Pod needs to be authenticated to Vault. I have the Kubernetes Auth Method enabled. The Pods created by the CronJob/Job are running with a service account vault-backups. So I added a role vault_backups to Vault, which is bound to the service account vault-backups in the vault namespace, and assigned it a new policy raft_snapshots_read with the following content:

    path "/sys/storage/raft/snapshot"

For the actual login I'm currently doing the following:

    export VAULT_TOKEN=$(vault write auth/kubernetes/login \
        role=vault_backups \
        jwt=$(cat /run/secrets/kubernetes.io/serviceaccount/token) |\
        grep ...)

This command now uses the JWT of the service account vault-backups to log in with the role vault_backups. It returns formatted output (by default a table) containing the token. I grep and parse the line with the token to save it into VAULT_TOKEN. Afterwards the raft snapshot save command executes successfully and I have my snapshot saved to the volume.

The solution works, but I'm not sure if this is the proper way to do this. First of all, parsing the output feels kind of strange, especially since there is the vault login command. But vault login -method kubernetes fails with:

    Use "vault auth list" to see the complete list of auth methods. Additionally, some auth methods are only available via the HTTP API.

vault auth list includes an entry with type kubernetes, so I assume it is only available via the HTTP API.
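The login from the post, written so that no table output has to be parsed. This is an added example and not code from the original post: `vault write -field=token` makes the CLI print only the client token (no trailing newline), and `jwt=@file` makes it read the value from the projected service-account token file, so the token never has to pass through `cat`, `grep` or a shell variable in the argument list. The role name vault_backups, the token path, the /backups directory and the RUN_VAULT_BACKUP guard are assumptions taken from or added to the post, not Vault defaults.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): log in to Vault from a Pod with the
# Kubernetes auth method and save a raft snapshot, without parsing the CLI table.
set -eu

# Assumptions: the default projected service-account token path, the role and
# backup directory named in the post. All three can be overridden via the environment.
SA_TOKEN_FILE="${SA_TOKEN_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/token}"
VAULT_K8S_ROLE="${VAULT_K8S_ROLE:-vault_backups}"
BACKUP_DIR="${BACKUP_DIR:-/backups}"

# Exchange the Pod's service-account JWT for a Vault client token.
# -field=token prints only the token value; jwt=@file reads the JWT from a file.
vault_k8s_login() {
  role="$1"
  token_file="$2"
  if [ ! -r "$token_file" ]; then
    echo "service-account token file not readable: $token_file" >&2
    return 1
  fi
  vault write -field=token auth/kubernetes/login \
      role="$role" jwt=@"$token_file"
}

# Build the snapshot path; the timestamp defaults to the current UTC minute.
snapshot_path() {
  dir="$1"
  stamp="${2:-$(date -u +%Y-%m-%d-%H-%M)}"
  printf '%s/daily-%s.snap\n' "$dir" "$stamp"
}

# Whole job: log in, export the token for the CLI, save the snapshot, print its path.
run_backup() {
  token="$(vault_k8s_login "$VAULT_K8S_ROLE" "$SA_TOKEN_FILE")"
  if [ -z "$token" ]; then
    echo "login returned an empty token" >&2
    return 1
  fi
  VAULT_TOKEN="$token"
  export VAULT_TOKEN
  out="$(snapshot_path "$BACKUP_DIR")"
  vault operator raft snapshot save "$out"
  echo "$out"
}

# Assumed guard so the file can be sourced without running the job; the CronJob
# would set RUN_VAULT_BACKUP=1 (or just call run_backup).
if [ "${RUN_VAULT_BACKUP:-0}" = "1" ]; then
  run_backup
fi
```

If a script wants the whole login response rather than one field, `vault write -format=json auth/kubernetes/login ...` piped into `jq -r .auth.client_token` is the other option that avoids grepping the table; `-field=token` is the shorter form when only the token is needed.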