Merge pull request #48 from GitGuardian/fperucki/-/fix-hcv-k8s

FlorianPerucki · web-flow · commit 9c09e2f56148 · 2025-07-03T15:43:57.000+02:00
docs(hashicorp): improve hashicorp kube authentication method doc
diff --git a/charts/ggscout/examples/hashicorpvault-k8s/README.md b/charts/ggscout/examples/hashicorpvault-k8s/README.md
@@ -2,33 +2,36 @@
 
 This example demonstrates how to configure ggscout to authenticate with HashiCorp Vault using Kubernetes authentication when running in a Kubernetes cluster.
 
-## Prerequisites
-
-1. HashiCorp Vault with Kubernetes auth method enabled
-2. Proper Vault policies and roles configured
-3. ggscout deployed in a Kubernetes cluster
-
 ## Vault Configuration
 
 ### 1. Enable Kubernetes Auth Method
 
 ```bash
 # Enable Kubernetes auth method
-vault auth enable kubernetes
+vault auth enable kubernetes --path=kubernetes
 ```
 
+Note: the `--path` argument is not mandatory but lets you rename your authentication path, which must be unique, in case you have multiple kubernetes authentication methods configured.
+
 See HashiCorp Vault reference [documentation](https://developer.hashicorp.com/vault/docs/auth/kubernetes#configuration)
 
 ### 2. Configure Kubernetes Auth Method
 
 ```bash
+
+CA_CRT=$(kubectl get cm kube-root-ca.crt -o jsonpath="{['data']['ca\.crt']}")
+
 # Configure the Kubernetes auth method
 vault write auth/kubernetes/config \
-    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
-    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
-    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    kubernetes_host="https://$KUBERNETES_ADDR" \
+    kubernetes_ca_cert="$CA_CRT"
 ```
 
+Note: replace `auth/kubernetes` with `auth/yourpath` if you used the `--path` argument in the `vault auth enable` command above.
+
+If your Vault is running in Kubernetes, you need add `disable_local_ca_jwt=true` in the command above. For more details, follow (these steps)[https://developer.hashicorp.com/vault/docs/auth/kubernetes#use-the-vault-client-s-jwt-as-the-reviewer-jwt] from the HashiCorp documentation.
+
+
 ### 3. Create Vault Policy
 
 ```bash
@@ -60,6 +63,7 @@ vault write auth/kubernetes/role/ggscout \
     ttl=24h
 ```
 
+
 ## Deployment
 
 ### 1. Update Configuration
diff --git a/charts/ggscout/examples/hashicorpvault-k8s/values.yaml b/charts/ggscout/examples/hashicorpvault-k8s/values.yaml
@@ -11,6 +11,7 @@ inventory:
           auth_mode: "k8s"
           k8s:
             role: "${VAULT_K8S_ROLE}"
+            mount: "kubernetes"  # This is the default; if the authentication path has changed, this must be updated
         fetch_all_versions: true # Fetch all versions of secrets or not
         path: "secret/dev" # Vault path or unspecified
         mode: "read/write" # Can be `read`, `write` or `read/write` depending on wether fetch and/or sync are enabled
