mbp-935: Configure Vault to support JWT authentication #33
Conversation
sabre1041
left a comment
@mlorenzofr Ran into a failure attempting to execute the PR
TASK [rhvp.cluster_utils.vault_utils : Write JWT configuration] *************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": true, "rc": 2, "return_code": 2, "stderr": "Error writing data to auth/jwt/config: Error making API request.\n\nURL: PUT https://vault.vault.svc.cluster.local:8200/v1/auth/jwt/config\nCode: 400. Errors:\n\n* error checking oidc discovery URL\n", "stderr_lines": ["Error writing data to auth/jwt/config: Error making API request.", "", "URL: PUT https://vault.vault.svc.cluster.local:8200/v1/auth/jwt/config", "Code: 400. Errors:", "", "* error checking oidc discovery URL"], "stdout": "", "stdout_lines": []}
The challenge is that logic in the rhvp.cluster_utils collection for enabling JWT auth assumes the default router certificate is being used. However, on clusters where custom certificates (either at the router, route or pod level) are used, this will fail.
Given the various options for how a certificate could be sourced, an alternate solution could be to retrieve the remote certificate and use the retrieved certificate in the auth configuration.
Okay. I'll implement it as you suggested, using the same certificate served by the endpoint as the CA for validation.
I have created a new PR in the rhvp.cluster_utils to implement the changes. Since tomorrow is a US holiday, it may take some time for review and approval. I have built a version of the utility container with these changes for my testing, and it can also be used to validate these changes in our project. To use the utility container build with the suggested changes:
export PATTERN_UTILITY_CONTAINER=quay.io/mlorenzofr/utility-container
I used the svc name oidcDiscoveryUrl: https://spire-spiffe-oidc-discovery-provider.zero-trust-workload-identity-manager.svc.cluster.local
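The approach agreed in this thread (fetch the certificate the OIDC discovery endpoint actually serves and give it to Vault as the CA for validating the discovery URL), as an added shell example that is not the rhvp.cluster_utils implementation. It assumes `openssl` and a logged-in `vault` CLI are on PATH, uses the svc hostname quoted above, and assumes port 443.

```shell
#!/bin/sh
# Added example (not the rhvp.cluster_utils code). Assumes `openssl` and a
# logged-in `vault` CLI on PATH; OIDC_PORT=443 is an assumption.
OIDC_HOST="${OIDC_HOST:-spire-spiffe-oidc-discovery-provider.zero-trust-workload-identity-manager.svc.cluster.local}"
OIDC_PORT="${OIDC_PORT:-443}"

# Keep only the PEM certificate blocks from `openssl s_client -showcerts`
# output; the handshake chatter around them must not reach Vault.
extract_pem_chain() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Number of certificates in a PEM stream (sanity check before writing).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Fetch the chain the endpoint actually presents. -servername sends SNI so
# a router holding several certificates returns the one for this host.
fetch_served_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | extract_pem_chain
}

# Point Vault's JWT auth at the discovery URL, pinning the served chain as
# the CA. This is a pin-on-fetch: rerun when the endpoint's cert rotates.
configure_vault_jwt() {
    ca_file="$1"
    if [ "$(count_pem_certs <"$ca_file")" -lt 1 ]; then
        echo "no certificate fetched for $OIDC_HOST; refusing to configure" >&2
        return 1
    fi
    vault write auth/jwt/config \
        oidc_discovery_url="https://$OIDC_HOST" \
        oidc_discovery_ca_pem=@"$ca_file"
}

main() {
    tmp="$(mktemp)"
    fetch_served_chain "$OIDC_HOST" "$OIDC_PORT" >"$tmp"
    rc=0
    configure_vault_jwt "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run only when invoked as `sh script.sh run`, so the functions can be
# sourced and tested without touching the network or Vault.
case "${1:-}" in run) main ;; esac
```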
This looks really good. Also great collaboration with the VP team on working to integrate changes upstream.
Tested using a container that @mlorenzofr built containing updated content to be integrated upstream.
Set the following prior to running the pattern
export PATTERN_UTILITY_CONTAINER=quay.io/mlorenzofr/utility-container
Also utilized some of the steps as described here to work around ZTWIM TP1 challenges:
- Execute pattern install
- Stop execution when attempting to verify Vault is active
- Wait until Argo CD has deployed ZTWIM
- Apply TP1 adjustments (starting with Kyverno steps)
- Rerun pattern install
ingress:
  enabled: true
  annotations:
    route.openshift.io/termination: reencrypt
This is great for ZTWIM TP1. We will need to revisit the necessary changes for TP2
Signed-off-by: Manuel Lorenzo <[email protected]>
sabre1041
left a comment
LGTM
* fix: add ripple ns
Signed-off-by: Chris Butler <[email protected]>
* feat: enable LE
Signed-off-by: Chris Butler <[email protected]>
* chore(docs): add nat gateway
Signed-off-by: Chris Butler <[email protected]>
---------
Signed-off-by: Chris Butler <[email protected]>
This is the first draft to automate the JWT/SPIFFE configuration of Vault.
To configure Vault JWT authentication parameters, we can change the settings in the clusterGroup.applications.vault.jwt attribute, in the values-hub.yaml file:
If enabled, it will cause the Ansible tasks included in the vault_jwt.yaml file (rhvp.cluster_utils) to run to configure JWT authentication in Vault.
Although I've added the oidcDiscoveryCa and policies fields to the roles, this part isn't fully implemented in Ansible, as there are some issues with the current version of ZTWIM. I'll leave this for future versions.
wdyt?