
agent/auto-auth: add exit_on_err configurable #17091

Merged: 5 commits merged from exit-on-err-auto-auth into main on Sep 15, 2022

Conversation

jasonodonnell (Contributor) commented Sep 9, 2022

When Agent's auto-auth encounters a problem it will retry indefinitely, regardless of the error. This configurable allows users to specify if Vault should exit on auto-auth error, similar to exit_on_err in the caching engine: https://www.vaultproject.io/docs/agent/caching#exit_on_err.

At the moment this will exit on any error, but I'm open to only exiting on some errors (such as 400 errors).

@jasonodonnell jasonodonnell requested review from swenson, tvoran, tomhjp and a team September 9, 2022 19:00
ncabatoff (Collaborator) commented:

What's the motivation/use case here? And can you clarify in the docs that this applies not just to initial auth, but also any re-auth that occurs once renewal is no longer possible, either due to a renewal failure or the token TTL being reached?

jasonodonnell (Contributor, Author) replied:

> What's the motivation/use case here? And can you clarify in the docs that this applies not just to initial auth, but also any re-auth that occurs once renewal is no longer possible, either due to a renewal failure or the token TTL being reached?

The motivation here is that auto-auth will continually try to auth indefinitely, even if there's a misconfiguration (role doesn't exist) or the Vault server isn't online. I will update the doc with more information as well, good call out.
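To make the behaviour discussed in the description and in this reply concrete (retry forever versus exit on the first auto-auth failure, for initial auth and any later re-auth alike), here is an added model of the agent's auth loop. It is illustrative code written for this page, not Vault's own implementation; `AuthMethod`, `RunAutoAuth` and `FlakyMethod` are hypothetical names and the errors are constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// AuthMethod is a hypothetical stand-in for an agent auto-auth method.
type AuthMethod interface {
	Authenticate(ctx context.Context) (string, error)
}

// RunAutoAuth models the agent's auth loop. Without exitOnErr every failure
// is followed by a backoff and another attempt until ctx is cancelled; with
// exitOnErr the first failure is returned so the process can exit.
// It returns the token, the number of attempts made, and any error.
func RunAutoAuth(ctx context.Context, m AuthMethod, exitOnErr bool, backoff time.Duration) (string, int, error) {
	attempts := 0
	for {
		attempts++
		tok, err := m.Authenticate(ctx)
		if err == nil {
			return tok, attempts, nil
		}
		if exitOnErr {
			return "", attempts, fmt.Errorf("auto-auth failed, exiting: %w", err)
		}
		select {
		case <-ctx.Done(): // the only way out of the pre-PR loop
			return "", attempts, ctx.Err()
		case <-time.After(backoff):
		}
	}
}

// FlakyMethod fails FailuresLeft times and then succeeds (a server that is
// briefly offline); a negative FailuresLeft models a permanent failure such
// as a role that does not exist. Errors and token are constructed values.
type FlakyMethod struct{ FailuresLeft int }

func (f *FlakyMethod) Authenticate(context.Context) (string, error) {
	if f.FailuresLeft != 0 {
		if f.FailuresLeft > 0 {
			f.FailuresLeft--
		}
		return "", errors.New("constructed auth error")
	}
	return "hvs.constructed-token", nil
}
```

With exit_on_err a permanent misconfiguration surfaces as a process exit after one attempt, while a transient outage still recovers when the setting is left at its default.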

@jasonodonnell jasonodonnell added this to the 1.12 milestone Sep 15, 2022
jasonodonnell (Contributor, Author) commented:

@ncabatoff Updated the doc. Thanks for the suggestion!

swenson (Contributor) left a review comment:

LGTM

@jasonodonnell jasonodonnell enabled auto-merge (squash) September 15, 2022 17:42
@jasonodonnell jasonodonnell merged commit 8fddccd into main Sep 15, 2022
@raskchanky raskchanky deleted the exit-on-err-auto-auth branch September 15, 2022 18:03
swenson pushed a commit to hashicorp/vault-k8s that referenced this pull request Oct 28, 2022
Support was added in the Vault agent in hashicorp/vault#17091

Additionally, I tested this on a cluster by adding the
`vault.hashicorp.com/agent-auto-auth-exit-on-err: "true"`
annotation on a pod, and observing that the agent configuration
was:

```json
{
  "auto_auth": {
    "method": {
      "type": "kubernetes",
      "mount_path": "auth/kubernetes",
      "config": {
        "role": "internal-app",
        "token_path": "/var/run/secrets/kubernetes.io/serviceaccount/token"
      },
      "exit_on_err": true
    }...
```
swenson pushed a commit to hashicorp/vault-k8s that referenced this pull request Oct 31, 2022