Add tool to allow creating credentials from vault

Jonas Schäfer requested to merge feature/admin-conf-from-vault into devel

Version Control Information

Source branch: feature/admin-conf-from-vault
Target branch: devel

Commits:

* Add tool to allow creating credentials from vault

This allows configuring Vault in such a way that it is possible to
source a fully-functional admin.conf file from Vault.

* Remove unused k8s-pki issuer role

I'm not sure what this role was intended to be used for; it is
referenced in the policy in init.sh for the orchestrator role, however,
the privileges granted by the certificate from this issue role are
useless. You can use it to impersonate a node, but that doesn't seem
like a useful thing to be able to do, in particular because the
orchestrator can create approle roles for nodes and then use that (which
is needed in the bare metal flow) to obtain credentials for the node.

Thus, we drop it, as well as the privileges to use it.

Description

This MR provides the necessary tooling to generate admin.conf-like files from certificates issued by the Vault instance.

There are a couple open questions:

  • Is there a better way to obtain the cluster_name, username and kubernetes_server in the k8s-login.sh script?
  • Docs need to be written

Merge Prerequisites

  • MR title (and description) are descriptive
  • Code is readable and syntactically correct
  • Code is understandable
  • Documentation has been updated, if necessary
  • Commit messages look good
  • Release note file added in latest commit

As a developer: please do not tick these boxes yourself. As a reviewer: please get yourself a hot cold beverage.

Edited by Jonas Schäfer
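
The description says the tooling builds admin.conf-like files from Vault-issued certificates and names cluster_name, username and kubernetes_server as inputs. The sketch below is an added example, not code from this MR or the project; it shows how those three values combine with a Vault PKI issue response into a kubeconfig. Function names, the sample response and the choice of issuing_ca as the cluster CA are assumptions.

```python
import base64
import json
import os

# Constructed sample in the shape of a Vault PKI "issue" response;
# the PEM bodies are placeholders, not real key material.
SAMPLE_VAULT_RESPONSE = json.dumps({"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nCLIENT\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----",
}})


def b64(pem):
    """kubeconfig *-data fields carry the PEM text base64-encoded."""
    return base64.b64encode(pem.encode()).decode()


def build_kubeconfig(vault_json, cluster_name, username, kubernetes_server):
    data = json.loads(vault_json).get("data") or {}
    missing = [k for k in ("certificate", "issuing_ca", "private_key") if not data.get(k)]
    if missing:
        raise ValueError("Vault response lacks: " + ", ".join(missing))
    if not kubernetes_server.startswith("https://"):
        raise ValueError("kubernetes_server must be an https:// URL")
    context = f"{username}@{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        # Assumption: the API server certificate chains to the issuing CA.
        "clusters": [{"name": cluster_name, "cluster": {
            "server": kubernetes_server,
            "certificate-authority-data": b64(data["issuing_ca"])}}],
        "users": [{"name": username, "user": {
            "client-certificate-data": b64(data["certificate"]),
            "client-key-data": b64(data["private_key"])}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster_name, "user": username}}],
        "current-context": context,
    }


def write_kubeconfig(config, path):
    # The file embeds the private key: create it 0600 and tighten an existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)
        json.dump(config, fh, indent=2)  # JSON is valid YAML, so kubectl can load it
```

The username here is only a kubeconfig label; the API server derives the identity and groups from the certificate subject.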
