developer-guy · January 4, 2022 18:21
diff --git a/configure-k8s-auth-method-notes.sh b/configure-k8s-auth-method-notes.sh
 # Vault provides a Kubernetes authentication method that enables clients to authenticate with a Kubernetes Service Account Token.
 # Enable the Kubernetes authentication method.
 $ vault auth enable kubernetes
 Success! Enabled kubernetes auth method at: kubernetes/

 # Configure the Kubernetes authentication method to use location of the Kubernetes API, the service account token, its certificate, and the name of Kubernetes' service account issuer (required with Kubernetes 1.21+).
 $ vault write auth/kubernetes/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
    issuer="https://kubernetes.default.svc.cluster.local"
 Success! Data written to: auth/kubernetes/config

 > You can validate the issuer name of your Kubernetes cluster using this method. 
 > https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer

 # Finally, create a Kubernetes authentication role named issuer that binds the pki policy with a Kubernetes service account named issuer.
 $ vault write auth/kubernetes/role/issuer \
    bound_service_account_names=issuer \
    bound_service_account_namespaces=platform \
    policies=pki \
    ttl=20m
 Success! Data written to: auth/kubernetes/role/issuer

 > The tokens returned after authentication are valid for 20 minutes.
	# Vault provides a Kubernetes authentication method that enables clients to authenticate with a Kubernetes Service Account Token.
	# Enable the Kubernetes authentication method.
	$ vault auth enable kubernetes
	Success! Enabled kubernetes auth method at: kubernetes/

	# Configure the Kubernetes authentication method to use location of the Kubernetes API, the service account token, its certificate, and the name of Kubernetes' service account issuer (required with Kubernetes 1.21+).
	$ vault write auth/kubernetes/config \
	kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
	token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
	kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
	issuer="https://kubernetes.default.svc.cluster.local"
	Success! Data written to: auth/kubernetes/config

	> You can validate the issuer name of your Kubernetes cluster using this method.
	> https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer

	# Finally, create a Kubernetes authentication role named issuer that binds the pki policy with a Kubernetes service account named issuer.
	$ vault write auth/kubernetes/role/issuer \
	bound_service_account_names=issuer \
	bound_service_account_namespaces=platform \
	policies=pki \
	ttl=20m
	Success! Data written to: auth/kubernetes/role/issuer

	> The tokens returned after authentication are valid for 20 minutes.