Disabling SSL for k8s auth method #88
Comments
Hello - I'm going to transfer this issue over to github.com/hashicorp/vault-helm
Aren't k8s auth method features in the realm of core Vault?
@Reifier I'm transferring this over to https://github.com/hashicorp/vault-plugin-auth-kubernetes as this is related to Kubernetes auth, not the helm chart for deploying Vault to Kubernetes. Apologies for the confusion!
Well +1
Can we have an update from Hashicorp?
Worked with HashiCorp support engineer and got a stunnel working. You need to create a private SSL cert that has the right CN and SAN.
Would removing the requirement for a CA certificate to be configured solve this, as requested in #62, or am I missing some other requirements? i.e. is it ok for the proxy -> private master endpoint to be plain http, or does that need to support unverified https?
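Added example (not from the issue, any commenter, or the Vault project) of the private-cert-with-matching-CN-and-SAN approach the previous comment describes, so that verification stays on rather than being disabled. It assumes stunnel sits in front of the TCP proxy, the GKE cluster CA is available as gke-ca.crt, and the constructed addresses 10.0.0.5 (stunnel), 10.0.0.6 (proxy) and 10.0.0.1 (real master).

```shell
# Added example, not from the issue or the Vault project. Keeps TLS checks
# on both hops: Vault trusts a private cert whose SAN matches the stunnel
# address, and stunnel verifies the real master cert against the GKE CA
# using the master's own IP even though TCP goes to the proxy. Addresses are made up.
set -eu

# Self-signed cert for the address Vault dials; CN and SAN must match it.
make_proxy_cert() {  # usage: make_proxy_cert <outdir> <ip-or-dns-name>
  case "$2" in *[a-zA-Z]*) kind=DNS ;; *) kind=IP ;; esac
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=$2" -addext "subjectAltName=$kind:$2" \
    -keyout "$1/proxy.key" -out "$1/proxy.crt" 2>/dev/null
}

# True if the cert carries the name as a SAN (CN alone is not enough for Go's verifier).
cert_has_san() {  # usage: cert_has_san <cert.pem> <ip-or-dns-name>
  openssl x509 -in "$1" -noout -text \
    | grep -qE "(IP Address|DNS):$2(,|[[:space:]]|\$)"
}

# Two chained stunnel services: TLS server towards Vault, TLS client
# towards the master through the TCP proxy (stunnel 5.x option names).
write_stunnel_conf() {  # usage: write_stunnel_conf <out> <proxy-ip> <master-ip> <dir>
  cat > "$1" <<EOF
[from-vault]
accept  = 0.0.0.0:8443
connect = 127.0.0.1:8444
cert    = $4/proxy.crt
key     = $4/proxy.key

[to-master]
client      = yes
accept      = 127.0.0.1:8444
connect     = $2:443
verifyChain = yes
CAfile      = $4/gke-ca.crt
checkIP     = $3
EOF
}

demo() {  # stunnel host 10.0.0.5, TCP proxy 10.0.0.6, real master 10.0.0.1
  d=$(mktemp -d)
  make_proxy_cert "$d" 10.0.0.5
  cert_has_san "$d/proxy.crt" 10.0.0.5
  write_stunnel_conf "$d/stunnel.conf" 10.0.0.6 10.0.0.1 "$d"
  # Then point Vault at stunnel, trusting only the private cert:
  # vault write auth/kubernetes/config kubernetes_host=https://10.0.0.5:8443 \
  #   kubernetes_ca_cert=@$d/proxy.crt token_reviewer_jwt=@/path/to/jwt
  echo "$d"
}
demo
```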
Is your feature request related to a problem? Please describe.
I have two k8s clusters in GKE. One of them runs my application, another one runs Vault. They are in separate projects and are connected over VPC peering. The application cluster is private and has a private master endpoint. That makes it impossible to access that endpoint directly from another VPC. A proxy has to be used: https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies
I've tried using an HTTP proxy, however, the vault-init container has this issue: kelseyhightower/vault-init#16.
So I tried using a TCP proxy to access the master directly. Vault does get to the master through the proxy, but the master cert does not match the IP address of the proxy and the SSL connection gets refused with:
I tried to see if it's possible to customize the master cert to include the desired IP, but it is not possible to do so on GKE.
Describe the solution you'd like
The only solution I see is to allow using a connection without SSL for now, but I can't turn off SSL verification on the Kubernetes method. I understand that it is necessary and that this defeats the whole purpose of authorization, but I am on an internal net and have literally run out of options to make this work. Vault can still be useful for us and we still want it for key management, recycling, and auth on a per namespace/cluster/app basis, but I don't want to run a VM and create infra around it. An unSSLed connection for auth methods should be an option.
Later, when Google allows cert modifications or our situation changes, we could fix this. Otherwise it obstructs implementation in our org.
Describe alternatives you've considered
Described above.
Explain any additional use-cases
If there are any use-cases that would help us understand the use/need/value please share them as they can help us decide on acceptance and prioritization.
Additional context
Add any other context or screenshots about the feature request here.