e2e: disable iss validation in Hashicorp Vault

Testing encrypted PVCs does not work anymore since Kubernetes v1.21. It seems that disabling the iss validation in Hashicorp Vault is a relatively simple workaround that we can use instead of the more complex securing of the environment like should be done in production deployments. Updates: ceph#1963 See-also: external-secrets/kubernetes-external-secrets#721 Signed-off-by: Niels de Vos <[email protected]>
nixpanic · Jun 24, 2021 · 47b23cb · 47b23cb
1 parent a4548c3
commit 47b23cb
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/examples/kms/vault/vault.yaml b/examples/kms/vault/vault.yaml
@@ -100,6 +100,13 @@ items:
             bound_service_account_names="${SERVICE_ACCOUNTS}" \
             bound_service_account_namespaces="${SERVICE_ACCOUNTS_NAMESPACE}" \
             policies="${CLUSTER_IDENTIFIER}"
+
+        # disable iss validation
+        # from: external-secrets/kubernetes-external-secrets#721
+        vault write auth/${CLUSTER_IDENTIFIER}/config \
+          token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
+          kubernetes_host="${K8S_HOST}" \
+          disable_iss_validation=true
     kind: ConfigMap
     metadata:
       creationTimestamp: null