e2e: disable iss validation in Hashicorp Vault

Testing encrypted PVCs does not work anymore since Kubernetes v1.21. It seems that disabling the iss validation in Hashicorp Vault is a relatively simple workaround that we can use instead of the more complex securing of the environment like should be done in production deployments. Updates: #1963 See-also: external-secrets/kubernetes-external-secrets#721 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2024-11-22 14:20:19 +00:00 · 2021-06-23 16:44:56 +02:00 · 2021-06-23 16:44:56 +02:00 · fd9fee74de
commit fd9fee74de
parent c851b69160
1 changed files with 7 additions and 0 deletions
--- a/examples/kms/vault/vault.yaml
+++ b/examples/kms/vault/vault.yaml
@ -100,6 +100,13 @@ items:
            bound_service_account_names="${SERVICE_ACCOUNTS}" \
            bound_service_account_namespaces="${SERVICE_ACCOUNTS_NAMESPACE}" \
            policies="${CLUSTER_IDENTIFIER}"
+
+        # disable iss validation
+        # from: external-secrets/kubernetes-external-secrets#721
+        vault write auth/${CLUSTER_IDENTIFIER}/config \
+          token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
+          kubernetes_host="${K8S_HOST}" \
+          disable_iss_validation=true
    kind: ConfigMap
    metadata:
      creationTimestamp: null