AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    arrow_forward
    Stash

    Backup and Recovery Solution for Kubernetes

    arrow_forward
    KubeVault

    Run Production-Grade Vault on Kubernetes

    arrow_forward
    Voyager

    Secure Ingress Controller for Kubernetes

    arrow_forward
    ConfigSyncer

    Kubernetes Configuration Syncer

    arrow_forward
    Guard

    Kubernetes Authentication WebHook Server

    arrow_forward
    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • task_altLower administrative burden
    • task_altNative Kubernetes Support
    • task_altPerformance
    • task_altAvailability and durability
    • task_altManageability
    • task_altCost-effectiveness
    • task_altSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • task_altDeclarative API
    • task_altBackup Kubernetes Volumes
    • task_altBackup Database
    • task_altMultiple Storage Support
    • task_altDeduplication
    • task_altData Encryption
    • task_altVolume Snapshot
    • task_altPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • task_altVault Kubernetes Deployment
    • task_altAuto Initialization & Unsealing
    • task_altVault Backup & Restore
    • task_altConsume KubeVault Secrets with CSI
    • task_altManage DB Users Privileges
    • task_altStorage Backend
    • task_altAuthentication Method
    • task_altDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • task_altHTTP & TCP
    • task_altSSL
    • task_altPlatform support
    • task_altHAProxy
    • task_altPrometheus
    • task_altLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • task_altConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • task_altIdentity Providers
    • task_altCLI
    • task_altRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
KubeVault KubeVault
github-icon twitter-icon
TRY NOW FREE

We use cookies and other similar technology to collect data to improve your experience on our site, as described in our Privacy Policy.

New to KubeVault? Please start here.

The JWT auth method can be used to authenticate with Vault using OIDC or by providing a JWT.

The OIDC method allows authentication via a configured OIDC Provider using the user’s web browser. This method may be initiated from the Vault UI or the command line. Alternatively, a JWT can be provided directly.

Enable & Configure JWT/OIDC Auth method

While deploying the VaultServer it’s possible to define the list of auth methods users want to enable with it.

A VaultServer .spec.authMethods section may look like this:

spec:
  authMethods:
    - type: jwt
      path: jwt
      jwtConfig:
        ...
    - type: oidc
      path: oidc
      oidcConfig:
        ...
  • .spec.authMethods.type is a required field, the type of authentication method we want to enable.
  • .spec.authMethods.path is a required field, the path where we want to enable this authentication method.
  • .spec.authMethods.jwtConfig / .spec.authMethods.oidcConfig contains various configuration for this authentication method. Some of the paramerters are listed here:
    • defaultLeaseTTL - The default lease duration, specified as a string duration like “5s” or “30m”.
    • maxLeaseTTL - The maximum lease duration, specified as a string duration like “5s” or “30m”.
    • pluginName - The name of the plugin in the plugin catalog to use.
    • auditNonHMACRequestKeys - List of keys that will not be HMAC’d by audit devices in the request data object.
    • auditNonHMACResponseKeys - List of keys that will not be HMAC’d by audit devices in the response data object.
    • listingVisibility - Specifies whether to show this mount in the UI-specific listing endpoint.
    • passthroughRequestHeaders - List of headers to whitelist and pass from the request to the backend.
    • credentialSecretRef - K8s Secret reference containing credential related secrets.
    • tlsSecretRef - K8s Secret reference containing tls related secrets.
    • oidcDiscoveryURL - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with “jwks_url” or “jwt_validation_pubkeys”.
    • oidcClientID - The OAuth Client ID from the provider for OIDC roles.
    • oidcResponseMode - The response mode to be used in the OAuth2 request. Allowed values are “query” and “form_post”. Defaults to “query”. If using Vault namespaces, and oidc_response_mode is “form_post”, then “namespace_in_state” should be set to false.
    • oidcResponseTypes - (comma-separated string, or array of strings: ) - The response types to request. Allowed values are “code” and “id_token”. Defaults to “code”. Note: “id_token” may only be used if “oidc_response_mode” is set to “form_post”.
    • defaultRole - The default role to use if none is provided during login.
    • providerConfig - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google. The options are described in each provider’s section in OIDC Provider Setup.
    • jwksURL - JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
    • jwtValidationPubkeys - (comma-separated string, or array of strings: ). A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with “jwks_url” or “oidc_discovery_url”.
    • jwtSupportedAlgs - (comma-separated string, or array of strings: ) A list of supported signing algorithms. Defaults to [RS256] for OIDC roles. Defaults to all available algorithms for JWT roles.
    • boundIssuer - The value against which to match the iss claim in a JWT.

After an authentication method is successfully enabled, KubeVault operator will configure it with the provided configuration.

After successfully enabling & configuring authentication methods, a VaultServer .status.authMethodStatus may look like this:

status:
  authMethodStatus:
  - path: jwt
    status: EnableSucceeded
    type: jwt
  - path: kubernetes
    status: EnableSucceeded
    type: kubernetes

We can verify it using the Vault CLI:

$ vault auth list

Path           Type          Accessor                    Description
----           ----          --------                    -----------
jwt/           jwt           auth_jwt_ba23cc30           n/a
kubernetes/    kubernetes    auth_kubernetes_40fd86fd    n/a
token/         token         auth_token_950c8b80         token based credentials

So, this is how JWT/OIDC authentication method could be enabled & configured with KubeVault.

For a step-by-step guide on JWT/OIDC authentication method, see this.

What's on this Page

Search
Improve This Page