@developer-guy
Created January 4, 2022 18:21
Configure Kubernetes Authentication Method
# Vault provides a Kubernetes authentication method that enables clients to authenticate with a Kubernetes Service Account Token.
# Enable the Kubernetes authentication method.
$ vault auth enable kubernetes
Success! Enabled kubernetes auth method at: kubernetes/
# Configure the Kubernetes authentication method with the location of the Kubernetes API, the service account token Vault presents when it reviews client tokens, the cluster CA certificate, and the name of the Kubernetes service account issuer (required with Kubernetes 1.21+).
$ vault write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
issuer="https://kubernetes.default.svc.cluster.local"
Success! Data written to: auth/kubernetes/config
> You can validate the issuer name of your Kubernetes cluster using this method.
> https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer
# Finally, create a Kubernetes authentication role named issuer that binds the pki policy with a Kubernetes service account named issuer.
$ vault write auth/kubernetes/role/issuer \
bound_service_account_names=issuer \
bound_service_account_namespaces=platform \
policies=pki \
ttl=20m
Success! Data written to: auth/kubernetes/role/issuer
> The tokens returned after authentication are valid for 20 minutes.
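A pre-flight check for the steps above, added here and not part of the gist: it decodes the claims of a service account token and compares them with the issuer written to auth/kubernetes/config and the namespace and name bound in auth/kubernetes/role/issuer, so issuer or binding mismatches surface before a login is attempted. The token it builds is constructed with a dummy signature; only the claims are inspected, since the signature itself is verified by Vault through the Kubernetes TokenReview API using token_reviewer_jwt.

```shell
#!/bin/sh
# Added example (not from the gist): check that a service account token carries
# the claims the Vault config and role above will compare against. The
# signature is NOT verified here; Vault does that via the TokenReview API.

# Base64url-encode stdin the way JWT segments are (no padding, no newlines).
b64url() { base64 | tr '/+' '_-' | tr -d '=\n'; }

# Base64url-decode one JWT segment, restoring the padding that JWTs strip.
jwt_segment_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the string value of claim $2 from the payload of token $1.
# Good enough for the flat service account payload; not a general JSON parser.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  jwt_segment_decode "$payload" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Compare the token's issuer, namespace and service account name with the
# values written to auth/kubernetes/config and auth/kubernetes/role/issuer.
check_token_against_role() {
  tok=$1 issuer=$2 ns=$3 sa=$4
  [ "$(jwt_claim "$tok" iss)" = "$issuer" ] \
    || { echo "iss does not match the configured issuer"; return 1; }
  [ "$(jwt_claim "$tok" kubernetes.io/serviceaccount/namespace)" = "$ns" ] \
    || { echo "namespace is not in bound_service_account_namespaces"; return 1; }
  [ "$(jwt_claim "$tok" kubernetes.io/serviceaccount/service-account.name)" = "$sa" ] \
    || { echo "service account is not in bound_service_account_names"; return 1; }
  echo "token claims match the role"
}

# Build a CONSTRUCTED token with the claim layout of a Kubernetes service
# account JWT; the signature segment is a dummy because it is not checked here.
make_sample_token() {
  hdr=$(printf '{"alg":"RS256","kid":"constructed"}' | b64url)
  pl=$(printf '{"iss":"%s","kubernetes.io/serviceaccount/namespace":"%s","kubernetes.io/serviceaccount/service-account.name":"%s","sub":"system:serviceaccount:%s:%s"}' \
    "$1" "$2" "$3" "$2" "$3" | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "c2lnbmF0dXJl"
}

ISSUER="https://kubernetes.default.svc.cluster.local"
check_token_against_role "$(make_sample_token "$ISSUER" platform issuer)" "$ISSUER" platform issuer
check_token_against_role "$(make_sample_token "$ISSUER" default issuer)" "$ISSUER" platform issuer || true
```

On a real pod, replace the constructed token with the contents of /var/run/secrets/kubernetes.io/serviceaccount/token to confirm the iss claim matches the issuer value before writing it to Vault.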