luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

docs: Improve sample commands for querying k8s API (#15686)

This commit is contained in:
Tom Proctor 2022-05-31 21:20:31 +01:00 committed by GitHub
parent 2e215975ff
commit 1c2f3c8ddf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
website/content/docs/auth/jwt/oidc_providers.mdx
View File

@ -339,11 +339,7 @@ Configuration steps:
1. Find the issuer URL of the cluster.
```bash
kubectl proxy &
ISSUER="$(curl --fail --silent --show-error 127.0.0.1:8001/.well-known/openid-configuration | jq -r '.issuer')"
# Kill the background proxy process when you're done
kill %%
ISSUER="$(kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer')"
```
1. Enable and configure JWT auth in Vault.
@ -395,16 +391,10 @@ Configuration steps:
```bash
# 1. Find the issuer URL of the cluster.
kubectl proxy &
ISSUER="$(curl --fail --silent --show-error 127.0.0.1:8001/.well-known/openid-configuration | jq -r '.issuer')"
ISSUER="$(kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer')"
# 2. Query the jwks_uri specified in /.well-known/openid-configuration
# NB: You may need to run this from a pod within the cluster if the $ISSUER
# URL is not available outside the cluster.
curl "$(curl --fail --silent --show-error "${ISSUER}/.well-known/openid-configuration" | jq -r '.jwks_uri')"
# Kill the background proxy process when you're done
kill %%
kubectl get --raw "$(kubectl get --raw /.well-known/openid-configuration | jq -r '.jwks_uri' | sed -r 's/.*\.[^/]+(.*)/\1/')"
```
1. Convert the keys from JWK format to PEM. You can use a CLI tool or an online

16
website/content/docs/auth/kubernetes.mdx
View File

@ -262,28 +262,18 @@ unable to check this value directly, you can run the following and look for the
`"iss"` field to find the required value:
```bash
kubectl proxy &
curl --silent http://127.0.0.1:8001/api/v1/namespaces/default/serviceaccounts/default/token \
-H "Content-Type: application/json" \
-X POST \
-d '{"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest"}' \
echo '{"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest"}' \
| kubectl create -f- --raw /api/v1/namespaces/default/serviceaccounts/default/token \
| jq -r '.status.token' \
| cut -d . -f2 \
| base64 -D
# Kill the background proxy process when you're done
kill %%
```
Most clusters will also have that information available at the
`.well-known/openid-configuration` endpoint:
```bash
kubectl proxy &
curl --silent http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer
# Kill the background proxy process when you're done
kill %%
kubectl get --raw /.well-known/openid-configuration | jq -r .issuer
```
This value is then used when configuring Kubernetes auth, e.g.: