Bug 2013616

Summary: rfe: service account based authentication for vault
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Matt Benjamin (redhat) <mbenjamin>
Component: RGW
Assignee: Jiffin <jthottan>
Status: CLOSED WONTFIX
QA Contact: Vidushi Mishra <vimishra>
Severity: medium
Priority: high
Version: 4.2
CC: cbodley, ceph-eng-bugs, jthottan, kbader, mbenjamin, vereddy
Keywords: FutureFeature
Target Release: 7.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2023-07-04 06:15:50 UTC

Description Matt Benjamin (redhat) 2021-10-13 11:30:14 UTC
Currently, the vault server authenticates RGW via a token which is saved in a file.
In the Kubernetes or OCS world, a service account can be used for authenticating between the two.
For that, the following needs to be done:
At the vault side,
Need to create a role and attach the role to the service account and policy.

At the RGW side,
There will be a JWT token present in /var/run/secrets/kubernetes.io/serviceaccount/token, and
using the specified role, send a request to the vault server as follows:

# KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
# VAULT_SA_LOGIN=http://vault.default:8200/v1/auth/kubernetes/login
# curl --request POST --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "rook-ceph-rgw"}' $VAULT_SA_LOGIN | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1652  100   687  100   965  38166  53611 --:--:-- --:--:-- --:--:-- 91777
{
  "request_id": "d3b3a7ba-6f9f-ed1e-2f7f-a5e3a3c0e119",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "s.J31TfjkCEYske7VXOzZ0hOjZ",
    "accessor": "UKBLKjFpjv9lctzohTDizyQf",
    "policies": [
      "default",
      "rgw-kv-policy"
    ],
    "token_policies": [
      "default",
      "rgw-kv-policy"
    ],
    "metadata": {
      "role": "rook-ceph-rgw",
      "service_account_name": "rook-ceph-rgw",
      "service_account_namespace": "rook-ceph",
      "service_account_secret_name": "rook-ceph-rgw-token-g2q44",
      "service_account_uid": "01393961-3ceb-4df3-a384-8b78aba7b8f6"
    },
    "lease_duration": 86400,
    "renewable": true,
    "entity_id": "3fc23dc9-f850-9f41-0ae2-fbb0322979de",
    "token_type": "service",
    "orphan": true
  }
}
Fetch the "auth.client_token" from it and follow the existing code flows in rgw_kms.cc

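The login flow described in the report, written out as an added illustrative example in Python; it is not code from rgw_kms.cc or anything the Ceph project shipped. The endpoint paths and request/response shapes are those of the Vault HTTP API (POST /v1/auth/kubernetes/login with {"jwt", "role"}, auth.client_token in the reply, KV v1 reads under /v1/<mount>/<key>, renewal via POST /v1/auth/token/renew-self). The Vault server is replaced by a constructed in-memory stand-in so the example runs offline, and the role name, policy name, token values and secret name are assumptions modelled on the reply quoted above. Two practitioner details the curl one-liner does not show are included: the service-account JWT is re-read from the projected volume on every login rather than cached, because the kubelet rotates it, and the returned Vault token has a TTL (lease_duration 86400, renewable true in the reply) so the caller must plan a renew-self or re-login before it expires.

```python
# Added example (not RGW/rgw_kms.cc code): Vault Kubernetes-auth login from a service-account
# JWT, then use of the resulting client token, with a constructed offline stand-in for Vault.
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# transport(method, url, headers, body) -> (http_status, response_text).
# A real deployment plugs in urllib/requests/libcurl here; the tests use fake_vault below.
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]


@dataclass(frozen=True)
class VaultToken:
    client_token: str
    accessor: str
    ttl_seconds: int
    renewable: bool
    policies: Tuple[str, ...]


class VaultAuthError(RuntimeError):
    pass


def read_sa_jwt(path: str = SA_TOKEN_PATH) -> str:
    """Read the projected SA token fresh on each login: the kubelet rotates it, so never cache it."""
    with open(path, encoding="ascii") as fh:
        jwt = fh.read().strip()
    if jwt.count(".") != 2:  # header.payload.signature
        raise VaultAuthError(f"{path} does not hold a JWT")
    return jwt


def kubernetes_login(transport: Transport, vault_addr: str, role: str, jwt: str,
                     required_policy: Optional[str] = None) -> VaultToken:
    """POST /v1/auth/kubernetes/login and extract auth.client_token from the reply."""
    url = vault_addr.rstrip("/") + "/v1/auth/kubernetes/login"
    status, text = transport("POST", url, {"Content-Type": "application/json"},
                             json.dumps({"jwt": jwt, "role": role}))
    if status != 200:
        # Vault reports failures as {"errors": [...]}; the JWT itself must never be logged.
        try:
            errors = (json.loads(text) or {}).get("errors", [])
        except ValueError:
            errors = [text[:200]]
        raise VaultAuthError(f"vault login failed with HTTP {status}: {errors}")
    auth = json.loads(text).get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise VaultAuthError("login reply carries no auth.client_token")
    policies = tuple(auth.get("token_policies") or auth.get("policies") or ())
    if required_policy and required_policy not in policies:
        # Without the KV policy the token would only fail later at key-fetch time; fail early.
        raise VaultAuthError(f"token lacks policy {required_policy!r}: {policies}")
    return VaultToken(token, auth.get("accessor", ""), int(auth.get("lease_duration", 0)),
                      bool(auth.get("renewable")), policies)


def needs_renewal(tok: VaultToken, elapsed_seconds: int, margin: float = 0.5) -> bool:
    """True once half the TTL is gone: renew via POST /v1/auth/token/renew-self, or log in again."""
    return tok.renewable and elapsed_seconds >= tok.ttl_seconds * margin


def kv_read(transport: Transport, vault_addr: str, tok: VaultToken, mount: str, key: str) -> dict:
    """Read a KV v1 secret with the client token, as the existing token-file flow does."""
    url = f"{vault_addr.rstrip('/')}/v1/{mount}/{key}"
    status, text = transport("GET", url, {"X-Vault-Token": tok.client_token}, "")
    if status != 200:
        raise VaultAuthError(f"kv read of {mount}/{key} failed with HTTP {status}")
    return json.loads(text)["data"]


# ---- constructed stand-in for Vault; values modelled on the reply quoted in the bug ----
FAKE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJyZ3cifQ.c2lnbmF0dXJl"  # constructed, not a real token
FAKE_VAULT = "http://vault.default:8200"
_LOGIN_REPLY = {"auth": {"client_token": "s.EXAMPLETOKEN", "accessor": "EXAMPLEACCESSOR",
                         "token_policies": ["default", "rgw-kv-policy"], "lease_duration": 86400,
                         "renewable": True, "metadata": {"role": "rook-ceph-rgw"}}}


def fake_vault(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Accepts exactly one (role, jwt) pair and one KV key; everything else is 403 like Vault."""
    if method == "POST" and url.endswith("/v1/auth/kubernetes/login"):
        req = json.loads(body)
        if req.get("role") != "rook-ceph-rgw" or req.get("jwt") != FAKE_JWT:
            return 403, json.dumps({"errors": ["permission denied"]})
        return 200, json.dumps(_LOGIN_REPLY)
    if (method == "GET" and url.endswith("/v1/secret/myKey")
            and headers.get("X-Vault-Token") == "s.EXAMPLETOKEN"):
        return 200, json.dumps({"data": {"key": "0123456789abcdef0123456789abcdef"}})
    return 403, json.dumps({"errors": ["permission denied"]})


def demo(jwt: str = FAKE_JWT) -> dict:
    """Log in with the SA JWT, check the policy, fetch a key, and report the renewal decision."""
    tok = kubernetes_login(fake_vault, FAKE_VAULT, "rook-ceph-rgw", jwt, required_policy="rgw-kv-policy")
    secret = kv_read(fake_vault, FAKE_VAULT, tok, "secret", "myKey")
    return {"policies": tok.policies, "ttl": tok.ttl_seconds, "key": secret["key"],
            "renew_at_1h": needs_renewal(tok, 3600), "renew_at_12h": needs_renewal(tok, 12 * 3600)}


if __name__ == "__main__":
    print(demo())
```

In a real RGW process the transport would be the same HTTP client the existing token-file path already uses, and read_sa_jwt would replace reading the static token file; the rest of the flow (X-Vault-Token header, KV or transit calls) is unchanged, which is the point of the report's "follow the existing code flows" remark.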
Comment 1 RHEL Program Management 2021-10-13 11:30:22 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.