Votes

0

Enabling JWT Token Support in XL-Deploy for Vault Authentication

by: ALM t. | 7 months ago | Integrations
Cast your vote or comment ...
return to idea list

Hello Team,

We have a requirement to retrieve data from Vault using the HashiCorp Vault plugin in XL-Deploy. While we can successfully connect to Vault and retrieve data, the tokens in Vault need to be renewed every 30 days, and cannot be set to no expiration. This constant renewal is problematic.

To address this, we’re exploring whether XL-Deploy can utilize a JWT token to authenticate with third-party tools like Vault. This would eliminate the need for users to create or renew tokens every time in XL-Deploy. We have a similar functionality in GitLab.

Here’s a reference to the GitLab documentation: CI_JOB_JWT, https://docs.gitlab.com/ee/ci/variables/predefined_variables.html

Can we investigate implementing something similar in XL-Deploy?

Best regards,
Keerthi

by: ALM t. | 7 months ago | Integrations

Comments

  • We will assess the necessary changes and the effort required in November 2024, and will provide updates in this thread.

    by: DevOps Product team | 7 months ago
    official response

  • During our investigation, we realized that we need to gather additional detailed information. Could you please provide the following:

    1) What is the current authentication method used in your Vault framework - token or AppRole?
    2) What is the refresh mechanism for renewing your token and secret ID?
    3) Can you provide more details on how the JWT/OIDC authentication method would be beneficial?

    by: DevOps Product team | 6 months ago
    official response

  • Hello Team,

    Thanks for the response,

    Please find the details as follows:

    1) What is the current authentication method used in your Vault framework - token or AppRole?
    Currently we are using the Token based authentication to fetch the secrets from Vault to XL-Deploy

    2) What is the refresh mechanism for renewing your token and secret ID?
    Every time in XL-Deploy we are unable to fetch the secrets from Vault, if Vault token is expired from XL-Deploy configurations
    If token expires, we use to go to Vault and copy the new Vault token and copy it to XL-Deploy configurations

    XL-Deploy sample error attached in ticket


    3) Can you provide more details on how the JWT/OIDC authentication method would be beneficial?

    Earlier Procedure:
    -------------------------

    Previously, application users share their keys with us(XL-Deploy Admins) and we will store the their keys in our backend configurations, using the keys they will be able to connect to their remote servers via XL-Deploy

    Current Procedure:
    --------------------------
    To eliminate the earlier procedure, XL-Deploy application users will directly save their PEM keys in Vault, and using the Vault tokens users will be able to fetch their secret PEM keys


    Kindly let us know if you need any further information

    Thanks
    Raveendra

    by: ALM t. | 15 days ago