Hello Team,
We have a requirement to retrieve data from Vault using the HashiCorp Vault plugin in XL-Deploy. While we can successfully connect to Vault and retrieve data, the tokens in Vault need to be renewed every 30 days, and cannot be set to no expiration. This constant renewal is problematic.
To address this, we’re exploring whether XL-Deploy can utilize a JWT token to authenticate with third-party tools like Vault. This would eliminate the need for users to create or renew tokens every time in XL-Deploy. We have a similar functionality in GitLab.
Here’s a reference to the GitLab documentation: CI_JOB_JWT, https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
Can we investigate implementing something similar in XL-Deploy?
Best regards,
Keerthi
by: ALM t. | 7 months ago | Integrations
Comments
We will assess the necessary changes and the effort required in November 2024, and will provide updates in this thread.
During our investigation, we realized that we need to gather additional detailed information. Could you please provide the following:
1) What is the current authentication method used in your Vault framework - token or AppRole?
2) What is the refresh mechanism for renewing your token and secret ID?
3) Can you provide more details on how the JWT/OIDC authentication method would be beneficial?
Hello Team,
Thanks for the response.
Please find the details below:
1) What is the current authentication method used in your Vault framework - token or AppRole?
Currently we are using token-based authentication to fetch the secrets from Vault into XL-Deploy.
2) What is the refresh mechanism for renewing your token and secret ID?
Every time the Vault token stored in the XL-Deploy configuration has expired, we are unable to fetch the secrets from Vault.
When the token expires, we go to Vault, copy the new Vault token and paste it into the XL-Deploy configuration.
A sample XL-Deploy error is attached to the ticket.
3) Can you provide more details on how the JWT/OIDC authentication method would be beneficial?
Earlier Procedure:
-------------------------
Previously, application users shared their keys with us (XL-Deploy admins) and we stored their keys in our backend configuration; using those keys they were able to connect to their remote servers via XL-Deploy.
Current Procedure:
--------------------------
To eliminate the earlier procedure, XL-Deploy application users now save their PEM keys directly in Vault, and using Vault tokens the users are able to fetch their secret PEM keys.
Kindly let us know if you need any further information.
Thanks
Raveendra
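The following is an added example, not code from XL-Deploy, Digital.ai or HashiCorp. It shows the two flows discussed in this thread side by side: the Vault JWT login exchange requested in the original post (POST /v1/auth/jwt/login with a role and a JWT, yielding a client token with a lease), and the token-expiry failure mode from Raveendra's reply, where a hand-copied token silently stops working and has to be refreshed by an operator. The client below renews its token while the lease is still valid (POST /v1/auth/token/renew-self) and, if Vault answers 403 because the token was revoked or expired, logs in again with a fresh JWT instead of failing the deployment. The role name `xl-deploy`, the JWT string, the `secret` mount, the secret path, the 25% renewal threshold and the `FakeVault` stand-in are all constructed assumptions so that the example runs offline; in a real integration the JWT would be minted by an identity provider that the Vault `jwt` auth method trusts, in the same way GitLab's CI_JOB_JWT is.

```python
"""Added example: Vault JWT login plus token renewal / re-login, exercised
against a constructed in-memory stand-in for the Vault HTTP API."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Transport signature: (method, path, headers, json_body) -> (status, json).
# A real transport would wrap urllib against the Vault address.
Transport = Callable[[str, str, Dict[str, str], dict], Tuple[int, dict]]
RENEW_WHEN_BELOW = 0.25  # assumed policy: renew once under 25% of the lease remains


@dataclass
class VaultToken:
    client_token: str
    lease_duration: int  # seconds, auth.lease_duration from the login response
    renewable: bool
    obtained_at: float

    def remaining(self, now: float) -> float:
        return self.lease_duration - (now - self.obtained_at)


class VaultJwtClient:
    """Authenticates with a JWT instead of a hand-copied token, keeps the token
    alive with renew-self, and re-authenticates when Vault answers 403."""

    def __init__(self, transport: Transport, role: str,
                 jwt_provider: Callable[[], str], clock=time.time):
        self.transport, self.role, self.jwt_provider, self.clock = transport, role, jwt_provider, clock
        self.token: Optional[VaultToken] = None
        self.logins = self.renewals = 0

    def login(self) -> VaultToken:
        status, body = self.transport("POST", "/v1/auth/jwt/login", {},
                                      {"role": self.role, "jwt": self.jwt_provider()})
        if status != 200:
            raise PermissionError(f"JWT login failed: {status} {body.get('errors')}")
        auth = body["auth"]
        self.token = VaultToken(auth["client_token"], auth["lease_duration"],
                                auth["renewable"], self.clock())
        self.logins += 1
        return self.token

    def ensure_token(self) -> VaultToken:
        if self.token is None:
            return self.login()
        if self.token.remaining(self.clock()) >= RENEW_WHEN_BELOW * self.token.lease_duration:
            return self.token
        if self.token.renewable:  # extend the lease before it runs out
            status, body = self.transport("POST", "/v1/auth/token/renew-self",
                                          {"X-Vault-Token": self.token.client_token}, {})
            if status == 200:
                self.token.lease_duration = body["auth"]["lease_duration"]
                self.token.obtained_at = self.clock()
                self.renewals += 1
                return self.token
        return self.login()  # not renewable or renewal refused: fresh JWT login

    def read_kv2(self, mount: str, path: str) -> dict:
        """GET /v1/<mount>/data/<path>; on 403 (expired/revoked token) log in again once."""
        token = self.ensure_token()
        for attempt in range(2):
            status, body = self.transport("GET", f"/v1/{mount}/data/{path}",
                                          {"X-Vault-Token": token.client_token}, {})
            if status == 200:
                return body["data"]["data"]
            if status == 403 and attempt == 0:
                token = self.login()
                continue
            raise RuntimeError(f"read failed: {status} {body.get('errors')}")
        raise RuntimeError("unreachable")


class FakeClock:
    def __init__(self) -> None:
        self.now = 1_700_000_000.0

    def __call__(self) -> float:
        return self.now


class FakeVault:
    """Constructed stand-in for Vault: one accepted JWT for role 'xl-deploy',
    one-hour renewable tokens, one KV v2 secret under the 'secret' mount."""
    ACCEPTED_JWT, LEASE = "eyJ.constructed.jwt", 3600

    def __init__(self, clock: FakeClock) -> None:
        self.clock, self.issued = clock, 0
        self.tokens: Dict[str, float] = {}  # client_token -> expiry time
        self.secrets = {"xl-deploy/app1/ssh": {"pem": "-----BEGIN CONSTRUCTED KEY-----"}}

    def revoke_all(self) -> None:  # simulate an operator revoking tokens on the Vault side
        self.tokens.clear()

    def __call__(self, method, path, headers, body):
        if method == "POST" and path == "/v1/auth/jwt/login":
            if body.get("role") != "xl-deploy" or body.get("jwt") != self.ACCEPTED_JWT:
                return 400, {"errors": ["error validating token"]}
            self.issued += 1
            tok = f"hvs.constructed{self.issued}"
            self.tokens[tok] = self.clock() + self.LEASE
            return 200, {"auth": {"client_token": tok, "lease_duration": self.LEASE,
                                  "renewable": True, "policies": ["default", "xl-deploy"]}}
        tok = headers.get("X-Vault-Token", "")
        if self.tokens.get(tok, 0) <= self.clock():
            return 403, {"errors": ["permission denied"]}
        if method == "POST" and path == "/v1/auth/token/renew-self":
            self.tokens[tok] = self.clock() + self.LEASE
            return 200, {"auth": {"client_token": tok, "lease_duration": self.LEASE, "renewable": True}}
        key = path.removeprefix("/v1/secret/data/")
        if method == "GET" and key in self.secrets:
            return 200, {"data": {"data": self.secrets[key], "metadata": {"version": 1}}}
        return 404, {"errors": []}


def demo() -> dict:
    clock, vault = FakeClock(), None
    vault = FakeVault(clock)
    client = VaultJwtClient(vault, "xl-deploy", lambda: FakeVault.ACCEPTED_JWT, clock)
    first = client.read_kv2("secret", "xl-deploy/app1/ssh")   # first call: JWT login
    clock.now += 3000                                         # 600 s of 3600 left: renew-self
    second = client.read_kv2("secret", "xl-deploy/app1/ssh")
    vault.revoke_all()                                        # token gone on the Vault side
    third = client.read_kv2("secret", "xl-deploy/app1/ssh")   # 403 -> automatic re-login
    return {"pem": third["pem"], "logins": client.logins, "renewals": client.renewals,
            "consistent": first == second == third}


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that no human ever sees or copies a Vault token: the only long-lived input is the JWT provider, and every expiry or revocation is handled by the client on the next secret read. With the manual token flow from the thread, the same revocation would surface as the attached "permission denied" style error in XL-Deploy until an admin pasted a new token.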