
fix: use local token for TokenReviewer JWT only when using token for CA crt (#93) #94

Closed


cyrus-mc

PR #83 added the ability to read ca.crt and the TokenReviewer JWT from the default service account under which Vault is running.

This ended up causing a breakage when trying to authenticate against external clusters in which no TokenReview JWT is specified in the configuration.

The changes in this PR make the assumption that the default service account TokenReviewer JWT should only be used if no CA certificate (or pem keys) are supplied and therefore they are read from the default service account.

@cyrus-mc
Author

A more elegant solution might be to determine somehow if the auth backend represents an in-cluster config. Key off the hostname (although that might not be 100% conclusive). Or add another option to the config that indicates this.

As token_reviewer_jwt is an optional setting, assuming its value when it isn't set is not correct.

@eh-steve
Contributor

I'd be happy with this, though we should probably update the docs to explain the default behaviour under each of these 3 cases:

  • No CA and no token reviewer JWT set (default to local Vault SA credentials if present, otherwise error)
  • CA set, no token reviewer JWT (defaults to using the JWT to be verified as the token reviewer JWT - requires giving your SAs which need to authenticate the system:auth-delegator role)
  • Both CA and token reviewer JWT set, (explicitly uses the provided credentials)

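The three defaults listed above, worked through as added example code (this is not the plugin's own code or a proposal from the thread's participants): a hypothetical Go helper `resolveReviewerCreds` that decides which CA and which reviewer JWT the TokenReview call would use from the configured CA certificate, `pem_keys` and `token_reviewer_jwt`. It assumes the standard in-pod service account mount paths, and it also covers the combination the list does not mention (JWT set, no CA), applying the PR description's rule that the local service account files are read only when no CA or PEM keys are supplied; that fourth branch is an assumption, not something the thread states.

```go
package main

import (
	"fmt"
	"os"
)

// Standard in-pod service account mount paths. Assumed here; the plugin's own
// constants may differ.
const (
	localSATokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
	localSACAPath    = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
)

// ReviewerCreds is what would be handed to the TokenReview call. An empty
// ReviewerJWT means "authenticate the review with the JWT being verified"
// (case 2 in the comment above).
type ReviewerCreds struct {
	CACert      string
	PEMKeys     []string
	ReviewerJWT string
	Source      string // where the credentials came from, for logging
}

// fileReader lets the decision logic run against a fake filesystem in tests;
// os.ReadFile satisfies it for a real pod.
type fileReader func(path string) ([]byte, error)

// fakeReader serves a constructed map of path -> contents and reports
// os.ErrNotExist for anything else.
func fakeReader(files map[string]string) fileReader {
	return func(path string) ([]byte, error) {
		if v, ok := files[path]; ok {
			return []byte(v), nil
		}
		return nil, fmt.Errorf("%s: %w", path, os.ErrNotExist)
	}
}

// resolveReviewerCreds is a hypothetical helper (not the plugin's code) that
// applies the three cases from the comment above. haveCA is true when either
// the CA certificate or pem_keys is configured, matching the PR description's
// "CA certificate (or pem keys)".
func resolveReviewerCreds(cfgCA string, cfgPEMKeys []string, cfgJWT string, read fileReader) (ReviewerCreds, error) {
	haveCA := cfgCA != "" || len(cfgPEMKeys) > 0

	switch {
	case haveCA && cfgJWT != "":
		// Case 3: both supplied; use exactly what the operator configured.
		return ReviewerCreds{CACert: cfgCA, PEMKeys: cfgPEMKeys, ReviewerJWT: cfgJWT, Source: "config"}, nil

	case haveCA:
		// Case 2: external cluster with its own CA but no reviewer JWT.
		// Must NOT fall back to the local SA token (that is the #93
		// breakage); the client's own JWT is used for the TokenReview, which
		// is why that client's SA needs system:auth-delegator.
		return ReviewerCreds{CACert: cfgCA, PEMKeys: cfgPEMKeys, ReviewerJWT: "", Source: "client-jwt"}, nil

	case cfgJWT == "":
		// Case 1: nothing configured, so assume Vault is in-cluster and read
		// both from the pod's service account, or fail loudly.
		ca, err := read(localSACAPath)
		if err != nil {
			return ReviewerCreds{}, fmt.Errorf("no CA configured and local SA ca.crt unreadable: %w", err)
		}
		tok, err := read(localSATokenPath)
		if err != nil {
			return ReviewerCreds{}, fmt.Errorf("no token_reviewer_jwt configured and local SA token unreadable: %w", err)
		}
		return ReviewerCreds{CACert: string(ca), ReviewerJWT: string(tok), Source: "local-sa"}, nil

	default:
		// JWT set, CA not set: not in the comment's list (assumption).
		// Following the PR description (local SA files are read only when no
		// CA is supplied), take the CA from the pod but keep the configured JWT.
		ca, err := read(localSACAPath)
		if err != nil {
			return ReviewerCreds{}, fmt.Errorf("no CA configured and local SA ca.crt unreadable: %w", err)
		}
		return ReviewerCreds{CACert: string(ca), ReviewerJWT: cfgJWT, Source: "local-sa-ca"}, nil
	}
}

func main() {
	// Against the real pod filesystem; outside a pod with nothing configured
	// this lands in the "otherwise error" branch of case 1.
	creds, err := resolveReviewerCreds("", nil, "", os.ReadFile)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("reviewer credentials from:", creds.Source)
}
```

The point the #93 breakage turns on is the second branch: once an operator has supplied a CA for an external cluster, the local pod token must not be substituted for a missing `token_reviewer_jwt`, because that token belongs to a different cluster and the TokenReview call will be rejected there.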
@cyrus-mc
Author

cyrus-mc commented Aug 4, 2020

Any further discussion required on this? With the current state the docs don’t match the actual functionality.

@yurifrl

yurifrl commented Aug 19, 2020

So, I'm getting this error

    failed to request new Vault token Error making API request.

    URL: PUT $VAULT_ADDR/v1/auth/$ENGINE/login
    Code: 400. Errors:

    * missing client token

Is that related?

@tvoran tvoran added the bug label Sep 16, 2020
@tvoran tvoran self-requested a review September 16, 2020 00:51
@tvoran
Member

tvoran commented Sep 29, 2020

Hi folks, thanks for the discussion and contribution here, but we decided to add an explicit option to control this behavior, which was released in vault 1.5.4; see #97 and hashicorp/vault#9992 for the details.

@tvoran tvoran closed this Sep 29, 2020