
Add Kubernetes JWT provider#368

Open
tsaarni wants to merge 1 commit into hashicorp:main from Nordix:jwt-oidc-with-kubernetes

Conversation

@tsaarni tsaarni commented Feb 6, 2026

Overview

This change implements a Kubernetes-specific JWT provider that uses the pod's Service Account token and CA certificate for authenticating requests to the Kubernetes API server's OIDC endpoints.

This approach avoids requiring RBAC policy changes that would otherwise be needed to allow anonymous access to the OIDC discovery and JWKS endpoints.

The provider is configured in the following way:

$ vault write auth/jwt/config - <<EOF
{
    "oidc_discovery_url": "https://kubernetes.default.svc.cluster.local",
    "provider_config": {
        "provider": "kubernetes"
    }
}
EOF

The provider uses the default mount paths /var/run/secrets/kubernetes.io/serviceaccount/token and /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, which removes the burden on the user of configuring anything beyond setting the discovery URL and selecting the Kubernetes provider. The default automounted token is sufficient; no RBAC permissions need to be created.

Design of Change

This PR adds a new provider, kubernetes, which implements the new KeySetDiscovery interface. This interface allows the provider to handle fetching the discovery document and keys and to return a jwt.KeySet, enabling the Kubernetes provider to use a custom http.RoundTripper for authenticating all HTTP requests towards the Kubernetes API server.

The provider "re-implements" discovery document download itself (retrieveJWKSURL, similar to jwt.NewOIDCDiscoveryKeySet()). This duplication could be eliminated if hashicorp/cap#176 is resolved.

Related Issues/Pull Requests

Fixes #367

I have previously submitted this patch also to the OpenBao project: openbao/openbao#2114.

Contributor Checklist

[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won't be added yet (My Docs PR Link / Example)
[ ] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
[ ] Backwards compatible

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

Implement a Kubernetes-specific JWT provider that uses the pod's Service
Account token and CA certificate for authenticating requests to the
Kubernetes API server's OIDC endpoints.

This approach avoids requiring RBAC policy changes that would otherwise be
needed to allow anonymous access to the OIDC discovery and JWKS endpoints.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
@tsaarni tsaarni requested a review from a team as a code owner February 6, 2026 17:12

tsaarni commented Feb 19, 2026

@hashicorp/vault-ecosystem, @fairclothjm, please take a look when you have time 🙏



Development

Successfully merging this pull request may close these issues.

Feature: Support authenticated OIDC discovery for Kubernetes-based deployments