+1 for EKS. Is Azure ACS still there? We use AKS on Azure; though it's in preview, apart from some limitations (and the odd stuck cluster delete) it works well for us.
We deploy to all major cloud providers and we need to interact with them frequently - thus we have containers for all the AWS, Azure and Google CLIs. The clusters we deploy have OpenFaaS deployed - and also the CLI container pod (we run everything in Kubernetes) for the particular cloud. When we need to fix/investigate an issue we need to get into the pod and use the CLI, etc. - or SSH to a DMZ and install the CLI, add the credentials or IAM role, etc. - so one idea was to wrap this into a function (as in the example at the end of the blog) and just be able to invoke any CLI command through the REST API (secured with OAuth2 tokens). I am less and less convinced that this is a good idea - any feedback?
We use JWT because the user data is already stored upfront (w/out needing to check a database) and it's a well-defined storage mechanism. With Vault we check only the token ID, not the full token, so it's not a heavyweight select. On the other hand we have 3rd party (used internally) systems using the same mechanism (e.g. Drone).
But then you have to handle expiration and revocation synchronously. Is the extra network + cpu to unmarshall a token that much of a savings over 1 redis call on the server for the user details?
Which storage backend are you using for Vault? With MySQL you could use scheduled events (no need to run/manage your own process), a created_at column in the Vault table and a scheduled check for created_at + ttl, and have the DB remove the tokens once the lease is expired. Also, if you were to use an etcd backend you could configure it to have them removed once the lease is expired. The only drawback is that the tokens' TTLs are global and you can't set them per user.
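The scheduled-event approach from the comment above, as an added MySQL example that is not part of the thread: the `tokens` table, its columns and the 1-hour TTL are assumptions for illustration (Vault's own MySQL backend stores opaque key/value blobs, so a real deployment would need its own token table like this one).

```sql
-- Added example, not from the thread. Assumed table: one row per issued
-- token, looked up by its id rather than by the full token value.
CREATE TABLE IF NOT EXISTS tokens (
  token_id    CHAR(36)  NOT NULL PRIMARY KEY,  -- opaque id handed to the client
  token_hash  CHAR(64)  NOT NULL,              -- SHA-256 of the token, never the raw value
  user_id     INT       NOT NULL,
  created_at  TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  KEY idx_tokens_created_at (created_at)       -- lets the purge and the check use the index
);

-- The scheduler is off by default on many installs; it must run for events to fire.
SET GLOBAL event_scheduler = ON;

-- Global TTL of 3600 seconds (assumed). The event is the "scheduled check for
-- created_at + ttl": the DB deletes expired rows itself, no external process.
CREATE EVENT IF NOT EXISTS purge_expired_tokens
  ON SCHEDULE EVERY 1 MINUTE
  COMMENT 'Remove tokens whose lease has expired'
  DO
    DELETE FROM tokens
     WHERE created_at + INTERVAL 3600 SECOND < NOW();

-- Validation still filters on the TTL: a token issued seconds before expiry must
-- not be accepted just because the purge has not run yet in this minute.
-- (? is a prepared-statement placeholder for the presented token id.)
SELECT user_id
  FROM tokens
 WHERE token_id = ?
   AND created_at + INTERVAL 3600 SECOND >= NOW();

-- Revocation stays synchronous, as the reply above points out: a revoked
-- token is simply deleted, and the next SELECT finds no row.
DELETE FROM tokens WHERE token_id = ?;
```

The purge interval only bounds how long expired rows linger on disk; the TTL check in the SELECT is what actually enforces expiry.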