Consider token lookup event configurable #231
Description
Hi,
In our scenario we have a public Vault endpoint and a mix of k8s clusters some with the public k8s API and some with the private only. If we are to use the service account auth it would work for the public clusters but won't work for the private ones cause token lookup can't be done from the Vault server towards the private endpoints.
Proposal is to make lookup option configurable based on the token's TTL e.g. lookup_after_ttl="10s". This way if we have a short lived token and TTL say <10m it is highly unlikely someone would revoke a token within that timeframe + it would give our offline clusters grace period where vault interaction could take place.
Token is still validated via CA so it can't be fake-issued just not going to be looked up in k8s if lookup_after_ttl is not due.
Does this feature makes sense?
Thanks,
A