
Update k8s auth long-lived token instructions#13852

Merged
tomhjp merged 1 commit into main from docs/k8s-auth-long-lived-token
Jan 31, 2022

Conversation

@tomhjp
Contributor

tomhjp commented Jan 31, 2022

Fixes #13844
As explained in the linked issue, we should advise creating a dedicated token for this purpose.

I've also updated the required version for auto-reloading, and slightly strengthened the wording about the downside of using long-lived tokens, especially now that we have released the auto-reloading feature.

@tvoran
Member

tvoran commented Jan 31, 2022

Now that #13853 is in stable-website, the backport of this one should go cleanly 🤞

@asenyaev

Hi, @tomhjp!

As I understand, we can configure Vault to use a service account's token for authentication, right?

I tried to follow the instructions on the HashiCorp website, where I have to create a token as a secret of the vault service account, give the system:auth-delegator ClusterRole to the vault service account, and define token_reviewer_jwt to use this secret. However, I cannot apply the k8s config in Vault with token_reviewer_jwt defined. What am I doing wrong?

The command for k8s config inside Vault:

vault write auth/kubernetes/config \
    token_reviewer_jwt="vault-k8s-auth-secret" \
    kubernetes_host=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

The output:

Error writing data to auth/kubernetes/config: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/kubernetes/config
Code: 500. Errors:

* 1 error occurred:
        * not a compact JWS

If I add a token for token_reviewer_jwt, it applies. But I don't think it's a good way when we have to find a token, decode it, and use it.
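The procedure described in the comment above (a dedicated long-lived token Secret for the Vault service account, the JWT pulled out of that Secret and handed to `token_reviewer_jwt`), as an added example that is not code from this PR, from Vault's documentation, or from the commenter. The namespace, service account and secret names are assumptions; the Secret JSON and the JWT inside it are constructed inside the script so that it runs without a cluster. The `is_compact_jws` check is not something Vault or kubectl provide; it only reproduces the shape test behind Vault's "not a compact JWS" error so the mistake in the command above (passing the Secret's name instead of the decoded token) is caught before `vault write`.

```sh
#!/bin/sh
# Added example, not code from the PR or from Vault's docs.
# Assumed names: namespace "vault", service account "vault",
# secret "vault-k8s-auth-secret". Needs coreutils base64 (the -d flag).

# Manifest for a dedicated long-lived token Secret. Kubernetes' token
# controller fills in data.token once the annotated service account exists.
dedicated_token_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: vault-k8s-auth-secret
  namespace: vault
  annotations:
    kubernetes.io/service-account.name: vault
type: kubernetes.io/service-account-token
EOF
}

# base64url-encode stdin without padding, the encoding JWT segments use.
b64url() {
    base64 | tr -d '=\n' | tr '+/' '-_'
}

# Constructed stand-in for the JWT Kubernetes mints: three base64url segments
# joined by dots. The signature is junk; only the shape matters here.
sample_jwt() {
    h=$(printf '%s' '{"alg":"RS256","kid":"example"}' | b64url)
    p=$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:vault:vault"}' | b64url)
    s=$(printf '%s' 'not-a-real-signature' | b64url)
    printf '%s.%s.%s' "$h" "$p" "$s"
}

# Constructed output of `kubectl -n vault get secret vault-k8s-auth-secret -o json`
# (only the fields that matter), with data.token base64-encoded as the API does.
sample_secret_json() {
    tok_b64=$(sample_jwt | base64 | tr -d '\n')
    printf '{\n  "kind": "Secret",\n  "type": "kubernetes.io/service-account-token",\n  "data": {\n    "token": "%s"\n  }\n}\n' "$tok_b64"
}

# Decode data.token from a Secret JSON document read on stdin. Against a real
# cluster you would use `kubectl get secret ... -o jsonpath='{.data.token}'`;
# the sed only keeps this example free of dependencies.
token_from_secret_json() {
    sed -n 's/.*"token": *"\([^"]*\)".*/\1/p' | base64 -d
}

# True when the value has the form of a compact JWS: header.payload.signature,
# each a non-empty base64url segment. The Secret's *name*, as used in the
# command above, fails this check, which is what "not a compact JWS" means.
is_compact_jws() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Real-world sequence against a cluster (not executed in this script):
#   dedicated_token_manifest | kubectl apply -f -
#   TOKEN=$(kubectl -n vault get secret vault-k8s-auth-secret -o jsonpath='{.data.token}' | base64 -d)
#   is_compact_jws "$TOKEN" || { echo "secret holds no JWT" >&2; exit 1; }
#   vault write auth/kubernetes/config \
#       token_reviewer_jwt="$TOKEN" \
#       kubernetes_host="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT" \
#       kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
```

The value that reaches `token_reviewer_jwt` must be the decoded contents of `data.token`, never the Secret's name or the still-base64-encoded field; the `is_compact_jws` guard fails fast on both mistakes.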



Development

Successfully merging this pull request may close these issues.

Instructions for obtaining Kubernetes service account token manually are incorrect
