Add vault extra audiences #6718
Conversation
--------- Signed-off-by: cloudwiz <andrey.dubnik@maersk.com>
jetstack-bot
added
release-note
|
Hi @andrey-dubnik. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
added
needs-ok-to-test
|
@SgtCoDFish here is a new PR with corrected DCO, I had to abort another one as it was past saving... |
|
/kind feature Linked to #6686 |
jetstack-bot
added
ok-to-test
kind/feature
Signed-off-by: cloudwiz <andrey.dubnik@maersk.com>
|
/test pull-cert-manager-master-e2e-v1-28 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: SgtCoDFish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
|
Hey, sorry for the delay, I see that the PR has already been merged. 😅 It took me a while to test everything manually. I described how I manually tested this in this Hackmd page. As Ash explained, I went "too deep" in the risk analysis of I have a few remarks:
Note: Just before you submitted your PR, I was working with @SpectralHiss on documenting using the JWT authentication method in cert-manager/website#1397 (see preview). We thought the JWT auth would be easier to handle... but we found some hurdles (mainly when folks are using OpenShift), and we were happy to see your PR; it made us realize that giving the possibility of configuring the |
| // TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token | ||
| // consisting of the issuer's namespace and name is always included. | ||
| // +optional | ||
| TokenAudiences []string `json:"audiences,omitempty"` |
There was a problem hiding this comment.
This should be moved under serviceAccountRef IMO. audiences and secretRef wouldn't make sense for example:
kind: Issuer
spec:
auth:
kubernetes:
secretRef:
name: vault
key: token
audiences:
- https://kubernetes.default.svc.cluster.local
|
Thanks for commenting. Here is a line of thinking. This change should not be a breaking change so if and when the audiences are supplied they are merged with the default audience. This way current users won't experience a failure during a version upgrade. Since it is possible to add audiences now there is no reason to limit it to only one. E.g. default k8s token in aks have quite a few which include the issuer and the host. It is up to user to decide which audiences to provide if any. For my use case I would put k8s (AKS) public url into the audiences list as this is what is expected on the vault side. But can be more expressive and mention multiple audiences if on vault end I need to explicitly configure the audience validation. Not sure if I'm going to need more than one and need to think on the possible use case. Either way having multiple options is better than having only one. Reg. the placement of the audiences, I thought the same way you did initially but end of the day mimicked the hashicorp spec where they have it on the same level with SA property so there is a level of consistency between the cert-manager and vault operator. |
|
One of the theoretical use cases for having multiple audiences would be in decoupling the vault role config from the cert-manager config as if I am to change vault role aud requirement I can register new aud as additional audiences list item in the cert-manager config and make changes on the vault side without breaking things. |
I think I agree with Maël's suggestion here to be honest, I think it would be better to have it under serviceAccountRef. I think that design is cleaner and better matches what I'd expect. Would you maybe be open to creating a PR with that change? 😇 |
|
Other thought: since 99% of folks who will be using the kind: Issuer
spec:
auth:
kubernetes:
serviceAccountRef:
enableKubeAudience: trueThe cluster's issuer URL is automatically added by cert-manager without having to figure out what is the issuer URL of the cluster, since each cluster has its own issuer URL |
Probably not as I'd like to keep the option open for the audiences, at least the proposal won't meet our potential use scenarios. Cluster issuer in AUD is not what vault expects by default from what I've seen as it is looking for the kube API server as aud instead, which may change depending on what Vault or K8s teams do. If aud is flexible then user can coordinate the aud and the vault role. I will make another PR to change the aud to be within the SA scope |
enable audiences example
Example of the spec
Pull Request Motivation
Motivation is elaborated in #6666
Kind
/feature
Release Note