Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault: document serviceAccountRef with an external Vault #1455

Merged
merged 4 commits into from
Apr 18, 2024
Merged

Vault: document serviceAccountRef with an external Vault #1455

merged 4 commits into from
Apr 18, 2024

Conversation

maelvls
Copy link
Member

@maelvls maelvls commented Mar 28, 2024

We forgot to document this feature after cert-manager/cert-manager#6666 was merged.

@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 28, 2024
@maelvls maelvls requested a review from SpectralHiss March 28, 2024 12:03
@netlify Netlify
Copy link

netlify bot commented Mar 28, 2024
edited
Loading

Deploy Preview for cert-manager-website ready!

Name Link
🔨 Latest commit 18dbb7e
🔍 Latest deploy log https://app.netlify.com/sites/cert-manager-website/deploys/660fff5000830e00090913c0
😎 Deploy Preview https://deploy-preview-1455--cert-manager-website.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

SpectralHiss
SpectralHiss reviewed Mar 28, 2024
View reviewed changes
Copy link
Contributor

@SpectralHiss SpectralHiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice this looks good, probably means we can close this and not confuse most cert-manager users!

content/docs/configuration/vault.md
mountPath: /v1/auth/kubernetes
serviceAccountRef:
name: vault-issuer
audiences: [https://kubernetes.default.svc.cluster.local]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't the audiences also include something like vault to tighten the integration?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default "computed" audience (e.g., vault://namespace/issuer-name) is still added to the audiences by default, so I'd say it would be redundant to add vault there? Of course, that's only useful if folks are also using audience in their vault role, otherwise the audience isn't checked by vault.

Copy link
Contributor

@SpectralHiss SpectralHiss Mar 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah yeah, perhaps I would add a sentence to say that the default behavior will also include vault://namespace/issuer-name which you can use in the vault role if one wishes (and that it works by default).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@maelvls maelvls changed the base branch from master to release-next March 29, 2024 08:54
@jetstack-bot jetstack-bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 29, 2024
@maelvls
vault: document cert-manager/cert-manager#6666
8de9069 
I made sure to explain that the vault:// audience is still there.

Signed-off-by: Maël Valais <mael@vls.dev>
@maelvls maelvls force-pushed the docs-external-vault branch from d57a68e to 8de9069 Compare March 29, 2024 08:58
@jetstack-bot jetstack-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Mar 29, 2024
@maelvls maelvls added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 29, 2024
SpectralHiss
SpectralHiss reviewed Apr 3, 2024
View reviewed changes
content/docs/configuration/vault.md
<a name="static-service-account-token"></a>

#### Secretless Authentication with a Service Account (External Vault)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maelvls I just realized we need to add a little footnote to say this feature is available starting cert-manager 1.15 (just like it says for the above paragraph line 366

@maelvls
Copy link
Member Author

maelvls commented Apr 4, 2024

/hold I need to add a mention that the external Vault with service account ref requires 1.15

@jetstack-bot jetstack-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 4, 2024
@maelvls
vault: add a mention of the cert-manager version required
0a44814 
Signed-off-by: Maël Valais <mael@vls.dev>
@maelvls
Copy link
Member Author

maelvls commented Apr 5, 2024

/unhold Done!

ThatsMrTalbot
ThatsMrTalbot reviewed Apr 5, 2024
View reviewed changes
Copy link
Contributor

@ThatsMrTalbot ThatsMrTalbot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to add v1.15.0 to the spelling file for the checks to pass

@maelvls
spelling
859d51b 
Signed-off-by: Maël Valais <mael@vls.dev>
ThatsMrTalbot
ThatsMrTalbot reviewed Apr 5, 2024
View reviewed changes
@maelvls
spelling
18dbb7e 
Signed-off-by: Maël Valais <mael@vls.dev>
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: SpectralHiss

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ThatsMrTalbot
Copy link
Contributor

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 6, 2024
@maelvls maelvls removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 18, 2024
@cert-manager-prow cert-manager-prow bot merged commit b9aa1e9 into cert-manager:release-next Apr 18, 2024
4 checks passed
@cert-manager-prow cert-manager-prow bot mentioned this pull request Apr 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ThatsMrTalbot ThatsMrTalbot ThatsMrTalbot left review comments

@SpectralHiss SpectralHiss SpectralHiss approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@maelvls @jetstack-bot @ThatsMrTalbot @SpectralHiss