From 8de9069be525c0ee77c8847599b56d1fab3c5684 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Thu, 28 Mar 2024 13:00:25 +0100 Subject: [PATCH 1/4] vault: document https://github.com/cert-manager/cert-manager/issues/6666 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I made sure to explain that the vault:// audience is still there. Signed-off-by: Maël Valais --- content/docs/configuration/vault.md | 46 +++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/content/docs/configuration/vault.md b/content/docs/configuration/vault.md index d7571758f45..6f35d4bc403 100644 --- a/content/docs/configuration/vault.md +++ b/content/docs/configuration/vault.md @@ -361,7 +361,9 @@ Kubernetes service account token can be provided in two ways: - [Secretless Authentication with a Service Account](#secretless-authentication-with-a-service-account) (recommended), - [Authentication with a Static Service Account Token](#static-service-account-token). -#### Secretless Authentication with a Service Account + + +#### Secretless Authentication with a Service Account (In-Cluster Vault) ℹ️ This feature is available in cert-manager >= v1.12.0. 
@@ -464,7 +466,47 @@ needs to talks to Vault. Although it is not recommended, you can also use the same Vault role for all of your Issuers and ClusterIssuers by omitting the `audience` field and re-using the same service account. - + +#### Secretless Authentication with a Service Account (External Vault) + +If you are using a Vault instance external to your cluster, you will need to set +the `audiences` to an audience accepted by your Kubernetes cluster. When using +an external Vault instance, the short-lived token created by cert-manager to +authenticate to Vault will be used by Vault for authenticating to Kubernetes. +First, find what your cluster's issuer is: + +```sh +kubectl get --raw /.well-known/openid-configuration | jq .issuer -r +``` + +Then, set the `audiences` field to the issuer URL: + +```yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: vault-issuer + namespace: sandbox +spec: + vault: + path: pki_int/sign/example-dot-com + server: https://vault.local + auth: + kubernetes: + role: my-app-1 + mountPath: /v1/auth/kubernetes + serviceAccountRef: + name: vault-issuer + audiences: [https://kubernetes.default.svc.cluster.local] +``` + +When using `audiences`, the JWT will still include the generated audience +`vault://namespace/issuer-name` or `vault://cluster-issuer`. The generated +audience is useful for restricting access to a Vault role to a certain issuer. + +When configuring the Kubernetes Vault auth method, omit the `token_reviewer_jwt` +parameter so that Vault uses the token provided by cert-manager to authenticate +with the Kubernetes API server when reviewing the token. #### Authentication with a Static Service Account Token From 0a44814ab297d705adb6dd02c07a5a1ef82da098 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 5 Apr 2024 13:55:13 +0200 Subject: [PATCH 2/4] vault: add a mention of the cert-manager version required MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- content/docs/configuration/vault.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/docs/configuration/vault.md b/content/docs/configuration/vault.md index 6f35d4bc403..fdc2edc1852 100644 --- a/content/docs/configuration/vault.md +++ b/content/docs/configuration/vault.md @@ -469,6 +469,8 @@ the same service account. #### Secretless Authentication with a Service Account (External Vault) +ℹ️ This feature is available in cert-manager >= v1.15.0. + If you are using a Vault instance external to your cluster, you will need to set the `audiences` to an audience accepted by your Kubernetes cluster. When using an external Vault instance, the short-lived token created by cert-manager to From 859d51b22002723381562f01cd39b19752d9925a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 5 Apr 2024 14:20:12 +0200 Subject: [PATCH 3/4] spelling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .spelling | 1 + 1 file changed, 1 insertion(+) diff --git a/.spelling b/.spelling index 56bcae48472..e0f8761d355 100644 --- a/.spelling +++ b/.spelling @@ -532,6 +532,7 @@ v1.12.0 v1.12.1. v1.12.2. v1.12.3. +v1.15.0 v1alpha1 v1alpha2 v1alpha3 From 18dbb7e5d9c4a7faa1f3009c5de79d1f76bd54f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 5 Apr 2024 15:40:30 +0200 Subject: [PATCH 4/4] spelling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .spelling | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.spelling b/.spelling index e0f8761d355..a6cd2bfe89a 100644 --- a/.spelling +++ b/.spelling 
@@ -532,7 +532,7 @@ v1.12.0 v1.12.1. v1.12.2. v1.12.3. -v1.15.0 +v1.15.0. v1alpha1 v1alpha2 v1alpha3
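Review bot: in the first hunk of patch 1 (`@@ -361,7 +361,9 @@`), renaming the heading to `#### Secretless Authentication with a Service Account (In-Cluster Vault)` changes its generated anchor, but the list entry two lines above it still reads `- [Secretless Authentication with a Service Account](#secretless-authentication-with-a-service-account) (recommended),` and now points at an anchor that no longer exists; update that link to the new heading's anchor, and consider adding a third list entry for the new External Vault section so the overview matches the headings that follow. The two blank lines inserted before the heading also leave a triple blank line; one is enough.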
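Review bot: the second hunk of patch 1 (`@@ -464,7 +466,47 @@`) is inconsistent about what `audiences` must contain: the first paragraph says "an audience accepted by your Kubernetes cluster", the next sentence says to set it to the issuer URL printed by `kubectl get --raw /.well-known/openid-configuration | jq .issuer -r`, and the example then hard-codes `audiences: [https://kubernetes.default.svc.cluster.local]`. Issuer and audience are different token claims; what Vault's TokenReview needs is an audience the API server accepts (its `--api-audiences` list, which only by default falls back to the issuer URL), so say that explicitly, replace the literal in the example with the value the reader obtained from the command, and note that a cluster configured with an explicit `--api-audiences` must use one of those values instead. The closing paragraph about omitting `token_reviewer_jwt` should also state the consequence: because Vault then performs the TokenReview with the token it is validating, the `vault-issuer` service account must be allowed to create TokenReviews (the `system:auth-delegator` ClusterRole), otherwise the review is forbidden and the login fails.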
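Review bot: the line added in patch 2 (`+ℹ️ This feature is available in cert-manager >= v1.15.0.`) is ambiguous about which feature it gates, since the page already tags secretless authentication itself as `>= v1.12.0` a few paragraphs earlier; name the `audiences` field of `serviceAccountRef` as the v1.15.0 requirement so readers on 1.12 to 1.14 know exactly which field their API server will reject. This note also belongs in patch 1, which introduced the section, rather than as a follow-up commit.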
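Review bot: patches 3 and 4 (the two `.spelling` hunks at `@@ -532,6 +532,7 @@` and `@@ -532,7 +532,7 @@`) should be squashed: patch 3 adds `+v1.15.0` and patch 4 immediately rewrites it to `+v1.15.0.`, so the intermediate commit exists only to be corrected. The trailing period matches the neighbouring `v1.12.1.` entries and the sentence-final `v1.15.0.` in the doc, but the list also keeps a period-less `v1.12.0`, so if the version is ever cited mid-sentence the bare form will have to be added as well.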