Vault: document serviceAccountRef with an external Vault #1455

Merged
46 changes: 44 additions & 2 deletions content/docs/configuration/vault.md
Expand Up @@ -361,7 +361,9 @@ Kubernetes service account token can be provided in two ways:
- [Secretless Authentication with a Service Account](#secretless-authentication-with-a-service-account) (recommended),
- [Authentication with a Static Service Account Token](#static-service-account-token).

#### Secretless Authentication with a Service Account
<a name="static-service-account-token"></a>

#### Secretless Authentication with a Service Account (In-Cluster Vault)

ℹ️ This feature is available in cert-manager >= v1.12.0.

Expand Down Expand Up @@ -464,7 +466,47 @@ needs to talks to Vault.
Although it is not recommended, you can also use the same Vault role for all of
your Issuers and ClusterIssuers by omitting the `audience` field and re-using
the same service account.
<a name="static-service-account-token"></a>

#### Secretless Authentication with a Service Account (External Vault)

Contributor

@maelvls I just realized we need to add a little footnote to say this feature is available starting cert-manager 1.15 (just like it says for the above paragraph, line 366).

If you are using a Vault instance external to your cluster, you will need to set
the `audiences` to an audience accepted by your Kubernetes cluster. When using
an external Vault instance, the short-lived token created by cert-manager to
authenticate to Vault will be used by Vault for authenticating to Kubernetes.
First, find what your cluster's issuer is:

```sh
kubectl get --raw /.well-known/openid-configuration | jq .issuer -r
```

Then, set the `audiences` field to the issuer URL:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: vault-issuer
namespace: sandbox
spec:
vault:
path: pki_int/sign/example-dot-com
server: https://vault.local
auth:
kubernetes:
role: my-app-1
mountPath: /v1/auth/kubernetes
serviceAccountRef:
name: vault-issuer
audiences: [https://kubernetes.default.svc.cluster.local]
Contributor

Shouldn't the audiences also include something like vault to tighten the integration?

Member Author

The default "computed" audience (e.g., vault://namespace/issuer-name) is still added to the audiences by default, so I'd say it would be redundant to add vault there? Of course, that's only useful if folks are also using audience in their vault role, otherwise the audience isn't checked by vault.

Contributor

@SpectralHiss SpectralHiss Mar 28, 2024

Ah yeah, perhaps I would add a sentence to say that the default behavior will also include vault://namespace/issuer-name which you can use in the vault role if one wishes (and that it works by default).

Member Author

Done

```

When using `audiences`, the JWT will still include the generated audience
`vault://namespace/issuer-name` or `vault://cluster-issuer`. The generated
audience is useful for restricting access to a Vault role to a certain issuer.

When configuring the Kubernetes Vault auth method, omit the `token_reviewer_jwt`
parameter so that Vault uses the token provided by cert-manager to authenticate
with the Kubernetes API server when reviewing the token.

#### Authentication with a Static Service Account Token

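Review bot: the new `#### Secretless Authentication with a Service Account (External Vault)` section carries no version note, while the in-cluster section above it has `ℹ️ This feature is available in cert-manager >= v1.12.0.`; the thread on this hunk says `audiences` support starts in cert-manager 1.15, so add the matching `ℹ️` line directly under the heading before merging. Two smaller points on the same hunk. The prose tells the reader to look up the issuer with `kubectl get --raw /.well-known/openid-configuration | jq .issuer -r` and use that value, but the example then hardcodes `audiences: [https://kubernetes.default.svc.cluster.local]`; a `# replace with the issuer URL printed by the command above` comment on that line would stop the value being copied verbatim onto clusters whose issuer differs. It would also help to say why the issuer URL works as an audience: the API server accepts its own issuer as a token audience by default, and a cluster configured with an explicit `--api-audiences` list must use one of those values instead, otherwise Vault's TokenReview of the cert-manager token is rejected. Finally, the `<a name="static-service-account-token"></a>` anchor shown above the External Vault heading is not above the `#### Authentication with a Static Service Account Token` heading it names; it belongs immediately before that heading at the bottom of this hunk.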