diff --git a/deploy/charts/cert-manager/crds/clusterissuers.yaml b/deploy/charts/cert-manager/crds/clusterissuers.yaml index ba93c0ccf..7ac0e1cf2 100644 --- a/deploy/charts/cert-manager/crds/clusterissuers.yaml +++ b/deploy/charts/cert-manager/crds/clusterissuers.yaml @@ -1473,10 +1473,11 @@ spec: - secretRef properties: mountPath: - description: The vault here is the path to use when authenticating - with vault, for example setting a value to `/v1/auth/foo/login`. - If unspecified, the default value "/v1/auth/kubernetes/login" - will be used. + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. type: string role: description: A required field containing the Vault Role diff --git a/deploy/charts/cert-manager/crds/issuers.yaml b/deploy/charts/cert-manager/crds/issuers.yaml index d7382c669..cc53bc178 100644 --- a/deploy/charts/cert-manager/crds/issuers.yaml +++ b/deploy/charts/cert-manager/crds/issuers.yaml @@ -1473,10 +1473,11 @@ spec: - secretRef properties: mountPath: - description: The vault here is the path to use when authenticating - with vault, for example setting a value to `/v1/auth/foo/login`. - If unspecified, the default value "/v1/auth/kubernetes/login" - will be used. + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. type: string role: description: A required field containing the Vault Role diff --git a/deploy/manifests/00-crds.yaml b/deploy/manifests/00-crds.yaml index 0f555c59e..a575729c9 100644 --- a/deploy/manifests/00-crds.yaml +++ b/deploy/manifests/00-crds.yaml 
@@ -3257,10 +3257,11 @@ spec: - secretRef properties: mountPath: - description: The vault here is the path to use when authenticating - with vault, for example setting a value to `/v1/auth/foo/login`. - If unspecified, the default value "/v1/auth/kubernetes/login" - will be used. + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. type: string role: description: A required field containing the Vault Role @@ -4911,10 +4912,11 @@ spec: - secretRef properties: mountPath: - description: The vault here is the path to use when authenticating - with vault, for example setting a value to `/v1/auth/foo/login`. - If unspecified, the default value "/v1/auth/kubernetes/login" - will be used. + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. type: string role: description: A required field containing the Vault Role diff --git a/docs/generated/reference/output/reference/api-docs/index.html b/docs/generated/reference/output/reference/api-docs/index.html index 616326daf..e68d6d8a3 100755 --- a/docs/generated/reference/output/reference/api-docs/index.html +++ b/docs/generated/reference/output/reference/api-docs/index.html @@ -2691,7 +2691,7 @@ Appears In: mountPath
string -The vault here is the path to use when authenticating with vault, for example setting a value to /v1/auth/foo/login. If unspecified, the default value "/v1/auth/kubernetes/login" will be used. +The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to /v1/auth/foo, will use the path /v1/auth/foo/login to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. role
 string
diff --git a/pkg/apis/certmanager/v1alpha2/const.go b/pkg/apis/certmanager/v1alpha2/const.go
index 2a4dbabdb..4344c08c5 100644
--- a/pkg/apis/certmanager/v1alpha2/const.go
+++ b/pkg/apis/certmanager/v1alpha2/const.go
@@ -37,6 +37,7 @@ const (
 	DefaultVaultTokenAuthSecretKey = "token"
 
 	// Default mount path location for Kubernetes ServiceAccount authentication
-	// (/v1/auth/kubernetes/login)
-	DefaultVaultKubernetesAuthMountPath = "/v1/auth/kubernetes/login"
+	// (/v1/auth/kubernetes). The endpoint will then be called at `/login`, so
+	// left as the default, `/v1/auth/kubernetes/login` will be called.
+	DefaultVaultKubernetesAuthMountPath = "/v1/auth/kubernetes"
 )
diff --git a/pkg/apis/certmanager/v1alpha2/types_issuer.go b/pkg/apis/certmanager/v1alpha2/types_issuer.go
index 274db4926..d823dc74e 100644
--- a/pkg/apis/certmanager/v1alpha2/types_issuer.go
+++ b/pkg/apis/certmanager/v1alpha2/types_issuer.go
@@ -193,9 +193,10 @@ type VaultAppRole struct {
 // Authenticate against Vault using a Kubernetes ServiceAccount token stored in
 // a Secret.
 type VaultKubernetesAuth struct {
-	// The vault here is the path to use when authenticating with vault, for
-	// example setting a value to `/v1/auth/foo/login`. If unspecified, the
-	// default value "/v1/auth/kubernetes/login" will be used.
+	// The Vault mountPath here is the mount path to use when authenticating with
+	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+	// default value "/v1/auth/kubernetes" will be used.
 	// +optional
 	Path string `json:"mountPath,omitempty"`
 
diff --git a/pkg/internal/vault/vault.go b/pkg/internal/vault/vault.go
index 690f00a89..1f24dbc61 100644
--- a/pkg/internal/vault/vault.go
+++ b/pkg/internal/vault/vault.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net/http"
 	"path"
+	"path/filepath"
 	"strings"
 	"time"
 
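Review bot: The rewritten comment on DefaultVaultKubernetesAuthMountPath is hard to parse ("so left as the default, ... will be called") and does not state the one fact a reader of this constant needs: the client joins it with `login` before the request is sent. Suggest `// Default mount path for Kubernetes ServiceAccount authentication. The client appends "/login" to it, so the default resolves to /v1/auth/kubernetes/login.` The rest of the const block is outside the hunk.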
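Review bot: The new doc on VaultKubernetesAuth.Path changes the field's contract (mount path only, `/login` now appended by cert-manager) but says nothing to users whose existing Issuers were written against the previous text, which documented a full `/v1/auth/foo/login` value; those values will now be sent as `.../login/login` and authentication will fail. Suggest adding after the example: `// Do not include the trailing /login segment that earlier releases expected; it is appended automatically.` The struct continues outside the hunk.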
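Review bot: `path/filepath` is the wrong package for composing an HTTP request path: its Join cleans with the OS separator, so if this package is ever built for Windows the requestTokenWithKubernetesAuth hunk that follows in this file would send `\v1\auth\kubernetes\login`. This import block already has `path`, which is the slash-only variant and is what the e2e test in this same diff uses; change the call in the later hunk to `url := path.Join(mountPath, "login")` and drop this import.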
@@ -317,7 +318,8 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
 		mountPath = v1alpha2.DefaultVaultKubernetesAuthMountPath
 	}
 
-	request := client.NewRequest("POST", mountPath)
+	url := filepath.Join(mountPath, "login")
+	request := client.NewRequest("POST", url)
 	err = request.SetJSONBody(parameters)
 	if err != nil {
 		return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())
diff --git a/test/e2e/suite/issuers/vault/issuer.go b/test/e2e/suite/issuers/vault/issuer.go
index cec16ea8d..501009bf5 100644
--- a/test/e2e/suite/issuers/vault/issuer.go
+++ b/test/e2e/suite/issuers/vault/issuer.go
@@ -63,7 +63,7 @@ var _ = framework.CertManagerDescribe("Vault Issuer", func() {
 	vaultKubernetesRoleName := "kubernetes-role"
 	vaultPath := path.Join(intermediateMount, "sign", role)
 	appRoleAuthPath := "approle"
-	kubernetesAuthPath := "/v1/auth/kubernetes/login"
+	kubernetesAuthPath := "/v1/auth/kubernetes"
 
 	var roleId, secretId string
 	var vaultInit *vaultaddon.VaultInitializer
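Review bot: Nothing in the new code handles a user-supplied mountPath that still follows the previously documented format ending in `/login`; the join on the first added line silently turns it into `.../login/login`, and the only signal the operator gets is whatever error Vault returns for the unknown path. Since `strings` is already imported here, a transitional normalisation such as `mountPath = strings.TrimSuffix(mountPath, "/login")` before the join, or an explicit validation error naming the field, would make the upgrade visible rather than silent. The function requestTokenWithKubernetesAuth starts before this hunk, so the default-assignment branch above is only partly visible.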