move audiences under the SA ref

Signed-off-by: cloudwiz <andrey.dubnik@maersk.com>
2024-02-08 14:07:03 +00:00 · 2024-02-08 14:07:03 +00:00 · 75d1449903
commit 75d1449903
parent 63bd488bfa
18 changed files with 79 additions and 80 deletions
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@ -1195,11 +1195,6 @@ spec:
                          required:
                            - role
                          properties:
-                            audiences:
-                              description: TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token consisting of the issuer's namespace and name is always included.
-                              type: array
-                              items:
-                                type: string
                            mountPath:
                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
                              type: string
@ -1224,6 +1219,11 @@ spec:
                              required:
                                - name
                              properties:
+                                audiences:
+                                  description: TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token consisting of the issuer's namespace and name is always included.
+                                  type: array
+                                  items:
+                                    type: string
                                name:
                                  description: Name of the ServiceAccount used to request a token.
                                  type: string
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@ -1195,11 +1195,6 @@ spec:
                          required:
                            - role
                          properties:
-                            audiences:
-                              description: TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token consisting of the issuer's namespace and name is always included.
-                              type: array
-                              items:
-                                type: string
                            mountPath:
                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
                              type: string
@ -1224,6 +1219,11 @@ spec:
                              required:
                                - name
                              properties:
+                                audiences:
+                                  description: TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token consisting of the issuer's namespace and name is always included.
+                                  type: array
+                                  items:
+                                    type: string
                                name:
                                  description: Name of the ServiceAccount used to request a token.
                                  type: string
--- a/internal/apis/certmanager/types_issuer.go
+++ b/internal/apis/certmanager/types_issuer.go
@ -259,11 +259,6 @@ type VaultKubernetesAuth struct {
 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
 	Role string
-
-	// TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
-	// consisting of the issuer's namespace and name is always included.
-	// +optional
-	TokenAudiences []string
 }

 // ServiceAccountRef is a service account used by cert-manager to request a
@ -274,6 +269,11 @@ type VaultKubernetesAuth struct {
 type ServiceAccountRef struct {
 	// Name of the ServiceAccount used to request a token.
 	Name string
+
+	// TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+	// consisting of the issuer's namespace and name is always included.
+	// +optional
+	TokenAudiences []string
 }

 // CAIssuer configures an issuer that can issue certificates from its provided
--- a/internal/apis/certmanager/v1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1/zz_generated.conversion.go
@ -1409,6 +1409,7 @@ func Convert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer(in *certmanager

 func autoConvert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *v1.ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
+	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1419,6 +1420,7 @@ func Convert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *v1.Servic

 func autoConvert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *v1.ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
+	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1584,7 +1586,6 @@ func autoConvert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *v
 	}
 	out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
-	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1600,7 +1601,6 @@ func autoConvert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(in *c
 	}
 	out.ServiceAccountRef = (*v1.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
-	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

--- a/internal/apis/certmanager/v1alpha2/types_issuer.go
+++ b/internal/apis/certmanager/v1alpha2/types_issuer.go
@ -279,11 +279,6 @@ type VaultKubernetesAuth struct {
 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
 	Role string `json:"role"`
-
-	// TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token
-	// consisting of the issuer's namespace and name is always included.
-	// +optional
-	TokenAudiences []string `json:"audiences,omitempty"`
 }

 // ServiceAccountRef is a service account used by cert-manager to request a
@ -294,6 +289,11 @@ type VaultKubernetesAuth struct {
 type ServiceAccountRef struct {
 	// Name of the ServiceAccount used to request a token.
 	Name string `json:"name"`
+
+	// TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token
+	// consisting of the issuer's namespace and name is always included.
+	// +optional
+	TokenAudiences []string `json:"audiences,omitempty"`
 }

 type CAIssuer struct {
--- a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
@ -1415,6 +1415,7 @@ func Convert_certmanager_SelfSignedIssuer_To_v1alpha2_SelfSignedIssuer(in *certm

 func autoConvert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
+	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1425,6 +1426,7 @@ func Convert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *Ser

 func autoConvert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
+	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1590,7 +1592,6 @@ func autoConvert_v1alpha2_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth
 	}
 	out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
-	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1606,7 +1607,6 @@ func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha2_VaultKubernetesAuth
 	}
 	out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
-	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

--- a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
@ -918,6 +918,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
 	*out = *in
+	if in.TokenAudiences != nil {
+		in, out := &in.TokenAudiences, &out.TokenAudiences
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }

@ -1013,12 +1018,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	if in.ServiceAccountRef != nil {
 		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
 		*out = new(ServiceAccountRef)
-		**out = **in
-	}
-	if in.TokenAudiences != nil {
-		in, out := &in.TokenAudiences, &out.TokenAudiences
-		*out = make([]string, len(*in))
-		copy(*out, *in)
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
--- a/internal/apis/certmanager/v1alpha3/types_issuer.go
+++ b/internal/apis/certmanager/v1alpha3/types_issuer.go
@ -279,11 +279,6 @@ type VaultKubernetesAuth struct {
 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
 	Role string `json:"role"`
-
-	// TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token
-	// consisting of the issuer's namespace and name is always included.
-	// +optional
-	TokenAudiences []string `json:"audiences,omitempty"`
 }

 // ServiceAccountRef is a service account used by cert-manager to request a
@ -294,6 +289,11 @@ type VaultKubernetesAuth struct {
 type ServiceAccountRef struct {
 	// Name of the ServiceAccount used to request a token.
 	Name string `json:"name"`
+
+	// TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token
+	// consisting of the issuer's namespace and name is always included.
+	// +optional
+	TokenAudiences []string `json:"audiences,omitempty"`
 }

 type CAIssuer struct {
--- a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
@ -1414,6 +1414,7 @@ func Convert_certmanager_SelfSignedIssuer_To_v1alpha3_SelfSignedIssuer(in *certm

 func autoConvert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
+	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1424,6 +1425,7 @@ func Convert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *Ser

 func autoConvert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
+	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1589,7 +1591,6 @@ func autoConvert_v1alpha3_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth
 	}
 	out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
-	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1605,7 +1606,6 @@ func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha3_VaultKubernetesAuth
 	}
 	out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
-	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

--- a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
@ -913,6 +913,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
 	*out = *in
+	if in.TokenAudiences != nil {
+		in, out := &in.TokenAudiences, &out.TokenAudiences
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }

@ -1008,12 +1013,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	if in.ServiceAccountRef != nil {
 		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
 		*out = new(ServiceAccountRef)
-		**out = **in
-	}
-	if in.TokenAudiences != nil {
-		in, out := &in.TokenAudiences, &out.TokenAudiences
-		*out = make([]string, len(*in))
-		copy(*out, *in)
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
--- a/internal/apis/certmanager/v1beta1/types_issuer.go
+++ b/internal/apis/certmanager/v1beta1/types_issuer.go
@ -281,11 +281,6 @@ type VaultKubernetesAuth struct {
 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
 	Role string `json:"role"`
-
-	// TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token
-	// consisting of the issuer's namespace and name is always included.
-	// +optional
-	TokenAudiences []string `json:"audiences,omitempty"`
 }

 // ServiceAccountRef is a service account used by cert-manager to request a
@ -296,6 +291,11 @@ type VaultKubernetesAuth struct {
 type ServiceAccountRef struct {
 	// Name of the ServiceAccount used to request a token.
 	Name string `json:"name"`
+
+	// TokenAudiences is an option list of extra audiences to include in the token passed to Vault. The default token
+	// consisting of the issuer's namespace and name is always included.
+	// +optional
+	TokenAudiences []string `json:"audiences,omitempty"`
 }

 type CAIssuer struct {
--- a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
@ -1397,6 +1397,7 @@ func Convert_certmanager_SelfSignedIssuer_To_v1beta1_SelfSignedIssuer(in *certma

 func autoConvert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
+	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1407,6 +1408,7 @@ func Convert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *Serv

 func autoConvert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
+	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1572,7 +1574,6 @@ func autoConvert_v1beta1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(
 	}
 	out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
-	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

@ -1588,7 +1589,6 @@ func autoConvert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(
 	}
 	out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
-	out.TokenAudiences = *(*[]string)(unsafe.Pointer(&in.TokenAudiences))
 	return nil
 }

--- a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go
@ -913,6 +913,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
 	*out = *in
+	if in.TokenAudiences != nil {
+		in, out := &in.TokenAudiences, &out.TokenAudiences
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }

@ -1008,12 +1013,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	if in.ServiceAccountRef != nil {
 		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
 		*out = new(ServiceAccountRef)
-		**out = **in
-	}
-	if in.TokenAudiences != nil {
-		in, out := &in.TokenAudiences, &out.TokenAudiences
-		*out = make([]string, len(*in))
-		copy(*out, *in)
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
--- a/internal/apis/certmanager/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/zz_generated.deepcopy.go
@ -913,6 +913,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
 	*out = *in
+	if in.TokenAudiences != nil {
+		in, out := &in.TokenAudiences, &out.TokenAudiences
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }

@ -1008,12 +1013,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	if in.ServiceAccountRef != nil {
 		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
 		*out = new(ServiceAccountRef)
-		**out = **in
-	}
-	if in.TokenAudiences != nil {
-		in, out := &in.TokenAudiences, &out.TokenAudiences
-		*out = make([]string, len(*in))
-		copy(*out, *in)
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@ -403,7 +403,7 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
 		}
 		defaultAudience += v.issuer.GetName()

-		audiences := append(kubernetesAuth.TokenAudiences, defaultAudience)
+		audiences := append(kubernetesAuth.ServiceAccountRef.TokenAudiences, defaultAudience)

 		tokenrequest, err := v.createToken(context.Background(), kubernetesAuth.ServiceAccountRef.Name, &authv1.TokenRequest{
 			Spec: authv1.TokenRequestSpec{
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@ -724,11 +724,11 @@ func TestSetToken(t *testing.T) {
 							Role: "kube-vault-role",
 							ServiceAccountRef: &v1.ServiceAccountRef{
 								Name: "my-service-account",
+								TokenAudiences: []string{
+									"https://custom-audience",
+								},
 							},
 							Path: "my-path",
-							TokenAudiences: []string{
-								"https://custom-audience",
-							},
 						},
 					},
 				}),
@ -766,11 +766,11 @@ func TestSetToken(t *testing.T) {
 							Role: "kube-vault-role",
 							ServiceAccountRef: &v1.ServiceAccountRef{
 								Name: "my-service-account",
+								TokenAudiences: []string{
+									"https://custom-audience",
+								},
 							},
 							Path: "my-path",
-							TokenAudiences: []string{
-								"https://custom-audience",
-							},
 						},
 					},
 				}),
--- a/pkg/apis/certmanager/v1/types_issuer.go
+++ b/pkg/apis/certmanager/v1/types_issuer.go
@ -284,11 +284,6 @@ type VaultKubernetesAuth struct {
 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
 	Role string `json:"role"`
-
-	// TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
-	// consisting of the issuer's namespace and name is always included.
-	// +optional
-	TokenAudiences []string `json:"audiences,omitempty"`
 }

 // ServiceAccountRef is a service account used by cert-manager to request a
@ -299,6 +294,10 @@ type VaultKubernetesAuth struct {
 type ServiceAccountRef struct {
 	// Name of the ServiceAccount used to request a token.
 	Name string `json:"name"`
+	// TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+	// consisting of the issuer's namespace and name is always included.
+	// +optional
+	TokenAudiences []string `json:"audiences,omitempty"`
 }

 type CAIssuer struct {
--- a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
@ -913,6 +913,11 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
 	*out = *in
+	if in.TokenAudiences != nil {
+		in, out := &in.TokenAudiences, &out.TokenAudiences
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }

@ -1008,12 +1013,7 @@ func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	if in.ServiceAccountRef != nil {
 		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
 		*out = new(ServiceAccountRef)
-		**out = **in
-	}
-	if in.TokenAudiences != nil {
-		in, out := &in.TokenAudiences, &out.TokenAudiences
-		*out = make([]string, len(*in))
-		copy(*out, *in)
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }