From aed8a2ec85616fd68e93037efa577780d5fc5356 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Fri, 27 Jan 2023 18:00:55 +0100
Subject: [PATCH] serviceAccountRef: auto-generate "aud" and hardcode "exp"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Maƫl Valais
---
 internal/apis/certmanager/types_issuer.go     |  2 +-
 .../certmanager/v1/zz_generated.conversion.go | 20 ++-----
 .../apis/certmanager/v1alpha2/types_issuer.go |  2 +-
 .../v1alpha2/zz_generated.conversion.go       | 20 ++-----
 .../v1alpha2/zz_generated.deepcopy.go         |  6 +-
 .../apis/certmanager/v1alpha3/types_issuer.go |  2 +-
 .../v1alpha3/zz_generated.conversion.go       | 20 ++-----
 .../v1alpha3/zz_generated.deepcopy.go         |  6 +-
 .../apis/certmanager/v1beta1/types_issuer.go  |  2 +-
 .../v1beta1/zz_generated.conversion.go        | 20 ++-----
 .../v1beta1/zz_generated.deepcopy.go          |  6 +-
 .../apis/certmanager/zz_generated.deepcopy.go |  6 +-
 internal/vault/vault.go                       | 20 ++++++-
 internal/vault/vault_test.go                  | 58 +++++++++++++++----
 pkg/apis/certmanager/v1/types_issuer.go       |  4 +-
 .../certmanager/v1/zz_generated.deepcopy.go   |  6 +-
 test/unit/gen/issuer.go                       |  6 +-
 17 files changed, 94 insertions(+), 112 deletions(-)

diff --git a/internal/apis/certmanager/types_issuer.go b/internal/apis/certmanager/types_issuer.go
index 2ec46ce6b..7994b2522 100644
--- a/internal/apis/certmanager/types_issuer.go
+++ b/internal/apis/certmanager/types_issuer.go
@@ -245,7 +245,7 @@ type VaultKubernetesAuth struct {
 	// for authenticating with Vault. Use of 'ambient credentials' is not
 	// supported. This field should not be set if serviceAccountRef is set.
 	// +optional
-	SecretRef *cmmeta.SecretKeySelector
+	SecretRef cmmeta.SecretKeySelector
 
 	// A reference to a service account that will be used to request a bound
 	// token (also known as "projected token"). Compared to using "secretRef",
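Review bot: With `SecretRef` now a value instead of a pointer, the rule stated in the comment right above it (`This field should not be set if serviceAccountRef is set`) can no longer be checked with a nil test; whatever enforces the mutual exclusion has to treat `SecretRef.Name == ""` as "unset", and that code is not in this hunk, so I cannot tell whether it was adjusted. I would make the convention explicit in the comment, e.g. `// An empty name means this field is unset.`, so the asymmetry with the pointer-typed `ServiceAccountRef` reads as deliberate. The same pointer-to-value change is applied to the v1alpha2, v1alpha3, v1beta1 and pkg v1 types in later hunks.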
diff --git a/internal/apis/certmanager/v1/zz_generated.conversion.go b/internal/apis/certmanager/v1/zz_generated.conversion.go index 90ffe3508..41e6cd26b 100644 --- a/internal/apis/certmanager/v1/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1/zz_generated.conversion.go @@ -1459,14 +1459,8 @@ func Convert_certmanager_VaultIssuer_To_v1_VaultIssuer(in *certmanager.VaultIssu func autoConvert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *v1.VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error { out.Path = in.Path - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(meta.SecretKeySelector) - if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil { - return err - } - } else { - out.SecretRef = nil + if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil { + return err } out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role @@ -1480,14 +1474,8 @@ func Convert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *v1.Va func autoConvert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *v1.VaultKubernetesAuth, s conversion.Scope) error { out.Path = in.Path - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(apismetav1.SecretKeySelector) - if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil { - return err - } - } else { - out.SecretRef = nil + if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil { + return err } out.ServiceAccountRef = (*v1.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role 
diff --git a/internal/apis/certmanager/v1alpha2/types_issuer.go b/internal/apis/certmanager/v1alpha2/types_issuer.go index 6482f7159..601f42626 100644 --- a/internal/apis/certmanager/v1alpha2/types_issuer.go +++ b/internal/apis/certmanager/v1alpha2/types_issuer.go @@ -266,7 +266,7 @@ type VaultKubernetesAuth struct { // for authenticating with Vault. Use of 'ambient credentials' is not // supported. // +optional - SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"` + SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"` // A reference to a service account that will be used to request a bound // token (also known as "projected token"). Compared to using "secretRef", diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go index bdc7c4732..427b8c168 100644 --- a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go @@ -1475,14 +1475,8 @@ func Convert_certmanager_VaultIssuer_To_v1alpha2_VaultIssuer(in *certmanager.Vau func autoConvert_v1alpha2_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error { out.Path = in.Path - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(meta.SecretKeySelector) - if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil { - return err - } - } else { - out.SecretRef = nil + if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil { + return err } out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role 
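Review bot: `omitempty` on the now value-typed `SecretRef` is a no-op: encoding/json omits empty strings, numbers, nil pointers and empty slices/maps, never a struct value, so an unset `secretRef` will be serialized as an object (presumably `{"name":""}`, if the embedded `name` field carries no omitempty as in the upstream meta types) rather than being left out. The same tag is kept on the value-typed field in the v1alpha3, v1beta1 and pkg/apis/certmanager/v1 hunks below. If the value type is intentional, I would document that the field is present-but-empty on the wire and confirm that any CRD validation on `secretRef.name` tolerates the empty string; otherwise the pointer form this hunk removes is the one that actually makes the field optional.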
@@ -1496,14 +1490,8 @@ func Convert_v1alpha2_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha2_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error { out.Path = in.Path - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(metav1.SecretKeySelector) - if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil { - return err - } - } else { - out.SecretRef = nil + if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil { + return err } out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go index 40085f7ee..fba61454a 100644 --- a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go @@ -916,11 +916,7 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { *out = *in - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(metav1.SecretKeySelector) - **out = **in - } + out.SecretRef = in.SecretRef if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) diff --git a/internal/apis/certmanager/v1alpha3/types_issuer.go b/internal/apis/certmanager/v1alpha3/types_issuer.go index 23bb2c626..101f56c26 100644 --- a/internal/apis/certmanager/v1alpha3/types_issuer.go +++ b/internal/apis/certmanager/v1alpha3/types_issuer.go 
@@ -266,7 +266,7 @@ type VaultKubernetesAuth struct { // for authenticating with Vault. Use of 'ambient credentials' is not // supported. // +optional - SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"` + SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"` // A reference to a service account that will be used to request a bound // token (also known as "projected token"). Compared to using "secretRef", diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go index 93b52cb7d..958d721f4 100644 --- a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go @@ -1474,14 +1474,8 @@ func Convert_certmanager_VaultIssuer_To_v1alpha3_VaultIssuer(in *certmanager.Vau func autoConvert_v1alpha3_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error { out.Path = in.Path - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(meta.SecretKeySelector) - if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil { - return err - } - } else { - out.SecretRef = nil + if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil { + return err } out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role 
@@ -1495,14 +1489,8 @@ func Convert_v1alpha3_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha3_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error { out.Path = in.Path - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(metav1.SecretKeySelector) - if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil { - return err - } - } else { - out.SecretRef = nil + if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil { + return err } out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go index 2944da0f3..6f3bcaebc 100644 --- a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go @@ -911,11 +911,7 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { *out = *in - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(metav1.SecretKeySelector) - **out = **in - } + out.SecretRef = in.SecretRef if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) diff --git a/internal/apis/certmanager/v1beta1/types_issuer.go b/internal/apis/certmanager/v1beta1/types_issuer.go index ea464dc6a..d420cee40 100644 --- a/internal/apis/certmanager/v1beta1/types_issuer.go +++ b/internal/apis/certmanager/v1beta1/types_issuer.go 
@@ -268,7 +268,7 @@ type VaultKubernetesAuth struct { // for authenticating with Vault. Use of 'ambient credentials' is not // supported. // +optional - SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"` + SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"` // A reference to a service account that will be used to request a bound // token (also known as "projected token"). Compared to using "secretRef", diff --git a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go index 72457d36b..72b72178e 100644 --- a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go @@ -1467,14 +1467,8 @@ func Convert_certmanager_VaultIssuer_To_v1beta1_VaultIssuer(in *certmanager.Vaul func autoConvert_v1beta1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error { out.Path = in.Path - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(meta.SecretKeySelector) - if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil { - return err - } - } else { - out.SecretRef = nil + if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil { + return err } out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role 
@@ -1488,14 +1482,8 @@ func Convert_v1beta1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in * func autoConvert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error { out.Path = in.Path - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(metav1.SecretKeySelector) - if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil { - return err - } - } else { - out.SecretRef = nil + if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil { + return err } out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef)) out.Role = in.Role diff --git a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go index e49d641d5..7644138e1 100644 --- a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go @@ -911,11 +911,7 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { *out = *in - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(metav1.SecretKeySelector) - **out = **in - } + out.SecretRef = in.SecretRef if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) diff --git a/internal/apis/certmanager/zz_generated.deepcopy.go b/internal/apis/certmanager/zz_generated.deepcopy.go index c61107358..67361a89e 100644 --- a/internal/apis/certmanager/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/zz_generated.deepcopy.go 
@@ -911,11 +911,7 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { *out = *in - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(meta.SecretKeySelector) - **out = **in - } + out.SecretRef = in.SecretRef if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) diff --git a/internal/vault/vault.go b/internal/vault/vault.go index 1dc86d2ed..c8495715b 100644 --- a/internal/vault/vault.go +++ b/internal/vault/vault.go @@ -32,6 +32,7 @@ import ( authv1 "k8s.io/api/authentication/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" corelisters "k8s.io/client-go/listers/core/v1" + "k8s.io/utils/pointer" v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" 
@@ -389,10 +390,25 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
 		jwt = string(keyBytes)
 	case kubernetesAuth.ServiceAccountRef.Name != "":
+		aud := "vault://"
+		if v.issuer.GetNamespace() != "" {
+			aud += v.issuer.GetNamespace() + "/"
+		}
+		aud += v.issuer.GetName()
+
 		tokenrequest, err := v.createToken(context.Background(), kubernetesAuth.ServiceAccountRef.Name, &authv1.TokenRequest{
 			Spec: authv1.TokenRequestSpec{
-				Audiences:         []string{kubernetesAuth.ServiceAccountRef.Audience},
-				ExpirationSeconds: &kubernetesAuth.ServiceAccountRef.ExpirationSeconds,
+				// The audience is generated by cert-manager and can't be
+				// configured by the user for security reasons. The format is:
+				//   "vault:///" (for an Issuer)
+				//   "vault://" (for a ClusterIssuer)
+				Audiences: []string{aud},
+
+				// Since the JWT is only used to authenticate with Vault and is
+				// immediately discarded, 1 minute is more than enough. Note
+				// that all Kubernetes API servers won't accept that duration,
+				// they may return a JWT with a longer lifetime.
+				ExpirationSeconds: pointer.Int64(60),
 			},
 		}, metav1.CreateOptions{})
 		if err != nil {
diff --git a/internal/vault/vault_test.go b/internal/vault/vault_test.go
index 66edac29b..4f8acddc4 100644
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@@ -388,7 +388,7 @@ func TestSetToken(t *testing.T) {
 		expectedToken string
 		expectedErr   error
 
-		issuer          *cmapi.Issuer
+		issuer          cmapi.GenericIssuer
 		fakeLister      *listers.FakeSecretLister
 		mockCreateToken func(t *testing.T) CreateToken
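Review bot: `ExpirationSeconds: pointer.Int64(60)` is below what kube-apiserver accepts for a TokenRequest — its validation rejects an `expirationSeconds` under 10 minutes (`may not specify a duration less than 10 minutes`), so the serviceAccountRef path would fail against a real API server even though the fake `createToken` used by the tests accepts any value. I would use `ExpirationSeconds: pointer.Int64(600),` and rewrite the comment above it, which currently states the opposite of what it means ("all Kubernetes API servers won't accept that duration"), to something like `// Since the JWT is only used to authenticate with Vault and is immediately discarded, 10 minutes is more than enough; the API server rejects shorter durations and may still return a token with a longer lifetime.` The audience comment reads here as `"vault:///"` and `"vault://"` with no placeholder names, which may be an extraction artefact, but in the source it should spell out the shape the tests assert (`vault://<namespace>/<issuer-name>` for an Issuer, `vault://<cluster-issuer-name>` for a ClusterIssuer). The enclosing `requestTokenWithKubernetesAuth` starts and ends outside this hunk.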
@@ -641,17 +641,15 @@ func TestSetToken(t *testing.T) {
 			expectedErr:   nil,
 		},
 
-		"if kubernetes.serviceAccountRef set, request token and exchange it for a vault token": {
+		"if kubernetes.serviceAccountRef set, request token and exchange it for a vault token (Issuer)": {
 			issuer: gen.Issuer("vault-issuer",
 				gen.SetIssuerVault(cmapi.VaultIssuer{
 					CABundle: []byte(testLeafCertificate),
 					Auth: cmapi.VaultAuth{
 						Kubernetes: &cmapi.VaultKubernetesAuth{
 							Role: "kube-vault-role",
-							ServiceAccountRef: v1.ServiceAccountRef{
-								Name:              "my-service-account",
-								Audience:          "my-audience",
-								ExpirationSeconds: 100,
+							ServiceAccountRef: &v1.ServiceAccountRef{
+								Name: "my-service-account",
 							},
 							Path: "my-path",
 						},
@@ -661,8 +659,45 @@ func TestSetToken(t *testing.T) {
 			mockCreateToken: func(t *testing.T) CreateToken {
 				return func(_ context.Context, saName string, req *authv1.TokenRequest, _ metav1.CreateOptions) (*authv1.TokenRequest, error) {
 					assert.Equal(t, "my-service-account", saName)
-					assert.Equal(t, "my-audience", req.Spec.Audiences[0])
-					assert.Equal(t, int64(100), *req.Spec.ExpirationSeconds)
+					assert.Equal(t, "vault://default-unit-test-ns/vault-issuer", req.Spec.Audiences[0])
+					assert.Equal(t, int64(60), *req.Spec.ExpirationSeconds)
+					return &authv1.TokenRequest{Status: authv1.TokenRequestStatus{
+						Token: "kube-sa-token",
+					}}, nil
+				}
+			},
+			fakeClient: vaultfake.NewFakeClient().WithRawRequestFn(func(t *testing.T, req *vault.Request) (*vault.Response, error) {
+				// Vault exhanges the Kubernetes token with a Vault token.
+				assert.Equal(t, "kube-sa-token", req.Obj.(map[string]string)["jwt"])
+				assert.Equal(t, "kube-vault-role", req.Obj.(map[string]string)["role"])
+				return &vault.Response{Response: &http.Response{Body: io.NopCloser(strings.NewReader(
+					`{"request_id":"","lease_id":"","lease_duration":0,"renewable":false,"data":null,"warnings":null,"data":{"id":"vault-token"}}`,
+				))}}, nil
+			}),
+			expectedToken: "vault-token",
+			expectedErr:   nil,
+		},
+
+		"if kubernetes.serviceAccountRef set, request token and exchange it for a vault token (ClusterIssuer)": {
+			issuer: gen.ClusterIssuer("vault-issuer",
+				gen.SetIssuerVault(cmapi.VaultIssuer{
+					CABundle: []byte(testLeafCertificate),
+					Auth: cmapi.VaultAuth{
+						Kubernetes: &cmapi.VaultKubernetesAuth{
+							Role: "kube-vault-role",
+							ServiceAccountRef: &v1.ServiceAccountRef{
+								Name: "my-service-account",
+							},
+							Path: "my-path",
+						},
+					},
+				}),
+			),
+			mockCreateToken: func(t *testing.T) CreateToken {
+				return func(_ context.Context, saName string, req *authv1.TokenRequest, _ metav1.CreateOptions) (*authv1.TokenRequest, error) {
+					assert.Equal(t, "my-service-account", saName)
+					assert.Equal(t, "vault://vault-issuer", req.Spec.Audiences[0])
+					assert.Equal(t, int64(60), *req.Spec.ExpirationSeconds)
 					return &authv1.TokenRequest{Status: authv1.TokenRequestStatus{
 						Token: "kube-sa-token",
 					}}, nil
@@ -692,6 +727,7 @@ func TestSetToken(t *testing.T) {
 			if test.mockCreateToken != nil {
 				mockCreateToken = test.mockCreateToken(t)
 			}
+
 			v := &Vault{
 				namespace:     "test-namespace",
 				secretsLister: test.fakeLister,
@@ -1076,10 +1112,8 @@ func TestNewConfig(t *testing.T) {
 				Auth: cmapi.VaultAuth{
 					Kubernetes: &cmapi.VaultKubernetesAuth{
 						Role: "my-role",
-						ServiceAccountRef: v1.ServiceAccountRef{
-							Name:              "my-sa",
-							Audience:          "my-audience",
-							ExpirationSeconds: 100,
+						ServiceAccountRef: &v1.ServiceAccountRef{
+							Name: "my-sa",
 						},
 					},
 				}})),
diff --git a/pkg/apis/certmanager/v1/types_issuer.go b/pkg/apis/certmanager/v1/types_issuer.go
index 94da0d398..ddd246372 100644
--- a/pkg/apis/certmanager/v1/types_issuer.go
+++ b/pkg/apis/certmanager/v1/types_issuer.go
@@ -270,7 +270,9 @@ type VaultKubernetesAuth struct {
 	// for authenticating with Vault. Use of 'ambient credentials' is not
 	// supported.
 	// +optional
-	SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+	SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+	// Note: it should be a pointer because it is optional. However, for
+	// backward compatibility, we cannot change it to a pointer.
 
 	// A reference to a service account that will be used to request a bound
 	// token (also known as "projected token"). Compared to using "secretRef",
diff --git a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
index 262c7239e..8ba5ea3aa 100644
--- a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
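Review bot: Both new cases pin `assert.Equal(t, int64(60), *req.Spec.ExpirationSeconds)`, which only proves the constant is passed through — the fake `createToken` never applies the API server's 10-minute minimum for TokenRequest, so the test stays green on a value a real cluster rejects; if the constant is raised to 600 these two assertions (and the `(Issuer)` case at the top of the hunk) must follow, and asserting against a named constant shared with vault.go would keep them from drifting. Typo in the added comment: `// Vault exhanges the Kubernetes token with a Vault token.` should read `exchanges`. The fake Vault response literal repeats the `"data"` key (`"data":null,...,"data":{"id":"vault-token"}`); encoding/json keeps the last value so it works, but dropping the first `"data":null` avoids a misleading fixture. The TestSetToken table this hunk edits starts before and ends after it.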
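Review bot: The added `// Note: it should be a pointer because it is optional. However, for backward compatibility, we cannot change it to a pointer.` sits directly under a line that changes the field from a pointer to a value, so a reader of this diff sees the comment contradict the change; presumably the pointer form was never released and this restores the shipped v1 shape, in which case the note should say so. It would also help to spell out what compatibility is at stake — the Go type seen by consumers of pkg/apis, and the serialized form, where a value-typed `secretRef` is always emitted despite `omitempty` — for example `// Note: this would be a pointer if added today, since it is optional; it stays a value because changing the Go type would break existing consumers of this package, and an unset secretRef therefore still serializes as an empty object.`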
@@ -911,11 +911,7 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) { *out = *in - if in.SecretRef != nil { - in, out := &in.SecretRef, &out.SecretRef - *out = new(apismetav1.SecretKeySelector) - **out = **in - } + out.SecretRef = in.SecretRef if in.ServiceAccountRef != nil { in, out := &in.ServiceAccountRef, &out.ServiceAccountRef *out = new(ServiceAccountRef) diff --git a/test/unit/gen/issuer.go b/test/unit/gen/issuer.go index 749e2b7d2..f4f076824 100644 --- a/test/unit/gen/issuer.go +++ b/test/unit/gen/issuer.go @@ -354,10 +354,8 @@ func SetIssuerVaultKubernetesAuthServiceAccount(serviceAccount, role, path strin spec.Vault.Auth.Kubernetes = &v1.VaultKubernetesAuth{ Path: path, Role: role, - ServiceAccountRef: v1.ServiceAccountRef{ - Name: serviceAccount, - Audience: "vault", - ExpirationSeconds: 600, + ServiceAccountRef: &v1.ServiceAccountRef{ + Name: serviceAccount, }, }