serviceAccountRef: remove aud and exp, secretRef now a pointer

Changing SecretRef to be a pointer will break people using the package as a library. I disabled the ability to set the audience and expiry time for security reasons: We decided to generate the audience dynamically instead of letting the user configure it, and we also decided to encode the namespace and issuer name into the audience to remediate the risk of hijacking an existing issuer and service account with a malicious issuer. Regarding the expiration duration of the JWT, it doesn't make sense to let the user configure it since cert-manager will authenticate using the JWT and immediately discard it. We thought that 1 minute would be acceptable, although the Kubernetes API server may return a totally different duration. Signed-off-by: Maël Valais <mael@vls.dev>
2023-01-27 17:19:56 +01:00 · 2023-01-27 17:19:56 +01:00 · bfce543640
commit bfce543640
parent 76eef68730
17 changed files with 347 additions and 105 deletions
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@ -1152,13 +1152,6 @@ spec:
                              required:
                                - name
                              properties:
-                                audience:
-                                  description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.
-                                  type: string
-                                expirationSeconds:
-                                  description: ExpirationSeconds is the requested duration of validity of the service account token. Defaults to 1 hour and must be at least 10 minutes.
-                                  type: integer
-                                  format: int64
                                name:
                                  description: Name of the ServiceAccount used to request a token.
                                  type: string
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@ -1152,13 +1152,6 @@ spec:
                              required:
                                - name
                              properties:
-                                audience:
-                                  description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.
-                                  type: string
-                                expirationSeconds:
-                                  description: ExpirationSeconds is the requested duration of validity of the service account token. Defaults to 1 hour and must be at least 10 minutes.
-                                  type: integer
-                                  format: int64
                                name:
                                  description: Name of the ServiceAccount used to request a token.
                                  type: string
--- a/internal/apis/certmanager/types_issuer.go
+++ b/internal/apis/certmanager/types_issuer.go
@ -232,7 +232,7 @@ type VaultAppRole struct {
 	SecretRef cmmeta.SecretKeySelector
 }

-// VaultKubernetesAuth is used to authenticate against Vault using a Kubernetes ServiceAccount token stored in
+// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
 // a Secret.
 type VaultKubernetesAuth struct {
 	// The Vault mountPath here is the mount path to use when authenticating with
@ -244,7 +244,8 @@ type VaultKubernetesAuth struct {
 	// The required Secret field containing a Kubernetes ServiceAccount JWT used
 	// for authenticating with Vault. Use of 'ambient credentials' is not
 	// supported. This field should not be set if serviceAccountRef is set.
-	SecretRef cmmeta.SecretKeySelector
+	// +optional
+	SecretRef *cmmeta.SecretKeySelector

 	// A reference to a service account that will be used to request a bound
 	// token (also known as "projected token"). Compared to using "secretRef",
@ -252,7 +253,7 @@ type VaultKubernetesAuth struct {
 	// use this field, you must configure an RBAC rule to let cert-manager
 	// request a token. See <link to a page in cert-manager.io> to learn more.
 	// +optional
-	ServiceAccountRef ServiceAccountRef `json:"serviceAccountRef,omitempty"`
+	ServiceAccountRef *ServiceAccountRef

 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
@ -260,22 +261,13 @@ type VaultKubernetesAuth struct {
 }

 // ServiceAccountRef is a service account used by cert-manager to request a
-// token.
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 10 minutes.
 type ServiceAccountRef struct {
 	// Name of the ServiceAccount used to request a token.
-	Name string `json:"name"`
-
-	// Audience is the intended audience of the token. A recipient of a token
-	// must identify itself with an identifier specified in the audience of the
-	// token, and otherwise should reject the token. The audience defaults to the
-	// identifier of the apiserver.
-	// +optional
-	Audience string `json:"audience,omitempty"`
-
-	// ExpirationSeconds is the requested duration of validity of the service
-	// account token. Defaults to 1 hour and must be at least 10 minutes.
-	// +optional
-	ExpirationSeconds int64 `json:"expirationSeconds,omitempty"`
+	Name string
 }

 // CAIssuer configures an issuer that can issue certificates from its provided
--- a/internal/apis/certmanager/v1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1/zz_generated.conversion.go
@ -1289,8 +1289,6 @@ func Convert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer(in *certmanager

 func autoConvert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *v1.ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
-	out.Audience = in.Audience
-	out.ExpirationSeconds = in.ExpirationSeconds
 	return nil
 }

@ -1301,8 +1299,6 @@ func Convert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *v1.Servic

 func autoConvert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *v1.ServiceAccountRef, s conversion.Scope) error {
 	out.Name = in.Name
-	out.Audience = in.Audience
-	out.ExpirationSeconds = in.ExpirationSeconds
 	return nil
 }

@ -1463,12 +1459,16 @@ func Convert_certmanager_VaultIssuer_To_v1_VaultIssuer(in *certmanager.VaultIssu

 func autoConvert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *v1.VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
 	out.Path = in.Path
-	if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
-		return err
-	}
-	if err := Convert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(&in.ServiceAccountRef, &out.ServiceAccountRef, s); err != nil {
-		return err
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.SecretKeySelector)
+		if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretRef = nil
 	}
+	out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
 	return nil
 }
@ -1480,12 +1480,16 @@ func Convert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *v1.Va

 func autoConvert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *v1.VaultKubernetesAuth, s conversion.Scope) error {
 	out.Path = in.Path
-	if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
-		return err
-	}
-	if err := Convert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(&in.ServiceAccountRef, &out.ServiceAccountRef, s); err != nil {
-		return err
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretRef = nil
 	}
+	out.ServiceAccountRef = (*v1.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
 	return nil
 }
--- a/internal/apis/certmanager/v1alpha2/types_issuer.go
+++ b/internal/apis/certmanager/v1alpha2/types_issuer.go
@ -266,13 +266,31 @@ type VaultKubernetesAuth struct {
 	// for authenticating with Vault. Use of 'ambient credentials' is not
 	// supported.
 	// +optional
-	SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+	SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+
+	// A reference to a service account that will be used to request a bound
+	// token (also known as "projected token"). Compared to using "secretRef",
+	// using this field means that you don't rely on statically bound tokens. To
+	// use this field, you must configure an RBAC rule to let cert-manager
+	// request a token. See <link to a page in cert-manager.io> to learn more.
+	// +optional
+	ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`

 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
 	Role string `json:"role"`
 }

+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 10 minutes.
+type ServiceAccountRef struct {
+	// Name of the ServiceAccount used to request a token.
+	Name string `json:"name"`
+}
+
 type CAIssuer struct {
 	// SecretName is the name of the secret used to sign Certificates issued
 	// by this Issuer.
--- a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
@ -277,6 +277,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*ServiceAccountRef)(nil), (*certmanager.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(a.(*ServiceAccountRef), b.(*certmanager.ServiceAccountRef), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certmanager.ServiceAccountRef)(nil), (*ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(a.(*certmanager.ServiceAccountRef), b.(*ServiceAccountRef), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*VaultAppRole)(nil), (*certmanager.VaultAppRole)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_VaultAppRole_To_certmanager_VaultAppRole(a.(*VaultAppRole), b.(*certmanager.VaultAppRole), scope)
 	}); err != nil {
@ -312,11 +322,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*certmanager.VaultKubernetesAuth)(nil), (*VaultKubernetesAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_certmanager_VaultKubernetesAuth_To_v1alpha2_VaultKubernetesAuth(a.(*certmanager.VaultKubernetesAuth), b.(*VaultKubernetesAuth), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*VenafiCloud)(nil), (*certmanager.VenafiCloud)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_VenafiCloud_To_certmanager_VenafiCloud(a.(*VenafiCloud), b.(*certmanager.VenafiCloud), scope)
 	}); err != nil {
@ -367,6 +372,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*certmanager.VaultKubernetesAuth)(nil), (*VaultKubernetesAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_certmanager_VaultKubernetesAuth_To_v1alpha2_VaultKubernetesAuth(a.(*certmanager.VaultKubernetesAuth), b.(*VaultKubernetesAuth), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*certmanager.X509Subject)(nil), (*X509Subject)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_certmanager_X509Subject_To_v1alpha2_X509Subject(a.(*certmanager.X509Subject), b.(*X509Subject), scope)
 	}); err != nil {
@ -1293,6 +1303,26 @@ func Convert_certmanager_SelfSignedIssuer_To_v1alpha2_SelfSignedIssuer(in *certm
 	return autoConvert_certmanager_SelfSignedIssuer_To_v1alpha2_SelfSignedIssuer(in, out, s)
 }

+func autoConvert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef is an autogenerated conversion function.
+func Convert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+	return autoConvert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in, out, s)
+}
+
+func autoConvert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef is an autogenerated conversion function.
+func Convert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+	return autoConvert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(in, out, s)
+}
+
 func autoConvert_v1alpha2_VaultAppRole_To_certmanager_VaultAppRole(in *VaultAppRole, out *certmanager.VaultAppRole, s conversion.Scope) error {
 	out.Path = in.Path
 	out.RoleId = in.RoleId
@ -1445,9 +1475,16 @@ func Convert_certmanager_VaultIssuer_To_v1alpha2_VaultIssuer(in *certmanager.Vau

 func autoConvert_v1alpha2_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
 	out.Path = in.Path
-	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
-		return err
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.SecretKeySelector)
+		if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretRef = nil
 	}
+	out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
 	return nil
 }
@ -1459,10 +1496,16 @@ func Convert_v1alpha2_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in

 func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha2_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
 	out.Path = in.Path
-	if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
-		return err
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretRef = nil
 	}
-	// WARNING: in.ServiceAccountRef requires manual conversion: does not exist in peer-type
+	out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
 	return nil
 }
--- a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
@ -822,6 +822,22 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.
+func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceAccountRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
 	*out = *in
@ -855,7 +871,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
 	if in.Kubernetes != nil {
 		in, out := &in.Kubernetes, &out.Kubernetes
 		*out = new(VaultKubernetesAuth)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@ -900,7 +916,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	*out = *in
-	out.SecretRef = in.SecretRef
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		**out = **in
+	}
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(ServiceAccountRef)
+		**out = **in
+	}
 	return
 }

--- a/internal/apis/certmanager/v1alpha3/types_issuer.go
+++ b/internal/apis/certmanager/v1alpha3/types_issuer.go
@ -266,13 +266,31 @@ type VaultKubernetesAuth struct {
 	// for authenticating with Vault. Use of 'ambient credentials' is not
 	// supported.
 	// +optional
-	SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+	SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+
+	// A reference to a service account that will be used to request a bound
+	// token (also known as "projected token"). Compared to using "secretRef",
+	// using this field means that you don't rely on statically bound tokens. To
+	// use this field, you must configure an RBAC rule to let cert-manager
+	// request a token. See <link to a page in cert-manager.io> to learn more.
+	// +optional
+	ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`

 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
 	Role string `json:"role"`
 }

+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 10 minutes.
+type ServiceAccountRef struct {
+	// Name of the ServiceAccount used to request a token.
+	Name string `json:"name"`
+}
+
 type CAIssuer struct {
 	// SecretName is the name of the secret used to sign Certificates issued
 	// by this Issuer.
--- a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
@ -277,6 +277,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*ServiceAccountRef)(nil), (*certmanager.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(a.(*ServiceAccountRef), b.(*certmanager.ServiceAccountRef), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certmanager.ServiceAccountRef)(nil), (*ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(a.(*certmanager.ServiceAccountRef), b.(*ServiceAccountRef), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*VaultAppRole)(nil), (*certmanager.VaultAppRole)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha3_VaultAppRole_To_certmanager_VaultAppRole(a.(*VaultAppRole), b.(*certmanager.VaultAppRole), scope)
 	}); err != nil {
@ -1292,6 +1302,26 @@ func Convert_certmanager_SelfSignedIssuer_To_v1alpha3_SelfSignedIssuer(in *certm
 	return autoConvert_certmanager_SelfSignedIssuer_To_v1alpha3_SelfSignedIssuer(in, out, s)
 }

+func autoConvert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef is an autogenerated conversion function.
+func Convert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+	return autoConvert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in, out, s)
+}
+
+func autoConvert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef is an autogenerated conversion function.
+func Convert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+	return autoConvert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(in, out, s)
+}
+
 func autoConvert_v1alpha3_VaultAppRole_To_certmanager_VaultAppRole(in *VaultAppRole, out *certmanager.VaultAppRole, s conversion.Scope) error {
 	out.Path = in.Path
 	out.RoleId = in.RoleId
@ -1444,9 +1474,16 @@ func Convert_certmanager_VaultIssuer_To_v1alpha3_VaultIssuer(in *certmanager.Vau

 func autoConvert_v1alpha3_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
 	out.Path = in.Path
-	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
-		return err
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.SecretKeySelector)
+		if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretRef = nil
 	}
+	out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
 	return nil
 }
@ -1458,10 +1495,16 @@ func Convert_v1alpha3_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in

 func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha3_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
 	out.Path = in.Path
-	if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
-		return err
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretRef = nil
 	}
-	// WARNING: in.ServiceAccountRef requires manual conversion: does not exist in peer-type
+	out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
 	return nil
 }
--- a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
@ -817,6 +817,22 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.
+func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceAccountRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
 	*out = *in
@ -850,7 +866,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
 	if in.Kubernetes != nil {
 		in, out := &in.Kubernetes, &out.Kubernetes
 		*out = new(VaultKubernetesAuth)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@ -895,7 +911,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	*out = *in
-	out.SecretRef = in.SecretRef
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		**out = **in
+	}
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(ServiceAccountRef)
+		**out = **in
+	}
 	return
 }

--- a/internal/apis/certmanager/v1beta1/conversion.go
+++ b/internal/apis/certmanager/v1beta1/conversion.go
@ -1,10 +0,0 @@
-package v1beta1
-
-import (
-	certmanager "github.com/cert-manager/cert-manager/internal/apis/certmanager"
-	conversion "k8s.io/apimachinery/pkg/conversion"
-)
-
-func Convert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
-	return autoConvert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in, out, s)
-}
--- a/internal/apis/certmanager/v1beta1/types_issuer.go
+++ b/internal/apis/certmanager/v1beta1/types_issuer.go
@ -268,13 +268,31 @@ type VaultKubernetesAuth struct {
 	// for authenticating with Vault. Use of 'ambient credentials' is not
 	// supported.
 	// +optional
-	SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+	SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+
+	// A reference to a service account that will be used to request a bound
+	// token (also known as "projected token"). Compared to using "secretRef",
+	// using this field means that you don't rely on statically bound tokens. To
+	// use this field, you must configure an RBAC rule to let cert-manager
+	// request a token. See <link to a page in cert-manager.io> to learn more.
+	// +optional
+	ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`

 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
 	Role string `json:"role"`
 }

+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 1 minute.
+type ServiceAccountRef struct {
+	// Name of the ServiceAccount used to request a token.
+	Name string `json:"name"`
+}
+
 type CAIssuer struct {
 	// SecretName is the name of the secret used to sign Certificates issued
 	// by this Issuer.
--- a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
@ -302,6 +302,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*ServiceAccountRef)(nil), (*certmanager.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(a.(*ServiceAccountRef), b.(*certmanager.ServiceAccountRef), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certmanager.ServiceAccountRef)(nil), (*ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(a.(*certmanager.ServiceAccountRef), b.(*ServiceAccountRef), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*VaultAppRole)(nil), (*certmanager.VaultAppRole)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta1_VaultAppRole_To_certmanager_VaultAppRole(a.(*VaultAppRole), b.(*certmanager.VaultAppRole), scope)
 	}); err != nil {
@ -1285,6 +1295,26 @@ func Convert_certmanager_SelfSignedIssuer_To_v1beta1_SelfSignedIssuer(in *certma
 	return autoConvert_certmanager_SelfSignedIssuer_To_v1beta1_SelfSignedIssuer(in, out, s)
 }

+func autoConvert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef is an autogenerated conversion function.
+func Convert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+	return autoConvert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in, out, s)
+}
+
+func autoConvert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef is an autogenerated conversion function.
+func Convert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+	return autoConvert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(in, out, s)
+}
+
 func autoConvert_v1beta1_VaultAppRole_To_certmanager_VaultAppRole(in *VaultAppRole, out *certmanager.VaultAppRole, s conversion.Scope) error {
 	out.Path = in.Path
 	out.RoleId = in.RoleId
@ -1437,9 +1467,16 @@ func Convert_certmanager_VaultIssuer_To_v1beta1_VaultIssuer(in *certmanager.Vaul

 func autoConvert_v1beta1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
 	out.Path = in.Path
-	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
-		return err
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.SecretKeySelector)
+		if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretRef = nil
 	}
+	out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
 	return nil
 }
@ -1451,14 +1488,25 @@ func Convert_v1beta1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *

 func autoConvert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
 	out.Path = in.Path
-	if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
-		return err
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretRef = nil
 	}
-	// WARNING: in.ServiceAccountRef requires manual conversion: does not exist in peer-type
+	out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
 	out.Role = in.Role
 	return nil
 }

+// Convert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth is an autogenerated conversion function.
+func Convert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
+	return autoConvert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in, out, s)
+}
+
 func autoConvert_v1beta1_VenafiCloud_To_certmanager_VenafiCloud(in *VenafiCloud, out *certmanager.VenafiCloud, s conversion.Scope) error {
 	out.URL = in.URL
 	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.APITokenSecretRef, &out.APITokenSecretRef, s); err != nil {
--- a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go
@ -817,6 +817,22 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.
+func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceAccountRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
 	*out = *in
@ -850,7 +866,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
 	if in.Kubernetes != nil {
 		in, out := &in.Kubernetes, &out.Kubernetes
 		*out = new(VaultKubernetesAuth)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@ -895,7 +911,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	*out = *in
-	out.SecretRef = in.SecretRef
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		**out = **in
+	}
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(ServiceAccountRef)
+		**out = **in
+	}
 	return
 }

--- a/internal/apis/certmanager/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/zz_generated.deepcopy.go
@ -866,7 +866,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
 	if in.Kubernetes != nil {
 		in, out := &in.Kubernetes, &out.Kubernetes
 		*out = new(VaultKubernetesAuth)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@ -911,8 +911,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	*out = *in
-	out.SecretRef = in.SecretRef
-	out.ServiceAccountRef = in.ServiceAccountRef
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.SecretKeySelector)
+		**out = **in
+	}
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(ServiceAccountRef)
+		**out = **in
+	}
 	return
 }

--- a/pkg/apis/certmanager/v1/types_issuer.go
+++ b/pkg/apis/certmanager/v1/types_issuer.go
@ -270,7 +270,7 @@ type VaultKubernetesAuth struct {
 	// for authenticating with Vault. Use of 'ambient credentials' is not
 	// supported.
 	// +optional
-	SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+	SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"`

 	// A reference to a service account that will be used to request a bound
 	// token (also known as "projected token"). Compared to using "secretRef",
@ -278,7 +278,7 @@ type VaultKubernetesAuth struct {
 	// use this field, you must configure an RBAC rule to let cert-manager
 	// request a token. See <link to a page in cert-manager.io> to learn more.
 	// +optional
-	ServiceAccountRef ServiceAccountRef `json:"serviceAccountRef,omitempty"`
+	ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`

 	// A required field containing the Vault Role to assume. A Role binds a
 	// Kubernetes ServiceAccount with a set of Vault policies.
@ -286,22 +286,13 @@ type VaultKubernetesAuth struct {
 }

 // ServiceAccountRef is a service account used by cert-manager to request a
-// token.
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 10 minutes.
 type ServiceAccountRef struct {
 	// Name of the ServiceAccount used to request a token.
 	Name string `json:"name"`
-
-	// Audience is the intended audience of the token. A recipient of a token
-	// must identify itself with an identifier specified in the audience of the
-	// token, and otherwise should reject the token. The audience defaults to the
-	// identifier of the apiserver.
-	// +optional
-	Audience string `json:"audience,omitempty"`
-
-	// ExpirationSeconds is the requested duration of validity of the service
-	// account token. Defaults to 1 hour and must be at least 10 minutes.
-	// +optional
-	ExpirationSeconds int64 `json:"expirationSeconds,omitempty"`
 }

 type CAIssuer struct {
--- a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
@ -866,7 +866,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
 	if in.Kubernetes != nil {
 		in, out := &in.Kubernetes, &out.Kubernetes
 		*out = new(VaultKubernetesAuth)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@ -911,8 +911,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
 	*out = *in
-	out.SecretRef = in.SecretRef
-	out.ServiceAccountRef = in.ServiceAccountRef
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		**out = **in
+	}
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(ServiceAccountRef)
+		**out = **in
+	}
 	return
 }