diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml
index d8ddacfba..2461df9dc 100644
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@@ -1152,13 +1152,6 @@ spec:
required:
- name
properties:
- audience:
- description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.
- type: string
- expirationSeconds:
- description: ExpirationSeconds is the requested duration of validity of the service account token. Defaults to 1 hour and must be at least 10 minutes.
- type: integer
- format: int64
name:
description: Name of the ServiceAccount used to request a token.
type: string
diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml
index cff094021..674a5a453 100644
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@@ -1152,13 +1152,6 @@ spec:
required:
- name
properties:
- audience:
- description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.
- type: string
- expirationSeconds:
- description: ExpirationSeconds is the requested duration of validity of the service account token. Defaults to 1 hour and must be at least 10 minutes.
- type: integer
- format: int64
name:
description: Name of the ServiceAccount used to request a token.
type: string
diff --git a/internal/apis/certmanager/types_issuer.go b/internal/apis/certmanager/types_issuer.go
index 65aa20710..2ec46ce6b 100644
--- a/internal/apis/certmanager/types_issuer.go
+++ b/internal/apis/certmanager/types_issuer.go
@@ -232,7 +232,7 @@ type VaultAppRole struct {
SecretRef cmmeta.SecretKeySelector
}
-// VaultKubernetesAuth is used to authenticate against Vault using a Kubernetes ServiceAccount token stored in
+// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
// a Secret.
type VaultKubernetesAuth struct {
// The Vault mountPath here is the mount path to use when authenticating with
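Review bot: The rewritten doc comment at the top of this hunk no longer begins with the type name, which drops the Go convention for exported identifiers that golint/staticcheck flag, and "stored in a Secret" is now only half the story because the same change adds a serviceAccountRef alternative. I would write `// VaultKubernetesAuth authenticates against Vault using a Kubernetes ServiceAccount token, either` / `// read from a Secret (secretRef) or requested on demand (serviceAccountRef).` The struct definition continues past the end of this hunk.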
@@ -244,7 +244,8 @@ type VaultKubernetesAuth struct {
// The required Secret field containing a Kubernetes ServiceAccount JWT used
// for authenticating with Vault. Use of 'ambient credentials' is not
// supported. This field should not be set if serviceAccountRef is set.
- SecretRef cmmeta.SecretKeySelector
+ // +optional
+ SecretRef *cmmeta.SecretKeySelector
// A reference to a service account that will be used to request a bound
// token (also known as "projected token"). Compared to using "secretRef",
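Review bot: The field comment kept above the new pointer field still calls SecretRef "The required Secret field", which now contradicts the `+optional` marker added directly beneath it. Suggest `// The Secret containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. Exactly one of secretRef and serviceAccountRef must be set.` With both fields now optional pointers, the "exactly one" rule has to be enforced by the Issuer/ClusterIssuer validation code, which is not part of this diff; it is worth confirming that was updated in the same change, otherwise an issuer with neither set will reach the Vault login path with no credential at all. The struct starts and ends outside this hunk.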
@@ -252,7 +253,7 @@ type VaultKubernetesAuth struct {
// use this field, you must configure an RBAC rule to let cert-manager
// request a token. See to learn more.
// +optional
- ServiceAccountRef ServiceAccountRef `json:"serviceAccountRef,omitempty"`
+ ServiceAccountRef *ServiceAccountRef
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
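Review bot: The sentence `// request a token. See to learn more.` carried onto the new side of this hunk has lost its link target, so it points the reader nowhere; either restore the URL or reword it, e.g. `// request a token. See the cert-manager Vault issuer documentation to learn more.` Since the RBAC rule mentioned here is a real privilege grant to the cert-manager service account (presumably create on serviceaccounts/token), naming the exact verb and resource in the comment would help operators scope it to the minimum. The enclosing struct continues outside the hunk.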
@@ -260,22 +261,13 @@ type VaultKubernetesAuth struct {
}
// ServiceAccountRef is a service account used by cert-manager to request a
-// token.
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 10 minutes.
type ServiceAccountRef struct {
// Name of the ServiceAccount used to request a token.
- Name string `json:"name"`
-
- // Audience is the intended audience of the token. A recipient of a token
- // must identify itself with an identifier specified in the audience of the
- // token, and otherwise should reject the token. The audience defaults to the
- // identifier of the apiserver.
- // +optional
- Audience string `json:"audience,omitempty"`
-
- // ExpirationSeconds is the requested duration of validity of the service
- // account token. Defaults to 1 hour and must be at least 10 minutes.
- // +optional
- ExpirationSeconds int64 `json:"expirationSeconds,omitempty"`
+ Name string
}
// CAIssuer configures an issuer that can issue certificates from its provided
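Review bot: The new ServiceAccountRef doc comment states the audience format and the 10-minute lifetime as fixed facts, but both values are produced by controller code that is not in this diff, so the comment and the implementation can drift silently; a pointer to the constant or function that sets them would keep them in sync. For operators the more important caveat is missing: a token bound to the audience `vault://namespace-name/issuer-name` will, as far as I can tell, only be accepted if the Vault Kubernetes auth role is configured with that same audience, so I would add `// The Vault Kubernetes auth role used with this issuer must be configured with this audience, otherwise the token will be rejected.` On the positive side, binding the audience to the issuer name means a token minted for one issuer cannot be replayed against another Vault role, which is worth stating as the reason the audience is not configurable.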
diff --git a/internal/apis/certmanager/v1/zz_generated.conversion.go b/internal/apis/certmanager/v1/zz_generated.conversion.go
index f570a6723..90ffe3508 100644
--- a/internal/apis/certmanager/v1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1/zz_generated.conversion.go
@@ -1289,8 +1289,6 @@ func Convert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer(in *certmanager
func autoConvert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *v1.ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
out.Name = in.Name
- out.Audience = in.Audience
- out.ExpirationSeconds = in.ExpirationSeconds
return nil
}
@@ -1301,8 +1299,6 @@ func Convert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *v1.Servic
func autoConvert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *v1.ServiceAccountRef, s conversion.Scope) error {
out.Name = in.Name
- out.Audience = in.Audience
- out.ExpirationSeconds = in.ExpirationSeconds
return nil
}
@@ -1463,12 +1459,16 @@ func Convert_certmanager_VaultIssuer_To_v1_VaultIssuer(in *certmanager.VaultIssu
func autoConvert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *v1.VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
out.Path = in.Path
- if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
- return err
- }
- if err := Convert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(&in.ServiceAccountRef, &out.ServiceAccountRef, s); err != nil {
- return err
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(meta.SecretKeySelector)
+ if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+ return err
+ }
+ } else {
+ out.SecretRef = nil
}
+ out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
out.Role = in.Role
return nil
}
@@ -1480,12 +1480,16 @@ func Convert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *v1.Va
func autoConvert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *v1.VaultKubernetesAuth, s conversion.Scope) error {
out.Path = in.Path
- if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
- return err
- }
- if err := Convert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(&in.ServiceAccountRef, &out.ServiceAccountRef, s); err != nil {
- return err
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(apismetav1.SecretKeySelector)
+ if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+ return err
+ }
+ } else {
+ out.SecretRef = nil
}
+ out.ServiceAccountRef = (*v1.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
out.Role = in.Role
return nil
}
diff --git a/internal/apis/certmanager/v1alpha2/types_issuer.go b/internal/apis/certmanager/v1alpha2/types_issuer.go
index 551cde183..6482f7159 100644
--- a/internal/apis/certmanager/v1alpha2/types_issuer.go
+++ b/internal/apis/certmanager/v1alpha2/types_issuer.go
@@ -266,13 +266,31 @@ type VaultKubernetesAuth struct {
// for authenticating with Vault. Use of 'ambient credentials' is not
// supported.
// +optional
- SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+ SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+
+ // A reference to a service account that will be used to request a bound
+ // token (also known as "projected token"). Compared to using "secretRef",
+ // using this field means that you don't rely on statically bound tokens. To
+ // use this field, you must configure an RBAC rule to let cert-manager
+ // request a token. See to learn more.
+ // +optional
+ ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
Role string `json:"role"`
}
+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 10 minutes.
+type ServiceAccountRef struct {
+ // Name of the ServiceAccount used to request a token.
+ Name string `json:"name"`
+}
+
type CAIssuer struct {
// SecretName is the name of the secret used to sign Certificates issued
// by this Issuer.
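Review bot: The added ServiceAccountRef field comment ends with `// request a token. See to learn more.`, a sentence whose link was lost, so it tells the reader nothing. Either put the URL back or reword it, e.g. `// request a token. See the cert-manager Vault issuer documentation to learn more.` The SecretRef comment just above the hunk is cut off from view, so I cannot tell whether it still describes the field as required now that it is an optional pointer; worth a check.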
diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
index eef4dafa5..bdc7c4732 100644
--- a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
@@ -277,6 +277,16 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
+ if err := s.AddGeneratedConversionFunc((*ServiceAccountRef)(nil), (*certmanager.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(a.(*ServiceAccountRef), b.(*certmanager.ServiceAccountRef), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*certmanager.ServiceAccountRef)(nil), (*ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(a.(*certmanager.ServiceAccountRef), b.(*ServiceAccountRef), scope)
+ }); err != nil {
+ return err
+ }
if err := s.AddGeneratedConversionFunc((*VaultAppRole)(nil), (*certmanager.VaultAppRole)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha2_VaultAppRole_To_certmanager_VaultAppRole(a.(*VaultAppRole), b.(*certmanager.VaultAppRole), scope)
}); err != nil {
@@ -312,11 +322,6 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
- if err := s.AddGeneratedConversionFunc((*certmanager.VaultKubernetesAuth)(nil), (*VaultKubernetesAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_certmanager_VaultKubernetesAuth_To_v1alpha2_VaultKubernetesAuth(a.(*certmanager.VaultKubernetesAuth), b.(*VaultKubernetesAuth), scope)
- }); err != nil {
- return err
- }
if err := s.AddGeneratedConversionFunc((*VenafiCloud)(nil), (*certmanager.VenafiCloud)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha2_VenafiCloud_To_certmanager_VenafiCloud(a.(*VenafiCloud), b.(*certmanager.VenafiCloud), scope)
}); err != nil {
@@ -367,6 +372,11 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
+ if err := s.AddConversionFunc((*certmanager.VaultKubernetesAuth)(nil), (*VaultKubernetesAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_certmanager_VaultKubernetesAuth_To_v1alpha2_VaultKubernetesAuth(a.(*certmanager.VaultKubernetesAuth), b.(*VaultKubernetesAuth), scope)
+ }); err != nil {
+ return err
+ }
if err := s.AddConversionFunc((*certmanager.X509Subject)(nil), (*X509Subject)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_X509Subject_To_v1alpha2_X509Subject(a.(*certmanager.X509Subject), b.(*X509Subject), scope)
}); err != nil {
@@ -1293,6 +1303,26 @@ func Convert_certmanager_SelfSignedIssuer_To_v1alpha2_SelfSignedIssuer(in *certm
return autoConvert_certmanager_SelfSignedIssuer_To_v1alpha2_SelfSignedIssuer(in, out, s)
}
+func autoConvert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+ out.Name = in.Name
+ return nil
+}
+
+// Convert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef is an autogenerated conversion function.
+func Convert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+ return autoConvert_v1alpha2_ServiceAccountRef_To_certmanager_ServiceAccountRef(in, out, s)
+}
+
+func autoConvert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+ out.Name = in.Name
+ return nil
+}
+
+// Convert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef is an autogenerated conversion function.
+func Convert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+ return autoConvert_certmanager_ServiceAccountRef_To_v1alpha2_ServiceAccountRef(in, out, s)
+}
+
func autoConvert_v1alpha2_VaultAppRole_To_certmanager_VaultAppRole(in *VaultAppRole, out *certmanager.VaultAppRole, s conversion.Scope) error {
out.Path = in.Path
out.RoleId = in.RoleId
@@ -1445,9 +1475,16 @@ func Convert_certmanager_VaultIssuer_To_v1alpha2_VaultIssuer(in *certmanager.Vau
func autoConvert_v1alpha2_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
out.Path = in.Path
- if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
- return err
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(meta.SecretKeySelector)
+ if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+ return err
+ }
+ } else {
+ out.SecretRef = nil
}
+ out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
out.Role = in.Role
return nil
}
@@ -1459,10 +1496,16 @@ func Convert_v1alpha2_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in
func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha2_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
out.Path = in.Path
- if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
- return err
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(metav1.SecretKeySelector)
+ if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+ return err
+ }
+ } else {
+ out.SecretRef = nil
}
- // WARNING: in.ServiceAccountRef requires manual conversion: does not exist in peer-type
+ out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
out.Role = in.Role
return nil
}
diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
index a8e69faa2..40085f7ee 100644
--- a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
@@ -822,6 +822,22 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.
+func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
+ if in == nil {
+ return nil
+ }
+ out := new(ServiceAccountRef)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
*out = *in
@@ -855,7 +871,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
if in.Kubernetes != nil {
in, out := &in.Kubernetes, &out.Kubernetes
*out = new(VaultKubernetesAuth)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
return
}
@@ -900,7 +916,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
*out = *in
- out.SecretRef = in.SecretRef
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(metav1.SecretKeySelector)
+ **out = **in
+ }
+ if in.ServiceAccountRef != nil {
+ in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+ *out = new(ServiceAccountRef)
+ **out = **in
+ }
return
}
diff --git a/internal/apis/certmanager/v1alpha3/types_issuer.go b/internal/apis/certmanager/v1alpha3/types_issuer.go
index 65cf89688..23bb2c626 100644
--- a/internal/apis/certmanager/v1alpha3/types_issuer.go
+++ b/internal/apis/certmanager/v1alpha3/types_issuer.go
@@ -266,13 +266,31 @@ type VaultKubernetesAuth struct {
// for authenticating with Vault. Use of 'ambient credentials' is not
// supported.
// +optional
- SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+ SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+
+ // A reference to a service account that will be used to request a bound
+ // token (also known as "projected token"). Compared to using "secretRef",
+ // using this field means that you don't rely on statically bound tokens. To
+ // use this field, you must configure an RBAC rule to let cert-manager
+ // request a token. See to learn more.
+ // +optional
+ ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
Role string `json:"role"`
}
+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 10 minutes.
+type ServiceAccountRef struct {
+ // Name of the ServiceAccount used to request a token.
+ Name string `json:"name"`
+}
+
type CAIssuer struct {
// SecretName is the name of the secret used to sign Certificates issued
// by this Issuer.
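Review bot: The new field comment in this hunk carries the same truncated sentence `// request a token. See to learn more.` with no link target; restore the URL or reword it to `// request a token. See the cert-manager Vault issuer documentation to learn more.` so the RBAC prerequisite is actually discoverable. The SecretRef comment above the hunk is outside my view, so whether it still calls the field required after becoming an optional pointer should be checked as well.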
diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
index 4c2660c5b..93b52cb7d 100644
--- a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
@@ -277,6 +277,16 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
+ if err := s.AddGeneratedConversionFunc((*ServiceAccountRef)(nil), (*certmanager.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(a.(*ServiceAccountRef), b.(*certmanager.ServiceAccountRef), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*certmanager.ServiceAccountRef)(nil), (*ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(a.(*certmanager.ServiceAccountRef), b.(*ServiceAccountRef), scope)
+ }); err != nil {
+ return err
+ }
if err := s.AddGeneratedConversionFunc((*VaultAppRole)(nil), (*certmanager.VaultAppRole)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha3_VaultAppRole_To_certmanager_VaultAppRole(a.(*VaultAppRole), b.(*certmanager.VaultAppRole), scope)
}); err != nil {
@@ -1292,6 +1302,26 @@ func Convert_certmanager_SelfSignedIssuer_To_v1alpha3_SelfSignedIssuer(in *certm
return autoConvert_certmanager_SelfSignedIssuer_To_v1alpha3_SelfSignedIssuer(in, out, s)
}
+func autoConvert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+ out.Name = in.Name
+ return nil
+}
+
+// Convert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef is an autogenerated conversion function.
+func Convert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+ return autoConvert_v1alpha3_ServiceAccountRef_To_certmanager_ServiceAccountRef(in, out, s)
+}
+
+func autoConvert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+ out.Name = in.Name
+ return nil
+}
+
+// Convert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef is an autogenerated conversion function.
+func Convert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+ return autoConvert_certmanager_ServiceAccountRef_To_v1alpha3_ServiceAccountRef(in, out, s)
+}
+
func autoConvert_v1alpha3_VaultAppRole_To_certmanager_VaultAppRole(in *VaultAppRole, out *certmanager.VaultAppRole, s conversion.Scope) error {
out.Path = in.Path
out.RoleId = in.RoleId
@@ -1444,9 +1474,16 @@ func Convert_certmanager_VaultIssuer_To_v1alpha3_VaultIssuer(in *certmanager.Vau
func autoConvert_v1alpha3_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
out.Path = in.Path
- if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
- return err
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(meta.SecretKeySelector)
+ if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+ return err
+ }
+ } else {
+ out.SecretRef = nil
}
+ out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
out.Role = in.Role
return nil
}
@@ -1458,10 +1495,16 @@ func Convert_v1alpha3_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in
func autoConvert_certmanager_VaultKubernetesAuth_To_v1alpha3_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
out.Path = in.Path
- if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
- return err
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(metav1.SecretKeySelector)
+ if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+ return err
+ }
+ } else {
+ out.SecretRef = nil
}
- // WARNING: in.ServiceAccountRef requires manual conversion: does not exist in peer-type
+ out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
out.Role = in.Role
return nil
}
diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
index 36d7391ca..2944da0f3 100644
--- a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
@@ -817,6 +817,22 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.
+func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
+ if in == nil {
+ return nil
+ }
+ out := new(ServiceAccountRef)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
*out = *in
@@ -850,7 +866,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
if in.Kubernetes != nil {
in, out := &in.Kubernetes, &out.Kubernetes
*out = new(VaultKubernetesAuth)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
return
}
@@ -895,7 +911,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
*out = *in
- out.SecretRef = in.SecretRef
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(metav1.SecretKeySelector)
+ **out = **in
+ }
+ if in.ServiceAccountRef != nil {
+ in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+ *out = new(ServiceAccountRef)
+ **out = **in
+ }
return
}
diff --git a/internal/apis/certmanager/v1beta1/conversion.go b/internal/apis/certmanager/v1beta1/conversion.go
deleted file mode 100644
index 91836ad3e..000000000
--- a/internal/apis/certmanager/v1beta1/conversion.go
+++ /dev/null
@@ -1,10 +0,0 @@
-package v1beta1
-
-import (
- certmanager "github.com/cert-manager/cert-manager/internal/apis/certmanager"
- conversion "k8s.io/apimachinery/pkg/conversion"
-)
-
-func Convert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
- return autoConvert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in, out, s)
-}
diff --git a/internal/apis/certmanager/v1beta1/types_issuer.go b/internal/apis/certmanager/v1beta1/types_issuer.go
index 63fc8b3b1..ea464dc6a 100644
--- a/internal/apis/certmanager/v1beta1/types_issuer.go
+++ b/internal/apis/certmanager/v1beta1/types_issuer.go
@@ -268,13 +268,31 @@ type VaultKubernetesAuth struct {
// for authenticating with Vault. Use of 'ambient credentials' is not
// supported.
// +optional
- SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+ SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+
+ // A reference to a service account that will be used to request a bound
+ // token (also known as "projected token"). Compared to using "secretRef",
+ // using this field means that you don't rely on statically bound tokens. To
+ // use this field, you must configure an RBAC rule to let cert-manager
+ // request a token. See to learn more.
+ // +optional
+ ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
Role string `json:"role"`
}
+// ServiceAccountRef is a service account used by cert-manager to request a
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 1 minute.
+type ServiceAccountRef struct {
+ // Name of the ServiceAccount used to request a token.
+ Name string `json:"name"`
+}
+
type CAIssuer struct {
// SecretName is the name of the secret used to sign Certificates issued
// by this Issuer.
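Review bot: The ServiceAccountRef doc comment in this hunk says the token expiration is set by cert-manager to 1 minute, whereas the same comment in the internal, v1alpha2 and v1alpha3 types says 10 minutes; since the lifetime is set by the controller rather than per API version, all copies must quote the same number. The 10-minute figure is the plausible one: the CRD description removed at the top of this diff notes that a requested token lifetime "must be at least 10 minutes", so a 1-minute request would not be honoured by the API server. Change the line to `// token is also set by cert-manager to 10 minutes.` The field comment here also carries the dangling `See to learn more.` sentence with no link target.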
diff --git a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
index 876bd1918..72457d36b 100644
--- a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
@@ -302,6 +302,16 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
+ if err := s.AddGeneratedConversionFunc((*ServiceAccountRef)(nil), (*certmanager.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(a.(*ServiceAccountRef), b.(*certmanager.ServiceAccountRef), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*certmanager.ServiceAccountRef)(nil), (*ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(a.(*certmanager.ServiceAccountRef), b.(*ServiceAccountRef), scope)
+ }); err != nil {
+ return err
+ }
if err := s.AddGeneratedConversionFunc((*VaultAppRole)(nil), (*certmanager.VaultAppRole)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1beta1_VaultAppRole_To_certmanager_VaultAppRole(a.(*VaultAppRole), b.(*certmanager.VaultAppRole), scope)
}); err != nil {
@@ -1285,6 +1295,26 @@ func Convert_certmanager_SelfSignedIssuer_To_v1beta1_SelfSignedIssuer(in *certma
return autoConvert_certmanager_SelfSignedIssuer_To_v1beta1_SelfSignedIssuer(in, out, s)
}
+func autoConvert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+ out.Name = in.Name
+ return nil
+}
+
+// Convert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef is an autogenerated conversion function.
+func Convert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
+ return autoConvert_v1beta1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in, out, s)
+}
+
+func autoConvert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+ out.Name = in.Name
+ return nil
+}
+
+// Convert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef is an autogenerated conversion function.
+func Convert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *ServiceAccountRef, s conversion.Scope) error {
+ return autoConvert_certmanager_ServiceAccountRef_To_v1beta1_ServiceAccountRef(in, out, s)
+}
+
func autoConvert_v1beta1_VaultAppRole_To_certmanager_VaultAppRole(in *VaultAppRole, out *certmanager.VaultAppRole, s conversion.Scope) error {
out.Path = in.Path
out.RoleId = in.RoleId
@@ -1437,9 +1467,16 @@ func Convert_certmanager_VaultIssuer_To_v1beta1_VaultIssuer(in *certmanager.Vaul
func autoConvert_v1beta1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
out.Path = in.Path
- if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
- return err
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(meta.SecretKeySelector)
+ if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+ return err
+ }
+ } else {
+ out.SecretRef = nil
}
+ out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
out.Role = in.Role
return nil
}
@@ -1451,14 +1488,25 @@ func Convert_v1beta1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *
func autoConvert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
out.Path = in.Path
- if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
- return err
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(metav1.SecretKeySelector)
+ if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+ return err
+ }
+ } else {
+ out.SecretRef = nil
}
- // WARNING: in.ServiceAccountRef requires manual conversion: does not exist in peer-type
+ out.ServiceAccountRef = (*ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
out.Role = in.Role
return nil
}
+// Convert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth is an autogenerated conversion function.
+func Convert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *VaultKubernetesAuth, s conversion.Scope) error {
+ return autoConvert_certmanager_VaultKubernetesAuth_To_v1beta1_VaultKubernetesAuth(in, out, s)
+}
+
func autoConvert_v1beta1_VenafiCloud_To_certmanager_VenafiCloud(in *VenafiCloud, out *certmanager.VenafiCloud, s conversion.Scope) error {
out.URL = in.URL
if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.APITokenSecretRef, &out.APITokenSecretRef, s); err != nil {
diff --git a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go
index 9eeea27d9..e49d641d5 100644
--- a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go
@@ -817,6 +817,22 @@ func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.
+func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
+ if in == nil {
+ return nil
+ }
+ out := new(ServiceAccountRef)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
*out = *in
@@ -850,7 +866,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
if in.Kubernetes != nil {
in, out := &in.Kubernetes, &out.Kubernetes
*out = new(VaultKubernetesAuth)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
return
}
@@ -895,7 +911,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
*out = *in
- out.SecretRef = in.SecretRef
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(metav1.SecretKeySelector)
+ **out = **in
+ }
+ if in.ServiceAccountRef != nil {
+ in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+ *out = new(ServiceAccountRef)
+ **out = **in
+ }
return
}
diff --git a/internal/apis/certmanager/zz_generated.deepcopy.go b/internal/apis/certmanager/zz_generated.deepcopy.go
index 246cfb13d..c61107358 100644
--- a/internal/apis/certmanager/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/zz_generated.deepcopy.go
@@ -866,7 +866,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
if in.Kubernetes != nil {
in, out := &in.Kubernetes, &out.Kubernetes
*out = new(VaultKubernetesAuth)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
return
}
@@ -911,8 +911,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
*out = *in
- out.SecretRef = in.SecretRef
- out.ServiceAccountRef = in.ServiceAccountRef
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(meta.SecretKeySelector)
+ **out = **in
+ }
+ if in.ServiceAccountRef != nil {
+ in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+ *out = new(ServiceAccountRef)
+ **out = **in
+ }
return
}
diff --git a/pkg/apis/certmanager/v1/types_issuer.go b/pkg/apis/certmanager/v1/types_issuer.go
index efc7416c1..94da0d398 100644
--- a/pkg/apis/certmanager/v1/types_issuer.go
+++ b/pkg/apis/certmanager/v1/types_issuer.go
@@ -270,7 +270,7 @@ type VaultKubernetesAuth struct {
// for authenticating with Vault. Use of 'ambient credentials' is not
// supported.
// +optional
- SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
+ SecretRef *cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
// A reference to a service account that will be used to request a bound
// token (also known as "projected token"). Compared to using "secretRef",
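Review bot: With `SecretRef` now a pointer here and `ServiceAccountRef` becoming a pointer in the next hunk, both credential sources are `+optional` and nothing in the type says what happens when both or neither are set; the field comments should state the rule, e.g. `// Exactly one of secretRef or serviceAccountRef must be set.`, and whatever validation enforces it (not visible in this diff) should be checked to agree. Code that previously read the zero-value `SecretRef` directly must now nil-check before dereferencing; the generated DeepCopy and conversion hunks later in the diff handle copying, not the use sites. The unchanged sentence `See to learn more.` at the start of the next hunk appears to be missing its link. The enclosing `VaultKubernetesAuth` struct starts before this hunk.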
@@ -278,7 +278,7 @@ type VaultKubernetesAuth struct {
// use this field, you must configure an RBAC rule to let cert-manager
// request a token. See to learn more.
// +optional
- ServiceAccountRef ServiceAccountRef `json:"serviceAccountRef,omitempty"`
+ ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
@@ -286,22 +286,13 @@ type VaultKubernetesAuth struct {
}
// ServiceAccountRef is a service account used by cert-manager to request a
-// token.
+// token. The audience cannot be configured. The audience is generated by
+// cert-manager and takes the form `vault://namespace-name/issuer-name` for an
+// Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the
+// token is also set by cert-manager to 10 minutes.
type ServiceAccountRef struct {
// Name of the ServiceAccount used to request a token.
Name string `json:"name"`
-
- // Audience is the intended audience of the token. A recipient of a token
- // must identify itself with an identifier specified in the audience of the
- // token, and otherwise should reject the token. The audience defaults to the
- // identifier of the apiserver.
- // +optional
- Audience string `json:"audience,omitempty"`
-
- // ExpirationSeconds is the requested duration of validity of the service
- // account token. Defaults to 1 hour and must be at least 10 minutes.
- // +optional
- ExpirationSeconds int64 `json:"expirationSeconds,omitempty"`
}
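Review bot: The new type comment states the audience format and a fixed 10-minute expiry as facts without pointing at the code that builds the token request, so a maintainer changing that code has no cue to update this comment; a one-line pointer such as `// Keep in sync with the token request built in <token-request-file placeholder>.` would help. It is also worth saying why the audience is fixed: binding it to the Issuer or ClusterIssuer name means a token minted for one issuer is not accepted as another's by a Vault role that checks audiences, which is the reason the previously exposed `audience` field was removed rather than defaulted. Finally, dropping `audience` and `expirationSeconds` from a `+optional` struct silently ignores them in existing manifests if they were ever released, so the comment (or a release note) should say whether that is a breaking change.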
type CAIssuer struct {
diff --git a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
index 5b1ffb691..262c7239e 100644
--- a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
@@ -866,7 +866,7 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
if in.Kubernetes != nil {
in, out := &in.Kubernetes, &out.Kubernetes
*out = new(VaultKubernetesAuth)
- **out = **in
+ (*in).DeepCopyInto(*out)
}
return
}
@@ -911,8 +911,16 @@ func (in *VaultIssuer) DeepCopy() *VaultIssuer {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
*out = *in
- out.SecretRef = in.SecretRef
- out.ServiceAccountRef = in.ServiceAccountRef
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(apismetav1.SecretKeySelector)
+ **out = **in
+ }
+ if in.ServiceAccountRef != nil {
+ in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+ *out = new(ServiceAccountRef)
+ **out = **in
+ }
return
}