* Added an otherName SAN extension mechanism
* Can take any otherName OID with String (UTF-8) like value
* cf [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) p 37 for
more info
* otherName is only a subset of GeneralName, our specific need for for
UserPrincipalName used in Microsoft AD/ LDAP
* We treat UPN special but we might remove this in a later commit
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
Changing SecretRef to be a pointer will break people using the package as
a library.
I disabled the ability to set the audience and expiry time for security
reasons:
We decided to generate the audience dynamically instead of letting the
user configure it, and we also decided to encode the namespace and
issuer name into the audience to remediate the risk of hijacking an
existing issuer and service account with a malicious issuer.
Regarding the expiration duration of the JWT, it doesn't make sense to
let the user configure it since cert-manager will authenticate using the
JWT and immediately discard it. We thought that 1 minute would be
acceptable, although the Kubernetes API server may return a totally
different duration.
Signed-off-by: Maël Valais <mael@vls.dev>
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).
With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.
Signed-off-by: Maël Valais <mael@vls.dev>
Vault distributions like "Bank Vaults" automatically configure
and provision Vault and provide the CA bundle via a Kubernetes
Secret. Having to hard-code the bundle in the Issuer instead
of dynamically referencing it through the Secret requires
a manual second step when using a GitOps workflow.
Signed-off-by: Nils Mueller <nm@impactful.it>
DER Format to create key.der binary format of the private key.
CombinedPEM Format to create tls-combined.pem containing tls.key + tls.crt.
Added Unit and e2e tests for secret with Additional output format.
Feature flag AdditionalCertificateOutputFormats to enable feature.
Signed-off-by: Thierry Sallé <seuf76@gmail.com>
