This does not actually change how the informers work. This also adds a partial metadata client to the root context.
Signed-off-by: irbekrm <irbekrm@gmail.com>
This will only be needed by the SecretsFilteredCaching feature, but I cannot think of any harm in adding it to the general path.
Signed-off-by: irbekrm <irbekrm@gmail.com>
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).
With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.
Signed-off-by: Maël Valais <mael@vls.dev>
The documentation [1] mentions that `StdoutPipe` should not be used
along with `Run`:
"Wait will close the pipe after seeing the command exit, so most callers
need not close the pipe themselves. It is thus incorrect to call Wait
before all reads from the pipe have completed. For the same reason, it
is incorrect to call Run when using StdoutPipe. See the example for
idiomatic usage."
It seems we are using `Run`, meaning that the StdoutPipe gets closed
when `Run` returns (because `Run` calls `Wait` and closes the StdoutPipe
before returning).
To reproduce:
git fetch fa4c2cfcad79f0a8a806b71caefbf96b049533c5
git checkout fa4c2cfcad79f0a8a806b71caefbf96b049533c5
go test -tags=e2e_test ./test/e2e -- -test.outputdir=$PWD/_bin/artifacts \
-ginkgo.junit-report=junit__01.xml -ginkgo.flake-attempts=1 \
-test.timeout=24h -ginkgo.v -test.v -ginkgo.randomize-all \
-ginkgo.progress -ginkgo.trace -ginkgo.slow-spec-threshold=300s \
--repo-root=/home/mvalais/code/cert-manager \
--report-dir=/home/mvalais/code/cert-manager/_bin/artifacts \
--acme-dns-server=10.0.0.16 --acme-ingress-ip=10.0.0.15 \
--acme-gateway-ip=10.0.0.14 \
--ingress-controller-domain=ingress-nginx.http01.example.com \
--gateway-domain=gateway.http01.example.com \
--feature-gates="" \
--ginkgo.focus=".*should be ready with a valid serviceAccountRef"
Result:
error install helm chart: cmd.Run: exit status 1: io.Copy: write /dev/stdout: copy_file_range: use of closed file
Signed-off-by: Maël Valais <mael@vls.dev>
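The os/exec pitfall the commit above describes, as an added Go example that is not part of cert-manager's code: the first function reproduces the Run + StdoutPipe misuse (Run calls Wait, which closes the read end before the caller drains it), the second is the Start / read / Wait sequence the documentation calls idiomatic. The `echo` binary is assumed to be on PATH.

```go
package main

import (
	"fmt"
	"io"
	"os/exec"
	"strings"
)

// runWithPipeWrong mirrors the pattern from the commit message: StdoutPipe
// combined with Run. Run is Start followed by Wait, and Wait closes the read
// end of the pipe, so a copy that begins after Run returns fails with a
// "closed file" error instead of delivering the child's output.
func runWithPipeWrong(name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	out, err := cmd.StdoutPipe()
	if err != nil {
		return "", err
	}
	if err := cmd.Run(); err != nil { // Wait has now closed `out`
		return "", fmt.Errorf("cmd.Run: %w", err)
	}
	var sb strings.Builder
	if _, err := io.Copy(&sb, out); err != nil { // too late: pipe is closed
		return "", fmt.Errorf("io.Copy: %w", err)
	}
	return sb.String(), nil
}

// runWithPipeRight follows the os/exec documentation: Start the process,
// drain the pipe to EOF, and only then call Wait.
func runWithPipeRight(name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	out, err := cmd.StdoutPipe()
	if err != nil {
		return "", err
	}
	if err := cmd.Start(); err != nil {
		return "", fmt.Errorf("cmd.Start: %w", err)
	}
	var sb strings.Builder
	if _, err := io.Copy(&sb, out); err != nil { // all reads complete here
		return "", fmt.Errorf("io.Copy: %w", err)
	}
	if err := cmd.Wait(); err != nil { // safe: nothing left to read
		return "", fmt.Errorf("cmd.Wait: %w", err)
	}
	return sb.String(), nil
}

func main() {
	_, err := runWithPipeWrong("echo", "hello")
	fmt.Println("Run + StdoutPipe:", err)
	s, err := runWithPipeRight("echo", "hello")
	fmt.Printf("Start/read/Wait: %q, err=%v\n", s, err)
}
```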
The way the tests run (a new kube apiserver with a different client created for the same initialized solver) is not how this solver would actually run.
Signed-off-by: irbekrm <irbekrm@gmail.com>
With the goal of making folks working on these parts of the code aware that this is the one bit that will be imported into external projects.
Signed-off-by: irbekrm <irbekrm@gmail.com>
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.
Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.
Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
The main reason for bumping Vault's version is because 1.2.3 is not
compatible with the config parameter `disable_iss_validation`, which is
needed for accommodating the future tests [1] that rely on bound tokens
and static tokens.
For context, Vault 1.2.3 was released on Sep 9, 2019 [2] but
`disable_iss_validation` was only added on July 21st, 2020 in Vault
1.5.0.
Due to a breaking change that happened in Vault 1.5.0 [3] in which Vault
started loading the pod's token instead of using the same token (to be
reviewed) for authenticating. An alternative solution could have been to
prevent the service account from being mounted to the pod, but I figured
that having the two service accounts separated is a better practice.
[1]: https://github.com/cert-manager/cert-manager/pull/5502
[2]: https://github.com/hashicorp/vault/commit/c14bd9a2
[3]: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#150
Signed-off-by: Maël Valais <mael@vls.dev>