Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.
Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.
Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
The main reason for bumping Vault's version is because 1.2.3 is not
compatible with the config parameter `disable_iss_validation`, which is
needed for accommodating the future tests [1] that rely on bound tokens
and static tokens.
For context, Vault 1.2.3 was released on Sep 9, 2019 [2] but
`disable_iss_validation` was only added on July 21st, 2020 in Vault
1.5.0.
Due to a breaking change that happened in Vault 1.5.0 [3] in which Vault
started loading the pod's token instead of using the same token (to be
reviewed) for authenticating. An alternative solution could have been to
prevent the service account from being mounted to the pod, but I figured
that having the two service accounts separated is a better practice.
[1]: https://github.com/cert-manager/cert-manager/pull/5502
[2]: https://github.com/hashicorp/vault/commit/c14bd9a2
[3]: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#150
Signed-off-by: Maël Valais <mael@vls.dev>
This fixes two instances where loop variables were being incorrectly
used:
- using a loop variable in a closure passed to `ginkgo.It()` is
incorrect, as the capture happens by reference and only the last test
case will be executed (multiple times).
- a similar issue happens in the context of a goroutine; specifically,
we need to create a copy of the `runDurationFunc` before calling it in
a goroutine as done by the controller's `Run` function.
With regards to the second issue, I believe it never came to the
surface because, in production code, only one `runDurationFunc` is
passed; tests don't exercise the multiple funcs path either.
Issues were automatically found with the `loopvarcapture` linter.
Signed-off-by: Renato Costa <renato@cockroachlabs.com>
Vault distributions like "Bank Vaults" automatically configure
and provision Vault and provide the CA bundle via a Kubernetes
Secret. Having to hard-code the bundle in the Issuer instead
of dynamically referencing it through the Secret requires
a manual second step when using a GitOps workflow.
Signed-off-by: Nils Mueller <nm@impactful.it>
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.
There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
