Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).
With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.
Signed-off-by: Maël Valais <mael@vls.dev>
The documentation [1] mentions that `StdoutPipe` should not be used
along with `Run`:
"Wait will close the pipe after seeing the command exit, so most callers
need not close the pipe themselves. It is thus incorrect to call Wait
before all reads from the pipe have completed. For the same reason, it
is incorrect to call Run when using StdoutPipe. See the example for
idiomatic usage."
It seems we are using `Run`, meaning that the StdoutPipe gets closed
when `Run` returns (because `Run` calls `Wait` and closes the StdoutPipe
before returning).
To reproduce:
git fetch fa4c2cfcad79f0a8a806b71caefbf96b049533c5
git checkout fa4c2cfcad79f0a8a806b71caefbf96b049533c5
go test -tags=e2e_test ./test/e2e -- -test.outputdir=$PWD/_bin/artifacts \
-ginkgo.junit-report=junit__01.xml -ginkgo.flake-attempts=1 \
-test.timeout=24h -ginkgo.v -test.v -ginkgo.randomize-all \
-ginkgo.progress -ginkgo.trace -ginkgo.slow-spec-threshold=300s \
--repo-root=/home/mvalais/code/cert-manager \
--report-dir=/home/mvalais/code/cert-manager/_bin/artifacts \
--acme-dns-server=10.0.0.16 --acme-ingress-ip=10.0.0.15 \
--acme-gateway-ip=10.0.0.14 \
--ingress-controller-domain=ingress-nginx.http01.example.com \
--gateway-domain=gateway.http01.example.com \
--feature-gates="" \
--ginkgo.focus=".*should be ready with a valid serviceAccountRef"
Result:
error install helm chart: cmd.Run: exit status 1: io.Copy: write /dev/stdout: copy_file_range: use of closed file
Signed-off-by: Maël Valais <mael@vls.dev>
The main reason for bumping Vault's version is because 1.2.3 is not
compatible with the config parameter `disable_iss_validation`, which is
needed for accommodating the future tests [1] that rely on bound tokens
and static tokens.
For context, Vault 1.2.3 was released on Sep 9, 2019 [2] but
`disable_iss_validation` was only added on July 21st, 2020 in Vault
1.5.0.
Due to a breaking change that happened in Vault 1.5.0 [3] in which Vault
started loading the pod's token instead of using the same token (to be
reviewed) for authenticating. An alternative solution could have been to
prevent the service account from being mounted to the pod, but I figured
that having the two service accounts separated is a better practice.
[1]: https://github.com/cert-manager/cert-manager/pull/5502
[2]: https://github.com/hashicorp/vault/commit/c14bd9a2
[3]: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#150
Signed-off-by: Maël Valais <mael@vls.dev>
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.
There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This change adds the ability to express certificate duration using
the Kubernetes CSR spec.expirationSeconds field alongside the existing
approach of using the experimental.cert-manager.io/request-duration
annotation. Both approaches are supported as the expirationSeconds
field requires Kubernetes v1.22+.
Signed-off-by: Monis Khan <mok@vmware.com>
DER Format to create key.der binary format of the private key.
CombinedPEM Format to create tls-combined.pem containing tls.key + tls.crt.
Added Unit and e2e tests for secret with Additional output format.
Feature flag AdditionalCertificateOutputFormats to enable feature.
Signed-off-by: Thierry Sallé <seuf76@gmail.com>
rather than using the default suggested `v1` names for some imports, we
use more descriptive names
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
