Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).

With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.

Signed-off-by: Maël Valais <mael@vls.dev>

The documentation [1] mentions that `StdoutPipe` should not be used
along with `Run`:

    "Wait will close the pipe after seeing the command exit, so most callers
    need not close the pipe themselves. It is thus incorrect to call Wait
    before all reads from the pipe have completed. For the same reason, it
    is incorrect to call Run when using StdoutPipe. See the example for
    idiomatic usage."

It seems we are using `Run`, meaning that the StdoutPipe gets closed
when `Run` returns (because `Run` calls `Wait` and closes the StdoutPipe
before returning).

To reproduce:

    git fetch fa4c2cfcad79f0a8a806b71caefbf96b049533c5
    git checkout fa4c2cfcad79f0a8a806b71caefbf96b049533c5
    go test -tags=e2e_test ./test/e2e -- -test.outputdir=$PWD/_bin/artifacts \
      -ginkgo.junit-report=junit__01.xml -ginkgo.flake-attempts=1 \
      -test.timeout=24h -ginkgo.v -test.v -ginkgo.randomize-all \
      -ginkgo.progress -ginkgo.trace -ginkgo.slow-spec-threshold=300s \
      --repo-root=/home/mvalais/code/cert-manager \
      --report-dir=/home/mvalais/code/cert-manager/_bin/artifacts \
      --acme-dns-server=10.0.0.16 --acme-ingress-ip=10.0.0.15 \
      --acme-gateway-ip=10.0.0.14 \
      --ingress-controller-domain=ingress-nginx.http01.example.com \
      --gateway-domain=gateway.http01.example.com \
      --feature-gates="" \
      --ginkgo.focus=".*should be ready with a valid serviceAccountRef"

Result:

    error install helm chart: cmd.Run: exit status 1: io.Copy: write /dev/stdout: copy_file_range: use of closed file

Signed-off-by: Maël Valais <mael@vls.dev>

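The commit above describes the `os/exec` lifetime rule that bit the e2e helper: `Run` calls `Wait`, and `Wait` closes the read end of a `StdoutPipe`, so any copy still in flight fails with "use of closed file". The following is an added illustration written for this page, not code from cert-manager or from the commit; it shows the idiomatic sequence the documentation refers to (Start, drain the pipe to EOF, then Wait) next to the simpler buffered alternative for cases where the output only needs to be collected. The function names `CaptureStdout` and `CaptureStdoutBuffered` and the `sh -c` sample commands are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os/exec"
)

// CaptureStdout runs a command and returns everything it wrote to stdout.
// It follows the idiomatic os/exec pattern: Start, read the pipe until EOF,
// and only then Wait. Calling Run (or Wait) before the read has finished
// closes the pipe underneath the reader, which is exactly the
// "io.Copy: ... use of closed file" failure quoted in the commit message.
func CaptureStdout(name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	stdout, err := cmd.StdoutPipe()
	if err != nil {
		return "", fmt.Errorf("StdoutPipe: %w", err)
	}
	if err := cmd.Start(); err != nil {
		return "", fmt.Errorf("cmd.Start: %w", err)
	}
	// Drain the pipe completely before Wait: Wait closes the read end.
	out, readErr := io.ReadAll(stdout)
	// Always Wait, even when the read failed, so the child is reaped and
	// its exit status is observed.
	waitErr := cmd.Wait()
	if readErr != nil {
		return string(out), fmt.Errorf("io.ReadAll: %w", readErr)
	}
	if waitErr != nil {
		// Non-zero exit status surfaces here as an *exec.ExitError.
		return string(out), fmt.Errorf("cmd.Wait: %w", waitErr)
	}
	return string(out), nil
}

// CaptureStdoutBuffered is the simpler alternative when the output does
// not need to be streamed: assign a buffer to cmd.Stdout and let Run own
// the whole lifetime. No pipe is created, so there is nothing that Run's
// internal Wait could close out from under a concurrent copy.
func CaptureStdoutBuffered(name string, args ...string) (string, error) {
	var buf bytes.Buffer
	cmd := exec.Command(name, args...)
	cmd.Stdout = &buf
	if err := cmd.Run(); err != nil {
		return buf.String(), fmt.Errorf("cmd.Run: %w", err)
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample command: prints a line, then exits non-zero, so
	// both the captured output and the exit error are visible.
	out, err := CaptureStdout("sh", "-c", "echo hello; exit 3")
	fmt.Printf("output=%q err=%v\n", out, err)
}
```

Either pattern is safe; what the helper in the commit did wrong was to mix them, creating a pipe and then calling `Run` while another goroutine was still copying from it. When the output must be streamed to a terminal as it is produced (as the helm install helper presumably wanted), keep the pipe variant and make sure the `io.Copy` returns before `Wait` is called, for example by doing the copy synchronously on the calling goroutine as `CaptureStdout` does.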
The main reason for bumping Vault's version is because 1.2.3 is not
compatible with the config parameter `disable_iss_validation`, which is
needed for accommodating the future tests [1] that rely on bound tokens
and static tokens.

For context, Vault 1.2.3 was released on Sep 9, 2019 [2] but
`disable_iss_validation` was only added on July 21st, 2020 in Vault
1.5.0.

Due to a breaking change that happened in Vault 1.5.0 [3] in which Vault
started loading the pod's token instead of using the same token (to be
reviewed) for authenticating. An alternative solution could have been to
prevent the service account from being mounted to the pod, but I figured
that having the two service accounts separated is a better practice.

[1]: https://github.com/cert-manager/cert-manager/pull/5502
[2]: https://github.com/hashicorp/vault/commit/c14bd9a2
[3]: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#150

Signed-off-by: Maël Valais <mael@vls.dev>

This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.

There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>