cert-manager

History

Maël Valais 76eef68730 serviceAccountRef: the vault issuer can now use bound SA tokens Previously, the Vault issuer was only able to use a Secret in order to use the "Kubernetes authentication" method. The downside to this service account Secret token is that it has the default JWT iss "kubernetes/serviceaccount" (along with the fact that the token is not bound to a particular pod and has no expiry). With the new serviceAccountRef, cert-manager now requests the token on behalf of the pod in order to authenticate with Vault. Signed-off-by: Maël Valais <mael@vls.dev>	2023-02-06 18:28:49 +01:00
..
vault_test.go	serviceAccountRef: the vault issuer can now use bound SA tokens	2023-02-06 18:28:49 +01:00
vault.go	serviceAccountRef: the vault issuer can now use bound SA tokens	2023-02-06 18:28:49 +01:00

Maël Valais 76eef68730 serviceAccountRef: the vault issuer can now use bound SA tokens

Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).

With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.

Signed-off-by: Maël Valais <mael@vls.dev>

2023-02-06 18:28:49 +01:00

vault_test.go

serviceAccountRef: the vault issuer can now use bound SA tokens

2023-02-06 18:28:49 +01:00

vault.go

serviceAccountRef: the vault issuer can now use bound SA tokens

2023-02-06 18:28:49 +01:00