cert-manager/internal/apis
Maël Valais bfce543640 serviceAccountRef: remove aud and exp, secretRef now a pointer
Changing SecretRef to be a pointer will break people using the package as
a library.

I disabled the ability to set the audience and expiry time for security
reasons:

We decided to generate the audience dynamically instead of letting the
user configure it, and we also decided to encode the namespace and
issuer name into the audience to remediate the risk of hijacking an
existing issuer and service account with a malicious issuer.

Regarding the expiration duration of the JWT, it doesn't make sense to
let the user configure it since cert-manager will authenticate using the
JWT and immediately discard it. We thought that 1 minute would be
acceptable, although the Kubernetes API server may return a totally
different duration.

Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
acme add + use CABundle field for ACME servers in issuers 2022-12-15 16:21:07 +00:00
certmanager serviceAccountRef: remove aud and exp, secretRef now a pointer 2023-02-06 18:28:49 +01:00
config/webhook Remove bazel 🎉 2022-07-26 11:38:50 +01:00
meta Remove bazel 🎉 2022-07-26 11:38:50 +01:00