Merge pull request #1081 from maelvls/document-vault-bound-serviceaccount

Vault: document the new field "serviceAccountRef"

Author: jetstack-bot

.spelling

@@ -553,6 +553,10 @@ NetworkPolicy
 mjudeikis
 rgl
 1password
+secretless
+TokenRequest
+v1.12.0
+v1.12.0.
 
 # TEMPORARY
 # these are temporarily ignored because the spellchecker

content/docs/configuration/vault.md

@@ -144,13 +144,125 @@ spec:
           key: token
 ```
 
+<a id="authenticating-with-kubernetes-service-accounts"></a>
+
 ### Authenticating with Kubernetes Service Accounts
 
-Vault can be configured so that applications can authenticate using Kubernetes
-[`Service Account
-Tokens`](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin).
-You find documentation on how to configure Vault to authenticate using Service
-Account Tokens [here](https://www.vaultproject.io/docs/auth/kubernetes.html).
+The [Vault Kubernetes
+Auth](https://developer.hashicorp.com/vault/docs/auth/kubernetes) allows
+cert-manager to authenticate to Vault using a Kubernetes Service Account Token
+in order to issue certificates using Vault as a certification authority. The
+Kubernetes service account token can be provided in two ways:
+
+- [Secretless Authentication with a Service Account](#secretless-authentication-with-a-service-account) (recommended),
+- [Authentication with a Static Service Account Token](#static-service-account-token).
+
+#### Secretless Authentication with a Service Account
+
+ℹ️ This feature is available in cert-manager >= v1.12.0.
+
+With the secretless authentication with a service account, cert-manager creates
+an ephemeral service account token using the TokenRequest API and uses it to
+authenticate with Vault. These tokens are short-lived (10 minutes) and are
+never stored to disk.
+
+This is the recommended authentication method because it does not rely on the
+deprecated static service account tokens. The static service account tokens pose
+a threat due to their infinite lifetime. Static service account tokens have been
+disabled by default on Kubernetes 1.24.
+
+The first step is to create a `ServiceAccount` resource:
+
+```sh
+kubectl create serviceaccount -n sandbox vault-issuer
+```
+
+Then add an RBAC Role so that cert-manager can get tokens for the
+ServiceAccount:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault-issuer
+  namespace: sandbox
+rules:
+  - apiGroups: ['']
+    resources: ['serviceaccounts/token']
+    resourceNames: ['vault-issuer']
+    verbs: ['create']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-issuer
+  namespace: sandbox
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager
+    namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vault-issuer
+```
+
+Finally, create the Issuer resource:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: vault-issuer
+  namespace: sandbox
+spec:
+  vault:
+    path: pki_int/sign/example-dot-com
+    server: https://vault.local
+    auth:
+      kubernetes:
+        role: my-app-1
+        mountPath: /v1/auth/kubernetes
+        serviceAccountRef:
+          name: vault-issuer
+```
+
+> **Issuer vs. ClusterIssuer:** With an Issuer resource, you can only refer to a
+> service account located in the same namespace as the Issuer. With a
+> ClusterIssuer, the service account must be located in the namespace that is
+> configured by the flag `--cluster-resource-namespace`.
+
+To create the role in Vault, you can use the following command:
+
+```bash
+vault write auth/kubernetes/role/vault-issuer \
+    bound_service_account_names=vault-issuer \
+    bound_service_account_namespaces=sandbox \
+    audience="vault://sandbox/vault-issuer" \
+    policies=vault-issuer \
+    ttl=1m
+```
+
+It is recommended to use a different Vault role each per Issuer or
+ClusterIssuer. The `audience` allows you to restrict the Vault role to a single
+Issuer or ClusterIssuer. The syntax is the following:
+
+```yaml
+"vault://<namespace>/<issuer-name>"   # For an Issuer.
+"vault://<cluster-issuer-name>"       # For a ClusterIssuer.
+```
+
+The expiration duration for the Kubernetes tokens that are requested is
+hard-coded to 10 minutes (that's the minimum accepted). The `ttl` field can be
+as short as possible, since cert-manager requests a new token every time it
+needs to talks to Vault.
+
+Although it is not recommended, you can also use the same Vault role for all of
+your Issuers and ClusterIssuers by omitting the `audience` field and re-using
+the same service account.
+<a name="static-service-account-token"></a>
+
+#### Authentication with a Static Service Account Token
 
 For the Vault issuer to use this authentication, cert-manager must get access to
 the token that is stored in a Kubernetes `Secret`. Kubernetes Service Account

content/docs/manifest.json

@@ -8,8 +8,8 @@
           "path": "/docs/README.md"
         },
         {
-            "title": "Getting Started",
-            "path": "/docs/getting-started/README.md"
+          "title": "Getting Started",
+          "path": "/docs/getting-started/README.md"
         },
         {
           "title": "Installation",
@@ -70,8 +70,8 @@
                   "path": "/docs/installation/upgrading/upgrading-1.10-1.11.md"
                 },
                 {
-                    "title": "v1.9 to v1.10",
-                    "path": "/docs/installation/upgrading/upgrading-1.9-1.10.md"
+                  "title": "v1.9 to v1.10",
+                  "path": "/docs/installation/upgrading/upgrading-1.9-1.10.md"
                 },
                 {
                   "title": "v1.8 to v1.9",
@@ -353,12 +353,12 @@
               "title": "trust-manager",
               "routes": [
                 {
-                    "title": "Introduction",
-                    "path": "/docs/projects/trust-manager/README.md"
+                  "title": "Introduction",
+                  "path": "/docs/projects/trust-manager/README.md"
                 },
                 {
-                    "title": "API Reference",
-                    "path": "/docs/projects/trust-manager/api-reference.md"
+                  "title": "API Reference",
+                  "path": "/docs/projects/trust-manager/api-reference.md"
                 }
               ]
             }
@@ -372,20 +372,20 @@
               "path": "/docs/tutorials/README.md"
             },
             {
-                "title": "Securing NGINX-ingress",
-                "path": "/docs/tutorials/acme/nginx-ingress.md"
+              "title": "Securing NGINX-ingress",
+              "path": "/docs/tutorials/acme/nginx-ingress.md"
             },
             {
-                "title": "GKE + Ingress + Let's Encrypt",
-                "path": "/docs/tutorials/getting-started-with-cert-manager-on-google-kubernetes-engine-using-lets-encrypt-for-ingress-ssl/README.md"
+              "title": "GKE + Ingress + Let's Encrypt",
+              "path": "/docs/tutorials/getting-started-with-cert-manager-on-google-kubernetes-engine-using-lets-encrypt-for-ingress-ssl/README.md"
             },
             {
-                "title": "AKS + LoadBalancer + Let's Encrypt",
-                "path": "/docs/tutorials/getting-started-aks-letsencrypt/README.md"
+              "title": "AKS + LoadBalancer + Let's Encrypt",
+              "path": "/docs/tutorials/getting-started-aks-letsencrypt/README.md"
             },
             {
-                "title": "Migrating from Kube-LEGO",
-                "path": "/docs/tutorials/acme/migrating-from-kube-lego.md"
+              "title": "Migrating from Kube-LEGO",
+              "path": "/docs/tutorials/acme/migrating-from-kube-lego.md"
             },
             {
               "title": "Backup and Restore Resources",
@@ -421,22 +421,22 @@
             }
           ]
         },
-          {
-            "title": "Troubleshooting",
-            "routes": [
-                {
-                "title": "Introduction",
-                "path": "/docs/troubleshooting/README.md"
+        {
+          "title": "Troubleshooting",
+          "routes": [
+            {
+              "title": "Introduction",
+              "path": "/docs/troubleshooting/README.md"
             },
             {
-                "title": "Troubleshooting ACME / Let's Encrypt Certificates",
-                "path": "/docs/troubleshooting/acme.md"
+              "title": "Troubleshooting ACME / Let's Encrypt Certificates",
+              "path": "/docs/troubleshooting/acme.md"
             },
             {
-                "title": "Troubleshooting webhook",
-                "path": "/docs/troubleshooting/webhook.md"
+              "title": "Troubleshooting webhook",
+              "path": "/docs/troubleshooting/webhook.md"
             }
-            ]
+          ]
         },
         {
           "title": "FAQ",
@@ -544,13 +544,17 @@
               "title": "Introduction",
               "path": "/docs/release-notes/README.md"
             },
+            {
+              "title": "v1.12",
+              "path": "/docs/release-notes/release-notes-1.12.md"
+            },
             {
               "title": "v1.11",
               "path": "/docs/release-notes/release-notes-1.11.md"
             },
             {
-                "title": "v1.10",
-                "path": "/docs/release-notes/release-notes-1.10.md"
+              "title": "v1.10",
+              "path": "/docs/release-notes/release-notes-1.10.md"
             },
             {
               "title": "v1.9",
@@ -691,56 +695,56 @@
             }
           ]
         },
-          {
-            "title": "Reference",
-            "routes": [
+        {
+          "title": "Reference",
+          "routes": [
             {
-                "title": "Introduction",
-                "path": "/docs/reference/README.md"
+              "title": "Introduction",
+              "path": "/docs/reference/README.md"
             },
             {
-                "title": "Command Line Tool (cmctl)",
-                "path": "/docs/reference/cmctl.md"
+              "title": "Command Line Tool (cmctl)",
+              "path": "/docs/reference/cmctl.md"
             },
-                {
-                "title": "TLS Terminology",
-                "path": "/docs/reference/tls-terminology.md"
+            {
+              "title": "TLS Terminology",
+              "path": "/docs/reference/tls-terminology.md"
             },
 
+            {
+              "title": "Components / Docker Images",
+              "routes": [
                 {
-                "title": "Components / Docker Images",
-                "routes": [
-                    {
-                    "title": "Introduction",
-                    "path": "/docs/cli/README.md"
+                  "title": "Introduction",
+                  "path": "/docs/cli/README.md"
                 },
-                    {
-                    "title": "acmesolver",
-                    "path": "/docs/cli/acmesolver.md"
+                {
+                  "title": "acmesolver",
+                  "path": "/docs/cli/acmesolver.md"
                 },
-                    {
-                    "title": "cainjector",
-                    "path": "/docs/cli/cainjector.md"
+                {
+                  "title": "cainjector",
+                  "path": "/docs/cli/cainjector.md"
                 },
-                    {
-                    "title": "cmctl",
-                    "path": "/docs/cli/cmctl.md"
+                {
+                  "title": "cmctl",
+                  "path": "/docs/cli/cmctl.md"
                 },
-                    {
-                    "title": "controller",
-                    "path": "/docs/cli/controller.md"
+                {
+                  "title": "controller",
+                  "path": "/docs/cli/controller.md"
                 },
-                    {
-                    "title": "webhook",
-                    "path": "/docs/cli/webhook.md"
+                {
+                  "title": "webhook",
+                  "path": "/docs/cli/webhook.md"
                 }
-                ]
+              ]
             },
-                {
-                "title": "API Reference",
-                "path": "/docs/reference/api-docs.md"
+            {
+              "title": "API Reference",
+              "path": "/docs/reference/api-docs.md"
             }
-            ]
+          ]
         }
       ]
     }

content/docs/release-notes/README.md

@@ -3,6 +3,7 @@ title: Release Notes
 description: 'cert-manager release notes: Overview'
 ---
 
+- [`v1.12`](./release-notes-1.12.md)
 - [`v1.11`](./release-notes-1.11.md)
 - [`v1.10`](./release-notes-1.10.md)
 - [`v1.9`](./release-notes-1.9.md)

content/docs/release-notes/release-notes-1.12.md

@@ -0,0 +1,19 @@
+---
+title: Release 1.12
+description: 'cert-manager release notes: cert-manager 1.12'
+---
+
+## Major Themes
+
+### Support for ephemeral service account tokens in Vault
+
+cert-manager can now authenticate to Vault using ephemeral service account
+tokens. cert-manager already knew to authenticate to Vault using the [Vault
+Kubernetes Auth
+Method](https://developer.hashicorp.com/vault/docs/auth/kubernetes) but relied
+on insecure service account tokens stored in Secrets. You can now configure
+cert-manager in a secretless manner. With this new feature, cert-manager will
+create an ephemeral service account token on your behalf and use that to
+authenticate to Vault.
+
+> 📖 Read about [Secretless Authentication with a Service Account](../configuration/vault.md#secretless-authentication-with-a-service-account).