Skip to content

Commit

Permalink
Docs deprecate token issuer validation (#13019)
Browse files Browse the repository at this point in the history
* change default vaule for disable_iss_validation to be true

* mark as deprecated | remove issuer from sample

* deprecation section

* additional informaiton about when fields will be removed

* additional deprecation note under csi provider

* punctuation

* make the deprecation note more noticable

* missing issuer sentence | remove whitespace

* Update website/content/docs/platform/k8s/csi/index.mdx

Co-authored-by: Ben Ash <[email protected]>

* cleanup

* additional deprecation comments

* fix discovery link

* highlight

* no need to configure the issuer

Co-authored-by: Ben Ash <[email protected]>
  • Loading branch information
imthaghost and benashz authored Nov 18, 2021
1 parent 1804ac1 commit bd09f70
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 5 deletions.
13 changes: 9 additions & 4 deletions website/content/api-docs/auth/kubernetes.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -37,11 +37,17 @@ access the Kubernetes API.
JWTs. If a certificate is given, its public key will be
extracted. Not every installation of Kubernetes exposes these
keys.
- `issuer` `(string: "")` - Optional JWT issuer. If no issuer is specified, then this plugin will
use `kubernetes/serviceaccount` as the default issuer. See [these instructions](/docs/platform/k8s/csi#setting-issuer-for-kubernetes-authentication) for looking up the issuer for a given Kubernetes cluster.
- `disable_iss_validation` `(bool: false)` - Disable JWT issuer validation. Allows to skip ISS validation.
- `disable_local_ca_jwt` `(bool: false)` - Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.

### Deprecated Parameters

-> The following fields have been deprecated and will be removed in a future release:

- `disable_iss_validation` `(bool: true)` **Deprecated** Disable JWT issuer validation. Allows to skip ISS validation.

- `issuer` `(string: "")` **Deprecated** Optional JWT issuer. If no issuer is specified, then this plugin will use `kubernetes/serviceaccount` as the default issuer.
See [these instructions](/docs/auth/kubernetes#discovering-the-service-account-issuer) for looking up the issuer for a given Kubernetes cluster.

### Caveats

If Vault is running in a Kubernetes Pod, the `kubernetes_ca_cert` and
Expand Down Expand Up @@ -97,7 +103,6 @@ $ curl \
"kubernetes_host": "https://192.168.99.100:8443",
"kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
"pem_keys": ["-----BEGIN CERTIFICATE-----.....", .....],
"disable_iss_validation": false,
"disable_local_ca_jwt": false
}
}
Expand Down
2 changes: 2 additions & 0 deletions website/content/docs/auth/kubernetes.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,8 @@ management tool.

### Discovering the service account `issuer`

-> **Deprecated:** The `issuer` parameter has been deprecated as of Vault 1.9 and will be removed in a future release.

Kubernetes 1.21+ clusters may require setting the service account
[`issuer`](/api-docs/auth/kubernetes#issuer) to the same value as
`kube-apiserver`'s `--service-account-issuer` flag. This is because the service
Expand Down
4 changes: 3 additions & 1 deletion website/content/docs/platform/k8s/csi/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,9 @@ account provided to pods if no service account is defined.

### Setting `issuer` for Kubernetes authentication

You will likely need to set [`issuer`](/api-docs/auth/kubernetes#issuer) when
-> **Deprecated:** The `issuer` parameter has been deprecated as of Vault 1.9 and will be removed in a future release.

If running Vault prior to version 1.9, you will likely need to set [`issuer`](/api-docs/auth/kubernetes#issuer) when
configuring Kubernetes authentication for the Vault CSI Provider.
Vault CSI Provider does not use the default token associated with service accounts.
Instead, it creates a token with a short TTL whose lifetime is also bound to the
Expand Down

0 comments on commit bd09f70

Please sign in to comment.