Vault issuer with Kubernetes auth: claim "iss" is invalid due to the use of default service account tokens #4144
Description
🚧 Update 29 July 2022 🚧 If you are seeing the message `claim "iss" is invalid`, the workaround is to disable `iss` validation in Vault as explained in Problem 3: Incoherent iss.
In Kubernetes v1.20+, kube-apiserver requires the flag `--service-account-issuer` to be a URI (see documentation).
When I deployed the Vault Issuer with Helm, I got the following error from the Vault login API:

```
claim "iss" is invalid
```
I found in [vault.go](https://github.com/jetstack/cert-manager/blob/master/pkg/internal/vault/vault.go#L313-L315) that cert-manager sends the JWT token as is, but Vault expects a JWT with an issuer equal to the value of the flag `--service-account-issuer`.
For example, when kube-apiserver is running with the flag:

```
--service-account-issuer=https://kubernetes.default.svc.cluster.local
```

then the JWT token used by cert-manager in the Vault issuer should have a payload that looks like this:

```json
{
  "iss": "https://kubernetes.default.svc.cluster.local"
}
```

Instead of this, the JWT token looks like this:

```json
{
  "iss": "kubernetes/serviceaccount"
}
```

My current workaround is to disable JWT Issuer Validation in my PKI config in Vault.
Steps to reproduce the bug:

1. Use the latest version of Kubernetes.
2. Define `service-account-issuer` in the kube-apiserver config.
3. Set up the Vault issuer with this doc.
4. Use the latest Vault and create a PKI with JWT Issuer Validation enabled.
5. Try to create a Vault issuer.
Environment details:
- Kubernetes version: v1.21.0
- cert-manager version: v1.4.0
- Install method: e.g. helm
/kind bug
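The check that fails in this report is Vault comparing the token's `iss` claim with the issuer it has been configured to expect. The script below is an added example, not code from cert-manager or Vault: it decodes a service-account JWT's payload (without verifying the signature, so it is a debugging aid only) and performs the same issuer comparison, so you can see before configuring Vault whether the token cert-manager will send carries `kubernetes/serviceaccount` (the legacy Secret-based token from the report) or the URI set in `--service-account-issuer`. The two tokens, the service-account name `issuer-sa`, and the `exp`/`aud` values are constructed for the demonstration; the assumption that a TokenRequest/projected token carries the configured issuer reflects kube-apiserver behaviour, not anything cert-manager does.

```python
"""Decode a Kubernetes service-account JWT and check its "iss" claim against
the issuer kube-apiserver is configured with (--service-account-issuer).

This mirrors the comparison Vault's Kubernetes auth method makes when issuer
validation is enabled. It does NOT verify the signature and must not be used
as authentication; it only explains why Vault answers 'claim "iss" is invalid'.
Example code for this issue, not part of cert-manager or Vault.
"""
import base64
import json
from typing import Dict, Tuple

# Issuer configured on kube-apiserver in the report (--service-account-issuer).
EXPECTED_ISSUER = "https://kubernetes.default.svc.cluster.local"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> Dict:
    """Return the payload of a compact JWS (header.payload.signature) as a dict."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_issuer(token: str, expected_issuer: str = EXPECTED_ISSUER) -> Tuple[bool, str]:
    """Compare the token's iss claim with the expected issuer; returns (ok, detail)."""
    iss = jwt_claims(token).get("iss")
    if iss is None:
        return False, 'claim "iss" is missing'
    if iss != expected_issuer:
        return False, f'claim "iss" is invalid: got {iss!r}, expected {expected_issuer!r}'
    return True, f'claim "iss" matches {expected_issuer!r}'


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed token with the given claims, for demonstration only.
    Real tokens are signed by kube-apiserver; the signature here is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens (not captured from a cluster).
# 1) Legacy token stored in a Secret: iss is the fixed string from the report.
LEGACY_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "cert-manager",
    "kubernetes.io/serviceaccount/service-account.name": "issuer-sa",
    "sub": "system:serviceaccount:cert-manager:issuer-sa",
})
# 2) TokenRequest / projected token: iss is the configured --service-account-issuer URI.
PROJECTED_TOKEN = make_unsigned_token({
    "iss": EXPECTED_ISSUER,
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "sub": "system:serviceaccount:cert-manager:issuer-sa",
    "exp": 1700000000,
})

if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY_TOKEN), ("projected", PROJECTED_TOKEN)):
        ok, detail = check_issuer(tok)
        print(f"{name}: {'OK' if ok else 'REJECT'}: {detail}")
```

To run the check against a real token from the Secret-based flow in the report, pass the decoded value of the Secret's `token` field (`kubectl get secret <name> -o jsonpath='{.data.token}' | base64 -d`) to `check_issuer`. A `REJECT` with `kubernetes/serviceaccount` is exactly the condition the workaround above (disabling `iss` validation in Vault) papers over; the mismatch itself comes from the token, not from cert-manager.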