(Cluster)Issuer with vault auth and serviceAccountRef is not accepted by cluster due to audience

[Garagoth]

I have kubernetes 1.25, cert-manager 1.12.1, external Vault 1.12 and I am trying to use new feature from cert-manager 1.12: kubernetes auth in Vault without reviewer token.
I followed documentation how to set this up (https://cert-manager.io/docs/configuration/vault/#secretless-authentication-with-a-service-account).

I have ClusterIssuer named vault-issuer and service account name created named cert-manager-vault.
I created all RoleBindings just as in documentation.
Also, I added ClusterRole auth-delegator to cert-manager-vault so it can work without reviewer token configured in Vault. (https://developer.hashicorp.com/vault/docs/auth/kubernetes#use-the-vault-client-s-jwt-as-the-reviewer-jwt)

I am having following errors:

ClusterIssuer: Error initializing issuer: while requesting a Vault token using the Kubernetes auth: error calling Vault server: Error making API request. Code: 403. Errors: * permission denied

So, I captured request to Vault, decoded token, looks fine, maybe except "aud" field, but still this is fine according to docs.
Looks like Vault is trying to call back kubernetes API, lets see:

kube-api: [authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, token audiences ["vault://vault-issuer"] is invalid for the target audiences ["https://kubernetes.default.svc.cluster.my.domain"]]"

And here I am stuck. How to fix this?
By the way, I got same setup working for external-secrets project (https://external-secrets.io/v0.8.3/provider/hashicorp-vault/#kubernetes-authentication) - but there in jwt "aud" field is set to "https://kubernetes.default.svc.cluster.my.domain/" so kube-api accepts it and validates.

I think both Vault validation of audience and API validation could be satisfied if there were two audiences in JWT token:

• vault://namespace/issuer (this is for Vault to validate)
• https://kubernetes.default.svc.cluster.my.domain/ (this is for API to validate).

JWT tokens have "aud" as array, so both would fit.
kube-api docs state that only one of audiences must match cluster audience to be OK.
Not sure how Vault validates this though, but I suspect that only one from list is sufficient as well to pass validation.

@maelvls would this work?

My vault auth config:

    disable_iss_validation:        True
    disable_local_ca_jwt:        False
    issuer:
    kubernetes_ca_cert:
        -----BEGIN CERTIFICATE-----
        (...)
        -----END CERTIFICATE-----
    kubernetes_host:        https://kubernetes.default.svc.cluster.my.domain
    pem_keys: []

Cluster issuer config:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
  namespace: cert-manager
spec:
  vault:
    server: http://active.vault.service.my.domain:8200
    caBundle: 
    path: pki_int/sign/platform.role
    auth:
      # https://cert-manager.io/docs/configuration/vault/#secretless-authentication-with-a-service-account
      kubernetes:
        role: "k8s-cert-manager-role"
        mountPath: "/v1/auth/k8s-sd"
        serviceAccountRef:
          name: "cert-manager-vault"

[inteon]

@maelvls

[inteon]

@Garagoth could you provide some information explaining why you cannot use https://developer.hashicorp.com/vault/docs/auth/kubernetes#use-local-service-account-token-as-the-reviewer-jwt?

[Garagoth]

Because my Vault is NOT running as a pod in my cluster, it is an external installation.

[duizabojul]

Same issue here, I'm running a vault in a cluster and i try to configure an issuer in another cluster. It is working if I run a fork of cert-manager where I add https://kubernetes.default.svc in audience array.

[Karandash8]

Was fighting with it for the last few days. You can set an additional audience on your kube-apserver. Something like
--api-audiences=https://kubernetes.default.svc.cluster.my.domain,vault://vault-issuer
then it works. It is super inflexible (forget about wildcards, etc., only the exact match) but at least it works.

[Garagoth]

Yes, you can set api audiences - but adding kube-api command line parameters and restarting api every time someone adds new Issuer is, as @Karandash8 wrote, "super inflexible".

[megakid]

I am also struggling with this. Is there a workaround other than customizing my kube-api command?

In the meantime I've reverted to the long lived token approach and not specifying audience on the Vault side which works fine.

[tetofonta]

In my opinion the solution is that cert-manager may add one other audience which will remain static in every token in order to configure it in the api audiences like this answer.
e.g. cert manager may use two audiences like vault://<namespace>/<issuer> and cert-manager.io/jwt where the second one is in the --api-audiences and does not change for other issuers.

I don't know if this is possible, of course this my opinion and it's just an idea, but I think it may solve some problems. I'd like to hear some security considerations about this. When i'll have some time, I'll start preparing a PR.

[inteon]

I'm moving this issue to the milestone of 1.14, we haven't been able to spend enough time investigating this.