Include Vault hostname as default JWT audiences

[terinjokes]

When cert-manager added support for serviceAccountRef in #5502 a decision was made to set the audience to the form of "vault://[<namespace>/]<issuer>" when creating tokens for Vault. This was later extended in #6666 to allow the user to specify additional audiences.

However, this default audience pairs poorly with Vault. The JWT authentication configuration in Vault defines the bound_audiences, which is static and cannot contain dynamic entries. As of Vault 1.17, released after the serviceAccountRef support was added to cert-manager, if bound_audiences is not set, but the JWT contains audiences (which describes all requests from cert-manager), the authentication attempt is forbidden. This makes it difficult for us to use cert-manager with Vault's JWT authentication.

I'm proposing a change to add the Vault hostname (as specified in .spec.vault.server) as one of the default audiences. This retains the per-issuer audience for the use cases that require it, while giving the operators of Vault an audience that isn't dynamic to bind a generic role to. It also allows us to switch to JWT authentication in Vault without requiring changes to every issuer.

Is this a patch the cert-manager project would be interested in accepting upstream?

/kind feature

[maelvls]

Since you are using bound_audiences, I imagine you are using the OIDC/JWT auth method in Vault. It seems like the Kubernetes auth's audience and the OIDC/JWT's bound_audiences behave differently...

• When OIDC/JWT's bound_audiences is omitted but the JWT contains an audience, it will fail.
• When Kubernetes' audience is omitted but the JWT contains an audience, it will succeed.

I wasn't aware of this behavior...

Could you use the Issuer field audiences to add a static audience such as vault, and then configure bound_audiences with vault?

[terinjokes]

I imagine you are using the OIDC/JWT auth method in Vault.

For operational reasons we need to move from the Vault's Kubernetes authentication method to the OIDC/JWT authentication method.

We already have a large number of Issuers deployed by a large number of teams, and we want to make this as seemless as possible.

Could you use the Issuer field audiences to add a static audience such as vault, and then configure bound_audiences with vault?

This works with the JWT auth method. However, I believe the default behavior of cert-manager should include the server the token is for as the audience, as is common with OIDC/JWT. My proposal and patch would not remove the existing vault://[<namespace>/]<issuer> audience.

[erikgb]

We already have a large number of Issuers deployed by a large number of teams, and we want to make this as seemless as possible.

But all the issuers need to change when migrating from the Kubernetes auth to the OIDC/JWT auth, right?

However, I believe the default behavior of cert-manager should include the server the token is for as the audience, as is common with OIDC/JWT.

How would your proposed new default audience value look like, given it's accessing Vault on the hostname secrets.example.com?

[terinjokes]

But all the issuers need to change when migrating from the Kubernetes auth to the OIDC/JWT auth, right?

No, the authentication mount on Vault is being replaced.

How would your proposed new default audience value look like, given it's accessing Vault on the hostname secrets.example.com?

"aud": ["vault://default/example-issuer", "https://secrets.example.com"]

[erikgb]

Thanks! I personally support your suggestion @terinjokes , and think the current "issuer-bound" default audience should be deprecated and eventually removed. WDYT, @maelvls?

[maelvls]

I like the idea, it seems to be a reasonable improvement. I'm in favor of it.

think the current "issuer-bound" default audience should be deprecated and eventually removed

Seems like an unnecessary breakage. I'd rather remove the documentation that talks about this issuer-bound audience (that was super confusing) and instead replace it with a simple fixed audience like vault.

I'd rather keep it as removing it would be another unnecessary breaking change. On top of that, this audience is somewhat valuable (at least to me) as it tells me from which cert-manager issuer the JWT has been issued with. But that's not really a good use-case: the actual reason for not removing it is to avoid an unnecessary breaking change.

[terinjokes]

Great, I'll work on making my patch upstreamable.

[terinjokes]

think the current "issuer-bound" default audience should be deprecated and eventually removed

This proposal does make one of the default audiences the server in .spec.vault.server. This would handle the "using a URL pointing to a malicious server" risk identified in #5502, if Vault is using the Kubernetes authentication method with audiences set or the OIDC/JWT method.

Should we split this discussion out to a separate issue?

[maelvls]

think the current "issuer-bound" default audience should be deprecated and eventually removed

Yes, let's move this to a separate discussion as I'm not in favor of breaking existing users of the issuer-bound audience.

[wallrj-cyberark]

📢 The fix or feature is now available for testing in an alpha release

• https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0-alpha.1

Please test and report back.