The vault issuer can now be given a serviceAccountRef instead of relying on static service account tokens

[maelvls]

Documentation: https://release-next--cert-manager-website.netlify.app/docs/configuration/vault/#authenticating-with-kubernetes-service-accounts
🌟 The solution that this PR implements Proposed solution: cert-manager requests a token using the Token Request API

tl;dr: With the new serviceAccountRef field available in cert-manager 1.12 and above, cert-manager doesn't requests the token on behalf of the pod in order to authenticate with Vault. Thanks to serviceAccountRef, the Vault issuer will stop relying on insecure static tokens, and use short-lived tokens instead.

apiVersion: cert-manager.io/v1
kind: Issuer
spec:
  vault:
    path: pki/sign/vault-issuer
    server: http://vault.default.svc.cluster.local:8200
    auth:
      kubernetes:
        role: vault-issuer
        mountPath: /v1/auth/kubernetes
        serviceAccount:
          name: vault-issuer     # ✨

The expiration duration and the audience aren't configurable by the user:

• The audience is generated by cert-manager to prevent a malicious user from creating a second issuer with the intent of reusing the existing service account. The format is:

  "vault://<namespace>/<issuer-name>"   (for an Issuer)
  "vault://<issuer-name>"               (for a ClusterIssuer)
  

  Note that this extra security isn't mandatory. You can very well configure the role with an empty audience. That said, we recommend that you use the audience field, e.g.:

  vault write auth/kubernetes/role/vault-issuer \
      bound_service_account_names=vault-issuer \
      bound_service_account_namespaces=default \
      audience="vault://default/vault-issuer" \
      policies=vault-issuer \
      ttl=1m

  Alternative solution considered: we considered using a hard-coded vault audience, but that did not allow to prevent the "Risk 1" (see below table). The UX would have been better, and would correspond to what people expect from an audience (i.e., the audience should be commanded by Vault to cert-manager, not the other way around). But since this is an extra level of security (extra because Vault won't check the audience by default), it should not affect the UX much.

  Risk A	Risk B
  Remediation: Restrict Issuer in Vault Role: Include the issuer name and namespace to the JWT and configure Vault to only accept that issuer name and namespace. For example, use vault://namespace-1/issuer-1 as the audience. URL lock down: Using RBACs, make sure the Issuer and ClusterIssuer can only be edited by administrators. That should prevent the possibility of an actor using a URL pointing to a malicious server.	Remediation: Audience lock down: Use a hardcoded audience such as `vault`, or a hardcoded prefix such as `vault-*`. Forbid sensitive audiences: Refuse the cluster's audience like https://kubernetes.default.svc.cluster.local. URL lock down: Using RBACs, make sure the Issuer and ClusterIssuer can only be edited by administrators. That should prevent the possibility of an actor using a URL pointing to a malicious server. One SA per external service: Enforce that each service account is only ever linked to a single external service. E.g., one service account for Vault, one for GCP, one for AWS. Least privileges: Enforce that the service account attached to that JWT doesn't have any privileges.

  • The expiration duration for the Kubernetes tokens is hard-coded to 10 minutes (that's the minimum accepted). The expiration duration for the Vault tokens is 1 minute. The expiration duration is set to 10 minute because the Kubernetes token will be immediately discarded after authenticating with Vault. No token rotation is done; instead, a new Kubernetes token is requested on every call to Vault. We have discussed this multiple times, and it seems OK as a first iteration.
  • POSSIBLE BREAKING CHANGE: There is now webhook-side validation for the vault.auth field in the Issuer and ClusterIssuer. Previously, the validation was only performed "controller-side". People were able to create a faulty Issuer or ClusterIssuer, and they won't be able anymore. I made sure that the new validation is looser or equal to the existing controller-side validation so that Issuers and ClusterIssuers that were working previously are still working now.

  Work

  • Unit test ("if kubernetes.serviceAccountRef set, request token and exchange it for a vault token"),
  • End-to-end test:

    make e2e GINKGO_FOCUS=".*should be ready with a valid serviceAccountRef"`)

  • Documentation on the website (Vault: document the new field "serviceAccountRef" website#1081)
  • I manually tested the feature on these environments: kind cluster (Kubernetes 1.21) with an internal Vault running as a deployment.
  • Webhook-side validation (eg only one of [secretRef, serviceAccountRef] can be used).
  • Controller-side validation.

  If you want to test this feature, here are the steps:

   make -j e2e-setup-certmanager
  helm upgrade --install vault hashicorp/vault --set server.dev.enabled=true --set server.logLevel=debug --set global.tlsDisable=true --wait
  kubectl wait --for=condition=Ready pod vault-0
  
  kubectl exec vault-0 -i -- vault secrets enable pki
  kubectl exec vault-0 -i -- vault secrets tune -max-lease-ttl=175200h pki
  kubectl exec vault-0 -i -- vault write pki/root/generate/internal common_name=example.com key_type=ec key_bits=256 ttl=175200h
  kubectl exec vault-0 -i -- vault write pki/config/urls \
      issuing_certificates="http://vault.default:8200/v1/pki/ca" \
      url_distribution_points="http://vault.default:8200/v1/pki/crl"
  kubectl exec vault-0 -i -- vault write pki/roles/vault-issuer allowed_domains=cluster.local allow_subdomains=true max_ttl=48h key_type=ec key_bits=256
  
  kubectl exec vault-0 -i -- vault auth enable kubernetes
  kubectl exec vault-0 -i -- sh -c 'vault write auth/kubernetes/config \
     token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
     kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
     kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
     issuer=https://kubernetes.default.svc.cluster.local'
  
  kubectl exec vault-0 -i -- vault policy write vault-issuer - <<EOF
  path "pki*"                 { capabilities = ["read", "list"] }
  path "pki/roles/vault-issuer"   { capabilities = ["create", "update"] }
  path "pki/sign/vault-issuer"    { capabilities = ["create", "update"] }
  path "pki/issue/vault-issuer"   { capabilities = ["create"] }
  EOF
  kubectl exec vault-0 -i -- vault write auth/kubernetes/role/vault-issuer \
     bound_service_account_names=vault-issuer \
     bound_service_account_namespaces=default \
     audience=vault://default/vault-issuer \
     policies=vault-issuer \
     ttl=1m

  Then, create an issuer and a certificate:

  kubectl apply -f- <<EOF
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: vault-issuer
    namespace: default
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: vault-issuer
    namespace: default
  rules:
    - apiGroups: ['']
      resources: ['serviceaccounts/token']
      resourceNames: ['vault-issuer']
      verbs: ['create']
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: vault-issuer
    namespace: default
  subjects:
    - kind: ServiceAccount
      name: cert-manager
      namespace: cert-manager
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: vault-issuer
  ---
  apiVersion: cert-manager.io/v1
  kind: Issuer
  metadata:
    name: vault-issuer
    namespace: default
  spec:
    vault:
      path: pki/sign/vault-issuer
      server: http://vault.default.svc.cluster.local:8200
      auth:
        kubernetes:
          role: vault-issuer
          mountPath: /v1/auth/kubernetes
          serviceAccountRef:
            name: vault-issuer # ✨
  ---
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: example-com
  spec:
    secretName: example-com-tls
    issuerRef:
      name: vault-issuer
    commonName: example.cluster.local
    dnsNames:
    - example.cluster.local
    privateKey:
      algorithm: ECDSA
  EOF

  If you want to run the new e2e locally:

  make -j e2e-setup-certmanager e2e-setup-vault
  make e2e GINKGO_FOCUS=".*should be ready with a valid serviceAccountRef"

  /kind feature
  /area vault

  The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`.
  

[maelvls]

Update: last Friday, I worked on the end-to-end tests, and it now works! (cf. #5604) I also started the unit tests, but that will require another day of work. I'll plan another day of work soon.

[inteon]

Thank you for all the work you put into this PR
/lgtm
/approve

Please unhold when you agree that this PR can be merged.
/hold

Documentation for this feature will be added here: cert-manager/website#1081

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon, maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [inteon,maelvls]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[maelvls]

/unhold

[maelvls]

Udpate: We just released v1.12.0-alpha.0 with the serviceAccountRef feature! I am particularly eager to hear your feedback.

More specifically, I am unsure about the decision of using an "auto-generated" audience. The consequence is that you need to create one Vault role per Issuer. You can't re-use the same Issuer or ClusterIssuer for a given Vault role. For example, I'll have to create the following role for my Issuer vault-issuer that is located in the namespace sandbox:

vault write auth/kubernetes/role/vault-issuer \
    bound_service_account_names=vault-issuer-sa \
    bound_service_account_namespaces=sandbox \
    audience="vault://sandbox/vault-issuer" \
    policies=vault-issuer

I cannot re-use this one Vault role with multiple Issuers or ClusterIssuers. If I have another team that needs a different ClusterIssuer, I will have to create another Vault role.

My assumption is that people will default to not using any audience (which means less security) so that they can re-use the same service account and Vault role in multiple Issuers or ClusterIssuers. For example, the following role omits audience, which means that Vault won't check the audience, which means the same Vault role can be used in multiple Issuers or ClusterIssuers:

vault write auth/kubernetes/role/vault-issuer \
    bound_service_account_names=team-1-sa \
    bound_service_account_namespaces=sandbox \
    policies=vault-issuer

If most people was to do this, it might be preferable that we switch to a hardcoded audience such as audience=vault.

[TheFutonEng]

@maelvls , without this feature, are users required to deploy both Vault and Cert-Manager in the default namespace together? Is there a supported posture where they can be in their own namespaces? I've been trying separate namespaces for a while without success and the crux of the issue I am running into seems to be the ClusterIssuer is unable to read the service account token (there's no place in the ClusterIssuer definition to declare the namespace where the token lives).

[maelvls]

Without this feature, are users required to deploy both Vault and cert-Manager in the default namespace together? [...] ClusterIssuer is unable to read the service account token.

You are correct, there is no way to specify the "service account lookup namespace" used for Vault in a ClusterIssuer. The "service account lookup namespace" is conflated with the "namespace in which resources get created" and grouped under the global flag --cluster-resource-namespace. That's a bit unfortunate, I agree 😬

[paulcostinean]

The generated audience claim in the token works really well for a deployment with multiple issuers and separate roles. The hardcoded one could be added in case people want to share the same vault role. Both sound sensible. jwt supports an array in the audience claim.

A small nit about this PR: I found that cert-manager needs a create permission on serviceaccounts/token for this to work (in the namespace cert-manager is deployed in)

[Garagoth]

I am having issues with audience in JWT - more details in #6150
Basically kube-api complains that "vault://vault-issuer" is not a proper audience and rejects authentication.