Vault: document the new field "serviceAccountRef" #1081
wallrj left a comment:
Nice start to the documentation for this feature, but please add some narrative and some links to Hashicorp Vault documentation explaining how this style of authentication works.
Shouldn't we also explain how to configure vault for this authentication (both for in-cluster vault and out-of-cluster vault installations) or is that explained elsewhere in this document?
Also please rebase this onto the release-next branch, adding a release note to go with it.
content/docs/configuration/vault.md (outdated):
> Using the field `serviceAccountRef` instead of `secretRef`, you can let
> cert-manager request ephemeral tokens.
I think you should elaborate more on what it means to "request ephemeral tokens".
For example: https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#managed-identity-using-aad-workload-identity
I added a paragraph on "request ephemeral tokens". Hopefully it makes more sense now.
content/docs/configuration/vault.md (outdated):
```yaml
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: vault-issuer
```
Add a note about Issuer vs ClusterIssuer and how Issuer can only refer to a ServiceAccount in the same namespace while ClusterIssuer must refer to a ServiceAccount in the --cluster-scoped namespace.
Thanks. I added the following:
> Issuer vs. ClusterIssuer: With an Issuer resource, you can only refer to a
> service account located in the same namespace as the Issuer. With a
> ClusterIssuer, the service account must be located in the namespace that is
> configured by the flag `--cluster-resource-namespace`.
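As an added example, not code from this PR or from the cert-manager documentation it edits, here are the Kubernetes-side objects for a Vault Issuer that authenticates with `serviceAccountRef`, with the Vault-side role shown as a comment. The namespace `sandbox`, the Vault address, the PKI path, the Vault role name, the `pki-example` policy, the `ttl`, and the cert-manager controller's ServiceAccount name and namespace are assumptions. The RBAC rule reflects that cert-manager obtains the token through the Kubernetes TokenRequest API rather than reading a long-lived token from a Secret; the audience convention in the Vault comment is assumed from cert-manager's implementation of this feature and should be verified against the documentation for your version.

```yaml
# Added example, not from the PR or the cert-manager docs. Assumed names:
# namespace "sandbox", ServiceAccount/Issuer "vault-issuer", Vault role
# "vault-issuer", Vault at https://vault.example.com, PKI path pki/sign/example,
# cert-manager controller ServiceAccount "cert-manager" in namespace "cert-manager".

# The ServiceAccount whose short-lived tokens cert-manager will request.
# No token Secret is created for it; nothing long-lived is stored.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-issuer
  namespace: sandbox
---
# cert-manager calls the TokenRequest API for this ServiceAccount, so its own
# ServiceAccount needs "create" on serviceaccounts/token, scoped by
# resourceNames to exactly this ServiceAccount and to this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vault-issuer
  namespace: sandbox
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    resourceNames: ["vault-issuer"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-issuer
  namespace: sandbox
subjects:
  - kind: ServiceAccount
    name: cert-manager          # assumed: the cert-manager controller's ServiceAccount
    namespace: cert-manager     # assumed: the namespace cert-manager runs in
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vault-issuer
---
# serviceAccountRef replaces secretRef. For an Issuer the ServiceAccount must be in
# the Issuer's own namespace; for a ClusterIssuer it must be in the namespace
# given by --cluster-resource-namespace.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: sandbox
spec:
  vault:
    server: https://vault.example.com   # assumed
    path: pki/sign/example              # assumed
    auth:
      kubernetes:
        role: vault-issuer              # assumed Vault role name
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: vault-issuer
# Vault side (assumed; run once by the Vault admin). The role binds the login to
# this ServiceAccount name and namespace, so a token minted for any other
# ServiceAccount is rejected. The audience must match what cert-manager sets in
# the requested token: vault://<namespace>/<issuer-name> for an Issuer and
# vault://<cluster-issuer-name> for a ClusterIssuer (assumed from cert-manager's
# implementation of this feature; verify for your version).
#
#   vault write auth/kubernetes/role/vault-issuer \
#     bound_service_account_names=vault-issuer \
#     bound_service_account_namespaces=sandbox \
#     audience="vault://sandbox/vault-issuer" \
#     token_policies=pki-example \
#     ttl=1m
```

With a ClusterIssuer the only changes are `kind: ClusterIssuer`, no `metadata.namespace`, and moving the ServiceAccount, Role and RoleBinding into the `--cluster-resource-namespace` namespace (and updating `bound_service_account_namespaces` and the audience on the Vault role accordingly).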
The only documentation that exists in the page is the
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Richard Wall <wallrj@users.noreply.github.com> Signed-off-by: Maël Valais <mael@vls.dev>
I addressed the comments and have added a paragraph to the release-notes-1.12.md page. Please take another look.
package.json (outdated):
| "export": "next export", | ||
| "start": "next start", | ||
| "check": "concurrently --group --timings npm:check:* # Run all the npm check:* scripts in parallel", | ||
| "check": "npm exec concurrently -y -- --group --timings npm:check:* # Run all the npm check:* scripts in parallel", |
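Review bot: the `npm exec concurrently -y --` form on the replacement `"check"` line changes the failure mode of the script rather than fixing anything: `-y` (`--yes`) tells `npm exec` to install `concurrently` on demand if it is not already present, so running `./scripts/verify` without a prior `npm ci`/`npm i` is masked by a network fetch at run time instead of failing with "command not found". Because `npm run` already puts `node_modules/.bin` on `PATH`, the original `"check": "concurrently --group --timings npm:check:* ..."` is both sufficient and the safer choice, since it only ever executes the version pinned by the lockfile; prefer reverting this line and keeping the dependency install step explicit.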
What's the reason for this change?
All the npm installed executables are installed in .node_modules/.bin by npm ci and are in PATH when these npm run scripts are run, so why do you add the npm exec ... -y here?
If the documentation in https://github.com/cert-manager/website#website-development-tooling is wrong, we should fix that.
…ool" This reverts commit c399aae. I mistakenly forgot to run "npm i" before running ./scripts/verify. Signed-off-by: Maël Valais <mael@vls.dev>
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: maelvls, wallrj.
The feature itself is being developed in cert-manager/cert-manager#4524 and cert-manager/cert-manager#5502.