docs make kubernetes_ca_cert optional on kubernetes auth #25963
Conversation
github-actions
bot
added
the
hashicorp-contributed-pr
thyton
added
docs
pr/no-changelog
pr/no-milestone
and removed
hashicorp-contributed-pr
|
CI Results: |
|
Build Results: |
peteski22
added
the
hashicorp-contributed-pr
|
|
||
| When Vault is running in a non-Kubernetes environment, either | ||
| `kubernetes_ca_cert` or `pem_keys` must be set by the user. | ||
| If this behavior is disabled by setting `disable_local_ca_jwt` to `true`, |
There was a problem hiding this comment.
Which behavior are you referring to?
There was a problem hiding this comment.
I'm referring to the behavior of kubernetes_ca_cert defaulting to the local CA cert if Vault is running a Kubernetes pod from the previous paragraph.
vault/website/content/api-docs/auth/kubernetes.mdx
Lines 67 to 70 in 77142a9
I can reiterate to make it clearer here. Let me know your thought.
| If this behavior is disabled by setting `disable_local_ca_jwt` to `true`, | |
| If `kubernetes_ca_cert` defaulting to the local CA cert is disabled by setting `disable_local_ca_jwt` to `true`, |
…tes-ca-cert-optional
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
| - `kubernetes_ca_cert` `(string: "")` - Optional PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. | ||
| NOTE: Every line must end with a newline: `\n` |
There was a problem hiding this comment.
| - `kubernetes_ca_cert` `(string: "")` - Optional PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. | |
| NOTE: Every line must end with a newline: `\n` | |
| - `kubernetes_ca_cert` `(string: "")` - Optional PEM encoded CA cert. The TLS | |
| client can use the cert to talk with the Kubernetes API. **Every line in the | |
| cert file must end with a newline character (`\n`) rather than a carriage | |
| return (`\r`)**. |
Added an assumed clarification re: newline vs carriage return, but it prompted a question: do we read CRLF as ending in a newline (\r\n)? Or must it be explicitly LF (\n)?
Style correction: active voice
There was a problem hiding this comment.
I've tested locally. Ending each line in kubernetes_ca_cert with \r\n fails vault-plugin-auth-kubernetes unit tests. Therefore, it must be explicitly LF \n.
Wondering if we should preserve the old NOTE's content and drop "rather than a carriage return (\r)" for simplicity.
| If not set, the local CA cert will be used if running in a Kubernetes pod. | ||
| If not set and `disable_local_ca_jwt` set to true, the system's trust store will be used. |
There was a problem hiding this comment.
| If not set and `disable_local_ca_jwt` set to true, the system's trust store will be used. | |
| If `kubernetes_ca_cert` is unset and `disable_local_ca_jwt` is `true`, Vault uses the Kubernetes trust store. |
What is "the system" in "the system's trust store"? Is it Vault or Kubernetes? (I made an entirely uninformed guess for the sake of editing to provide an example of what I would suggest)
There was a problem hiding this comment.
"the system" here is:
- the operating system if Vault is running on a machine
- the container operating system if Vault is running in a container
There was a problem hiding this comment.
Is it Vault or Kubernetes?
Vault (specifically, the TLS client of the Vault plugin) will use the system's trust store for certificate verification.
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
…-optional' of github.com:hashicorp/vault into VAULT-1729-docs-auth-kubernetes-make-kubernetes-ca-cert-optional
|
Thank you both for the suggestions! |
…-optional' of github.com:hashicorp/vault into VAULT-1729-docs-auth-kubernetes-make-kubernetes-ca-cert-optional
thyton
deleted the
VAULT-1729-docs-auth-kubernetes-make-kubernetes-ca-cert-optional
branch
update kubernetes auth docs and api-docs to indicate
kubernetes_ca_certis not provided anddisable_local_ca_jwtis true if running Vault in a Kubernetes pod.