Update k8s auth docs for new parameter #9992
Adds info about the disable_local_ca_jwt parameter.
catsby
left a comment
I made a suggestion and asked a clarifying question. I believe we discussed this last week, so please forgive me if I'm asking you to repeat yourself; I just remember this slightly differently than the documentation says here.
| If they aren't specified, Vault will use the local CA cert and service account | ||
| JWT for the `kubernetes_ca_cert` and `token_reviewer_jwt` parameters, | ||
| respectively, when running in a Kubernetes pod. This behavior may be disabled by | ||
| setting `disable_local_ca_jwt` to `true`. |
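Review bot: The closing sentence of this paragraph says the default can be turned off with `disable_local_ca_jwt` but not what the operator must then supply. Per the reply in this thread, state here that when it is `true`, either `kubernetes_ca_cert` or `pem_keys` has to be specified and `token_reviewer_jwt` stays optional, so a reader who disables the default knows which parameters become required.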
If users set this to true, do they then also need to specify kubernetes_ca_cert and token_reviewer_jwt as well?
If they set disable_local_ca_jwt to true, then either kubernetes_ca_cert or pem_keys needs to be specified as well. token_reviewer_jwt is optional.
I'm not sure if it helped, but I tried to elaborate a little more in 7fe90f0.
Co-authored-by: Clint <catsby@users.noreply.github.com>
|
|
||
| ### Caveats | ||
|
|
||
| Either `kubernetes_ca_cert` or `pem_keys` must be set. |
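Review bot: The sentence under Caveats reads as unconditional, while the configuration text in this same change says Vault uses the local CA cert by default when running in a Kubernetes pod. Qualify it with when it applies, for example when `disable_local_ca_jwt` is `true`, so the two statements do not contradict each other.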
This is dependent on the value from disable_local_ca_jwt?
Adds info about the disable_local_ca_jwt parameter. Co-authored-by: Clint <catsby@users.noreply.github.com>
…) (hashicorp#9993)
* go: bump .go-version to 1.25.2
* go: handle changes to net/url parsing enforcement in Go 1.25.2
The fixes for CVE-2025-47912 (https://go.dev/issue/75678) change behavior when parsing invalid IPv4 addresses. Update the test for these changes.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Adds info about the disable_local_ca_jwt parameter added in hashicorp/vault-plugin-auth-kubernetes#97
To be deployed with 1.5.4.