diff --git a/website/content/api-docs/auth/kubernetes.mdx b/website/content/api-docs/auth/kubernetes.mdx index 5613345d73c2..76e8bdc89ece 100644 --- a/website/content/api-docs/auth/kubernetes.mdx +++ b/website/content/api-docs/auth/kubernetes.mdx @@ -37,11 +37,17 @@ access the Kubernetes API. JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. -- `issuer` `(string: "")` - Optional JWT issuer. If no issuer is specified, then this plugin will - use `kubernetes/serviceaccount` as the default issuer. See [these instructions](/docs/platform/k8s/csi#setting-issuer-for-kubernetes-authentication) for looking up the issuer for a given Kubernetes cluster. -- `disable_iss_validation` `(bool: false)` - Disable JWT issuer validation. Allows to skip ISS validation. - `disable_local_ca_jwt` `(bool: false)` - Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. +### Deprecated Parameters + +-> The following fields have been deprecated and will be removed in a future release: + +- `disable_iss_validation` `(bool: true)` **Deprecated** Disable JWT issuer validation. Allows to skip ISS validation. + +- `issuer` `(string: "")` **Deprecated** Optional JWT issuer. If no issuer is specified, then this plugin will use `kubernetes/serviceaccount` as the default issuer. +See [these instructions](/docs/auth/kubernetes#discovering-the-service-account-issuer) for looking up the issuer for a given Kubernetes cluster. + ### Caveats If Vault is running in a Kubernetes Pod, the `kubernetes_ca_cert` and @@ -97,7 +103,6 @@ $ curl \ "kubernetes_host": "https://192.168.99.100:8443", "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----", "pem_keys": ["-----BEGIN CERTIFICATE-----.....", .....], - "disable_iss_validation": false, "disable_local_ca_jwt": false } } 
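Review bot: in the `@@ -37,11 +37,17 @@` hunk the default for `disable_iss_validation` changes from `(bool: false)` to `(bool: true)` as the field is moved under "Deprecated Parameters", but the callout only says the fields "will be removed in a future release". A default flip is a behavior change, not just a deprecation, and the note should say so and name the version, matching the "deprecated as of Vault 1.9" wording the other two files in this patch use, for example: "As of Vault 1.9 `disable_iss_validation` defaults to `true`, so the JWT `iss` claim is no longer checked unless you set it to `false`." While here, "Allows to skip ISS validation." is ungrammatical and repeats the preceding sentence; "Skips validation of the JWT `iss` claim." would do.

Review bot: in the `@@ -97,7 +103,6 @@` hunk the sample request drops `"disable_iss_validation": false` without comment; with the default now `true`, an operator who copies this example and still relies on issuer validation gets different behavior than before this change. Either keep the line in the example or add a sentence under the deprecation callout stating that issuer validation must now be opted into explicitly with `"disable_iss_validation": false`.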
diff --git a/website/content/docs/auth/kubernetes.mdx b/website/content/docs/auth/kubernetes.mdx index 3f273f81ab02..e4c4ac3fa5ba 100644 --- a/website/content/docs/auth/kubernetes.mdx +++ b/website/content/docs/auth/kubernetes.mdx @@ -103,6 +103,8 @@ management tool. ### Discovering the service account `issuer` +-> **Deprecated:** The `issuer` parameter has been deprecated as of Vault 1.9 and will be removed in a future release. + Kubernetes 1.21+ clusters may require setting the service account [`issuer`](/api-docs/auth/kubernetes#issuer) to the same value as `kube-apiserver`'s `--service-account-issuer` flag. This is because the service diff --git a/website/content/docs/platform/k8s/csi/index.mdx b/website/content/docs/platform/k8s/csi/index.mdx index d4d83329b7c8..bd4020896556 100644 --- a/website/content/docs/platform/k8s/csi/index.mdx +++ b/website/content/docs/platform/k8s/csi/index.mdx @@ -50,7 +50,9 @@ account provided to pods if no service account is defined. ### Setting `issuer` for Kubernetes authentication -You will likely need to set [`issuer`](/api-docs/auth/kubernetes#issuer) when +-> **Deprecated:** The `issuer` parameter has been deprecated as of Vault 1.9 and will be removed in a future release. + +If running Vault prior to version 1.9, you will likely need to set [`issuer`](/api-docs/auth/kubernetes#issuer) when configuring Kubernetes authentication for the Vault CSI Provider. Vault CSI Provider does not use the default token associated with service accounts. Instead, it creates a token with a short TTL whose lifetime is also bound to the
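Review bot: in the `docs/auth/kubernetes.mdx` hunk the new "Deprecated" callout sits directly above text that still reads "Kubernetes 1.21+ clusters may require setting the service account `issuer`" with no version qualifier, so the section now contradicts itself. Mirror the CSI page's wording from this same patch ("If running Vault prior to version 1.9, ...") or state what replaces the issuer check on 1.9+ so readers know they can skip the section.

Review bot: in the `docs/platform/k8s/csi/index.mdx` hunk the link still targets `/api-docs/auth/kubernetes#issuer`, but this patch moves that parameter under a new `### Deprecated Parameters` heading in the API page. Please confirm the `#issuer` anchor still resolves after the move, and consider pointing at the new heading's anchor (likely `#deprecated-parameters`) if it does not.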