gocardless / theatre

GoCardless' collection of Kubernetes extensions
MIT License

Update Kubernetes 1.24 and kind v0.19.0 #280

Closed rnaveiras closed 1 year ago

rnaveiras commented 1 year ago

Ensure that we test all the components against Kubernetes 1.24. We should aim for Kubernetes 1.27 in the future, but this is a good step forward as many behaviour changes are related to this version.

https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/

In particular, we are looking at one change that directly impacts Vault, service account tokens: in Kubernetes v1.24, non-expiring service account tokens are no longer auto-generated.

You can read further details here: https://eng.d2iq.com/blog/service-account-tokens-in-kubernetes-v1.24/

How come this is working without additional changes?

With any Vault version before 1.9, this should break all the integration tests because the JWT iss validation will fail.

You can read more details about this here: https://developer.hashicorp.com/vault/docs/auth/kubernetes#kubernetes-1-21

You need to enable disable_iss_validation=true on those versions for the auth/kubernetes/config configuration.

From Vault 1.9.0, disable_iss_validation and issuer are deprecated, and the default for disable_iss_validation has changed to true for new Kubernetes auth mounts.
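
The issuer mismatch described in the comment above, as an added example that is not part of the pull request or of the theatre code base. It is a simplified model of the issuer check only (no signature verification); the tokens are constructed, and the cluster issuer URL and the service account name are assumed values.

```python
import base64
import json

# Issuer Vault's Kubernetes auth checks for when `issuer` is unset (per Vault docs).
DEFAULT_ISSUER = "kubernetes/serviceaccount"


def _segment(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims):
    """Build a constructed JWT with a dummy signature, for illustration only."""
    return ".".join([_segment({"alg": "RS256"}), _segment(claims), "c2ln"])


def claims_of(token):
    """Decode the payload segment; the signature is NOT verified here."""
    try:
        _header, payload, _sig = token.split(".")
        return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("not a well-formed JWT") from exc


def iss_accepted(token, issuer=DEFAULT_ISSUER, disable_iss_validation=False):
    """Simplified model of the issuer check only, not Vault's implementation."""
    iss = claims_of(token).get("iss")
    return disable_iss_validation or iss == issuer


# Constructed samples. The bound-token issuer is cluster-specific (assumed value).
CLUSTER_ISSUER = "https://kubernetes.default.svc.cluster.local"
SUBJECT = "system:serviceaccount:default:app"
LEGACY_TOKEN = make_token({"iss": DEFAULT_ISSUER, "sub": SUBJECT})
BOUND_TOKEN = make_token({"iss": CLUSTER_ISSUER, "sub": SUBJECT, "exp": 1700003600})

if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(name, claims_of(tok)["iss"],
              "default check:", iss_accepted(tok),
              "disable_iss_validation=true:", iss_accepted(tok, disable_iss_validation=True))
```

Running the same decode against the token a pod actually presents shows which issuer an older Vault mount would be comparing against.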