hashicorp / vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
https://www.vaultproject.io/docs/auth/kubernetes.html
Mozilla Public License 2.0

Deprecate token issuer validation #127

Closed benashz closed 2 years ago

benashz commented 2 years ago

Overview

In Kubernetes 1.21+, the default issuer varies depending on the service account token type, and since the token review API is the authority, there is no need to pre-validate the token issuer. In addition, token issuer validation may cause disruptions during a Kubernetes upgrade, e.g. 1.20 -> 1.21.

Design of Change

How was this change implemented?

Change the default value for disable_iss_validation to be true, and deprecate the disable_iss_validation and issuer configuration fields.

Related Issues/Pull Requests

[ ] #125

Contributor Checklist

[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet My Docs PR Link Example

[ ] Add output for any tests not run in CI to the PR description (eg, acceptance tests)

[X] Backwards compatible
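
The failure mode described in the overview, as an added example that is not part of the original PR or the plugin's code: a static issuer check made before the TokenReview call rejects a bound service account token whose `iss` differs from the legacy value. `preValidate`, `issuerOf` and `sampleToken` are hypothetical helpers, the tokens are constructed and unsigned, and the bound-token issuer URL is an assumed cluster value.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// issuerOf reads the iss claim without verifying the signature; trust in
// the token still has to come from the TokenReview API.
func issuerOf(jwt string) (string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return "", errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct{ Iss string `json:"iss"` }
	err = json.Unmarshal(payload, &claims)
	return claims.Iss, err
}

// preValidate models a static issuer check made before TokenReview.
// Hypothetical helper; disableIss mirrors disable_iss_validation.
func preValidate(jwt, wantIss string, disableIss bool) error {
	if disableIss {
		return nil
	}
	iss, err := issuerOf(jwt)
	if err == nil && iss != wantIss {
		err = fmt.Errorf("issuer %q does not match %q", iss, wantIss)
	}
	return err
}

// sampleToken builds a constructed token with only an iss claim and a dummy signature.
func sampleToken(iss string) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(map[string]string{"iss": iss})
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc(body) + ".c2ln"
}

func main() {
	bound := sampleToken("https://kubernetes.default.svc.cluster.local") // assumed issuer
	fmt.Println(preValidate(bound, "kubernetes/serviceaccount", false), preValidate(bound, "kubernetes/serviceaccount", true))
}
```

With the check enabled the bound token fails on issuer alone; with it disabled the decision is left entirely to the token review.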