From a33ebf9100974afa56d534e968ca6013c142cf59 Mon Sep 17 00:00:00 2001
From: TheAlain <43777839+asaintsever@users.noreply.github.com>
Date: Thu, 11 Nov 2021 12:57:50 +0100
Subject: [PATCH] Add issuer on Vault k8s config for Kubernetes 1.21+ (#2)
---
 CHANGELOG.md | 6 ++++++
 VERSION_RELEASE | 2 +-
 test/vault/init-test-vault-server.sh | 17 ++++++++++++++++-
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e87bb08..76b793c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog for Open Vault Agent Injector
 
+## Release v1.0.1 - 2021-11-11
+
+**Added**
+
+- [OVAI #2](https://github.com/asaintsever/open-vault-agent-injector/pull/2) - Add issuer on [vault k8s config](https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer) for Kubernetes 1.21+
+
 ## Release v1.0.0 - 2021-09-21
 
 **Changed**
diff --git a/VERSION_RELEASE b/VERSION_RELEASE
index afaf360..7f20734 100644
--- a/VERSION_RELEASE
+++ b/VERSION_RELEASE
@@ -1 +1 @@
-1.0.0
\ No newline at end of file
+1.0.1
\ No newline at end of file
diff --git a/test/vault/init-test-vault-server.sh b/test/vault/init-test-vault-server.sh
index f7f9eec..b890487 100755
--- a/test/vault/init-test-vault-server.sh
+++ b/test/vault/init-test-vault-server.sh
@@ -27,7 +27,22 @@ export VAULT_SA_NAME=$(kubectl get sa vault -o jsonpath="{.secrets[*]['name']}")
 export SA_JWT_TOKEN=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data.token}" | base64 --decode; echo)
 export SA_CA_CRT=$(kubectl get secret $VAULT_SA_NAME -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)
 
-${VAULT_POD} "VAULT_TOKEN=root vault write auth/kubernetes/config kubernetes_host=\"https://kubernetes:443\" kubernetes_ca_cert=\"$SA_CA_CRT\" token_reviewer_jwt=\"$SA_JWT_TOKEN\""
+K8S_VER_MAJOR=$(kubectl version --short -o json | jq -r '.serverVersion.major')
+K8S_VER_MINOR=$(kubectl version --short -o json | jq -r '.serverVersion.minor')
+
+if [ $K8S_VER_MAJOR -ge 1 ] && [ $K8S_VER_MINOR -gt 20 ];then
+ echo "Kubernetes 1.21+: get service account issuer"
+ # See ref: https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer
+ kubectl proxy &
+ echo "Wait ..."
+ sleep 10
+ export SA_ISSUER=$(curl -s http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)
+ echo "Get issuer for cluster: $SA_ISSUER"
+
+ ${VAULT_POD} "VAULT_TOKEN=root vault write auth/kubernetes/config kubernetes_host=\"https://kubernetes:443\" kubernetes_ca_cert=\"$SA_CA_CRT\" token_reviewer_jwt=\"$SA_JWT_TOKEN\" issuer=\"$SA_ISSUER\""
+else
+ ${VAULT_POD} "VAULT_TOKEN=root vault write auth/kubernetes/config kubernetes_host=\"https://kubernetes:443\" kubernetes_ca_cert=\"$SA_CA_CRT\" token_reviewer_jwt=\"$SA_JWT_TOKEN\""
+fi
 
 # Create roles for Vault K8S Auth Method
 ${VAULT_POD} "VAULT_TOKEN=root vault write auth/kubernetes/role/test bound_service_account_names=default,job-sa bound_service_account_namespaces=default policies=test_pol ttl=5m"
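Review bot: The `kubectl proxy &` started inside the new `if` branch is never stopped, so the script leaves an unauthenticated proxy to the cluster API listening on 127.0.0.1:8001 after it exits, and the fixed `sleep 10` is only a guess at when that proxy is ready, so the `curl -s` can silently return nothing and the `vault write` on the next lines is then run with `issuer=""`. The proxy, sleep and curl can be replaced by a single call that uses the same kubeconfig credentials directly, `export SA_ISSUER=$(kubectl get --raw /.well-known/openid-configuration | jq -r .issuer)`, followed by a guard such as `[ -n "$SA_ISSUER" ] && [ "$SA_ISSUER" != "null" ] || { echo "could not discover service account issuer" >&2; exit 1; }` so a discovery failure aborts the test setup instead of configuring the auth method with an empty issuer. The version gate above it is also fragile: some managed clusters can report a non-numeric minor such as `21+`, in which case `[ $K8S_VER_MINOR -gt 20 ]` fails with "integer expression expected" and the script falls through to the legacy branch, so strip any suffix first with `K8S_VER_MINOR=${K8S_VER_MINOR%%[^0-9]*}` (and quote both variables in the test).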