From fd9fee74dec48042c25d6934e5c166ea0e07e253 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Wed, 23 Jun 2021 16:44:56 +0200
Subject: [PATCH] e2e: disable iss validation in Hashicorp Vault
Testing encrypted PVCs does not work anymore since Kubernetes v1.21. It seems that disabling the iss validation in Hashicorp Vault is a relatively simple workaround that we can use instead of the more complex securing of the environment like should be done in production deployments.
Updates: #1963
See-also: external-secrets/kubernetes-external-secrets#721
Signed-off-by: Niels de Vos
---
 examples/kms/vault/vault.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/examples/kms/vault/vault.yaml b/examples/kms/vault/vault.yaml
index 53dd8fba2..d9cf7017a 100644
--- a/examples/kms/vault/vault.yaml
+++ b/examples/kms/vault/vault.yaml
@@ -100,6 +100,13 @@ items:
 bound_service_account_names="${SERVICE_ACCOUNTS}" \
 bound_service_account_namespaces="${SERVICE_ACCOUNTS_NAMESPACE}" \
 policies="${CLUSTER_IDENTIFIER}"
+
+ # disable iss validation
+ # from: external-secrets/kubernetes-external-secrets#721
+ vault write auth/${CLUSTER_IDENTIFIER}/config \
+ token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
+ kubernetes_host="${K8S_HOST}" \
+ disable_iss_validation=true
 kind: ConfigMap
 metadata:
 creationTimestamp: null
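Review bot: The comment above the added `vault write` says what is disabled but not that it is a test-only workaround, and the file sits under examples/ where it is likely to be copied into real deployments. With `disable_iss_validation=true` Vault no longer checks the JWT's `iss` claim itself and relies on the remaining Kubernetes auth checks (presumably the token review done with `token_reviewer_jwt`). I would state the scope in place, e.g. `# e2e workaround only (Kubernetes >= 1.21, see #1963): production setups should keep iss validation and configure the expected issuer`. The new write also passes only `token_reviewer_jwt` and `kubernetes_host`; if the script configures `auth/${CLUSTER_IDENTIFIER}/config` earlier (outside this hunk), check that this second write does not reset settings such as a CA certificate. The enclosing script starts before the hunk, so this could not be confirmed from the visible lines.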