From 0c568ea4b0770291f0fe4258493402b68b36aeae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joshua=20M=C3=BChlfort?= Date: Wed, 22 Mar 2023 14:47:57 +0100 Subject: [PATCH 1/2] Add section about client cert authentication for vault MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Joshua Mühlfort --- content/docs/configuration/vault.md | 37 +++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/content/docs/configuration/vault.md b/content/docs/configuration/vault.md index c2dd25aee54..e650d179a0b 100644 --- a/content/docs/configuration/vault.md +++ b/content/docs/configuration/vault.md 
@@ -254,6 +254,43 @@ Kubernetes 1.24 and above. key: token ``` +### Authenticating with TLS Client Certificate + +Another way to authenticate against Vault is by presenting a client certificate +while performing the TLS handshake. +For information on how to configure this feature in Vault, see +[their documentation](https://developer.hashicorp.com/vault/docs/auth/cert). + +Note that the client certificate configured here will only be presented when +doing the authentication/login call to get a Vault token. Other, following +requests will not present it. They will be authenticated using said Vault token. + +Configuring a client certificate works by creating a Kubernetes `Secret` of type +[`kubernetes.io/tls`](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) +(hence containing `tls.crt` and `tls.key`) and referencing it by setting +`secretName`. + +You can also set `name` to match only a specific "certificate role", and `mountPath` +to override the default mount path of the authentication method, which is `/v1/auth/cert`. + +Example: + +```yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: vault-issuer + namespace: sandbox +spec: + vault: + path: pki_int/sign/example-dot-com + server: https://vault.local + caBundle: + auth: + clientCertificate: + secretName: kubernetes-io-tls-secret +``` + ## Verifying the issuer Deployment Once the Vault issuer has been deployed, it will be marked as ready if the From 697486b17b01a6187c66d7118f100c3afc42eb15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joshua=20M=C3=BChlfort?= Date: Wed, 12 Apr 2023 08:25:42 +0200 Subject: [PATCH 2/2] Add "feature state" hint for vault client certificate authentication MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Maël Valais Signed-off-by: Joshua Mühlfort --- content/docs/configuration/vault.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/content/docs/configuration/vault.md b/content/docs/configuration/vault.md index e650d179a0b..cd48ace0d3c 100644 --- a/content/docs/configuration/vault.md +++ b/content/docs/configuration/vault.md @@ -255,6 +255,7 @@ Kubernetes 1.24 and above. ``` ### Authenticating with TLS Client Certificate +**FEATURE STATE**: This feature is available since cert-manager 1.12. Another way to authenticate against Vault is by presenting a client certificate while performing the TLS handshake.
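Review bot: in the first hunk, the example `Issuer` leaves `caBundle:` with an empty value, which reads as an unfinished placeholder rather than a deliberate setting; either drop the line or give it an obviously fake base64 value, and say in the surrounding text what the issuer trusts when `caBundle` is omitted, since the client certificate and key are only as safe as the server the login call is made to. The prose also introduces `name` (certificate role) and `mountPath` (default `/v1/auth/cert`) but the example shows neither, so extend the `clientCertificate:` block with both, e.g. `name: my-cert-role` and `mountPath: /v1/auth/cert`, or state that they are optional. Two smaller points: the hunk never says which namespace the `kubernetes.io/tls` Secret must live in (for an `Issuer` readers will expect `sandbox`, the Issuer's own namespace, and a `ClusterIssuer` follows a different rule), and since that Secret holds `tls.key`, a sentence on restricting read access to it would fit next to the `secretName` explanation. Finally, "Other, following requests will not present it. They will be authenticated using said Vault token." would read better as a single sentence: "Subsequent requests do not present the certificate; they are authenticated with the Vault token obtained from the login call."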
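Review bot: in the second hunk, the added `**FEATURE STATE**: This feature is available since cert-manager 1.12.` line records the version but not the stability level; if the docs distinguish alpha, beta and GA features, name the level here so readers know whether the `clientCertificate` field may still change. It would also help to mirror the inline convention already used a few lines above (`Kubernetes 1.24 and above.`) by saying "cert-manager 1.12 and above", and to make sure the hint is rendered as its own paragraph directly under the heading rather than run into "Another way to authenticate against Vault ...".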