From bd09f70fa25dd8de276d7615685e6caa6a68ba3e Mon Sep 17 00:00:00 2001 From: Gary Frederick Date: Thu, 18 Nov 2021 15:16:54 -0800 Subject: [PATCH] Docs deprecate token issuer validation (#13019) * change default value for disable_iss_validation to be true * mark as deprecated | remove issuer from sample * deprecation section * additional information about when fields will be removed * additional deprecation note under csi provider * punctuation * make the deprecation note more noticeable * missing issuer sentence | remove whitespace * Update website/content/docs/platform/k8s/csi/index.mdx Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> * cleanup * additional deprecation comments * fix discovery link * highlight * no need to configure the issuer Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- website/content/api-docs/auth/kubernetes.mdx | 13 +++++++++---- website/content/docs/auth/kubernetes.mdx | 2 ++ website/content/docs/platform/k8s/csi/index.mdx | 4 +++- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/website/content/api-docs/auth/kubernetes.mdx b/website/content/api-docs/auth/kubernetes.mdx index 5613345d73..76e8bdc89e 100644 --- a/website/content/api-docs/auth/kubernetes.mdx +++ b/website/content/api-docs/auth/kubernetes.mdx 
@@ -37,11 +37,17 @@ access the Kubernetes API. JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. -- `issuer` `(string: "")` - Optional JWT issuer. If no issuer is specified, then this plugin will - use `kubernetes/serviceaccount` as the default issuer. See [these instructions](/docs/platform/k8s/csi#setting-issuer-for-kubernetes-authentication) for looking up the issuer for a given Kubernetes cluster. -- `disable_iss_validation` `(bool: false)` - Disable JWT issuer validation. Allows to skip ISS validation. - `disable_local_ca_jwt` `(bool: false)` - Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. +### Deprecated Parameters + +-> The following fields have been deprecated and will be removed in a future release: + +- `disable_iss_validation` `(bool: true)` **Deprecated** Disable JWT issuer validation. Allows to skip ISS validation. + +- `issuer` `(string: "")` **Deprecated** Optional JWT issuer. If no issuer is specified, then this plugin will use `kubernetes/serviceaccount` as the default issuer. +See [these instructions](/docs/auth/kubernetes#discovering-the-service-account-issuer) for looking up the issuer for a given Kubernetes cluster. + ### Caveats If Vault is running in a Kubernetes Pod, the `kubernetes_ca_cert` and @@ -97,7 +103,6 @@ $ curl \ "kubernetes_host": "https://192.168.99.100:8443", "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----", "pem_keys": ["-----BEGIN CERTIFICATE-----.....", .....], - "disable_iss_validation": false, "disable_local_ca_jwt": false } } diff --git a/website/content/docs/auth/kubernetes.mdx b/website/content/docs/auth/kubernetes.mdx index 3f273f81ab..e4c4ac3fa5 100644 --- a/website/content/docs/auth/kubernetes.mdx +++ b/website/content/docs/auth/kubernetes.mdx 
@@ -103,6 +103,8 @@ management tool. ### Discovering the service account `issuer` +-> **Deprecated:** The `issuer` parameter has been deprecated as of Vault 1.9 and will be removed in a future release. + Kubernetes 1.21+ clusters may require setting the service account [`issuer`](/api-docs/auth/kubernetes#issuer) to the same value as `kube-apiserver`'s `--service-account-issuer` flag. This is because the service diff --git a/website/content/docs/platform/k8s/csi/index.mdx b/website/content/docs/platform/k8s/csi/index.mdx index d4d83329b7..bd40208965 100644 --- a/website/content/docs/platform/k8s/csi/index.mdx +++ b/website/content/docs/platform/k8s/csi/index.mdx @@ -50,7 +50,9 @@ account provided to pods if no service account is defined. ### Setting `issuer` for Kubernetes authentication -You will likely need to set [`issuer`](/api-docs/auth/kubernetes#issuer) when +-> **Deprecated:** The `issuer` parameter has been deprecated as of Vault 1.9 and will be removed in a future release. + +If running Vault prior to version 1.9, you will likely need to set [`issuer`](/api-docs/auth/kubernetes#issuer) when configuring Kubernetes authentication for the Vault CSI Provider. Vault CSI Provider does not use the default token associated with service accounts. Instead, it creates a token with a short TTL whose lifetime is also bound to the
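Review bot: the "Deprecated Parameters" block in the `@@ -37,11 +37,17 @@` hunk of website/content/api-docs/auth/kubernetes.mdx changes the documented default of `disable_iss_validation` from `false` to `true`, but this patch touches only documentation, so confirm that the plugin release this page describes actually ships with that default before merging; otherwise the page will tell operators issuer validation is off when it is still on, or the reverse. The same block keeps the wording "Allows to skip ISS validation", which should read "Allows skipping issuer (`iss`) claim validation", and it gives no reason why skipping the check is now acceptable; one sentence naming the validation the plugin relies on instead would stop readers from reading the new default as a security regression.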
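Review bot: removing `"disable_iss_validation": false` from the sample in the `@@ -97,7 +103,6 @@` hunk is right if that JSON is a request body, but if it is the read-config response, a deprecated field is normally still returned until it is actually removed; check which it is, and if the API still returns the key, keep it in the sample (as `true`, matching the new documented default) so the sample stays accurate.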
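Review bot: in the `@@ -103,6 +103,8 @@` hunk of website/content/docs/auth/kubernetes.mdx the new deprecation callout is immediately followed by unchanged text that still says "Kubernetes 1.21+ clusters may require setting the service account `issuer`", with nothing tying that advice to Vault versions before 1.9; mirror the wording used in the CSI page hunk ("If running Vault prior to version 1.9, you will likely need to set ...") so readers on 1.9+ do not work through the discovery steps for a parameter the callout has just told them is deprecated.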
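Review bot: the rewritten sentence in the `@@ -50,7 +50,9 @@` hunk of website/content/docs/platform/k8s/csi/index.mdx still links to `/api-docs/auth/kubernetes#issuer`, while the first hunk moves the `issuer` parameter under a new "Deprecated Parameters" heading; verify that the `#issuer` anchor still resolves after that move. The section also now says what pre-1.9 users must do but nothing about 1.9+, so add the one-line statement from the commit message ("no need to configure the issuer") for Vault 1.9 and later, since that is the case most readers of this page will be in.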