I’m looking into upgrading our Vault to 1.21, and reading through the upgrade notes. I notice the “Important changes” page has a section “Audiences required for Kubernetes authentication roles”, which seems to indicate that we now need to specify an audience in the role configuration. We’re also seeing warnings like this in the logs of our existing Vault:
A role without an audience was used to authenticate into Vault. Vault v1.21+ will require roles to have an audience.
However, reading through the actual changelog, I see no mention of this change. I also don’t see it in the vault-plugin-auth-kubernetes changelog, although there I see a link to a pull request that reverted that log message, and it sounds like audiences might not be required in 1.21 after all: “Update audience warning message for Kubernetes auth roles” by jaireddjawed (Pull Request #330, hashicorp/vault-plugin-auth-kubernetes on GitHub).
Was this a planned change that ended up being reverted, without the documentation being updated, or do we indeed need to specify an audience in our roles configuration before upgrading to 1.21?