k8s auth with PSATs and custom audiecne fails

[riuvshyn]

Hey guys! I was trying to get these changes #70 working and stuck with this:

{
  "errors": [
    "lookup failed: [invalid bearer token, token audiences [\"vault\"] is invalid for the target audiences [\"api\"]]"
  ]
}

while audience on my PSAT is vault:

  "aud": [
    "vault"
  ],
  "exp": 1573731794,
  "iat": 1573724594,
  "iss": "api",

and audience on the role is also vault:

Key                                 Value
---                                 -----
audience                            vault
bound_service_account_names         [default]
bound_service_account_namespaces    [service]
token_bound_cidrs                   []
token_explicit_max_ttl              0s
token_max_ttl                       0s
token_no_default_policy             false
token_num_uses                      0
token_period                        0s
token_policies                      [vault]
token_ttl                           0s
token_type                          default

it work ONLY if I use audience = api on role and on PSAT so this looks like a bug.

[riuvshyn]

it looks like audiences are missing here https://github.com/hashicorp/vault-plugin-auth-kubernetes/blob/master/token_review.go#L66

cc @catsby

[riuvshyn]

this should be fixed by #74