feat: Add ability to add namespace as a vault role suffix

hashicorp · Apr 9, 2024 · 46ed703 · 46ed703
1 parent 45ebf91
commit 46ed703
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 1 deletion.
diff --git a/api/v1beta1/vaultauth_types.go b/api/v1beta1/vaultauth_types.go
@@ -14,6 +14,10 @@ import (
 type VaultAuthConfigKubernetes struct {
 	// Role to use for authenticating to Vault.
 	Role string `json:"role"`
+	// Add the consuming secret's namespace as a suffix to the role name (e.g. "<role>-kube-system").
+	// Defaults to false.
+	// +kubebuilder:default:=false
+	RoleNamespaceSuffix bool `json:"roleNamespaceSuffix,omitempty"`
 	// ServiceAccount to use when authenticating to Vault's
 	// authentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace.
 	ServiceAccount string `json:"serviceAccount"`

diff --git a/chart/crds/secrets.hashicorp.com_vaultauths.yaml b/chart/crds/secrets.hashicorp.com_vaultauths.yaml
@@ -189,6 +189,11 @@ spec:
                   role:
                     description: Role to use for authenticating to Vault.
                     type: string
+                  roleNamespaceSuffix:
+                    default: false
+                    description: Add the consuming secret's namespace as a suffix
+                      to the role name (e.g. "<role>-kube-system"). Defaults to false.
+                    type: boolean
                   serviceAccount:
                     description: ServiceAccount to use when authenticating to Vault's
                       authentication backend. This must reside in the consuming secret's

diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
@@ -78,6 +78,9 @@ VaultAuthMethod Spec
   {{- if eq $cur.method "kubernetes" }}
   kubernetes:
     role: {{ $cur.kubernetes.role }}
+    {{- if ne (toString $cur.kubernetes.roleNamespaceSuffix) "<nil>" }}
+    roleNamespaceSuffix: {{ $cur.kubernetes.roleNamespaceSuffix }}
+    {{- end }}
     serviceAccount: {{ $serviceAccount }}
     {{- if $cur.kubernetes.tokenAudiences }}
     audiences: {{ $cur.kubernetes.tokenAudiences | toJson }}

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -492,6 +492,10 @@ defaultAuthMethod:
     # @type: string
     role: ""
 
+    # Add the consuming secret's namespace as a suffix to the role name (e.g. "<role>-kube-system"). Defaults to false.
+    # @type: boolean
+    roleNamespaceSuffix: ~
+
     # Kubernetes ServiceAccount associated with the default Vault Auth Role
     # @type: string
     serviceAccount: default

diff --git a/config/crd/bases/secrets.hashicorp.com_vaultauths.yaml b/config/crd/bases/secrets.hashicorp.com_vaultauths.yaml
@@ -189,6 +189,11 @@ spec:
                   role:
                     description: Role to use for authenticating to Vault.
                     type: string
+                  roleNamespaceSuffix:
+                    default: false
+                    description: Add the consuming secret's namespace as a suffix
+                      to the role name (e.g. "<role>-kube-system"). Defaults to false.
+                    type: boolean
                   serviceAccount:
                     description: ServiceAccount to use when authenticating to Vault's
                       authentication backend. This must reside in the consuming secret's

diff --git a/docs/api/api-reference.md b/docs/api/api-reference.md
@@ -440,6 +440,7 @@ _Appears in:_
 | Field | Description |
 | --- | --- |
 | `role` _string_ | Role to use for authenticating to Vault. |
+| `roleNamespaceSuffix` _boolean_ | Add the consuming secret's namespace as a suffix to the role name (e.g. "<role>-kube-system"). Defaults to false. |
 | `serviceAccount` _string_ | ServiceAccount to use when authenticating to Vault's authentication backend. This must reside in the consuming secret's (VDS/VSS/PKI) namespace. |
 | `audiences` _string array_ | TokenAudiences to include in the ServiceAccount token. |
 | `tokenExpirationSeconds` _integer_ | TokenExpirationSeconds to set the ServiceAccount token. |

diff --git a/internal/credentials/vault/kubernetes.go b/internal/credentials/vault/kubernetes.go
@@ -5,6 +5,7 @@ package vault
 
 import (
 	"context"
+	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -82,9 +83,13 @@ func (l *KubernetesCredentialProvider) GetCreds(ctx context.Context, client ctrl
 		return nil, err
 	}
 
+	role := l.authObj.Spec.Kubernetes.Role
+	if l.authObj.Spec.Kubernetes.RoleNamespaceSuffix {
+		role = fmt.Sprintf("%s-%s", role, l.providerNamespace)
+	}
 	// credentials needed for Kubernetes auth
 	return map[string]interface{}{
-		"role": l.authObj.Spec.Kubernetes.Role,
+		"role": role,
 		"jwt":  tr.Status.Token,
 	}, nil
 }