hashicorp · hc-github-team-consul-core · Jun 8, 2023 · Jun 8, 2023 · Jun 8, 2023 · Jun 8, 2023
diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml
@@ -125,6 +125,9 @@ spec:
         {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }}
         {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }}
         {{- end }}
+        {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
+        "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}"
+        {{- end }}
         {{- end }}
         {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }}
         "prometheus.io/scrape": "true"

diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml
@@ -150,9 +150,12 @@ spec:
               fieldPath: metadata.name
         # Extract the Vault namespace from the Vault agent annotations.
         {{- if .Values.global.secretsBackend.vault.enabled }}
-        {{- if .Values.global.secretsBackend.vault.agentAnnotations }}
+        {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }}
         - name: VAULT_NAMESPACE
           value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }}
+        {{- else if .Values.global.secretsBackend.vault.vaultNamespace }}
+        - name: VAULT_NAMESPACE
+          value: {{ .Values.global.secretsBackend.vault.vaultNamespace }}
         {{- end }}
         {{- end }}
         {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }}

diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml
@@ -94,6 +94,9 @@ spec:
         {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }}
         {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }}
         {{- end }}
+        {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
+        "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}"
+        {{- end }}
         {{- end }}
         {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }}
         "prometheus.io/scrape": "true"

diff --git a/charts/consul/test/unit/ingress-gateways-deployment.bats b/charts/consul/test/unit/ingress-gateways-deployment.bats
@@ -1168,6 +1168,25 @@ key2: value2' \
   [ "${actual}" = "bar" ]
 }
 
+@test "ingressGateway/Deployment: vault namespace annotations can be set when secretsBackend.vault.vaultNamespace is set and .global.secretsBackend.vault.agentAnnotations is not set." {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/ingress-gateways-deployment.yaml  \
+      --set 'ingressGateways.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      --set 'global.tls.enabled=true' \
+      --set 'global.secretsBackend.vault.enabled=true' \
+      --set 'global.secretsBackend.vault.consulClientRole=test' \
+      --set 'global.secretsBackend.vault.consulServerRole=foo' \
+      --set 'global.tls.caCert.secretName=foo' \
+      --set 'global.secretsBackend.vault.consulCARole=carole' \
+      --set 'global.secretsBackend.vault.vaultNamespace=vns' \
+       . | tee /dev/stderr |
+      yq -r '.spec.template' | tee /dev/stderr)
+  local actual=$(echo $object | yq -r '.metadata.annotations."vault.hashicorp.com/namespace"')
+  [ "${actual}" = "vns" ]
+}
+
 #--------------------------------------------------------------------
 # terminationGracePeriodSeconds
 

diff --git a/charts/consul/test/unit/terminating-gateways-deployment.bats b/charts/consul/test/unit/terminating-gateways-deployment.bats
@@ -1236,6 +1236,25 @@ key2: value2' \
   [ "${actual}" = "bar" ]
 }
 
+@test "terminatingGateways/Deployment: vault namespace annotations can be set when secretsBackend.vault.vaultNamespace is set and .global.secretsBackend.vault.agentAnnotations is not set." {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/terminating-gateways-deployment.yaml  \
+      --set 'terminatingGateways.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      --set 'global.tls.enabled=true' \
+      --set 'global.secretsBackend.vault.enabled=true' \
+      --set 'global.secretsBackend.vault.consulClientRole=test' \
+      --set 'global.secretsBackend.vault.consulServerRole=foo' \
+      --set 'global.tls.caCert.secretName=foo' \
+      --set 'global.secretsBackend.vault.consulCARole=carole' \
+      --set 'global.secretsBackend.vault.vaultNamespace=vns' \
+       . | tee /dev/stderr |
+      yq -r '.spec.template' | tee /dev/stderr)
+  local actual=$(echo $object | yq -r '.metadata.annotations."vault.hashicorp.com/namespace"')
+  [ "${actual}" = "vns" ]
+}
+
 #--------------------------------------------------------------------
 # global.cloud