Namespaced Service Accounts #336
Labels
enhancement
New feature or request
Comments
oninugarte
pushed a commit
to saltosystems/vault-secrets-operator
that referenced
this issue
Oct 27, 2023
This commit adds the ability to specify a namespace for the service account used to authenticate to Vault.
This is useful when you want to use a service account in a different namespace than the one the secret (vaultStaticSecret, vaultDynamicSecret) is located.
This change is backwards compatible, so if no namespace is specified, the service account will be looked up in the same namespace as the secret.
Example: Here the service account that will be used to authenticate to Vault is the service account `default` that it is in the namespace "vault-secrets-operator-system".
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: static-auth
namespace: app
spec:
vaultConnectionRef: vault-connection
allowedNamespaces:
- "*"
method: kubernetes
mount: demo-auth-mount
kubernetes:
role: role1
serviceAccount: vault-secrets-operator-system/default
```
Closes hashicorp#336
inigohu
added a commit
to inigohu/vault-secrets-operator
that referenced
this issue
Oct 27, 2023
This commit adds the ability to specify a namespace for the service account used to authenticate to Vault. This is useful when you want to use a service account in a different namespace than the one the secret (vaultStaticSecret, vaultDynamicSecret) is located.
This change is backwards compatible, so if no namespace is specified, the service account will be looked up in the same namespace as the secret.
Example: Here the service account that will be used to authenticate to Vault is the service account `default` that it is in the namespace "vault-secrets-operator-system".
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: static-auth
namespace: app
spec:
vaultConnectionRef: vault-connection
allowedNamespaces:
- "*"
method: kubernetes
mount: demo-auth-mount
kubernetes:
role: role1
serviceAccount: vault-secrets-operator-system/default
```
Closes hashicorp#336
oninugarte
pushed a commit
to saltosystems/vault-secrets-operator
that referenced
this issue
Jan 4, 2024
This commit adds the ability to specify a namespace for the service account used to authenticate to Vault.
This is useful when you want to use a service account in a different namespace than the one the secret (vaultStaticSecret, vaultDynamicSecret) is located.
This change is backwards compatible, so if no namespace is specified, the service account will be looked up in the same namespace as the secret.
Example: Here the service account that will be used to authenticate to Vault is the service account `default` that it is in the namespace "vault-secrets-operator-system".
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: static-auth
namespace: app
spec:
vaultConnectionRef: vault-connection
allowedNamespaces:
- "*"
method: kubernetes
mount: demo-auth-mount
kubernetes:
role: role1
serviceAccount: vault-secrets-operator-system/default
```
Closes hashicorp#336
oninugarte
pushed a commit
to saltosystems/vault-secrets-operator
that referenced
this issue
Jan 4, 2024
This commit adds the ability to specify a namespace for the service account used to authenticate to Vault.
This is useful when you want to use a service account in a different namespace than the one the secret (vaultStaticSecret, vaultDynamicSecret) is located.
This change is backwards compatible, so if no namespace is specified, the service account will be looked up in the same namespace as the secret.
Example: Here the service account that will be used to authenticate to Vault is the service account `default` that it is in the namespace "vault-secrets-operator-system".
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: static-auth
namespace: app
spec:
vaultConnectionRef: vault-connection
allowedNamespaces:
- "*"
method: kubernetes
mount: demo-auth-mount
kubernetes:
role: role1
serviceAccount: vault-secrets-operator-system/default
```
Closes hashicorp#336
glerchundi
added a commit
to saltosystems/vault-secrets-operator
that referenced
this issue
Jan 4, 2024
This commit adds the ability to specify a namespace for the service
account used to authenticate to Vault. This is useful when you want to
use a service account in a different namespace than the one the secret
(vaultStaticSecret, vaultDynamicSecret) is located. This change is
backwards compatible, so if no namespace is specified, the service
account will be looked up in the same namespace as the secret.
Example: Here the service account that will be used to authenticate to
Vault is the service account `default` that it is in the namespace
"vault-secrets-operator-system".
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: static-auth
namespace: app
spec:
vaultConnectionRef: vault-connection
allowedNamespaces:
- "*"
method: kubernetes
mount: demo-auth-mount
kubernetes:
role: role1
serviceAccount: vault-secrets-operator-system/default
```
Closes hashicorp#336
glerchundi
added a commit
to saltosystems/vault-secrets-operator
that referenced
this issue
Jan 26, 2024
This commit adds the ability to specify a namespace for the service
account used to authenticate to Vault. This is useful when you want to
use a service account in a different namespace than the one the secret
(vaultStaticSecret, vaultDynamicSecret) is located. This change is
backwards compatible, so if no namespace is specified, the service
account will be looked up in the same namespace as the secret.
Example: Here the service account that will be used to authenticate to
Vault is the service account `default` that it is in the namespace
"vault-secrets-operator-system".
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: static-auth
namespace: app
spec:
vaultConnectionRef: vault-connection
allowedNamespaces:
- "*"
method: kubernetes
mount: demo-auth-mount
kubernetes:
role: role1
serviceAccount: vault-secrets-operator-system/default
```
Closes hashicorp#336
glerchundi
added a commit
to saltosystems/vault-secrets-operator
that referenced
this issue
Jan 29, 2024
This commit adds the ability to specify a namespace for the service
account used to authenticate to Vault. This is useful when you want to
use a service account in a different namespace than the one the secret
(vaultStaticSecret, vaultDynamicSecret) is located. This change is
backwards compatible, so if no namespace is specified, the service
account will be looked up in the same namespace as the secret.
Example: Here the service account that will be used to authenticate to
Vault is the service account `default` that it is in the namespace
"vault-secrets-operator-system".
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: static-auth
namespace: app
spec:
vaultConnectionRef: vault-connection
allowedNamespaces:
- "*"
method: kubernetes
mount: demo-auth-mount
kubernetes:
role: role1
serviceAccount: vault-secrets-operator-system/default
```
Closes hashicorp#336
|
I am seeing this problem as well. Apparently when you fall back to the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Off the back of #291 and #274, should the service account defined in VaultAuth also support namespaces? This will support global default Auth and Connections
If a VaultStaticSecret is located in a namespace which differs to the VaultAuth, the VaultStaticSecret will try to use the service account defined in the VaultAuth from within the VaultStaticSecret namespace.
Observed error in VaultStaticSecret:
Warning VaultClientConfigError 7m5s (x18 over 18m) VaultStaticSecret Failed to get Vault auth login: ServiceAccount "my-vso-sa" not foundPossible solution - as with #291, allow for namespaced values for VaultAuth's spec.kubernetes.serviceAccount. e.g.
spec.kubernetes.serviceAccount: vault-secret-operator-system/my-vso-saThe text was updated successfully, but these errors were encountered: