hashicorp · tvoran · Jun 24, 2022 · May 12, 2022 · Jun 24, 2022 · Jun 24, 2022
@@ -1,5 +1,8 @@
 ## Unreleased
 
+Improvements:
+* Added support to configure default vault namespace on the agent config [GH-345](https://github.com/hashicorp/vault-k8s/pull/345)
+
 Bugs:
 * Properly return admission errors [GH-363](https://github.com/hashicorp/vault-k8s/pull/363)
 

@@ -278,6 +278,7 @@ type AgentConfig struct {
 	Address                    string
 	AuthType                   string
 	AuthPath                   string
+	VaultNamespace             string
 	Namespace                  string
 	RevokeOnShutdown           bool
 	UserID                     string
@@ -340,6 +341,10 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 		pod.ObjectMeta.Annotations[AnnotationVaultAuthPath] = cfg.AuthPath
 	}
 
+	if _, ok := pod.ObjectMeta.Annotations[AnnotationVaultNamespace]; !ok {
+		pod.ObjectMeta.Annotations[AnnotationVaultNamespace] = cfg.VaultNamespace
+	}
+
 	if _, ok := pod.ObjectMeta.Annotations[AnnotationProxyAddress]; !ok {
 		pod.ObjectMeta.Annotations[AnnotationProxyAddress] = cfg.ProxyAddress
 	}

@@ -778,14 +778,17 @@ func TestInitEmptyPod(t *testing.T) {
 
 func TestVaultNamespaceAnnotation(t *testing.T) {
 	tests := []struct {
-		key           string
-		value         string
-		expectedValue string
+		key                       string
+		value                     string
+		agentVaultNamespaceConfig string
+		expectedValue             string
 	}{
-		{"", "", ""},
-		{"vault.hashicorp.com/namespace", "", ""},
-		{"vault.hashicorp.com/namespace", "foobar", "foobar"},
-		{"vault.hashicorp.com/namespace", "fooBar", "fooBar"},
+		{"", "", "", ""},
+		{"", "", "test-namespace", "test-namespace"},
+		{"vault.hashicorp.com/namespace", "", "", ""},
+		{"vault.hashicorp.com/namespace", "foobar", "", "foobar"},
+		{"vault.hashicorp.com/namespace", "foobar", "test-namespace", "foobar"},
+		{"vault.hashicorp.com/namespace", "fooBar", "", "fooBar"},
 	}
 
 	for _, tt := range tests {
@@ -796,6 +799,7 @@ func TestVaultNamespaceAnnotation(t *testing.T) {
 		var patches []*jsonpatch.JsonPatchOperation
 
 		agentConfig := basicAgentConfig()
+		agentConfig.VaultNamespace = tt.agentVaultNamespaceConfig
 		err := Init(pod, agentConfig)
 		if err != nil {
 			t.Errorf("got error, shouldn't have: %s", err)

@@ -49,6 +49,7 @@ type Handler struct {
 	VaultAddress               string
 	VaultAuthType              string
 	VaultAuthPath              string
+	VaultNamespace             string
 	ProxyAddress               string
 	ImageVault                 string
 	Clientset                  *kubernetes.Clientset
@@ -184,6 +185,7 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) *admissionv1.Admissi
 		Address:                    h.VaultAddress,
 		AuthType:                   h.VaultAuthType,
 		AuthPath:                   h.VaultAuthPath,
+		VaultNamespace:             h.VaultNamespace,
 		ProxyAddress:               h.ProxyAddress,
 		Namespace:                  req.Namespace,
 		RevokeOnShutdown:           h.RevokeOnShutdown,

@@ -54,6 +54,7 @@ type Command struct {
 	flagVaultImage                 string // Name of the Vault Image to use
 	flagVaultAuthType              string // Type of Vault Auth Method to use
 	flagVaultAuthPath              string // Mount path of the Vault Auth Method
+	flagVaultNamespace             string // Vault enterprise namespace
 	flagRevokeOnShutdown           bool   // Revoke Vault Token on pod shutdown
 	flagRunAsUser                  string // User (uid) to run Vault agent as
 	flagRunAsGroup                 string // Group (gid) to run Vault agent as
@@ -186,6 +187,7 @@ func (c *Command) Run(args []string) int {
 		VaultAddress:               c.flagVaultService,
 		VaultAuthType:              c.flagVaultAuthType,
 		VaultAuthPath:              c.flagVaultAuthPath,
+		VaultNamespace:             c.flagVaultNamespace,
 		ProxyAddress:               c.flagProxyAddress,
 		ImageVault:                 c.flagVaultImage,
 		Clientset:                  clientset,

@@ -69,6 +69,9 @@ type Specification struct {
 	// VaultAuthPath is the AGENT_INJECT_VAULT_AUTH_PATH environment variable.
 	VaultAuthPath string `split_words:"true"`
 
+	// VaultNamespace is the AGENT_INJECT_VAULT_NAMESPACE environment variable.
+	VaultNamespace string `split_words:"true"`
+
 	// RevokeOnShutdown is AGENT_INJECT_REVOKE_ON_SHUTDOWN environment variable.
 	RevokeOnShutdown string `split_words:"true"`
 
@@ -147,6 +150,7 @@ func (c *Command) init() {
 		fmt.Sprintf("Type of Vault Auth Method to use. Defaults to %q.", agent.DefaultVaultAuthType))
 	c.flagSet.StringVar(&c.flagVaultAuthPath, "vault-auth-path", agent.DefaultVaultAuthPath,
 		fmt.Sprintf("Mount path of the Vault Auth Method. Defaults to %q.", agent.DefaultVaultAuthPath))
+	c.flagSet.StringVar(&c.flagVaultNamespace, "vault-namespace", "", "Vault enterprise namespace.")
 	c.flagSet.BoolVar(&c.flagRevokeOnShutdown, "revoke-on-shutdown", false,
 		"Automatically revoke Vault Token on Pod termination.")
 	c.flagSet.StringVar(&c.flagRunAsUser, "run-as-user", strconv.Itoa(agent.DefaultAgentRunAsUser),
@@ -282,6 +286,10 @@ func (c *Command) parseEnvs() error {
 		c.flagVaultAuthPath = envs.VaultAuthPath
 	}
 
+	if envs.VaultNamespace != "" {
+		c.flagVaultNamespace = envs.VaultNamespace
+	}
+
 	if envs.RevokeOnShutdown != "" {
 		c.flagRevokeOnShutdown, err = strconv.ParseBool(envs.RevokeOnShutdown)
 		if err != nil {

@@ -116,6 +116,7 @@ func TestCommandEnvs(t *testing.T) {
 		{env: "AGENT_INJECT_PROXY_ADDR", value: "http://proxy:3128", cmdPtr: &cmd.flagProxyAddress},
 		{env: "AGENT_INJECT_VAULT_AUTH_PATH", value: "auth-path-test", cmdPtr: &cmd.flagVaultAuthPath},
 		{env: "AGENT_INJECT_VAULT_IMAGE", value: "hashicorp/vault:1.10.3", cmdPtr: &cmd.flagVaultImage},
+		{env: "AGENT_INJECT_VAULT_NAMESPACE", value: "test-namespace", cmdPtr: &cmd.flagVaultNamespace},
 		{env: "AGENT_INJECT_TLS_KEY_FILE", value: "server.key", cmdPtr: &cmd.flagKeyFile},
 		{env: "AGENT_INJECT_TLS_CERT_FILE", value: "server.crt", cmdPtr: &cmd.flagCertFile},
 		{env: "AGENT_INJECT_TLS_AUTO_HOSTS", value: "foobar.com", cmdPtr: &cmd.flagAutoHosts},