feat(kubernetes_auth_backend_role): support for

'bound_service_account_namespace_selector'
hashicorp · Dec 10, 2024 · d788de9 · d788de9
1 parent fabb0ac
commit d788de9
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 FEATURES:
 
+* Update `vault_kubernetes_auth_backend_role` to support `bound_service_account_namespace_selector`, enabling the use of namespace selectors for allowing Kubernetes namespaces to access roles. ([#1882]())
 * Update `vault_database_secret_backend_connection`to support `password_authentication` for PostgreSQL, allowing to encrypt password before being passed to PostgreSQL ([#2371](https://github.com/hashicorp/terraform-provider-vault/pull/2371))
 * Add support for `external_id` field for the `vault_aws_auth_backend_sts_role` resource ([#2370](https://github.com/hashicorp/terraform-provider-vault/pull/2370))
 * Add support for ACME configuration with the `vault_pki_secret_backend_config_acme` resource. Requires Vault 1.14+ ([#2157](https://github.com/hashicorp/terraform-provider-vault/pull/2157)).

diff --git a/vault/resource_kubernetes_auth_backend_role.go b/vault/resource_kubernetes_auth_backend_role.go
@@ -42,6 +42,12 @@ func kubernetesAuthBackendRoleResource() *schema.Resource {
 			Required:    true,
 			Description: "List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".",
 		},
+		"bound_service_account_namespace_selector": {
+			Type:        schema.TypeString,
+			Elem:        &schema.Schema{Type: schema.TypeString},
+			Optional:    true,
+			Description: "A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed.",
+		},
 		"backend": {
 			Type:     schema.TypeString,
 			Optional: true,
@@ -97,6 +103,10 @@ func kubernetesAuthBackendRoleUpdateFields(d *schema.ResourceData, data map[stri
 		data["bound_service_account_namespaces"] = boundServiceAccountNamespaces.(*schema.Set).List()
 	}
 
+	if boundServiceAccountNamespaceSelector, ok := d.GetOk("bound_service_account_namespace_selector"); ok {
+		data["bound_service_account_namespace_selector"] = boundServiceAccountNamespaceSelector.(string)
+	}
+
 	params := []string{"audience", "alias_name_source"}
 	for _, k := range params {
 		if create {
@@ -199,7 +209,7 @@ func kubernetesAuthBackendRoleRead(_ context.Context, d *schema.ResourceData, me
 		return diag.FromErr(err)
 	}
 
-	params := []string{"bound_service_account_names", "bound_service_account_namespaces", "audience", "alias_name_source"}
+	params := []string{"bound_service_account_names", "bound_service_account_namespaces", "bound_service_account_namespace_selector", "audience", "alias_name_source"}
 	for _, k := range params {
 		if v, ok := resp.Data[k]; ok {
 			if err := d.Set(k, v); err != nil {

diff --git a/vault/resource_kubernetes_auth_backend_role_test.go b/vault/resource_kubernetes_auth_backend_role_test.go
@@ -215,6 +215,8 @@ func TestAccKubernetesAuthBackendRole_full(t *testing.T) {
 						"bound_service_account_namespaces.#", "1"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"bound_service_account_namespaces.0", "example"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespace_selector", "{\"matchLabels\":{\"env\":\"dev\"}}"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"token_policies.0", "default"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
@@ -269,6 +271,8 @@ func TestAccKubernetesAuthBackendRole_fullUpdate(t *testing.T) {
 						"bound_service_account_namespaces.#", "1"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"bound_service_account_namespaces.0", "example"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespace_selector", "{\"matchLabels\":{\"env\":\"dev\"}}"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"token_policies.#", "3"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
@@ -304,6 +308,8 @@ func TestAccKubernetesAuthBackendRole_fullUpdate(t *testing.T) {
 						"bound_service_account_namespaces.0", "example"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"bound_service_account_namespaces.#", "1"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespace_selector", "{\"matchLabels\":{\"env\":\"dev\"}}"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"token_policies.#", "3"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
@@ -339,6 +345,8 @@ func TestAccKubernetesAuthBackendRole_fullUpdate(t *testing.T) {
 						"bound_service_account_namespaces.#", "1"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"bound_service_account_namespaces.0", "example"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespace_selector", "{\"matchLabels\":{\"env\":\"dev\"}}"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"token_policies.#", "3"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
@@ -510,6 +518,7 @@ resource "vault_kubernetes_auth_backend_role" "role" {
   role_name = %q
   bound_service_account_names = ["example"]
   bound_service_account_namespaces = ["example"]
+  bound_service_account_namespace_selector = "{\"matchLabels\":{\"env\":\"dev\"}}"
   token_ttl = %d
   token_max_ttl = %d
   token_period = 900

diff --git a/website/docs/r/kubernetes_auth_backend_role.html.md b/website/docs/r/kubernetes_auth_backend_role.html.md
@@ -43,7 +43,9 @@ The following arguments are supported:
 
 * `bound_service_account_names` - (Required) List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*".
 
-* `bound_service_account_namespaces` - (Required) List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
+* `bound_service_account_namespaces` - (Optional) List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
+
+* `bound_service_account_namespace_selector` - (Optional) A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed.
 
 * `backend` - (Optional) Unique name of the kubernetes backend to configure.