hashicorp · fredouric · Dec 10, 2024 · Dec 10, 2024 · Dec 10, 2024
@@ -2,6 +2,7 @@
 
 FEATURES:
 
+* Update `vault_kubernetes_auth_backend_role` to support `bound_service_account_namespace_selector`, enabling the use of namespace selectors for allowing Kubernetes namespaces to access roles. ([#2379](https://github.com/hashicorp/terraform-provider-vault/pull/2379))
 * Update `vault_database_secret_backend_connection`to support `password_authentication` for PostgreSQL, allowing to encrypt password before being passed to PostgreSQL ([#2371](https://github.com/hashicorp/terraform-provider-vault/pull/2371))
 * Add support for `external_id` field for the `vault_aws_auth_backend_sts_role` resource ([#2370](https://github.com/hashicorp/terraform-provider-vault/pull/2370))
 * Add support for ACME configuration with the `vault_pki_secret_backend_config_acme` resource. Requires Vault 1.14+ ([#2157](https://github.com/hashicorp/terraform-provider-vault/pull/2157)).

@@ -42,6 +42,12 @@ func kubernetesAuthBackendRoleResource() *schema.Resource {
 			Required:    true,
 			Description: "List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".",
 		},
+		"bound_service_account_namespace_selector": {
+			Type:        schema.TypeString,
+			Elem:        &schema.Schema{Type: schema.TypeString},
+			Optional:    true,
+			Description: "A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed.",
+		},
 		"backend": {
 			Type:     schema.TypeString,
 			Optional: true,
@@ -97,6 +103,10 @@ func kubernetesAuthBackendRoleUpdateFields(d *schema.ResourceData, data map[stri
 		data["bound_service_account_namespaces"] = boundServiceAccountNamespaces.(*schema.Set).List()
 	}
 
+	if boundServiceAccountNamespaceSelector, ok := d.GetOk("bound_service_account_namespace_selector"); ok {
+		data["bound_service_account_namespace_selector"] = boundServiceAccountNamespaceSelector.(string)
+	}
+
 	params := []string{"audience", "alias_name_source"}
 	for _, k := range params {
 		if create {
@@ -199,7 +209,7 @@ func kubernetesAuthBackendRoleRead(_ context.Context, d *schema.ResourceData, me
 		return diag.FromErr(err)
 	}
 
-	params := []string{"bound_service_account_names", "bound_service_account_namespaces", "audience", "alias_name_source"}
+	params := []string{"bound_service_account_names", "bound_service_account_namespaces", "bound_service_account_namespace_selector", "audience", "alias_name_source"}
 	for _, k := range params {
 		if v, ok := resp.Data[k]; ok {
 			if err := d.Set(k, v); err != nil {

@@ -215,6 +215,8 @@ func TestAccKubernetesAuthBackendRole_full(t *testing.T) {
 						"bound_service_account_namespaces.#", "1"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"bound_service_account_namespaces.0", "example"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespace_selector", "{\"matchLabels\":{\"env\":\"dev\"}}"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"token_policies.0", "default"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
@@ -269,6 +271,8 @@ func TestAccKubernetesAuthBackendRole_fullUpdate(t *testing.T) {
 						"bound_service_account_namespaces.#", "1"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"bound_service_account_namespaces.0", "example"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespace_selector", "{\"matchLabels\":{\"env\":\"dev\"}}"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"token_policies.#", "3"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
@@ -304,6 +308,8 @@ func TestAccKubernetesAuthBackendRole_fullUpdate(t *testing.T) {
 						"bound_service_account_namespaces.0", "example"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"bound_service_account_namespaces.#", "1"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespace_selector", "{\"matchLabels\":{\"env\":\"dev\"}}"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"token_policies.#", "3"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
@@ -339,6 +345,8 @@ func TestAccKubernetesAuthBackendRole_fullUpdate(t *testing.T) {
 						"bound_service_account_namespaces.#", "1"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"bound_service_account_namespaces.0", "example"),
+					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
+						"bound_service_account_namespace_selector", "{\"matchLabels\":{\"env\":\"dev\"}}"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
 						"token_policies.#", "3"),
 					resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_role.role",
@@ -510,6 +518,7 @@ resource "vault_kubernetes_auth_backend_role" "role" {
   role_name = %q
   bound_service_account_names = ["example"]
   bound_service_account_namespaces = ["example"]
+  bound_service_account_namespace_selector = "{\"matchLabels\":{\"env\":\"dev\"}}"
   token_ttl = %d
   token_max_ttl = %d
   token_period = 900

@@ -43,7 +43,9 @@ The following arguments are supported:
 
 * `bound_service_account_names` - (Required) List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*".
 
-* `bound_service_account_namespaces` - (Required) List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
+* `bound_service_account_namespaces` - (Optional) List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
+
+* `bound_service_account_namespace_selector` - (Optional) A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.
 
 * `backend` - (Optional) Unique name of the kubernetes backend to configure.