skeleton support for cross-ns secrets

hashicorp · Jan 25, 2024 · 5f16a60 · 5f16a60
1 parent fc09dc3
commit 5f16a60
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 19 deletions.
diff --git a/internal/client/client.go b/internal/client/client.go
@@ -200,6 +200,9 @@ func (c *Client) generateSecretRequest(secret config.Secret) (*api.Request, erro
 			return nil, err
 		}
 	}
+	if secret.SecretNamespace != "" {
+		req.Headers.Add("X-Vault-Namespace", secret.SecretNamespace)
+	}
 
 	return req, nil
 }

diff --git a/internal/client/client_test.go b/internal/client/client_test.go
@@ -224,11 +224,13 @@ func TestEnsureV1Prefix(t *testing.T) {
 }
 
 func TestGenerateRequest(t *testing.T) {
+	defaultHeaders := http.Header{"X-Vault-Request": []string{"true"}}
 	type expected struct {
-		method string
-		path   string
-		params string
-		body   string
+		method  string
+		path    string
+		params  string
+		body    string
+		headers http.Header
 	}
 	client, err := New(hclog.NewNullLogger(), config.Parameters{}, config.FlagsConfig{})
 	require.NoError(t, err)
@@ -242,29 +244,37 @@ func TestGenerateRequest(t *testing.T) {
 			secret: config.Secret{
 				SecretPath: "secret/foo",
 			},
-			expected: expected{http.MethodGet, "/v1/secret/foo", "", ""},
+			expected: expected{http.MethodGet, "/v1/secret/foo", "", "", defaultHeaders},
+		},
+		{
+			name: "with secret namespace specified",
+			secret: config.Secret{
+				SecretPath:      "secret/foo",
+				SecretNamespace: "baz",
+			},
+			expected: expected{http.MethodGet, "/v1/secret/foo", "", "", http.Header{"X-Vault-Namespace": []string{"baz"}, "X-Vault-Request": []string{"true"}}},
 		},
 		{
 			name: "zero-length query string",
 			secret: config.Secret{
 				SecretPath: "secret/foo?",
 			},
-			expected: expected{http.MethodGet, "/v1/secret/foo", "", ""},
+			expected: expected{http.MethodGet, "/v1/secret/foo", "", "", defaultHeaders},
 		},
 		{
 			name: "query string",
 			secret: config.Secret{
 				SecretPath: "secret/foo?bar=true&baz=maybe&zap=0",
 			},
-			expected: expected{http.MethodGet, "/v1/secret/foo", "bar=true&baz=maybe&zap=0", ""},
+			expected: expected{http.MethodGet, "/v1/secret/foo", "bar=true&baz=maybe&zap=0", "", defaultHeaders},
 		},
 		{
 			name: "method specified",
 			secret: config.Secret{
 				SecretPath: "secret/foo",
 				Method:     "PUT",
 			},
-			expected: expected{"PUT", "/v1/secret/foo", "", ""},
+			expected: expected{"PUT", "/v1/secret/foo", "", "", defaultHeaders},
 		},
 		{
 			name: "body specified",
@@ -277,7 +287,7 @@ func TestGenerateRequest(t *testing.T) {
 					"zap": "a string",
 				},
 			},
-			expected: expected{http.MethodPost, "/v1/secret/foo", "", `{"bar":true,"baz":10,"zap":"a string"}`},
+			expected: expected{http.MethodPost, "/v1/secret/foo", "", `{"bar":true,"baz":10,"zap":"a string"}`, defaultHeaders},
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
@@ -287,6 +297,7 @@ func TestGenerateRequest(t *testing.T) {
 			assert.Equal(t, tc.expected.path, req.URL.Path)
 			assert.Equal(t, tc.expected.params, req.Params.Encode())
 			assert.Equal(t, tc.expected.body, string(req.BodyBytes))
+			assert.Equal(t, tc.expected.headers, req.Headers)
 		})
 	}
 }
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -89,13 +89,14 @@ type PodInfo struct {
 }
 
 type Secret struct {
-	ObjectName     string                 `yaml:"objectName,omitempty"`
-	SecretPath     string                 `yaml:"secretPath,omitempty"`
-	SecretKey      string                 `yaml:"secretKey,omitempty"`
-	Method         string                 `yaml:"method,omitempty"`
-	SecretArgs     map[string]interface{} `yaml:"secretArgs,omitempty"`
-	FilePermission os.FileMode            `yaml:"filePermission,omitempty"`
-	Encoding       string                 `yaml:"encoding,omitempty"`
+	ObjectName      string                 `yaml:"objectName,omitempty"`
+	SecretPath      string                 `yaml:"secretPath,omitempty"`
+	SecretNamespace string                 `yaml:"secretNamespace,omitempty"`
+	SecretKey       string                 `yaml:"secretKey,omitempty"`
+	Method          string                 `yaml:"method,omitempty"`
+	SecretArgs      map[string]interface{} `yaml:"secretArgs,omitempty"`
+	FilePermission  os.FileMode            `yaml:"filePermission,omitempty"`
+	Encoding        string                 `yaml:"encoding,omitempty"`
 }
 
 func Parse(parametersStr, targetPath, permissionStr string) (Config, error) {

diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -49,8 +49,9 @@ func NewProvider(logger hclog.Logger, authMethod *auth.KubernetesJWTAuth, hmacGe
 }
 
 type vaultResponseCacheKey struct {
-	secretPath string
-	method     string
+	secretNamespace string
+	secretPath      string
+	method          string
 }
 
 const (
@@ -108,7 +109,7 @@ func decodeValue(data []byte, encoding string) ([]byte, error) {
 func (p *provider) getSecret(ctx context.Context, client *vaultclient.Client, secretConfig config.Secret) ([]byte, error) {
 	var secret *api.Secret
 	var cached bool
-	key := vaultResponseCacheKey{secretPath: secretConfig.SecretPath, method: secretConfig.Method}
+	key := vaultResponseCacheKey{secretPath: secretConfig.SecretPath, secretNamespace: secretConfig.SecretNamespace, method: secretConfig.Method}
 	if secret, cached = p.vaultResponseCache[key]; !cached {
 		var err error
 		secret, err = client.RequestSecret(ctx, p.authMethod, secretConfig)