
feat(vault_kubernetes_auth_backend_role): support for bound_service_account_namespace_selector field #2379

Open
wants to merge 6 commits into base: main

Conversation

fredouric

@fredouric fredouric commented Dec 10, 2024

Description

Permits using namespace selectors to allow Kubernetes namespaces to access roles.
The bound_service_account_namespace_selector field was implemented in Vault v1.16.

Closes #1882

Checklist

  • Added CHANGELOG entry (only for user-facing changes)
  • Acceptance tests were run against all supported Vault versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccKubernetesAuthBackendRole -v'

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -run=TestAccKubernetesAuthBackendRole -v -timeout 30m ./...
?       github.com/hashicorp/terraform-provider-vault   [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/coverage      [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/generate      [no test files]
?       github.com/hashicorp/terraform-provider-vault/helper    [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/consts   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/group   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/mfa     [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/pki      [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/codegen   (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/internal/identity/entity  (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/schema    [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/sync     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/internal/provider (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/testutil  (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/util      (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/util/mountutil    (cached) [no tests to run]
=== RUN   TestAccKubernetesAuthBackendRoleDataSource_basic
--- PASS: TestAccKubernetesAuthBackendRoleDataSource_basic (0.65s)
=== RUN   TestAccKubernetesAuthBackendRoleDataSource_full
--- PASS: TestAccKubernetesAuthBackendRoleDataSource_full (0.51s)
=== RUN   TestAccKubernetesAuthBackendRole_import
--- PASS: TestAccKubernetesAuthBackendRole_import (0.63s)
=== RUN   TestAccKubernetesAuthBackendRole_basic
--- PASS: TestAccKubernetesAuthBackendRole_basic (0.49s)
=== RUN   TestAccKubernetesAuthBackendRole_update
--- PASS: TestAccKubernetesAuthBackendRole_update (0.88s)
=== RUN   TestAccKubernetesAuthBackendRole_full
--- PASS: TestAccKubernetesAuthBackendRole_full (0.50s)
=== RUN   TestAccKubernetesAuthBackendRole_fullUpdate
--- PASS: TestAccKubernetesAuthBackendRole_fullUpdate (1.98s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault     (cached)

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

'bound_service_account_namespace_selector'
@fredouric fredouric requested a review from a team as a code owner December 10, 2024 15:10
@fredouric fredouric requested a review from zofskeez December 10, 2024 15:10

hashicorp-cla-app bot commented Dec 10, 2024

CLA assistant check
All committers have signed the CLA.


@cbarbian-sap

Shouldn't bound_service_account_namespaces be made optional? It seems to be allowed to skip bound_service_account_namespaces if bound_service_account_namespace_selector is defined.

However (at least with my vault version, 1.18.1) at least one of the two attributes must be set; I couldn't find an explicit statement about this in the vault docs, but creating a role with none of them fails with

Code: 400. Errors:

* "bound_service_account_namespaces" can not be empty if "bound_service_account_namespace_selector" is not set

However, I am not sure how to model this in the terraform schema definition.

Another question: is it necessary to add bound_service_account_namespace_selector to vault/data_source_kubernetes_auth_backend_role.go as well?

@fredouric
Author

fredouric commented Jan 20, 2025

Shouldn't bound_service_account_namespaces be made optional? It seems to be allowed to skip bound_service_account_namespaces if bound_service_account_namespace_selector is defined.

Another question: is it necessary to add bound_service_account_namespaces to vault/data_source_kubernetes_auth_backend_role.go as well?

Good catch, I made bound_service_account_namespaces optional and added bound_service_account_namespaces to the datasource as well.

However (at least with my vault version, 1.18.1) at least one of the two attributes must be set; I couldn't find an explicit statement about this in the vault docs, but creating a role with none of them fails with

Code: 400. Errors:

* "bound_service_account_namespaces" can not be empty if "bound_service_account_namespace_selector" is not set

However, I am not sure how to model this in the terraform schema definition.

Regarding this, I'm not sure how to model this too. Maybe a reviewer can help on this.
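The two points raised in the thread, that Vault rejects a role with neither binding field set and that a label selector admits every namespace carrying the matching labels, as an added Go example that is not the PR's or the provider's code. It models the check locally for reviewing a role before applying it and assumes a JSON selector with matchLabels only; the "*" wildcard handling is also an assumption of this model.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// LabelSelector is the subset of metav1.LabelSelector that Vault accepts for
// bound_service_account_namespace_selector (assumption: JSON, matchLabels only).
type LabelSelector struct {
	MatchLabels map[string]string `json:"matchLabels"`
}

// ValidateBinding mirrors the 400 error quoted in the review thread.
func ValidateBinding(namespaces []string, selector string) error {
	if len(namespaces) == 0 && selector == "" {
		return errors.New(`"bound_service_account_namespaces" can not be empty if "bound_service_account_namespace_selector" is not set`)
	}
	return nil
}

// NamespaceAllowed is a local model of the role binding: the explicit list
// ("*" meaning any) is checked first, then every matchLabels pair must be
// present on the namespace with the same value.
func NamespaceAllowed(name string, labels map[string]string, namespaces []string, selector string) (bool, error) {
	for _, ns := range namespaces {
		if ns == "*" || ns == name {
			return true, nil
		}
	}
	if selector == "" {
		return false, nil
	}
	var sel LabelSelector
	if err := json.Unmarshal([]byte(selector), &sel); err != nil {
		return false, fmt.Errorf("invalid selector: %w", err)
	}
	// In Kubernetes semantics an empty selector matches every namespace;
	// surface that as an error so a reviewer cannot miss it.
	if len(sel.MatchLabels) == 0 {
		return false, errors.New("empty selector would match all namespaces")
	}
	for k, v := range sel.MatchLabels {
		if lv, ok := labels[k]; !ok || lv != v {
			return false, nil
		}
	}
	return true, nil
}
```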


Successfully merging this pull request may close these issues.

Update vault_kubernetes_auth_backend_role Resource to support allowed_kubernetes_namespace_selector Field
2 participants