thyton closed 7 months ago
@benashz @tomhjp I appreciate the detailed first pass! I've addressed/followed up with all comments. It's ready for the next review whenever you have a chance.
When are we likely to see a new release incorporating this change?
Overview
A high level description of the contribution, including:
What is the change? Support a label selector to define from which namespaces clients are allowed to authenticate with their ServiceAccounts.
Why is the change needed? This will add flexibility to bound namespace specification. A similar feature, allowed_kubernetes_namespace_selector, was also seen in Secret Engine.
How does this change affect the user experience (if at all)? No
Design of Change
How was this change implemented? The change is based on PR #182 and how allowed_kubernetes_namespace_selector was implemented.
Related Issues/Pull Requests
[ ] Issue #155
[ ] PR #182
Contributor Checklist
[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet Docs PR Link
[ ] Add output for any tests not run in CI to the PR description (e.g., acceptance tests)
[ ] Backwards compatible
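Added example (not code from this PR or from the plugin): a stand-alone Go illustration of how a Kubernetes-style label selector, as described in the overview above, decides which namespaces a ServiceAccount may authenticate from. The `Selector` type, the `NamespaceAllowed` function, and the sample selector and labels are assumptions made for the example; it uses `slices` from the Go 1.21+ standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
)

// Selector mirrors the JSON form of a Kubernetes LabelSelector.
type Selector struct {
	MatchLabels      map[string]string
	MatchExpressions []struct {
		Key, Operator string
		Values        []string
	}
}

// NamespaceAllowed reports whether a namespace's labels satisfy the selector.
// No selector ("") matches nothing; an empty selector ("{}") matches everything.
func NamespaceAllowed(selectorJSON string, labels map[string]string) (bool, error) {
	if selectorJSON == "" {
		return false, nil
	}
	var s Selector
	if err := json.Unmarshal([]byte(selectorJSON), &s); err != nil {
		return false, err // malformed selector: deny and report
	}
	for k, want := range s.MatchLabels {
		if got, ok := labels[k]; !ok || got != want {
			return false, nil
		}
	}
	for _, r := range s.MatchExpressions {
		val, has := labels[r.Key]
		in := has && slices.Contains(r.Values, val)
		// NotIn also matches namespaces that lack the key entirely.
		ok, known := map[string]bool{"In": in, "NotIn": !in, "Exists": has, "DoesNotExist": !has}[r.Operator]
		if !known {
			return false, fmt.Errorf("unknown operator %q", r.Operator)
		} else if !ok {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	sel := `{"matchLabels":{"vault-auth":"enabled"},"matchExpressions":[{"key":"env","operator":"NotIn","values":["sandbox"]}]}` // constructed sample
	fmt.Println(NamespaceAllowed(sel, map[string]string{"vault-auth": "enabled", "env": "prod"}))
}
```

When reviewing a selector-based binding, check who is allowed to label namespaces in the cluster, since any principal with that right can move a namespace into or out of the allowed set.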