hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.

Namespaced Service Accounts #336

Open kcighon opened 1 year ago

kcighon commented 1 year ago

Off the back of #291 and #274, should the service account defined in VaultAuth also support namespaces? This will support global default Auth and Connections.

If a VaultStaticSecret is located in a namespace which differs from the VaultAuth, the VaultStaticSecret will try to use the service account defined in the VaultAuth from within the VaultStaticSecret namespace.

Observed error in VaultStaticSecret:

Warning VaultClientConfigError 7m5s (x18 over 18m) VaultStaticSecret Failed to get Vault auth login: ServiceAccount "my-vso-sa" not found

Possible solution - as with #291, allow namespaced values for VaultAuth's spec.kubernetes.serviceAccount, e.g. spec.kubernetes.serviceAccount: vault-secret-operator-system/my-vso-sa

TJM commented 4 months ago

I am seeing this problem as well. Apparently when you fall back to the default VaultAuth in the "operators" namespace, it still attempts to find the service account in the local secrets namespace. I would think that it would use the service account that is in the same namespace as the VaultAuth, or as mentioned here, allow for a namespace prefix so that you can specify which one to use. ServiceAccounts do not have the concept of allowedNamespaces, so that might be tricky to support securely.
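The resolution rule proposed in the opening post (a namespace/name value for spec.kubernetes.serviceAccount) together with the cross-namespace concern raised in the reply above, as an added Go example that is not code from the vault-secrets-operator project: ServiceAccountRef, ResolveServiceAccountRef and AllowCrossNamespace are hypothetical names, and the allow list passed to AllowCrossNamespace is an assumed VaultAuth-side policy, not an existing VSO field.

```go
package main

import (
	"fmt"
	"strings"
)
// ServiceAccountRef is a resolved reference (hypothetical type, not VSO's API).
type ServiceAccountRef struct {
	Namespace string
	Name      string
}
// ResolveServiceAccountRef parses the "namespace/name" form proposed in the issue.
// A bare name resolves in defaultNS; the caller decides whether that is the
// VaultAuth's namespace (TJM's suggestion) or the secret's namespace (today's lookup).
func ResolveServiceAccountRef(ref, defaultNS string) (ServiceAccountRef, error) {
	parts := strings.Split(ref, "/")
	ns, name := defaultNS, parts[0]
	switch len(parts) {
	case 1:
	case 2:
		ns, name = parts[0], parts[1]
	default:
		return ServiceAccountRef{}, fmt.Errorf("invalid service account reference %q", ref)
	}
	if ns == "" || name == "" {
		return ServiceAccountRef{}, fmt.Errorf("invalid service account reference %q", ref)
	}
	return ServiceAccountRef{Namespace: ns, Name: name}, nil
}

// AllowCrossNamespace lets a secret in secretNS borrow a service account from
// another namespace only if secretNS is on an allow list held by the VaultAuth
// (an assumed policy; ServiceAccounts themselves have no such concept).
func AllowCrossNamespace(sa ServiceAccountRef, secretNS string, allowed []string) error {
	if sa.Namespace == secretNS {
		return nil // same namespace: nothing is borrowed
	}
	for _, a := range allowed {
		if a == "*" || a == secretNS {
			return nil
		}
	}
	return fmt.Errorf("namespace %q may not use ServiceAccount %s/%s", secretNS, sa.Namespace, sa.Name)
}

func main() {
	sa, err := ResolveServiceAccountRef("vault-secret-operator-system/my-vso-sa", "app")
	fmt.Println(sa, err, AllowCrossNamespace(sa, "app", []string{"app"}))
}
```

Without the allow-list gate, any namespace that can create a VaultStaticSecret could authenticate to Vault with the operator's own service account, which is the risk the "allowedNamespaces" remark points at.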