As indicated here, Vault supports string lists as values for the bound_claims map. Looking at the JWTOIDCAuthEngineRole CRD description, it says that "The expected value may be a single string or a list of strings". I tried to apply this descriptor:
but got
error: error validating "jwt_auth_role.yaml": error validating data: ValidationError(JWTOIDCAuthEngineRole.spec.boundClaims./kubernetes.io/namespace): invalid type for io.redhat.redhatcop.v1alpha1.JWTOIDCAuthEngineRole.spec.boundClaims: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false
I also tried to set boundClaims to "/kubernetes.io/namespace": "[namespace1 namespace2]", but while this looked correct when looking at the Vault configuration with vault read auth/jwt-auth/role/tool, it still didn't work.
Did I miss something, or are lists of strings not currently supported as values for bound claims?