redhat-cop / vault-config-operator

An operator to support HashiCorp Vault configuration workflows from within Kubernetes
Apache License 2.0

JWTOIDCAuthEngineRole boundClaims support for string lists values #232

Closed Gio-R closed 3 months ago

Gio-R commented 6 months ago

As indicated here, Vault supports string lists as values for the `bound_claims` map. Looking at the JWTOIDCAuthEngineRole CRD description, it says that "The expected value may be a single string or a list of strings". I tried to apply this descriptor:

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: JWTOIDCAuthEngineRole
metadata:
  name: vault-user
  namespace: vault-configurator
spec:
  name: tool
  authentication:
    path: kubernetes
    role: configurator
    serviceAccount:
      name: vault-configurator
  path: jwt-auth
  userClaim: sub
  tokenPolicies:
    - tool
  roleType: jwt
  boundClaims:
    "/kubernetes.io/namespace": ["namespace1", "namespace2"]
  boundClaimsType: string
```

but got

```
error: error validating "jwt_auth_role.yaml": error validating data: ValidationError(JWTOIDCAuthEngineRole.spec.boundClaims./kubernetes.io/namespace): invalid type for io.redhat.redhatcop.v1alpha1.JWTOIDCAuthEngineRole.spec.boundClaims: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false
```

I also tried to set boundClaims to `"/kubernetes.io/namespace": "[namespace1 namespace2]"`, but while this looked correct when looking at the Vault configuration with `vault read auth/jwt-auth/role/tool`, it still didn't work.

Did I miss something, or are lists of strings not currently supported as values for bound claims?
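The two failure modes in this report (the API server rejecting an array where the CRD schema declares a string, and the `"[namespace1 namespace2]"` workaround being stored as one literal string that never equals a real namespace claim) can be reproduced in a few lines of Go. The example below is added here for illustration and is not the operator's code or the fix in the linked PR; `StringOrList`, `RoleSpecStrict`, `RoleSpecFlexible` and `ClaimMatches` are hypothetical names, the JSON documents are constructed to mirror the YAML above, and `ClaimMatches` is a simplified model of Vault's exact-match check for `bound_claims_type: string` (the claim must equal one of the expected values).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// StringOrList accepts either a single JSON string or a JSON array of strings,
// the two shapes the CRD description says a boundClaims value may take.
// Hypothetical type for this example, not the operator's own definition.
type StringOrList []string

// UnmarshalJSON tries the single-string form first, then the list form.
func (s *StringOrList) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*s = StringOrList{single}
		return nil
	}
	var list []string
	if err := json.Unmarshal(b, &list); err != nil {
		return fmt.Errorf("boundClaims value must be a string or a list of strings: %w", err)
	}
	*s = StringOrList(list)
	return nil
}

// RoleSpecStrict mirrors a schema that types every value as a plain string;
// this is the shape that produces 'got "array", expected "string"'.
type RoleSpecStrict struct {
	BoundClaims map[string]string `json:"boundClaims"`
}

// RoleSpecFlexible types each value as StringOrList, so both forms decode.
type RoleSpecFlexible struct {
	BoundClaims map[string]StringOrList `json:"boundClaims"`
}

// Constructed samples (JSON form of the YAML in the issue).
const (
	SampleList       = `{"boundClaims":{"/kubernetes.io/namespace":["namespace1","namespace2"]}}`
	SampleString     = `{"boundClaims":{"/kubernetes.io/namespace":"namespace1"}}`
	SampleWorkaround = `{"boundClaims":{"/kubernetes.io/namespace":"[namespace1 namespace2]"}}`
)

// ParseStrict decodes with string-only values; arrays fail here.
func ParseStrict(doc string) (map[string]string, error) {
	var spec RoleSpecStrict
	if err := json.Unmarshal([]byte(doc), &spec); err != nil {
		return nil, err
	}
	return spec.BoundClaims, nil
}

// ParseFlexible decodes with StringOrList values and normalises to []string.
func ParseFlexible(doc string) (map[string][]string, error) {
	var spec RoleSpecFlexible
	if err := json.Unmarshal([]byte(doc), &spec); err != nil {
		return nil, err
	}
	out := make(map[string][]string, len(spec.BoundClaims))
	for k, v := range spec.BoundClaims {
		out[k] = []string(v)
	}
	return out, nil
}

// ClaimMatches is a simplified model (assumption) of Vault's string-type
// bound_claims check: the token's claim must equal one expected value exactly.
func ClaimMatches(expected []string, claim string) bool {
	for _, e := range expected {
		if e == claim {
			return true
		}
	}
	return false
}

func main() {
	if _, err := ParseStrict(SampleList); err != nil {
		fmt.Println("strict schema rejects list:", err)
	}
	good, _ := ParseFlexible(SampleList)
	bad, _ := ParseFlexible(SampleWorkaround)
	key := "/kubernetes.io/namespace"
	fmt.Println("proper list matches namespace1:", ClaimMatches(good[key], "namespace1"))
	fmt.Println("workaround string matches namespace1:", ClaimMatches(bad[key], "namespace1"))
}
```

Running it shows why the workaround "looked correct" in `vault read` but never matched: the stored value is the single string `[namespace1 namespace2]`, which is compared literally against the token's namespace claim.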

erlisb commented 3 months ago

Hi @Gio-R, I applied a fix here: https://github.com/redhat-cop/vault-config-operator/pull/238. Please check and let me know.

Thanks.

Gio-R commented 3 months ago

Everything seems to work, thanks!