feat: Vault namespace support (#403)

* Grab the vault namespace from the environment * Apply the Vault Namespace header * fix: Missing space on if statement * Doc: Adding documentation referencing how to use `VAULT_NAMESPACE`
external-secrets · Jun 18, 2020 · 6bd9570 · 6bd9570
1 parent 7190120
commit 6bd9570
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -345,6 +345,8 @@ spec:
     property: api-key
 ```
 
+If you use Vault Namespaces (a Vault Enterprise feature) you can set the namespace to interact with via the `VAULT_NAMESPACE` environment variable.
+
 If Vault uses a certificate issued by a self-signed CA you will need to provide that certificate:
 
 ```sh

diff --git a/config/environment.js b/config/environment.js
@@ -17,6 +17,9 @@ if (environment === 'development') {
 }
 
 const vaultEndpoint = process.env.VAULT_ADDR || 'http://127.0.0.1:8200'
+// Grab the vault namespace from the environment
+const vaultNamespace = process.env.VAULT_NAMESPACE || null
+
 const pollerIntervalMilliseconds = process.env.POLLER_INTERVAL_MILLISECONDS
   ? Number(process.env.POLLER_INTERVAL_MILLISECONDS) : 10000
 
@@ -32,6 +35,7 @@ const customResourceManagerDisabled = 'DISABLE_CUSTOM_RESOURCE_MANAGER' in proce
 
 module.exports = {
   vaultEndpoint,
+  vaultNamespace,
   environment,
   pollerIntervalMilliseconds,
   metricsPort,

diff --git a/config/index.js b/config/index.js
@@ -54,15 +54,23 @@ const systemManagerBackend = new SystemManagerBackend({
   assumeRole: awsConfig.assumeRole,
   logger
 })
-const vaultClient = vault({
+const vaultOptions = {
   apiVersion: 'v1',
   endpoint: envConfig.vaultEndpoint,
   requestOptions: {
     // When running vault in HA mode, you must follow redirects on PUT/POST/DELETE
     // See: https://github.com/kr1sp1n/node-vault/issues/23
     followAllRedirects: true
   }
-})
+}
+// Include the Vault Namespace header if we have provided it as an env var.
+// See: https://github.com/kr1sp1n/node-vault/pull/137#issuecomment-585309687
+if (envConfig.vaultNamespace) {
+  vaultOptions.headers = {
+    'X-VAULT-NAMESPACE': envConfig.vaultNamespace
+  }
+}
+const vaultClient = vault(vaultOptions)
 const vaultBackend = new VaultBackend({ client: vaultClient, logger })
 const azureKeyVaultBackend = new AzureKeyVaultBackend({
   credential: azureConfig.azureKeyVault(),