First take on adding namespace support to vault. Aim to close #2806

Signed-off-by: Tiago Alves Macambira <tmacam@burocrata.org>
dapr · Apr 25, 2023 · 15cd838 · 15cd838
1 parent 3fbaad8
commit 15cd838
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 6 deletions.
diff --git a/secretstores/hashicorp/vault/metadata.yaml b/secretstores/hashicorp/vault/metadata.yaml
@@ -75,3 +75,12 @@ metadata:
       Vault value type. map means to parse the value into map[string]string, text means to use the value as a string. "map" sets the multipleKeyValuesPerSecret behavior. text makes Vault behave as a secret store with name/value semantics. Defaults to "map"
     example: "map"
     type: string
+  - name: vaultNamespace
+    type: string
+    required: false
+    description: "TBD. Refer to multi-tenancy"
+    example: "map"
+    default: ""
+    url:
+      title: "Vault Enterprise Namespaces"
+      url: "https://developer.hashicorp.com/vault/docs/enterprise/namespaces"
diff --git a/secretstores/hashicorp/vault/vault.go b/secretstores/hashicorp/vault/vault.go
@@ -51,6 +51,7 @@ const (
 	componentVaultKVUsePrefix    string = "vaultKVUsePrefix"
 	defaultVaultKVPrefix         string = "dapr"
 	vaultHTTPHeader              string = "X-Vault-Token"
+	vaultHTTPNamespaceHeader     string = "X-Vault-Namespace"
 	vaultHTTPRequestHeader       string = "X-Vault-Request"
 	vaultEnginePath              string = "enginePath"
 	vaultValueType               string = "vaultValueType"
@@ -83,6 +84,8 @@ type vaultSecretStore struct {
 	vaultKVPrefix       string
 	vaultEnginePath     string
 	vaultValueType      valueType
+	// TBD update tests and certification tests
+	vaultNamespace string
 
 	json jsoniter.API
 
@@ -102,6 +105,7 @@ type VaultMetadata struct {
 	VaultTokenMountPath string
 	EnginePath          string
 	VaultValueType      string
+	VaultNamespace      string
 }
 
 // tlsConfig is TLS configuration to interact with HashiCorp Vault.
@@ -185,6 +189,8 @@ func (v *vaultSecretStore) Init(_ context.Context, meta secretstores.Metadata) e
 	}
 	v.vaultKVPrefix = vaultKVPrefix
 
+	v.vaultNamespace = m.VaultNamespace
+
 	// Generate TLS config
 	tlsConf := metadataToTLSConfig(&m)
 
@@ -231,9 +237,8 @@ func (v *vaultSecretStore) getSecret(ctx context.Context, secret, version string
 		return nil, fmt.Errorf("couldn't generate request: %w", err)
 	}
 	// Set vault token.
-	httpReq.Header.Set(vaultHTTPHeader, v.vaultToken)
 	// Set X-Vault-Request header
-	httpReq.Header.Set(vaultHTTPRequestHeader, "true")
+	v.setHttpRequestHeaders(httpReq)
 
 	httpresp, err := v.client.Do(httpReq)
 	if err != nil {
@@ -277,6 +282,17 @@ func (v *vaultSecretStore) getSecret(ctx context.Context, secret, version string
 	return &d, nil
 }
 
+func (v *vaultSecretStore) setHttpRequestHeaders(httpReq *http.Request) {
+	// Set vault token.
+	httpReq.Header.Set(vaultHTTPHeader, v.vaultToken)
+	// Set X-Vault-Request header
+	httpReq.Header.Set(vaultHTTPRequestHeader, "true")
+	// Set X-Vault-Namespace header if configured to do so
+	if v.vaultNamespace != "" {
+		httpReq.Header.Set(vaultHTTPNamespaceHeader, v.vaultNamespace)
+	}
+}
+
 // GetSecret retrieves a secret using a key and returns a map of decrypted string/string values.
 func (v *vaultSecretStore) GetSecret(ctx context.Context, req secretstores.GetSecretRequest) (secretstores.GetSecretResponse, error) {
 	// version 0 represent for latest version
@@ -349,10 +365,7 @@ func (v *vaultSecretStore) listKeysUnderPath(ctx context.Context, path string) (
 	if err != nil {
 		return nil, fmt.Errorf("couldn't generate request: %s", err)
 	}
-	// Set vault token.
-	httpReq.Header.Set(vaultHTTPHeader, v.vaultToken)
-	// Set X-Vault-Request header
-	httpReq.Header.Set(vaultHTTPRequestHeader, "true")
+	v.setHttpRequestHeaders(httpReq)
 	httpresp, err := v.client.Do(httpReq)
 	if err != nil {
 		return nil, fmt.Errorf("couldn't get secret: %s", err)