HashiCorp Vault Provider - Multiple secrets using `dataFrom` with Vault namespaces

[darren-thomas]

Describe the bug
I’m trying to retrieve multiple secrets using the dataFrom spec against an enterprise version of Vault (Vault v1.15.5) using namespaces. The query fails with a 403 permission denied. This appears to be because the namespace isn't part of the HTTP request and it's trying to list secrets at the root path. The token used is scoped to a namespace.

To Reproduce
Steps to reproduce the behavior:

SecretStore

auth method omitted

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: example-secret-store
  namespace: example-namespace
spec:
  provider:
    vault:
      server: "https://[host]"
      namespace: example-namespace
      path: "secret"
      version: "v2"
      auth:
        jwt:
          ...

ExternalSecret

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test
  namespace: example-namespace
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: example-secret-store
    kind: SecretStore
  target:
    name: foo
  dataFrom:
    - find:
        conversionStrategy: Unicode
        decodingStrategy: None
        name:
          regexp: ".*"
        path: /

Result

The namespace isn't part of the request:

https://[host]/v1/secret/metadata/secret?list=true\nCode: 403. 
Errors:

1 error occurred:
  * permission denied

We see access denied because the token is scoped to a namespace.

Versions

Component	Version
External Secrets Operator Chart	0.9.9
Vault Enterprise	1.15.5
Kubernetes	1.28.5

Expected behavior
I believe the underlying request should contain the namespace? In this example example-namespace

https://[host]/v1/example-namespace/secret/metadata/secret?list=true 

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[jlucktay]

Please don't let it go stale, robot 🙏

[Skarlso]

Is there a way to define a namespace? ( I'm not familiar with enterprise Vault... )

[Skarlso]

Ah okay, so that's all?

Vault API and namespaces
Users can perform API operations under a specific namespace by setting the X-Vault-Namespace header to the absolute or relative namespace path. Relative namespace paths are assumed to be child namespaces of the calling namespace. You can also provide an absolute namespace path without using the X-Vault-Namespace header.

Vault constructs the fully qualified namespace path based on the calling namespace and the X-Vault header to route the request to the appropriate namespace. For example, the following requests all route to the ns1/ns2/secret/foo namespace:

Path: ns1/ns2/secret/foo
Path: secret/foo, Header: X-Vault-Namespace: ns1/ns2/
Path: ns2/secret/foo, Header: X-Vault-Namespace: ns1/

[Skarlso]

I'll take a look at this.

[Skarlso]

Going to try and reproduce it with unit tests first. I can see that the GetSecret test cases are not using namespaces.

[Skarlso]

Okay, this is super weird. But if I understand this right, namespace is not used at all anywhere. :D I'm not sure this ever worked. 🤔

[Skarlso]

So I created a fix, but unsure if that's all that is needed. Could you please test the fork?