Error whenever creating new secretStore (namespaced one)

[pedrocrc]

• Using version ghcr.io/external-secrets/external-secrets:v0.9.18

Every time I try to create a SecretStore (namespaced one), I get the error

admission webhook "validate.secretstore.external-secrets.io" denied the request: namespace not allowed with namespaced SecretStore

As an example, one yaml I've tried to apply was:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: <name>
  namespace: <namespace1>
spec:
  provider:
    kubernetes:
      auth:
        serviceAccount:
          name: external-secrets-sa
          namespace: <namespace1>
      remoteNamespace: <namespace2>
      server:
        caProvider:
          key: ca.crt
          name: kube-root-ca.crt
          namespace: <namespace1>
          type: ConfigMap
        url: 'https://kubernetes.default'

I've checked that it is raised due to the following lines:

external-secrets/pkg/utils/utils.go

Lines 366 to 378 in 06e1342

	// ValidateSecretSelector just checks if the namespace field is present/absent
	// depending on the secret store type.
	// We MUST NOT check the name or key property here. It MAY be defaulted by the provider.
	func ValidateSecretSelector(store esv1beta1.GenericStore, ref esmeta.SecretKeySelector) error {
	clusterScope := store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind
	if clusterScope && ref.Namespace == nil {
	return errRequireNamespace
	}
	if !clusterScope && ref.Namespace != nil {
	return errNamespaceNotAllowed
	}
	return nil
	}

The line 374 seems to me as a bug, since clusterScope will be false whenever the resource type is namespaced, and therefore it should have a related namespace.

[mmdaz]

I have a same issue with Token auth.
My secret store is:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "http://my.vault.server:8200"
      # See https://www.vaultproject.io/docs/enterprise/namespaces
      namespace: "app-team"
      version: "v2"
      auth:
        tokenSecretRef:
          name: "vault-token"
          key: "token"
          namespace: "external-secrets"

And I got this error:

admission webhook "validate.secretstore.external-secrets.io" denied the request: invalid Auth.TokenSecretRef: namespace not allowed with namespaced SecretStore

I saw docs in this section:
https://github.com/external-secrets/external-secrets/blob/main/docs/provider/hashicorp-vault.md#authenticating-into-a-different-namespace
And when I applied this:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "http://my.vault.server:8200"
      # See https://www.vaultproject.io/docs/enterprise/namespaces
      namespace: "app-team"
      version: "v2"
      auth:
        namespace: "external-secrets"
        tokenSecretRef:
          name: "vault-token"
          key: "token"

I got this error:

ValidationError(SecretStore.spec.provider.vault.auth): unknown field "namespace" in io.external-secrets.v1beta1.SecretStore.spec.provider.vault.auth; if you choose to ignore these errors, turn validation off with --validate=false

[shuheiktgw]

Thanks for reporting the issue! For the Kubernetes provider, the workaround should be just removing namespace: <namespace1> from your manifest. I agree that it would be more intuitive if we allowed specifying the same namespace with the secret store. Let me fix this quickly.

For the Vault provider, I'm still not too sure if this is a problem with documentation for implementation, so please give me more time to look into it.

[gusfcarvalho]

Closed as I believe #3555 fixed it. Feel free to reopen if I'm wrong