ClusterSecretStore serviceAccountRef defaults to the namespace of the referent

[moolen]

@alfredkrohmer i just created this issue to track your problem.

Just discovered this while testing the 0.5.0 release, this change breaks a use case that we have: not specifying the namespace in the secretRef or kubernetesServiceAccountToken sections in the auth spec for certain providers (Vault in our case) in ClusterSecretStores. The namespace of the ExternalSecret referring to the ClusterSecretStore would then be used when authenticating against the provider.

Implementation for secretRef in Vault provider:

external-secrets/pkg/provider/vault/vault.go

Lines 829 to 832 in 787129e

	ref := types.NamespacedName{
	Namespace: v.namespace,
	Name: secretRef.Name,
	}

Implementation for kubernetesServiceAccountToken in Vault provider:

external-secrets/pkg/provider/vault/vault.go

Lines 853 to 861 in 787129e

	tokenRequest := &authenticationv1.TokenRequest{
	ObjectMeta: metav1.ObjectMeta{
	Namespace: v.namespace,
	},
	Spec: authenticationv1.TokenRequestSpec{
	Audiences: audiences,
	ExpirationSeconds: &expirationSeconds,
	},
	}

Originally posted by @alfredkrohmer in #750 (comment)

So, the behavior you describe is not intended. The ClusterSecretStore should point to a single service account in a particular namespace and not use a SA from the namespace the ExternalSecret is in.

I guess it is this line specifically that shouldn't be there.

external-secrets/pkg/provider/vault/vault.go

Line 834 in 787129e

(secretRef.Namespace != nil) {

I'm interested in how your use-case looks in detail, can you provide more information? Do you basically share one ClusterSecretStore that points to a vault and configures things "globally" but the authentication bits lie in each and every namespace?

[alfredkrohmer]

I'm interested in how your use-case looks in detail, can you provide more information? Do you basically share one ClusterSecretStore that points to a vault and configures things "globally" but the authentication bits lie in each and every namespace?

Exactly. That way we can allow access in Vault via ACL path templating that refers to the service account namespace.

[gusfcarvalho]

Should we standardize this behavior across providers?

[moolen]

It's a little to magical/implicit. I'd favor a separate field in the provider crd to make that explicit.

[alfredkrohmer]

Actually the documentation of the Namespace field in these two types already says that it defaults to the namespace of the referent (which I guess is the ExternalSecret?) for cluster-scoped resources:

external-secrets/apis/meta/v1/types.go

Lines 19 to 40 in 4cbf1b8

	type SecretKeySelector struct {
	// The name of the Secret resource being referred to.
	Name string `json:"name,omitempty"`
	// Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
	// to the namespace of the referent.
	// +optional
	Namespace *string `json:"namespace,omitempty"`
	// The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
	// defaulted, in others it may be required.
	// +optional
	Key string `json:"key,omitempty"`
	}
	// A reference to a ServiceAccount resource.
	type ServiceAccountSelector struct {
	// The name of the ServiceAccount resource being referred to.
	Name string `json:"name"`
	// Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
	// to the namespace of the referent.
	// +optional
	Namespace *string `json:"namespace,omitempty"`
	}

[gusfcarvalho]

I can tell for sure that for the majority of the providers, an error is given if ClusterSecretStore is used with a SecretKeySelector.Namespace == nil, so this comment is not really reflecting the reality here.. I agree with @moolen in the sense that an user might not just understand what is fully going on, leading to some permissions not being handled properly.

[gusfcarvalho]

One question that I have, though: How does the ClusterSecretStore gets Validate()'d in this case?

(If we think about implementing it across all providers, #948 can be a footgun if we do not think of a clear way to Validate the ClusterSecretStore).

[alfredkrohmer]

One question that I have, though: How does the ClusterSecretStore gets Validate()'d in this case?

(If we think about implementing it across all providers, #948 can be a footgun if we do not think of a clear way to Validate the ClusterSecretStore).

It doesn't, it constantly fails validation but the ExternalSecret still syncs.

[moolen]

🤔 I can't come up with a solution i like by changing the CRD (e.g. adding a namespacedServiceAccountRef that does what is described above).

Although defaults to the namespace of the referent is a little magical i think it's the best solution. This shouldn't be a breaking change. Previously it was ignored by most providers or a error was returned. The only exception seems to be vault.

I'd suggest that we actually implement what is documented 😂

WDYT?

[alfredkrohmer]

I guess adding a namespacedServiceAccountRef might get difficult since the ClusterSecretStore uses the same structs as the SecretStore for the provider configuration (or it could just be ignored if configured on a SecretStore, but that also would look kinda weird).

How about a CLI toggle for the behavior?

[gusfcarvalho]

I agree to actually implement it across all the other providers. However, regarding the floodgate that we want to put. It would effectively break this approach completely, as the ClusterSecretStore would never be validated. Besides implementing the feature for the other providers, we could probably make vault's Validate() method use utils.ValidateNetwork instead of checking if the token is valid.