add WithNamespace transit option

Author: hashiblaum

vault/client.go

@@ -489,6 +489,7 @@ func (c *defaultClient) Close(revoke bool) {
 // This will ensure that the auth token is periodically renewed.
 // If the Client's token is not renewable an error will be returned.
 func (c *defaultClient) startLifetimeWatcher(ctx context.Context) error {
+	fmt.Printf("skip renewal: %v\n", c.skipRenewal)
 	if c.skipRenewal {
 		return nil
 	}
@@ -517,12 +518,16 @@ func (c *defaultClient) startLifetimeWatcher(ctx context.Context) error {
 	watcherID := uuid.NewString()
 	wg := sync.WaitGroup{}
 	wg.Add(1)
+	fmt.Println("ready to go go go")
 	go func(ctx context.Context, c *defaultClient, watcher *api.LifetimeWatcher) {
+		fmt.Println("go go go")
 		logger := log.FromContext(ctx).WithName("lifetimeWatcher").WithValues(
 			"id", watcherID, "entityID", c.authSecret.Auth.EntityID,
 			"clientID", c.id, "cacheKey", cacheKey)
 		logger.Info("Starting")
+		fmt.Println("starting")
 		defer func() {
+			fmt.Println("stopping")
 			logger.Info("Stopping")
 			watcher.Stop()
 		}()
@@ -531,12 +536,15 @@ func (c *defaultClient) startLifetimeWatcher(ctx context.Context) error {
 		c.watcher = watcher
 		wg.Done()
 		logger.V(consts.LogLevelDebug).Info("Started")
+		fmt.Println("started")
 		for {
 			select {
 			case result := <-ctx.Done():
+				fmt.Println("context done")
 				logger.V(consts.LogLevelTrace).Info("Context done", "result", result)
 				return
 			case err := <-watcher.DoneCh():
+				fmt.Println("watcher done ch")
 				if err != nil {
 					logger.Error(err, "LifetimeWatcher completed with an error")
 					c.lastWatcherErr = err
@@ -559,6 +567,7 @@ func (c *defaultClient) startLifetimeWatcher(ctx context.Context) error {
 
 				return
 			case renewal := <-watcher.RenewCh():
+				fmt.Println("renew")
 				logger.V(consts.LogLevelDebug).Info("Successfully renewed the client")
 
 				c.authSecret = renewal.Secret
@@ -639,8 +648,11 @@ func (c *defaultClient) Login(ctx context.Context, client ctrlclient.Client) err
 
 	c.id = id
 
+	fmt.Println("hii")
+	fmt.Println(resp.Secret().Auth.Renewable)
 	if resp.Secret().Auth.Renewable {
 		if err := c.startLifetimeWatcher(ctx); err != nil {
+			fmt.Printf("failed to atcher: %v\n", err)
 			errs = err
 			return errs
 		}

vault/transit.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
+	"net/http"
 
 	"k8s.io/apimachinery/pkg/util/json"
 )
@@ -22,25 +23,32 @@ type (
 		Plaintext string `json:"plaintext"`
 	}
 
-	// TransitOption modifies parameters for a Transit Encrypt/Decrypt request.
-	// Individual options may only apply to certain operations.
-	TransitOption func(m map[string]any)
+	TransitRequestOptions struct {
+		Params  map[string]any
+		Headers http.Header
+	}
+
+	// TransitOption modifies parameters and/or headers for a Transit request.
+	TransitOption func(*TransitRequestOptions)
 )
 
 // EncryptWithTransit encrypts data using Vault Transit.
 func EncryptWithTransit(ctx context.Context, vaultClient Client, mount, key string, data []byte, opts ...TransitOption) ([]byte, error) {
 	path := fmt.Sprintf("%s/encrypt/%s", mount, key)
 
-	params := map[string]any{
-		"name":      key,
-		"plaintext": base64.StdEncoding.EncodeToString(data),
+	req := &TransitRequestOptions{
+		Params: map[string]any{
+			"name":      key,
+			"plaintext": base64.StdEncoding.EncodeToString(data),
+		},
+		Headers: make(http.Header),
 	}
 
 	for _, opt := range opts {
-		opt(params)
+		opt(req)
 	}
 
-	resp, err := vaultClient.Write(ctx, NewWriteRequest(path, params, nil))
+	resp, err := vaultClient.Write(ctx, NewWriteRequest(path, req.Params, req.Headers))
 	if err != nil {
 		return nil, err
 	}
@@ -63,14 +71,21 @@ func DecryptWithTransit(ctx context.Context, vaultClient Client, mount, key stri
 }
 
 // DecryptCiphertextWithTransit decrypts a ciphertext value using Vault Transit.
-func DecryptCiphertextWithTransit(ctx context.Context, vaultClient Client, mount, key, ciphertext string) ([]byte, error) {
+func DecryptCiphertextWithTransit(ctx context.Context, vaultClient Client, mount, key, ciphertext string, opts ...TransitOption) ([]byte, error) {
 	path := fmt.Sprintf("%s/decrypt/%s", mount, key)
-	params := map[string]interface{}{
-		"name":       key,
-		"ciphertext": ciphertext,
+	req := &TransitRequestOptions{
+		Params: map[string]interface{}{
+			"name":       key,
+			"ciphertext": ciphertext,
+		},
+		Headers: make(http.Header),
+	}
+
+	for _, opt := range opts {
+		opt(req)
 	}
 
-	resp, err := vaultClient.Write(ctx, NewWriteRequest(path, params, nil))
+	resp, err := vaultClient.Write(ctx, NewWriteRequest(path, req.Params, req.Headers))
 	if err != nil {
 		return nil, err
 	}
@@ -95,5 +110,16 @@ func DecryptCiphertextWithTransit(ctx context.Context, vaultClient Client, mount
 // WithKeyVersion sets the key version for EncryptWithTransit.
 // It is ignored when passed to DecryptWithTransit.
 func WithKeyVersion(v uint) TransitOption {
-	return func(m map[string]any) { m["key_version"] = v }
+	return func(opt *TransitRequestOptions) {
+		opt.Params["key_version"] = v
+	}
+}
+
+func WithNamespace(namespace string) TransitOption {
+	return func(opt *TransitRequestOptions) {
+		if namespace == "" {
+			return
+		}
+		opt.Headers.Set("X-Vault-Namespace", namespace)
+	}
 }

vault/transit_test.go

@@ -1,6 +1,7 @@
 package vault
 
 import (
+	"net/http"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -28,13 +29,56 @@ func TestWithKeyVersion(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			opts := WithKeyVersion(tt.v)
-			m := make(map[string]any)
+			opt := WithKeyVersion(tt.v)
 
-			opts(m)
+			req := &TransitRequestOptions{
+				Params:  make(map[string]any),
+				Headers: make(http.Header),
+			}
 
-			require.Contains(t, m, "key_version")
-			assert.Equal(t, tt.v, m["key_version"])
+			opt(req)
+
+			require.Contains(t, req.Params, "key_version")
+			assert.Equal(t, tt.v, req.Params["key_version"])
+		})
+	}
+}
+
+func TestWithNamespace(t *testing.T) {
+	tests := []struct {
+		name      string
+		namespace string
+		wantSet   bool
+	}{
+		{
+			name:      "sets namespace header",
+			namespace: "foo/namespace",
+			wantSet:   true,
+		},
+		{
+			name:      "empty namespace does nothing",
+			namespace: "",
+			wantSet:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			opt := WithNamespace(tt.namespace)
+
+			req := &TransitRequestOptions{
+				Params:  make(map[string]any),
+				Headers: make(http.Header),
+			}
+
+			opt(req)
+
+			got := req.Headers.Get("X-Vault-Namespace")
+			if tt.wantSet {
+				require.Equal(t, tt.namespace, got)
+			} else {
+				require.Equal(t, "", got)
+			}
 		})
 	}
 }