VaultConnection CRD Namespace Scope Issue

I have been using the Vault Secrets Operator and encountered the following situation.

I deployed a VaultConnection CRD in my “vault” namespace, which specifies how to connect to Vault over HTTPS using the caCertSecretRef.

I also have an application running in another namespace called “test.” I created a VaultAuth CRD in the “test” namespace, which specifies the application’s service account and the appropriate role in Vault for Kubernetes authentication.

The problem I am facing is that I cannot reference my VaultConnection CRD in the VaultAuth CRD’s vaultConnectionRef, since the VaultConnection CRD’s scope is namespaced. The issue is resolved when I deploy the VaultConnection CRD into my “test” namespace, but then I need to copy over the caCertSecret to connect to Vault over HTTPS.

Am I missing something fundamental about how the VaultConnection and VaultAuth CRDs are supposed to be used? My initial impression was that I would only need one VaultConnection CRD in the Vault namespace (or configure the default VaultConnection CRD) and that I would be able to reference it in all my application-specific VaultAuth CRDs in other namespaces. However, I cannot do this since the VaultConnection CRD is namespaced.

I would appreciate any input and help. I’m really looking forward to using this more!

2 Likes

Seems like a reasonable feature request to me.

You’d probably need to reference a different type of CR though, something like ClusterVaultConnection.

1 Like

After further troubleshooting, I found that using the default VaultConnection in my VaultAuth CRD resolves the namespace scoping issue for my use case. However, there is still a requirement to install the caCertSecret in every namespace where VaultAuth and Secret CRDs will be used. So I can see a potential use case for cluster-scoped Auth and Connection CRDs.

1 Like
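The manifests below illustrate the layout described in this thread: a VaultConnection plus its CA Secret co-located in the application namespace (the workaround the original poster found to work), a VaultAuth that references it, a second VaultAuth variant that omits `vaultConnectionRef` and therefore falls back to the operator's `default` VaultConnection (the resolution reported in the last reply), and a VaultStaticSecret consuming one of them. This is an added example, not code from the thread or from the Vault Secrets Operator project. The namespace `test`, the resource names, the Vault address, the auth mount `kubernetes`, the role `test-app`, the KV mount `kvv2` and the secret path are assumptions; the `apiVersion` is the `secrets.hashicorp.com/v1beta1` group the operator's CRDs use. The CA certificate body is omitted and must be replaced with the PEM of the CA that signed Vault's TLS listener certificate, under the `ca.crt` key the operator expects.

```yaml
# Secret holding the Vault CA. It is created in the application namespace
# because caCertSecretRef is resolved there; the CA PEM is a placeholder to
# replace before applying.
apiVersion: v1
kind: Secret
metadata:
  name: vault-ca
  namespace: test
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    (PEM body of the CA that issued Vault's listener certificate goes here)
    -----END CERTIFICATE-----
---
# Namespaced VaultConnection living next to the VaultAuth that uses it.
# Address and TLS settings are assumptions for this example.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-connection
  namespace: test
spec:
  address: https://vault.vault.svc.cluster.local:8200
  caCertSecretRef: vault-ca      # name of the Secret above, same namespace
  skipTLSVerify: false           # never disable verification to dodge the CA copy
---
# VaultAuth that references the namespaced VaultConnection explicitly.
# The role and service account are assumptions; the Vault role must be
# bound to this service account and namespace on the Vault side.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: test-app-auth
  namespace: test
spec:
  vaultConnectionRef: vault-connection
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: test-app
    serviceAccount: test-app
    audiences:
      - vault
---
# Variant from the final reply: no vaultConnectionRef, so the operator uses
# the "default" VaultConnection that its Helm chart installs in the
# operator's own namespace. The Vault CA still has to be available for
# TLS verification as the poster describes.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: test-app-auth-default-conn
  namespace: test
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: test-app
    serviceAccount: test-app
---
# Consumer of either VaultAuth: syncs a KV v2 secret into a Kubernetes Secret
# in the same namespace. Mount, path and destination name are assumptions.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: test-app-config
  namespace: test
spec:
  vaultAuthRef: test-app-auth    # swap for test-app-auth-default-conn to use the default connection
  mount: kvv2
  type: kv-v2
  path: test/config
  refreshAfter: 30s
  destination:
    create: true
    name: test-app-secret
```

Apply with `kubectl apply -f` and inspect `kubectl -n test get vaultstaticsecret test-app-config -o yaml`; the status conditions and the operator's log show whether the connection's TLS verification succeeded. Keeping `skipTLSVerify: false` is the security-relevant point: the inconvenience of distributing the CA Secret is the price of verifying that the operator is sending Kubernetes service-account tokens to the real Vault and not to something impersonating it.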