Merge pull request hashicorp#12793 from hashicorp/jm/vault-ns-auth

Set vault namespaces on vault client prior to logging in
neuvector · Apr 15, 2022 · 25ef2ea · 25ef2ea
2 parents 319a0a0 + 8ad9bf8
commit 25ef2ea
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/.changelog/12793.txt b/.changelog/12793.txt
@@ -0,0 +1,5 @@
+```release-note:bug
+The Connect CA Vault system now sets the Namespace (if present) prior
+to attempting to login to Vault. This means the AuthMethod needs to
+be in the specified namespace. Previously the AuthMethod needed to be
+in the root namespace to work.
diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go
@@ -103,6 +103,14 @@ func (v *VaultProvider) Configure(cfg ProviderConfig) error {
 		return err
 	}
 
+	// We don't want to set the namespace if it's empty to prevent potential
+	// unknown behavior (what does Vault do with an empty namespace). The Vault
+	// client also makes sure the inputs are not empty strings so let's do the
+	// same.
+	if config.Namespace != "" {
+		client.SetNamespace(config.Namespace)
+	}
+
 	if config.AuthMethod != nil {
 		loginResp, err := vaultLogin(client, config.AuthMethod)
 		if err != nil {
@@ -112,13 +120,6 @@ func (v *VaultProvider) Configure(cfg ProviderConfig) error {
 	}
 	client.SetToken(config.Token)
 
-	// We don't want to set the namespace if it's empty to prevent potential
-	// unknown behavior (what does Vault do with an empty namespace). The Vault
-	// client also makes sure the inputs are not empty strings so let's do the
-	// same.
-	if config.Namespace != "" {
-		client.SetNamespace(config.Namespace)
-	}
 	v.config = config
 	v.client = client
 	v.isPrimary = cfg.IsPrimary