@phuhung273 phuhung273 commented Dec 18, 2024

Overview

Who the change affects or is for (stakeholders)?

Users want to use short-lived tokens by setting disable_local_ca_jwt

What is the change?

Allow using bound_service_account_namespace_selector with disable_local_ca_jwt

Why is the change needed?

Encourage users toward short-lived tokens for enhanced security

Design of Change

When disable_local_ca_jwt is true: the client JWT is used instead of token_reviewer_jwt

Prerequisites:

  • Client service account must have view namespace permission

Tradeoff:

Related Issues/Pull Requests

Contributor Checklist

[x] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
disable_local_ca_jwt works with bound_service_account_namespaces but not bound_service_account_namespace_selector. I think this is a bug fix so no need for docs. Please let me know what you think.

[x] Add output for any tests not run in CI to the PR description (eg, acceptance tests)

$ make integration-test
cd integrationtest && INTEGRATION_TESTS=true CGO_ENABLED=0 KUBE_CONTEXT="kind-vault-plugin-auth-kubernetes" go test '-test.v' -count=1 -timeout=20m ./...
?       github.com/hashicorp/vault-plugin-auth-kubernetes/integrationtest/k8s   [no test files]
=== RUN   TestSuccess
--- PASS: TestSuccess (0.11s)
=== RUN   TestSuccessWithTokenReviewerJwt
--- PASS: TestSuccessWithTokenReviewerJwt (0.12s)
=== RUN   TestSuccessWithNamespaceLabels
--- PASS: TestSuccessWithNamespaceLabels (0.10s)
=== RUN   TestFailWithMismatchNamespaceLabels
--- PASS: TestFailWithMismatchNamespaceLabels (0.12s)
=== RUN   TestSuccessWithoutTokenReviewerJwtAndDisabledLocalCAJwtAndNamespaceLabels
--- PASS: TestSuccessWithoutTokenReviewerJwtAndDisabledLocalCAJwtAndNamespaceLabels (0.11s)
=== RUN   TestFailWithoutTokenReviewerJwtAndDisabledLocalCAJwtAndMismatchNamespaceLabels
--- PASS: TestFailWithoutTokenReviewerJwtAndDisabledLocalCAJwtAndMismatchNamespaceLabels (0.10s)
=== RUN   TestFailWithBadTokenReviewerJwt
--- PASS: TestFailWithBadTokenReviewerJwt (0.09s)
=== RUN   TestSuccessWithAuthAliasMetadataAssignment
--- PASS: TestSuccessWithAuthAliasMetadataAssignment (0.12s)
=== RUN   TestFailWithAuthAliasMetadataAssignmentOnReservedKeys
--- PASS: TestFailWithAuthAliasMetadataAssignmentOnReservedKeys (0.11s)
=== RUN   TestUnauthorizedServiceAccountErrorCode
--- PASS: TestUnauthorizedServiceAccountErrorCode (0.10s)
=== RUN   TestAudienceValidation
=== RUN   TestAudienceValidation/config:_a,_JWT:_a
=== RUN   TestAudienceValidation/config:_a,_JWT:_b
=== RUN   TestAudienceValidation/config:_unset,_JWT:_default
=== RUN   TestAudienceValidation/config:_unset,_JWT:_a
=== RUN   TestAudienceValidation/config:_default,_JWT:_default
=== RUN   TestAudienceValidation/config:_default,_JWT:_a
--- PASS: TestAudienceValidation (0.57s)
    --- PASS: TestAudienceValidation/config:_a,_JWT:_a (0.10s)
    --- PASS: TestAudienceValidation/config:_a,_JWT:_b (0.08s)
    --- PASS: TestAudienceValidation/config:_unset,_JWT:_default (0.09s)
    --- PASS: TestAudienceValidation/config:_unset,_JWT:_a (0.10s)
    --- PASS: TestAudienceValidation/config:_default,_JWT:_default (0.09s)
    --- PASS: TestAudienceValidation/config:_default,_JWT:_a (0.08s)
PASS
ok      github.com/hashicorp/vault-plugin-auth-kubernetes/integrationtest       1.705s

[ ] Backwards compatible

@phuhung273 phuhung273 requested a review from a team as a code owner December 18, 2024 15:16
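The credential choice the PR describes, and the namespace-view prerequisite that follows from it, as an added Go illustration. This is not the plugin's own code: the Config field names, the precedence order (an explicit token_reviewer_jwt first, then the login JWT when disable_local_ca_jwt is set, then Vault's local service-account token, which is an assumption consistent with the test names above), the Selector type and the fakeCluster stub are all constructed for the example. It shows why the client service account needs permission to view namespaces: with disable_local_ca_jwt and no token_reviewer_jwt, the namespace lookup behind bound_service_account_namespace_selector is made with the login JWT itself.

```go
package main

import (
	"errors"
	"fmt"
)

// Config holds the three settings discussed in the PR. Field names are
// assumed for this illustration; they are not the plugin's own struct.
type Config struct {
	DisableLocalCAJWT bool   // disable_local_ca_jwt
	TokenReviewerJWT  string // token_reviewer_jwt (empty when unset)
	LocalSAJWT        string // token mounted in Vault's own pod (assumed name)
}

// ErrNoCredential is returned when nothing is available to call the API with.
var ErrNoCredential = errors.New("no credential available for the Kubernetes API")

// ErrForbidden models a 403 from the namespace lookup: the credential is valid
// but its service account may not view namespaces.
var ErrForbidden = errors.New("namespaces is forbidden for this service account")

// reviewerCredential chooses the JWT used for the namespace lookup.
// Assumed precedence, consistent with the PR's test names: an explicit
// token_reviewer_jwt wins; otherwise with disable_local_ca_jwt the login JWT
// itself is reused; otherwise Vault's local service-account token.
func reviewerCredential(cfg Config, loginJWT string) (token, source string, err error) {
	switch {
	case cfg.TokenReviewerJWT != "":
		return cfg.TokenReviewerJWT, "token_reviewer_jwt", nil
	case cfg.DisableLocalCAJWT:
		if loginJWT == "" {
			return "", "", ErrNoCredential
		}
		return loginJWT, "client_jwt", nil
	case cfg.LocalSAJWT != "":
		return cfg.LocalSAJWT, "local_sa_jwt", nil
	}
	return "", "", ErrNoCredential
}

// Selector is a minimal stand-in for bound_service_account_namespace_selector:
// matchLabels semantics only (every key must be present with the same value).
type Selector struct {
	MatchLabels map[string]string
}

// Matches reports whether the namespace labels satisfy every matchLabels entry.
func (s Selector) Matches(labels map[string]string) bool {
	for k, want := range s.MatchLabels {
		if got, ok := labels[k]; !ok || got != want {
			return false
		}
	}
	return true
}

// namespaceGetter stands in for GET /api/v1/namespaces/{name}, the call that
// needs "get namespaces" permission for whichever service account presents token.
type namespaceGetter func(token, name string) (map[string]string, error)

// namespaceAllowed runs the selector check the way the PR describes: pick the
// credential, fetch the namespace's labels with it, then match the selector.
func namespaceAllowed(cfg Config, loginJWT, ns string, sel Selector, get namespaceGetter) (bool, error) {
	token, _, err := reviewerCredential(cfg, loginJWT)
	if err != nil {
		return false, err
	}
	labels, err := get(token, ns)
	if err != nil {
		return false, err
	}
	return sel.Matches(labels), nil
}

// fakeCluster is a constructed API stub: which tokens may view namespaces, and
// each namespace's labels. No real cluster is contacted.
func fakeCluster(canView map[string]bool, namespaces map[string]map[string]string) namespaceGetter {
	return func(token, name string) (map[string]string, error) {
		if !canView[token] {
			return nil, ErrForbidden
		}
		labels, ok := namespaces[name]
		if !ok {
			return nil, fmt.Errorf("namespace %q not found", name)
		}
		return labels, nil
	}
}

func main() {
	get := fakeCluster(
		map[string]bool{"sa-token-with-view": true, "sa-token-no-view": false},
		map[string]map[string]string{"payments": {"team": "payments", "env": "prod"}},
	)
	sel := Selector{MatchLabels: map[string]string{"env": "prod"}}
	cfg := Config{DisableLocalCAJWT: true} // no token_reviewer_jwt configured

	ok, err := namespaceAllowed(cfg, "sa-token-with-view", "payments", sel, get)
	fmt.Println("client SA with view permission:", ok, err)
	ok, err = namespaceAllowed(cfg, "sa-token-no-view", "payments", sel, get)
	fmt.Println("client SA without view permission:", ok, err)
}
```

The second call in main is the failure mode a defender should expect after enabling disable_local_ca_jwt without token_reviewer_jwt: a login that would otherwise match the selector is rejected because the caller's own service account cannot read the namespace, so the RBAC grant on namespaces belongs to the logging-in workloads rather than to Vault's pod.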