VaultStaticSecret - Kubernetes secret destination in another namespace
Is your feature request related to a problem? Please describe.
In our organisation, one team is responsible for managing the roles that have access to the Vault namespace, which can make integration complicated. In this context, we're planning a setup with a controller with the right to consume the entire namespace (aka a single VaultAuth resource).
This means that all the secrets would in theory be accessible by anyone who could create a VaultStaticSecret resource. Knowing that users are admins in their namespace, we'd like to locate the definition of VaultStaticSecret in the controller's namespace, and for k8s secrets (destination) to be deployed in another namespace by the controller.
This way our platform team is responsible for managing the deployed Kubernetes secrets, and users of the namespaces will only be able to read the Kubernetes secrets created.
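To make the proposed layout concrete, here is an added illustration of the three pieces described above (one shared VaultAuth in the controller's namespace, the VaultStaticSecret defined beside it, and the resulting Kubernetes Secret landing in a team namespace). This is not code from the issue author or from the Vault Secrets Operator project: the `destination.namespace` field is hypothetical (it is what this request asks for), and all names and paths are constructed placeholders.

```yaml
# Added illustration, not the project's own manifests.
# HYPOTHETICAL: destination.namespace does not exist today; it is the field
# this feature request proposes. All names/paths are constructed placeholders.
---
# Platform team's namespace: the single VaultAuth lives here and is pinned
# to this namespace, so a VaultStaticSecret created by a namespace admin
# elsewhere cannot borrow it.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: platform-auth
  namespace: vault-secrets-operator
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: platform-controller
    serviceAccount: vault-secrets-operator-controller-manager
  allowedNamespaces:
    - vault-secrets-operator
---
# The secret definition also lives with the platform team, so only they
# decide which Vault path is materialised and where it goes.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: team-a-db-creds
  namespace: vault-secrets-operator
spec:
  vaultAuthRef: platform-auth
  mount: kvv2
  type: kv-v2
  path: team-a/db
  refreshAfter: 30s
  destination:
    name: db-creds
    namespace: team-a          # HYPOTHETICAL: requested cross-namespace destination
    create: true
# Result (if the feature existed): Secret team-a/db-creds is created and
# refreshed by the controller; workloads in team-a only ever read it.
```

The `allowedNamespaces` entry is the part that already exists today and carries the security weight of the design: without it, any namespace admin able to create a VaultStaticSecret that references the shared VaultAuth inherits the controller's full read scope.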
This should be extended to secrets from Vault Secrets with HCP Vault Secrets App. The HCP Auth specifies one project and organization, and the service principal is always at project level. Currently, either every application using secrets must be deployed in the same namespace, or project-level credentials must be added as a secret in each application namespace.
That does not make sense, as HCP Auth already contains a field allowedNamespaces which allows restricting the namespaces that can use secrets. It would thus make more sense to have the credentials in the namespace of HCP Auth and then HCP Vault Secret Apps in the application namespaces where the secrets are created.
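As an added illustration of the layout the comment above proposes for HCP (credentials and HCPAuth in the operator's namespace, HCPVaultSecretsApp in each application namespace, fenced by `allowedNamespaces`), the manifests below are not code from the commenter or from the Vault Secrets Operator project. Names and IDs are constructed placeholders, and the `namespace/name` form of `hcpAuthRef` is an assumption about the operator; an HCPAuth named `default` in the operator's namespace is also the operator's fallback, so the explicit reference may be unnecessary in practice.

```yaml
# Added illustration, not the project's own manifests.
# Placeholder values throughout; the namespace/name form of hcpAuthRef is
# an ASSUMPTION to verify against the CRD reference for your operator version.
---
# Operator namespace: the project-level service principal is stored once.
apiVersion: v1
kind: Secret
metadata:
  name: hcp-sp-creds
  namespace: vault-secrets-operator
type: Opaque
stringData:
  clientID: "<constructed-client-id>"
  clientSecret: "<constructed-client-secret>"
---
# The HCPAuth sits beside the credentials and lists which application
# namespaces are allowed to use it; anything not listed is refused.
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
  name: default
  namespace: vault-secrets-operator
spec:
  organizationID: "<constructed-org-id>"
  projectID: "<constructed-project-id>"
  servicePrincipal:
    secretRef: hcp-sp-creds
  allowedNamespaces:
    - app-a
    - app-b
---
# Application namespace: no HCP credentials here, only the app binding and
# the Kubernetes Secret the operator materialises for the workload.
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: app-a-config
  namespace: app-a
spec:
  hcpAuthRef: vault-secrets-operator/default   # ASSUMED namespace/name reference form
  appName: app-a
  refreshAfter: 1h
  destination:
    name: app-a-config
    create: true
```

With this split, rotating or revoking the service principal is a single change in the operator namespace, and adding a team means appending its namespace to `allowedNamespaces` rather than copying project-level credentials into another Secret.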