Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remote.vault: enhance auth.custom to support namespace switching for authentication #2945

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

remote.vault: enhance auth.custom to support namespace switching for authentication #2945

wants to merge 6 commits into from

Conversation

Notedop
Copy link

@Notedop Notedop commented Mar 10, 2025

PR Description

With Vault Enterprise it is possible to define different namespaces and multi-tenancy support as described here. With this setup it is also possible to have a dedicated authentication namespace, while the kv store exists on a child namespace.

Currently Alloy uses the same client for both the AuthenticationManager and SecretManager; as a result currently it is not possible to define a separate namespace for each client.

This PR addresses the above and will allow you to override the namespace used by the client of the authentication manager.

Which issue(s) this PR fixes

Notes to the Reviewer

PR Checklist

  • [ x ] CHANGELOG.md updated
  • [ x ] Documentation added

@Notedop Notedop requested review from clayton-cornell and a team as code owners March 10, 2025 13:19
Notedop added 4 commits March 10, 2025 15:15
@Notedop
support namespace switching
516866f 
with Vault Enterprise it is possible to define Namespace and secure multi-tenancy.
This means one can create multiple namespaces while maintaining a single Vault instance.
Furthermore, it is possible to separate the authentication namespace from the kv namespace.
For example it is possible to authenticate against "ns1/" while the secret kv's exist under
"ns1/childns1".

Currently, Alloy does not support switching between namespaces while authenticating versus
retrieving the kv secrets. This commit addresses that limitation.
@Notedop
update changelog
86fc5b0
@Notedop
update documentation
2e0ce97
@Notedop
undo variable assignment
9f88ccc
@Notedop Notedop force-pushed the notedop/support_vault_ent_namespace_switching branch from b89e79a to 9f88ccc Compare March 10, 2025 14:18
@Notedop
Copy link
Author

Notedop commented Mar 10, 2025

Rebased on latest main branch to address conflict in CHANGELOG.md

@Notedop
Copy link
Author

Notedop commented Mar 11, 2025

@clayton-cornell could you review this PR for me and let me know if this is fine?

@clayton-cornell clayton-cornell requested a review from a team March 11, 2025 16:55
@Notedop @clayton-cornell
Apply suggestions from code review
7ce2898 
Rephrased documentation by code reviewer

Co-authored-by: Clayton Cornell <[email protected]>
@Notedop
Copy link
Author

Notedop commented Mar 11, 2025

@clayton-cornell thank you for the review. I've committed your suggestions.

@clayton-cornell
Copy link
Contributor

Now over to @grafana/grafana-agent-maintainers for a code review

@clayton-cornell clayton-cornell added the type/docs Docs Squad label across all Grafana Labs repos label Mar 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clayton-cornell clayton-cornell clayton-cornell left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
type/docs Docs Squad label across all Grafana Labs repos
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Notedop @clayton-cornell