JWTOIDCAuthEngineRole boundClaims support for string lists values

[Gio-R]

As indicated here, Vault supports string lists as values for the bound_claims map. Looking at the JWTOIDCAuthEngineRole CRD description, it says that "The expected value may be a single string or a list of strings". I tried to apply this descriptor:

apiVersion: redhatcop.redhat.io/v1alpha1
kind: JWTOIDCAuthEngineRole
metadata:
  name: vault-user
  namespace: vault-configurator
spec:
  name: tool
  authentication: 
    path: kubernetes
    role: configurator
    serviceAccount:
      name: vault-configurator
  path: jwt-auth
  userClaim: sub
  tokenPolicies:
    - tool
  roleType: jwt
  boundClaims:
    "/kubernetes.io/namespace": ["namespace1", "namespace2"]
  boundClaimsType: string

but got

error: error validating "jwt_auth_role.yaml": error validating data: ValidationError(JWTOIDCAuthEngineRole.spec.boundClaims./kubernetes.io/namespace): invalid type for io.redhat.redhatcop.v1alpha1.JWTOIDCAuthEngineRole.spec.boundClaims: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false

I also tried to set boundClaims to "/kubernetes.io/namespace": "[namespace1 namespace2]", but while this looked correct when looking at the Vault configuration with vault read auth/jwt-auth/role/tool it still didn't work.

Dis I miss something, or are list of strings not currently supported as values for bound claims?

[erlisb]

Hi @Gio-R, I applied a fix here: #238
Please, check and let me know.

Thanks.

[Gio-R]

Everything seems to work, thanks!