redhat-cop · sabre1041 · Dec 8, 2023 · Dec 8, 2023
diff --git a/api/v1alpha1/kubernetessecretenginerole_types.go b/api/v1alpha1/kubernetessecretenginerole_types.go
@@ -94,11 +94,17 @@ func (r *KubernetesSecretEngineRole) IsValid() (bool, error) {
 type KubeSERole struct {
 
 	// AllowedKubernetesNamespaces The list of Kubernetes namespaces this role can generate credentials for. If set to "*" all namespaces are allowed.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	// +listType=set
 	// kubebuilder:validation:UniqueItems=true
 	AllowedKubernetesNamespaces []string `json:"allowedKubernetesNamespaces,omitempty"`
 
+	// A label selector for Kubernetes namespaces in which credentials can be generated.
+	// Accepts either a JSON or YAML object. The value should be of type LabelSelector as illustrated: "'{'matchLabels':{'stage':'prod','sa-generator':'vault'}}".
+	// If set with allowed_kubernetes_namespaces, the conditions are ORed.
+	// +kubebuilder:validation:Optional
+	AllowedKubernetesNamespaceSelector string `json:"allowedKubernetesNamespaceSelector,omitempty"`
+
 	// DeafulTTL Specifies the TTL for the leases associated with this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to system/engine default TTL time.
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default="0s"
@@ -109,6 +115,11 @@ type KubeSERole struct {
 	// +kubebuilder:default="0s"
 	MaxTTL metav1.Duration `json:"maxTTL,omitempty"`
 
+	// DefaultAudiences The default intended audiences for generated Kubernetes tokens, specified by a comma separated string. e.g "custom-audience-0,custom-audience-1".
+	// If not set or set to "", the Kubernetes cluster default for audiences of service account tokens will be used.
+	// +kubebuilder:validation:Optional
+	DefaultAudiences string `json:"defaultAudiences,omitempty"`
+
 	// ServiceAccountName The pre-existing service account to generate tokens for. Mutually exclusive with all role parameters. If set, only a Kubernetes token will be created when credentials are requested. See the Kubernetes service account documentation for more details on service accounts.
 	// +kubebuilder:validation:Optional
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
@@ -143,8 +154,10 @@ type KubeSERole struct {
 func (i *KubeSERole) toMap() map[string]interface{} {
 	payload := map[string]interface{}{}
 	payload["allowed_kubernetes_namespaces"] = i.AllowedKubernetesNamespaces
+	payload["allowed_kubernetes_namespace_selector"] = i.AllowedKubernetesNamespaceSelector
 	payload["token_max_ttl"] = i.DefaultTTL
 	payload["token_default_ttl"] = i.MaxTTL
+	payload["token_default_audiences"] = i.DefaultAudiences
 	payload["service_account_name"] = i.ServiceAccountName
 	payload["kubernetes_role_name"] = i.KubernetesRoleName
 	payload["kubernetes_role_type"] = i.KubernetesRoleType

diff --git a/config/crd/bases/redhatcop.redhat.io_kubernetessecretengineroles.yaml b/config/crd/bases/redhatcop.redhat.io_kubernetessecretengineroles.yaml
@@ -37,6 +37,12 @@ spec:
             description: KubernetesSecretEngineRoleSpec defines the desired state
               of KubernetesSecretEngineRole
             properties:
+              allowedKubernetesNamespaceSelector:
+                description: 'A label selector for Kubernetes namespaces in which
+                  credentials can be generated. Accepts either a JSON or YAML object.
+                  The value should be of type LabelSelector as illustrated: "''{''matchLabels'':{''stage'':''prod'',''sa-generator'':''vault''}}".
+                  If set with allowed_kubernetes_namespaces, the conditions are ORed.'
+                type: string
               allowedKubernetesNamespaces:
                 description: AllowedKubernetesNamespaces The list of Kubernetes namespaces
                   this role can generate credentials for. If set to "*" all namespaces
@@ -128,6 +134,12 @@ spec:
                     description: Timeout Timeout variable. The default value is 60s.
                     type: string
                 type: object
+              defaultAudiences:
+                description: DefaultAudiences The default intended audiences for generated
+                  Kubernetes tokens, specified by a comma separated string. e.g "custom-audience-0,custom-audience-1".
+                  If not set or set to "", the Kubernetes cluster default for audiences
+                  of service account tokens will be used.
+                type: string
               defaultTTL:
                 default: 0s
                 description: DeafulTTL Specifies the TTL for the leases associated