VAULT-6936 support bound service account namespace selector

[thyton]

Overview

A high level description of the contribution, including:
What is the change? Support a label selector to define from which namespaces clients are allowed to authenticate with their ServiceAccounts.
Why is the change needed? This will add flexibility to bound namespace specification. A similar feature, allowed_kubernetes_namespace_selector, was also seen in Secret Engine.
How does this change affect the user experience (if at all)? No

Design of Change

How was this change implemented? The change is based on PR #182 and how allowed_kubernetes_namespace_selector was implemented.

Related Issues/Pull Requests

[ ] Issue #155
[ ] PR #182

Contributor Checklist

[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
Docs PR Link
[ ] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)

make integration-test
cd integrationtest && INTEGRATION_TESTS=true CGO_ENABLED=0 KUBE_CONTEXT="kind-vault-plugin-auth-kubernetes" go test '-test.v' -count=1 -timeout=20m ./...
?   	github.com/hashicorp/vault-plugin-auth-kubernetes/integrationtest/k8s	[no test files]
=== RUN   TestSuccess
--- PASS: TestSuccess (0.48s)
=== RUN   TestSuccessWithTokenReviewerJwt
--- PASS: TestSuccessWithTokenReviewerJwt (0.10s)
=== RUN   TestSuccessWithNamespaceLabels
--- PASS: TestSuccessWithNamespaceLabels (0.11s)
=== RUN   TestFailWithBadTokenReviewerJwt
--- PASS: TestFailWithBadTokenReviewerJwt (0.11s)
=== RUN   TestUnauthorizedServiceAccountErrorCode
--- PASS: TestUnauthorizedServiceAccountErrorCode (0.10s)
=== RUN   TestAudienceValidation
=== RUN   TestAudienceValidation/config:_default,_JWT:_default
=== RUN   TestAudienceValidation/config:_default,_JWT:_a
=== RUN   TestAudienceValidation/config:_a,_JWT:_a
=== RUN   TestAudienceValidation/config:_a,_JWT:_b
=== RUN   TestAudienceValidation/config:_unset,_JWT:_default
=== RUN   TestAudienceValidation/config:_unset,_JWT:_a
--- PASS: TestAudienceValidation (0.61s)
    --- PASS: TestAudienceValidation/config:_default,_JWT:_default (0.10s)
    --- PASS: TestAudienceValidation/config:_default,_JWT:_a (0.09s)
    --- PASS: TestAudienceValidation/config:_a,_JWT:_a (0.11s)
    --- PASS: TestAudienceValidation/config:_a,_JWT:_b (0.09s)
    --- PASS: TestAudienceValidation/config:_unset,_JWT:_default (0.09s)
    --- PASS: TestAudienceValidation/config:_unset,_JWT:_a (0.10s)
PASS
ok  	github.com/hashicorp/vault-plugin-auth-kubernetes/integrationtest	2.077s

[ ] Backwards compatible

[benashz]

Gave it a first pass. I think we may want to revisit the approach a bit. I had some questions around request parameter types JSON+YAML, the way that namespaces and namespace selector's are evaluated together.

Overall, it seems like the change is heading in a positive direction.

[benashz]

Re-adding myself as a reviewer.

[thyton]

@benashz @tomhjp I appreciate the detailed first pass! I've addressed/followed up with all comments. It's ready for the next review whenever you have a chance.

[benashz]

Thanks for making the requested changes! I think we are almost there.

[benashz]

Looking good! It would be good to add some tests for the methods provided by namespaceValidatorWrapper{}, as well as what we covered during our sync.

[benashz]

nit: maybe fold on the slice elements.

[benashz]

LGTM! Thanks for making the extra changes.

[mbenson]

When are we likely to see a new release incorporating this change?