plugin/wif: support external plugins (#26384)

* plugin/wif: support external plugins * changelog
2025-10-31 02:28:09 +00:00 · 2024-04-12 16:16:26 -05:00
parent e4f9d024c8
commit 1ee302dfcd
3 changed files with 11 additions and 3 deletions
--- a/changelog/26384.txt
+++ b/changelog/26384.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+plugin/wif: fix a bug where the namespace was not set for external plugins using workload identity federation
+```
--- a/sdk/plugin/grpc_system.go
+++ b/sdk/plugin/grpc_system.go
@@ -421,7 +421,7 @@ func (s *gRPCSystemViewServer) GenerateIdentityToken(ctx context.Context, req *p
 	})
 	if err != nil {
 		return &pb.GenerateIdentityTokenResponse{}, status.Errorf(codes.Internal,
-			"failed to generate plugin identity token")
+			err.Error())
 	}

 	return &pb.GenerateIdentityTokenResponse{
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
@@ -459,12 +459,17 @@ func (d dynamicSystemView) ClusterID(ctx context.Context) (string, error) {
 }

 func (d dynamicSystemView) GenerateIdentityToken(ctx context.Context, req *pluginutil.IdentityTokenRequest) (*pluginutil.IdentityTokenResponse, error) {
-	storage := d.core.router.MatchingStorageByAPIPath(ctx, mountPathIdentity)
+	mountEntry := d.mountEntry
+	if mountEntry == nil {
+		return nil, fmt.Errorf("no mount entry")
+	}
+	nsCtx := namespace.ContextWithNamespace(ctx, mountEntry.Namespace())
+	storage := d.core.router.MatchingStorageByAPIPath(nsCtx, mountPathIdentity)
 	if storage == nil {
 		return nil, fmt.Errorf("failed to find storage entry for identity mount")
 	}

-	token, ttl, err := d.core.IdentityStore().generatePluginIdentityToken(ctx, storage, d.mountEntry, req.Audience, req.TTL)
+	token, ttl, err := d.core.IdentityStore().generatePluginIdentityToken(nsCtx, storage, d.mountEntry, req.Audience, req.TTL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate plugin identity token: %w", err)
 	}