Skip to content

Allow resources to reference a Venafi Connection in another namespace

By default, a Venafi Connection resource can only be used by resources that are in the same namespace as that Venafi Connection resource

Alternatively, the allowReferencesFrom field in the Venafi Connection definition allows resources from other namespaces to use the Venafi Connection. The allowReferencesFrom field is a namespace selector that specifies what namespaces this Venafi Connection is allowed to be used from.

  • If not set or set to null, the Venafi Connection can only be used within its namespace.
  • An empty selector {} matches all namespaces.
  • If set to a non-empty selector, the Venafi Connection can only be used from namespaces that match the selector. This possibly excludes the namespace the Venafi Connection is in.

Allow a specific namespace to use the Venafi Connection

The following example shows a label selector that allows resources in the application-team-1 namespace to use the VenafiConnection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  allowReferencesFrom:
    matchLabels:
      "kubernetes.io/metadata.name": application-team-1

  ...

Allow a Venafi Connection to be used from multiple namespaces

The following example shows a label selector that allows all resources in a specified list of namespaces [application-team-1, application-team-2, application-team-3] to use the Venafi Connection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  allowReferencesFrom:
    matchExpressions:
      - { key: "kubernetes.io/metadata.name", operator: In, values: [application-team-1, application-team-2, application-team-3] }

  ...

Note

See the Kubernetes documentation for more information about matchExpressions.

Allow all namespaces with a label to use the Venafi Connection

The following example shows a label selector that allows all resources in all namespaces with a specified label value to use the Venafi Connection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  allowReferencesFrom:
    matchLabels:
      namespace-owner: application-team-1

  ...