
Allow resources to reference a Venafi Connection in another namespace

By default, a Venafi Connection resource can only be used by resources that are in the same namespace as that Venafi Connection resource.

Alternatively, the allowReferencesFrom field in the Venafi Connection definition allows resources from other namespaces to use the Venafi

Allow a specific namespace to use the Venafi Connection

The following example shows a label selector that allows resources in the application-team-1 namespace to use the VenafiConnection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  allowReferencesFrom:
    matchLabels:
      "kubernetes.io/metadata.name": application-team-1

  ...

Allow a Venafi Connection to be used from multiple namespaces

The following example shows a label selector that allows all resources in a specified list of namespaces [application-team-1, application-team-2, application-team-3] to use the Venafi Connection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  allowReferencesFrom:
    matchExpressions:
      - { key: "kubernetes.io/metadata.name", operator: In, values: [application-team-1, application-team-2, application-team-3] }

  ...

Note

See the Kubernetes documentation for more information about matchExpressions.

Allow all namespaces with a label to use the Venafi Connection

The following example shows a label selector that allows all resources in all namespaces with a specified label value to use the Venafi Connection:

apiVersion: jetstack.io/v1alpha1
kind: VenafiConnection
metadata:
  name: application-team-1-connection
  namespace: venafi
spec:
  allowReferencesFrom:
    matchLabels:
      namespace-owner: application-team-1

  ...
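To check which namespaces a selector would admit before applying it, the following added example (not part of the Venafi documentation) evaluates the three selectors above using standard Kubernetes label-selector semantics. The namespace list, including the sandbox namespace and its labels, is constructed for illustration, and the example assumes the selector is matched against namespace labels as described above.

```python
# Added example: evaluate Kubernetes label selectors against namespace labels.

def selector_matches(selector, labels):
    """Return True if `labels` satisfies every requirement in `selector`."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        if op == "In":
            ok = key in labels and labels[key] in values
        elif op == "NotIn":
            ok = key not in labels or labels[key] not in values
        elif op == "Exists":
            ok = key in labels
        elif op == "DoesNotExist":
            ok = key not in labels
        else:
            raise ValueError(f"unsupported operator: {op}")
        if not ok:
            return False
    return True


def allowed_namespaces(selector, namespaces):
    """Names of the namespaces whose labels the selector admits, sorted."""
    return sorted(n for n, lbls in namespaces.items() if selector_matches(selector, lbls))


NAME = "kubernetes.io/metadata.name"
# Constructed namespaces. The API server sets NAME to the namespace's own name;
# namespace-owner is a custom label that someone applied to the namespace.
NAMESPACES = {
    "application-team-1": {NAME: "application-team-1", "namespace-owner": "application-team-1"},
    "application-team-2": {NAME: "application-team-2"},
    "application-team-3": {NAME: "application-team-3"},
    "sandbox": {NAME: "sandbox", "namespace-owner": "application-team-1"},
}
# The three allowReferencesFrom selectors shown on this page.
BY_NAME = {"matchLabels": {NAME: "application-team-1"}}
BY_LIST = {"matchExpressions": [{"key": NAME, "operator": "In",
           "values": ["application-team-1", "application-team-2", "application-team-3"]}]}
BY_OWNER = {"matchLabels": {"namespace-owner": "application-team-1"}}

if __name__ == "__main__":
    for label, sel in [("by name", BY_NAME), ("by list", BY_LIST), ("by owner label", BY_OWNER)]:
        print(label, "->", allowed_namespaces(sel, NAMESPACES))
```

The custom-label selector admits the constructed sandbox namespace as well, because it matches any namespace carrying namespace-owner: application-team-1. When selecting on a custom label, restrict who can edit namespace labels accordingly.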