Deploy vault into a custom namespace

To deploy Vault into a custom namespace (not into default), you have to:

1. Ensure that you have required permissions:

   export NAMESPACE="<your-custom-namespace>"
   cat <<EOF > kustomization.yaml | kubectl kustomize | kubectl apply -f -
   apiVersion: kustomize.config.k8s.io/v1beta1
   kind: Kustomization
   resources:
   - https://github.com/bank-vaults/vault-operator/deploy/rbac
   transformers:
   - |-
     apiVersion: builtin
     kind: NamespaceTransformer
     metadata:
       name: vault-namespace-transform
       namespace: $NAMESPACE
     setRoleBindingSubjects: defaultOnly
   EOF
   

2. Use the custom namespace in the following fields in the Vault CR:

   • unsealConfig.kubernetes.secretNamespace
   • config.api_addr
   • auth.roles.bound_service_account_namespaces
   • secrets.configuration.config.issuing_certificates and crl_distribution_points
   • secrets.configuration.root/generate.common_name

   If not using CRDs, you have to use the custom namespace in the following fields of the Vault Helm chart:

   • vault.externalConfig.auth.roles.bound_service_account_namespaces
   • unsealer.args

3. Deploy the Vault CustomResource to the custom namespace. For example:

   kubectl apply --namespace <your-custom-namespace> -f <your-customized-vault-cr>