Kubernetes auth method: namespace selector not working with client-provided login token

[cbarbian-sap]

Describe the bug
Using bound_service_account_namespace_selector in a kubernetes auth role fails if the auth method is configured with disable_local_ca_jwt.

To Reproduce

1. Enable a kubernetes auth method like

   vault auth enable -path=kubernetes-playground kubernetes
   vault write auth/kubernetes-playground/config \
     kubernetes_host=https://playground.kubernetes.internal \
     kubernetes_ca_cert="..." \
     disable_local_ca_jwt="true"

   (leaving out the CA certificate for readability)

2. Create a role using label selector such as

   vault write auth/kubernetes-playground/role/testing \
     bound_service_account_names="*" \
     bound_service_account_namespace_selector="{\"matchLabels\":{\"allow-vault\":\"true\"}}" \
     audience="https://playground.kubernetes.internal" \
     policies="kv-reader" \
     token_ttl=2m

3. In the Kubernetes cluster, create a service account (e.g. vault-test/vault-reader) and give it permission to review tokens and to read namespaces:

   kubectl create namespace vault-test
   kubectl label namespace vault-test allow-vault=true
   kubectl -n vault-test create sa vault-reader
   kubectl create clusterrolebinding vault-reader:token-review \
     --clusterrole system:auth-delegator \
     --serviceaccount vault-test:vault-reader
   kubectl create clusterrolebinding vault-reader:view \
     --clusterrole view \
     --serviceaccount vault-test:vault-reader

   Then create a token for that service account:

   kubectl -n vault-test create token vault-reader

4. Use that token to login to the auth method

   TOKEN=<token from step 3>
   curl --request POST -v \
     --data "{\"role\":\"testing\",\"jwt\":\"$TOKEN\"}" \
     $VAULT_ADDR/v1/auth/kubernetes-playground/login

   Returns 403 with:

   {"errors":["namespace not authorized err=namespace lookup failed: TokenReviewer JWT needs to be configured to use namespace selectors"]}

   Note that the login works well when replacing bound_service_account_namespace_selector by a matching bound_service_account_namespaces.

   Also note that login works with namespace selector (as expected) when setting this (or another sufficiently authorized) token statically as token_reviewer_jwt in the method config.

Expected behavior
Vault probably should use the same token it uses for the token review (in that case, the one presented by the client during login) for the namespace lookup. At least it should not insist to have a static long-living token_reviewer_jwt configured on the method.

Environment:

• Vault Server Version (retrieve with vault status):

  Key             Value
  ---             -----
  Seal Type       shamir
  Initialized     true
  Sealed          false
  Total Shares    1
  Threshold       1
  Version         1.18.2
  Build Date      2024-11-20T11:24:56Z
  Storage Type    consul
  Cluster Name    vault-cluster-69b16021
  Cluster ID      287ca71b-052b-069f-72da-7c76b1a7a862
  HA Enabled      true
  HA Cluster      https://vault-2.vault-internal:8201
  HA Mode         active
  Active Since    2024-11-28T16:55:14.299421551Z
  

• Vault CLI Version (retrieve with vault version):

  Vault v1.14.4 ('ccdd48d1f7b95fc99fd11d67fc1c687576b338de+CHANGES'), built 2023-09-22T21:29:05
  

• Server Operating System/Architecture:
  linux/arm64

Additional context
None.