*: Add repo update steps

.github/workflows/main.yaml

@@ -0,0 +1,51 @@
+name: "vault-secrets-operator build"
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - '*'
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v3
+      - name: init
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          [[ $GITHUB_REF == refs/tags/* ]] && (echo "VERSION=$(echo ${GITHUB_REF#refs/*/} | sed -e 's/^[[v]]*//')" >> build.env) # if it's a tag, override VERSION variable
+      - name: prepare
+        run: |
+          docker compose up -d --build
+      - name: sanity-check
+        run: |
+          docker compose exec -T vault-secrets-operator make check-fmt
+          docker compose exec -T vault-secrets-operator go mod tidy
+      - name: build
+        run: docker compose exec -T vault-secrets-operator make ci-build ci-docker-build
+      - id: auth
+        name: authentication
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: google-github-actions/auth@v1
+        with:
+          token_format: access_token
+          workload_identity_provider: projects/965526508485/locations/global/workloadIdentityPools/github/providers/openid-connect
+          service_account: [email protected]
+          access_token_lifetime: '600s'
+      - name: release
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          docker compose exec -T vault-secrets-operator bash -c "echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://europe-docker.pkg.dev"
+          docker compose exec -T vault-secrets-operator make docker-push
+      - name: clean
+        run: |
+          docker compose exec -T vault-secrets-operator make clean
+          docker compose down -v

Dockerfile.build

@@ -0,0 +1,7 @@
+FROM saltosystems/go-builder:31c0c2f
+
+ENV PKGPATH github.com/saltosystems/vault-secrets-operator
+
+# copy current workspace
+WORKDIR ${GOPATH}/src/${PKGPATH}
+COPY . ${GOPATH}/src/${PKGPATH}

UPDATE.md

@@ -0,0 +1,74 @@
+To update your forked repository with the latest changes from the original repository (upstream), you can follow these steps using the command line. Make sure you have Git installed on your machine. Here's a step-by-step guide:
+
+### Step 1: Set Up Upstream Remote (if not done previously)
+If you haven't set up the upstream remote, add it:
+
+```bash
+# Add the original repository as the upstream remote
+git remote add upstream https://github.com/hashicorp/vault-secrets-operator.git
+```
+
+### Step 2: Create a Backup Branch
+
+```bash
+# Assuming you are currently on your main branch
+git branch release_<current_version>
+
+# This will create a new branch named 'release_<current_version>' pointing to the same version tag as your current branch
+```
+
+### Step 3: Fetch the Latest tags from Upstream
+
+```bash
+# Fetch the latest tags from upstream
+git fetch upstream --tags
+```
+
+### Step 4: Create branch from tag
+
+```bash
+# Assuming you are currently on your main branch
+git branch upstream/<new_version> <new_version>
+```
+
+### Step 5: Rebase
+
+Perform the rebase:
+
+```bash
+# Rebase your main branch onto the new version tag
+git rebase upstream/<new_version>
+
+# Resolve conflicts (if any) and continue the rebase
+```
+
+
+### Step 6: Update the version tag
+
+```bash
+# Update the version tag to point to the latest commit
+git tag -f <new_version>
+```
+
+### Step 7: Force push
+
+```bash
+# Force push to your forked repository
+git push origin main --force
+```
+
+### Step 8: In Case of Issues, Restore from Backup
+
+If something goes wrong or you need to revert the changes, you can easily switch back to the backup branch:
+
+```bash
+# Switch to the backup branch
+git checkout release_<current_version>
+
+# Force push the backup branch to restore it
+git push origin release_<current_version> --force
+```
+
+This way, you always have a backup branch pointing to the state before the rebase and force push. If anything unexpected happens, you can quickly switch back to the backup branch.
+
+Please note that force-pushing and rewriting history can have implications, especially in a collaborative environment. It's crucial to communicate such actions with your team and follow any established best practices or guidelines. 

docker-compose.yaml

@@ -0,0 +1,23 @@
+version: "3.4"
+
+services:
+  docker-in-docker:
+    image: docker:dind
+    privileged: true
+    environment:
+      DOCKER_TLS_CERTDIR:
+    expose:
+      - 2375
+
+  vault-secrets-operator:
+    build:
+      context: .
+      dockerfile: Dockerfile.build
+
+    image: vault-secrets-operator:build
+    environment:
+      DOCKER_HOST: tcp://docker-in-docker:2375
+      IMAGE_TAG_BASE: europe-docker.pkg.dev/salto-artifacts/private-docker/vault-secrets-operator 
+    env_file:
+      - build.env
+    tty: true

internal/common/common.go

@@ -402,3 +402,17 @@ func NewSyncableSecretMetaData(obj ctrlclient.Object) (*SyncableSecretMetaData,
 		return nil, fmt.Errorf("unsupported type %T", t)
 	}
 }
+
+// GetKubernetesServiceAccountNamespacedName returns the NamespacedName for the Kubernetes VaultAuth's configured
+// serviceAccount.
+// If the serviceAccount is empty then defaults Namespace and Name will be returned.
+func GetKubernetesServiceAccountNamespacedName(a *secretsv1beta1.VaultAuthConfigKubernetes, providerNamespace string) (types.NamespacedName, error) {
+	if a.ServiceAccount == "" && providerNamespace == "" {
+		return types.NamespacedName{}, fmt.Errorf("provider's default namespace is not set, this is a bug")
+	}
+	saRef, err := parseResourceRef(a.ServiceAccount, providerNamespace)
+	if err != nil {
+		return types.NamespacedName{}, err
+	}
+	return saRef, nil
+}

internal/common/common_test.go

@@ -583,3 +583,60 @@ func TestGetHCPAuthForObj(t *testing.T) {
 		})
 	}
 }
+
+func Test_GetKubernetesServiceAccountNamespacedName(t *testing.T) {
+	tests := []struct {
+		name              string
+		a                 *secretsv1beta1.VaultAuthConfigKubernetes
+		providerNamespace string
+		want              types.NamespacedName
+		wantErr           assert.ErrorAssertionFunc
+		unsetDefaultsNS   bool
+	}{
+		{
+			name: "empty-sa-ref",
+			a: &secretsv1beta1.VaultAuthConfigKubernetes{
+				ServiceAccount: "",
+			},
+			providerNamespace: "test",
+			want: types.NamespacedName{
+				Namespace: OperatorNamespace,
+				Name:      consts.NameDefault,
+			},
+			wantErr: assert.NoError,
+		},
+		{
+			name: "with-sa-ref-with-ns",
+			a: &secretsv1beta1.VaultAuthConfigKubernetes{
+				ServiceAccount: "foo/bar",
+			},
+			providerNamespace: "baz",
+			want: types.NamespacedName{
+				Name:      "bar",
+				Namespace: "foo",
+			},
+			wantErr: assert.NoError,
+		},
+		{
+			name: "with-sa-ref-without-ns",
+			a: &secretsv1beta1.VaultAuthConfigKubernetes{
+				ServiceAccount: "foo",
+			},
+			providerNamespace: "baz",
+			want: types.NamespacedName{
+				Namespace: "baz",
+				Name:      "foo",
+			},
+			wantErr: assert.NoError,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := GetKubernetesServiceAccountNamespacedName(tt.a, tt.providerNamespace)
+			if !tt.wantErr(t, err, fmt.Sprintf("getKubernetesServiceAccountNamespacedName(%v)", tt.a)) {
+				return
+			}
+			assert.Equalf(t, tt.want, got, "getKubernetesServiceAccountNamespacedName(%v)", tt.a)
+		})
+	}
+}

internal/credentials/vault/kubernetes.go

@@ -12,6 +12,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	secretsv1beta1 "github.com/hashicorp/vault-secrets-operator/api/v1beta1"
+	"github.com/hashicorp/vault-secrets-operator/internal/common"
 	"github.com/hashicorp/vault-secrets-operator/internal/helpers"
 )
 
@@ -56,9 +57,13 @@ func (l *KubernetesCredentialProvider) Init(ctx context.Context, client ctrlclie
 }
 
 func (l *KubernetesCredentialProvider) getServiceAccount(ctx context.Context, client ctrlclient.Client) (*corev1.ServiceAccount, error) {
+	a, err := common.GetKubernetesServiceAccountNamespacedName(l.authObj.Spec.Kubernetes, l.providerNamespace)
+	if err != nil {
+		return nil, err
+	}
 	key := ctrlclient.ObjectKey{
-		Namespace: l.providerNamespace,
-		Name:      l.authObj.Spec.Kubernetes.ServiceAccount,
+		Namespace: a.Namespace,
+		Name:      a.Name,
 	}
 	sa := &corev1.ServiceAccount{}
 	if err := client.Get(ctx, key, sa); err != nil {