From cc94c0bf69feb6f88237a498026fe6ce655f9d01 Mon Sep 17 00:00:00 2001 From: Jakob Beckmann Date: Thu, 23 Feb 2023 18:29:47 +0100 Subject: [PATCH] docs(kubernetes-auth): add API documentation for kubernetes auth namespace selectors Relates-to: hashicorp/vault-plugin-auth-kubernetes#182 --- website/content/api-docs/auth/kubernetes.mdx | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/website/content/api-docs/auth/kubernetes.mdx b/website/content/api-docs/auth/kubernetes.mdx index 930540176bdf..ee99c53f8b88 100644 --- a/website/content/api-docs/auth/kubernetes.mdx +++ b/website/content/api-docs/auth/kubernetes.mdx @@ -128,8 +128,13 @@ entities attempting to login. - `name` `(string: )` - Name of the role. - `bound_service_account_names` `(array: )` - List of service account names able to access this role. If set to "\*" all names are allowed. -- `bound_service_account_namespaces` `(array: )` - List of namespaces +- `bound_service_account_namespaces` `(array: [])` - List of namespaces allowed to access this role. If set to "\*" all namespaces are allowed. +- `bound_service_account_namespace_selector` `(string: "")` - A label selector for Kubernetes + namespaces allowed to acces this role. Accepts either a JSON or YAML object. The value + should be of type + [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta). + If set with `bound_service_account_namespaces`, the conditions are `OR`ed. - `audience` `(string: "")` - Optional Audience claim to verify in the JWT. - `alias_name_source` `(string: "serviceaccount_uid")` - Configures how identity aliases are generated. Valid choices are: `serviceaccount_uid`, `serviceaccount_name` @@ -143,7 +148,7 @@ entities attempting to login. @include 'tokenfields.mdx' -### Sample Payload +### Sample Payload 1 ```json { 
@@ -154,6 +159,17 @@ entities attempting to login. } ``` +### Sample Payload 2 + +```json +{ + "bound_service_account_names": "vault-auth", + "bound_service_account_namespace_selector": "\"{\"matchLabels\":{\"stage\":\"dev\",\"vault-role\":\"dev-role\"}}", + "policies": ["dev", "prod"], + "max_ttl": 1800000 +} +``` + ### Sample Request ```shell-session
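Review bot: "acces" in the new `bound_service_account_namespace_selector` bullet (hunk at line 128) should read "access". The same hunk changes `bound_service_account_namespaces` from `(array: )` to `(array: [])`, i.e. from required to defaulting to empty, so the bullet should state whether at least one of `bound_service_account_namespaces` or `bound_service_account_namespace_selector` must be set, and the "conditions are `OR`ed" sentence is worth expanding to make the widening explicit: a service account is accepted when its namespace is in the list or matches the label selector, not both.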
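Review bot: renaming the heading `### Sample Payload` to `### Sample Payload 1` (hunk at line 143) changes the rendered anchor, so any existing links to `#sample-payload` on this page will stop resolving; consider keeping the original heading text for the first payload or noting the anchor change in the PR.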
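Review bot: the selector value in `Sample Payload 2` has a stray leading `\"` with no matching closing escape, so the decoded string begins with a literal double quote and is neither valid JSON nor YAML for a LabelSelector; it should read `"bound_service_account_namespace_selector": "{\"matchLabels\":{\"stage\":\"dev\",\"vault-role\":\"dev-role\"}}"`. Also, `bound_service_account_names` is documented as an array but the sample passes the bare string `"vault-auth"`; if the API accepts both forms the sample is fine, otherwise use `["vault-auth"]`.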