Add Namespace Support (MySQL)

Signed-off-by: Rudro-25 <rudro@appscode.com>

Author: Rudro-25

api/openapi-spec/swagger.json

@@ -14246,6 +14246,10 @@
         "mysql": {
           "$ref": "#/definitions/dev.kubevault.apimachinery.apis.engine.v1alpha1.MySQLConfiguration"
         },
+        "namespace": {
+          "description": "Namespace specifies the OpenBao namespace for this SecretEngine. Only applicable when using OpenBao distribution. If specified, overrides the namespace from VaultServer. Empty string means use VaultServer's namespace (or root if VaultServer has none). Supports hierarchical namespaces (e.g., \"tenant-1/project-a\").",
+          "type": "string"
+        },
         "pki": {
           "$ref": "#/definitions/dev.kubevault.apimachinery.apis.engine.v1alpha1.PKIConfiguration"
         },

apis/engine/v1alpha1/openapi_generated.go

@@ -55,12 +55,15 @@ func GetDBNameFromAppBindingRef(dbAppRef *appcat.AppReference) string {
 }
 
 func (se SecretEngine) GetSecretEnginePath() string {
-	// Todo: update SecretEngine path
-	//  - k8s.{cluster-name or -}.{se-type}.se-ns.se-name
 	cluster := "-"
 	if clustermeta.ClusterName() != "" {
 		cluster = clustermeta.ClusterName()
 	}
+
+	// Format: k8s.{cluster-name}.{se-type}.{se-ns}.{se-name}
+	// The difference is WHERE this path exists in OpenBao:
+	//   - Root approach: path lives in OpenBao root namespace "/"
+	//   - Namespace approach: path lives in OpenBao namespace (e.g., "tenant-1")
 	return fmt.Sprintf("k8s.%s.%s.%s.%s", cluster, se.GetSecretEngineType(), se.Namespace, se.Name)
 }
 

apis/engine/v1alpha1/secret_engine_helpers.go

@@ -53,6 +53,14 @@ type SecretEngine struct {
 type SecretEngineSpec struct {
 	VaultRef kmapi.ObjectReference `json:"vaultRef"`
 
+	// Namespace specifies the OpenBao namespace for this SecretEngine.
+	// Only applicable when using OpenBao distribution.
+	// If specified, overrides the namespace from VaultServer.
+	// Empty string means use VaultServer's namespace (or root if VaultServer has none).
+	// Supports hierarchical namespaces (e.g., "tenant-1/project-a").
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
 	SecretEngineConfiguration `json:",inline"`
 
 	DefaultLeaseTTL string `json:"defaultLeaseTTL,omitempty"`

apis/engine/v1alpha1/secret_engine_types.go

@@ -505,6 +505,12 @@ func Convert_v1alpha1_AuthMethod_To_v1alpha2_AuthMethod(in *AuthMethod, out *v1a
 	return nil
 }
 
+func Convert_v1alpha1_VaultServerSpec_To_v1alpha2_VaultServerSpec(in *VaultServerSpec, out *v1alpha2.VaultServerSpec, s conversion.Scope) error {
+	// WARNING: in.Namespace requires manual conversion: does not exist in peer-type
+	// The Namespace field is intentionally not converted as it doesn't exist in v1alpha2
+	return autoConvert_v1alpha1_VaultServerSpec_To_v1alpha2_VaultServerSpec(in, out, s)
+}
+
 func Convert_v1alpha2_VaultServerSpec_To_v1alpha1_VaultServerSpec(in *v1alpha2.VaultServerSpec, out *VaultServerSpec, s conversion.Scope) error {
 	return autoConvert_v1alpha2_VaultServerSpec_To_v1alpha1_VaultServerSpec(in, out, s)
 }

apis/kubevault/v1alpha1/conversion.go

@@ -434,6 +434,14 @@ spec:
                 required:
                 - databaseRef
                 type: object
+              namespace:
+                description: |-
+                  Namespace specifies the OpenBao namespace for this SecretEngine.
+                  Only applicable when using OpenBao distribution.
+                  If specified, overrides the namespace from VaultServer.
+                  Empty string means use VaultServer's namespace (or root if VaultServer has none).
+                  Supports hierarchical namespaces (e.g., "tenant-1/project-a").
+                type: string
               pki:
                 description: |-
                   https://developer.hashicorp.com/vault/api-docs/secret/pki#generate-root