Support Vault EE namespaces

Currently the vault integration does not support Vault EE namespaces.
Only the vault server URL, role name and auth path can be configured
with the variables. It is possible to just prefix the engine's path
with the namespace, but it is not possible to specify the namespace
for the authentication - it always uses the root namespace.

This change makes the namespace configurable wiht the VAULT_NAMESPACE
variable (similar to how `VAULT_SERVER_URL`, `VAULT_AUTH_ROLE` and
`VAULT_AUTH_PATH are being used already). It will fall-back to an
empty string in case the variable is not defined by the user.

Fallback to an empty string instead of 'root' when no vault namespace specified by the user.

Changelog: added

doc/ci/secrets/index.md

@@ -9,6 +9,7 @@ type: concepts, howto
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4.
 > - `file` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1.
+> - `VAULT_NAMESPACE` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255619) in GitLab 14.9 and GitLab Runner 14.9.
 
 Secrets represent sensitive information your CI job needs to complete work. This
 sensitive information can be items like API tokens, database credentials, or private keys.
@@ -90,6 +91,9 @@ To configure your Vault server:
      If no role is specified, Vault uses the [default role](https://www.vaultproject.io/api/auth/jwt#default_role)
      specified when the authentication method was configured.
    - `VAULT_AUTH_PATH` - Optional. The path where the authentication method is mounted, default is `jwt`.
+   - `VAULT_NAMESPACE` - Optional. The [Vault Enterprise namespace](https://www.vaultproject.io/docs/enterprise/namespaces) to use for reading secrets and authentication.
+     If no namespace is specified, Vault uses the `root` ("`/`") namespace. 
+     The setting is ignored by Vault Open Source. 
 
    NOTE:
    Support for providing these values in the user interface [is tracked in this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/218677).

ee/app/presenters/ee/ci/build_runner_presenter.rb

@@ -17,6 +17,7 @@ module EE
       def vault_server
         @vault_server ||= {
           'url' => variable_value('VAULT_SERVER_URL'),
+          'namespace' => variable_value('VAULT_NAMESPACE'),
           'auth' => {
             'name' => 'jwt',
             'path' => variable_value('VAULT_AUTH_PATH', 'jwt'),

ee/spec/presenters/ci/build_runner_presenter_spec.rb

@@ -83,6 +83,24 @@ RSpec.describe Ci::BuildRunnerPresenter do
         end
       end
 
+      context 'Vault namespace' do
+        let(:vault_server) { presenter.secrets_configuration.dig('DATABASE_PASSWORD', 'vault', 'server') }
+
+        context 'VAULT_NAMESPACE CI variable is present' do
+          it 'contains user defined namespace' do
+            create(:ci_variable, project: ci_build.project, key: 'VAULT_NAMESPACE', value: 'custom_namespace')
+
+            expect(vault_server.fetch('namespace')).to eq('custom_namespace')
+          end
+        end
+
+        context 'VAULT_NAMESPACE CI variable is not present' do
+          it 'returns nil' do
+            expect(vault_server.fetch('namespace')).to be_nil
+          end
+        end
+      end
+
       context 'File variable configuration' do
         subject { presenter.secrets_configuration.dig('DATABASE_PASSWORD') }
 

ee/spec/requests/api/ci/runner_spec.rb

@@ -59,6 +59,7 @@ RSpec.describe API::Ci::Runner do
                       'vault' => {
                         'server' => {
                           'url' => 'https://vault.example.com',
+                          'namespace' => nil,
                           'auth' => {
                             'name' => 'jwt',
                             'path' => 'jwt',