kubernetes auth doesn't seem to work for openbao

[dvrkl]

Describe the bug
Kubernetes auth doesn't seem to work openbao
Fails with the following error:
{"errors":["permission denied"]}

To Reproduce
Followed steps from here: https://support.hashicorp.com/hc/en-us/articles/4404389946387-Kubernetes-auth-method-Permission-Denied-error
Steps to reproduce the behavior:

1. kubectl create namespace test

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-cloud
  namespace: test
---
apiVersion: v1
kind: Secret
metadata:
 name: test-cloud
 namespace: test
 annotations:
   kubernetes.io/service-account.name: test-cloud
type: kubernetes.io/service-account-token
EOF

3. cat <<EOF | kubectl create -f -

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-auth
  annotations:
    kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-auth
    namespace: default
  - kind: ServiceAccount
    name: test-cloud
    namespace: test
EOF

4. bao auth enable kubernetes
5. TOKEN_REVIEW_JWT=$(kubectl get secret vault-auth -o go-template='{{ .data.token }}' | base64 --decode)
6. KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 --decode)
7. KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')
8. bao write auth/kubernetes/config token_reviewer_jwt="$TOKEN_REVIEW_JWT" kubernetes_host="$KUBE_HOST" kubernetes_ca_cert="$KUBE_CA_CERT" disable_local_ca_jwt="true"
9. Verify with vault read auth/kubernetes/config
10. Create policy

bao policy write devwebapp - <<EOF
path "secret/data/devwebapp/config" {
  capabilities = ["read"]
}
EOF

11. Create role

bao write auth/kubernetes/role/devweb-app \
  bound_service_account_names=test-cloud \
  bound_service_account_namespaces=test \
  policies=devwebapp \
  ttl=24h

12. TOKEN_REVIEW_SJWT=$(kubectl get secret test-cloud -n test -o go-template='{{ .data.token }}' | base64 --decode)
13. Try login
    curl --request POST --data '{"jwt": "'$TOKEN_REVIEW_SJWT'", "role": "devweb-app"}' http:https://127.0.0.1:8200/v1/auth/kubernetes/login

Expected behavior
Success! Data written to: auth/kubernetes/role/devweb-app

Environment:

• OpenBao Server Version (retrieve with bao status):

$ bao status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         2.0.0-alpha20240329
Build Date      2024-05-03T17:07:26Z
Storage Type    inmem
Cluster Name    vault-cluster-2e665ce1
Cluster ID      9b565d27-727e-0671-7fb5-4876bd201768
HA Enabled      false

• OpenBao CLI Version (retrieve with bao version):

$ bao version
OpenBao v2.0.0-alpha20240329 ('a5e299de79465b922076f415e8945efaf0c9eb91'), built 2024-05-03T17:07:26Z

• Server Operating System/Architecture:

OpenBao server configuration file(s):

# Paste your OpenBao config here.
# Be sure to scrub any sensitive values

Additional context
Add any other context about the problem here.