plugin/wif: support external plugins (#26384)

* plugin/wif: support external plugins

* changelog

Author: fairclothjm

changelog/26384.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+plugin/wif: fix a bug where the namespace was not set for external plugins using workload identity federation
+```

sdk/plugin/grpc_system.go

@@ -421,7 +421,7 @@ func (s *gRPCSystemViewServer) GenerateIdentityToken(ctx context.Context, req *p
 	})
 	if err != nil {
 		return &pb.GenerateIdentityTokenResponse{}, status.Errorf(codes.Internal,
-			"failed to generate plugin identity token")
+			err.Error())
 	}
 
 	return &pb.GenerateIdentityTokenResponse{

vault/dynamic_system_view.go

@@ -459,12 +459,17 @@ func (d dynamicSystemView) ClusterID(ctx context.Context) (string, error) {
 }
 
 func (d dynamicSystemView) GenerateIdentityToken(ctx context.Context, req *pluginutil.IdentityTokenRequest) (*pluginutil.IdentityTokenResponse, error) {
-	storage := d.core.router.MatchingStorageByAPIPath(ctx, mountPathIdentity)
+	mountEntry := d.mountEntry
+	if mountEntry == nil {
+		return nil, fmt.Errorf("no mount entry")
+	}
+	nsCtx := namespace.ContextWithNamespace(ctx, mountEntry.Namespace())
+	storage := d.core.router.MatchingStorageByAPIPath(nsCtx, mountPathIdentity)
 	if storage == nil {
 		return nil, fmt.Errorf("failed to find storage entry for identity mount")
 	}
 
-	token, ttl, err := d.core.IdentityStore().generatePluginIdentityToken(ctx, storage, d.mountEntry, req.Audience, req.TTL)
+	token, ttl, err := d.core.IdentityStore().generatePluginIdentityToken(nsCtx, storage, d.mountEntry, req.Audience, req.TTL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate plugin identity token: %w", err)
 	}