
refactor the code to include the type as a prefix of the secret name, handle Azure KV keys, simplify certificate management by relying on the templating features, and remove the handling of tags

Ahmed MUSTAFA 5 years ago
parent
commit
1c17744c8b
4 changed files with 145 additions and 131 deletions
  1. 6 1
      go.mod
  2. 26 1
      go.sum
  3. 112 97
      pkg/provider/azure/keyvault/keyvault.go
  4. 1 32
      pkg/provider/azure/keyvault/keyvault_test.go

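--- a/go.mod
+++ b/go.mod
@@ -33,6 +33,10 @@ replace (
 
 require (
 	cloud.google.com/go v0.65.0
+	github.com/Azure/azure-sdk-for-go v54.1.0+incompatible
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.7 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/aws/aws-sdk-go v1.38.6
 	github.com/crossplane/crossplane-runtime v0.13.0
 	github.com/fatih/color v1.10.0 // indirect
@@ -43,6 +47,7 @@ require (
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.2.0 // indirect
 	github.com/googleapis/gax-go v1.0.3
+	github.com/google/uuid v1.2.0
 	github.com/googleapis/gnostic v0.5.4 // indirect
 	github.com/hashicorp/go-hclog v0.14.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.6.7 // indirect
@@ -58,7 +63,7 @@ require (
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/prometheus/client_golang v1.10.0
 	github.com/prometheus/client_model v0.2.0
-	github.com/stretchr/testify v1.6.1
+	github.com/stretchr/testify v1.7.0
 	github.com/tidwall/gjson v1.7.5
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a
 	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad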
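Review bot: The second hunk adds a direct `github.com/google/uuid v1.2.0` require while the `github.com/google/uuid v1.2.0 // indirect` entry two lines above is kept, so the new go.mod lists the same module twice; the intended edit is to drop the `// indirect` marker on the existing line rather than add a second entry, and a `go mod tidy` run would settle this. If keyvault.go now imports `github.com/Azure/go-autorest/autorest/azure/auth` directly (plausible given `newAzureClient`, whose body is outside this diff), the `// indirect` on that new line is also stale and will be rewritten by tidy.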

+ 26 - 1
go.sum

@@ -32,15 +32,34 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/Azure/azure-sdk-for-go v54.1.0+incompatible h1:vCRLxG2d7KIdhVodEk+0ki4lVYr0GvtjOgJaAk6fs9Y=
+github.com/Azure/azure-sdk-for-go v54.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
 github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
+github.com/Azure/go-autorest/autorest v0.11.17 h1:2zCdHwNgRH+St1J+ZMf66xI8aLr/5KMy+wWLH97zwYM=
+github.com/Azure/go-autorest/autorest v0.11.17/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
 github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
 github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
 github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
 github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
+github.com/Azure/go-autorest/autorest/adal v0.9.11 h1:L4/pmq7poLdsy41Bj1FayKvBhayuWRYkx9HU5i4Ybl0=
+github.com/Azure/go-autorest/autorest/adal v0.9.11/go.mod h1:nBKAnTomx8gDtl+3ZCJv2v0KACFHWTB2drffI1B68Pk=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.7 h1:8DQB8yl7aLQuP+nuR5e2RO6454OvFlSTXXaNHshc16s=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.7/go.mod h1:AkzUsqkrdmNhfP2i54HqINVQopw0CLDnvHpJ88Zz1eI=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.2 h1:dMOmEJfkLKW/7JsokJqkyoYSgmR08hi9KrhjZb+JALY=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM=
+github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
 github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk=
+github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE=
+github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac=
+github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E=
+github.com/Azure/go-autorest/logger v0.2.0 h1:e4RVHVZKC5p6UANLJHkM4OfR1UKZPj8Wt8Pcx+3oqrE=
 github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
+github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -123,6 +142,9 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
+github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
+github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
@@ -144,6 +166,7 @@ github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL
 github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg=
 github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg=
 github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
@@ -573,13 +596,15 @@ github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3
 github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI=
 github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tidwall/gjson v1.7.5 h1:zmAN/xmX7OtpAkv4Ovfso60r/BiCi5IErCDYGNJu+uc=
 github.com/tidwall/gjson v1.7.5 h1:zmAN/xmX7OtpAkv4Ovfso60r/BiCi5IErCDYGNJu+uc=
 github.com/tidwall/gjson v1.7.5/go.mod h1:5/xDoumyyDNerp2U36lyolv46b3uF/9Bu6OfyQ9GImk=
 github.com/tidwall/gjson v1.7.5/go.mod h1:5/xDoumyyDNerp2U36lyolv46b3uF/9Bu6OfyQ9GImk=

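--- a/pkg/provider/azure/keyvault/keyvault.go
+++ b/pkg/provider/azure/keyvault/keyvault.go
@@ -1,11 +1,14 @@
 package keyvault
 
 import (
+	"bytes"
 	"context"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
+	"math/big"
 	"os"
 	"path"
 	"strings"
@@ -29,11 +32,6 @@ type Azure struct {
 	baseClient *keyvault.BaseClient
 	vaultUrl   string
 	namespace  string
-	iAzure     IAzure
-}
-
-type IAzure interface {
-	getKeyVaultSecrets(ctx context.Context, vaultName string, version string, secretName string, withTags bool) (map[string][]byte, error)
 }
 
 func init() {
@@ -48,7 +46,6 @@ func (a *Azure) New(ctx context.Context, store esv1alpha1.GenericStore, kube cli
 		store:     store,
 		namespace: namespace,
 	}
-	anAzure.iAzure = anAzure
 	azClient, vaultUrl, err := anAzure.newAzureClient(ctx)
 
 	if err != nil {
@@ -60,42 +57,98 @@ func (a *Azure) New(ctx context.Context, store esv1alpha1.GenericStore, kube cli
 	return anAzure, nil
 }
 
-// implement store.Client.GetSecret Interface.
-// retrieve a secret with the secret name defined in ref.Property in a specific keyvault with the name ref.Name.
+//Implements store.Client.GetSecret Interface.
+//Retrieves a secret/Key/Certificate with the secret name defined in ref.Name
+//The Object Type is defined as a prefix in the ref.Name , if no prefix is defined , we assume a secret is required
 func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	version := ""
-	var secretBundle []byte
+	objectType := "secret"
+	basicClient := a.baseClient
+	secretValue := ""
 
 	if ref.Version != "" {
 		version = ref.Version
 	}
+
 	secretName := ref.Key
-	nameSplitted := strings.Split(secretName, "_")
-	getTags := false
+	nameSplitted := strings.Split(secretName, "/")
 
-	if nameSplitted[len(nameSplitted)-1] == "TAG" {
-		secretName = nameSplitted[0]
-		getTags = true
+	if len(nameSplitted) > 1 {
+		objectType = nameSplitted[0]
+		secretName = nameSplitted[1]
+		// Shall we neglect any later tokens or raise an error ??
 	}
 
-	secretMap, err := a.iAzure.getKeyVaultSecrets(ctx, a.vaultUrl, version, secretName, getTags)
-	if err != nil {
-		return nil, err
+	switch objectType {
+
+	case "secret":
+		secretResp, err := basicClient.GetSecret(context.Background(), a.vaultUrl, secretName, version)
+		if err != nil {
+			return nil, err
+		}
+		secretValue = *secretResp.Value
+
+	case "cert":
+		secretResp, err := basicClient.GetSecret(context.Background(), a.vaultUrl, secretName, version)
+		if err != nil {
+			return nil, err
+		}
+
+		if secretResp.ContentType != nil && *secretResp.ContentType == "application/x-pkcs12" {
+			secretValue, err = getCertBundleForPKCS(*secretResp.Value)
+			// Do we really need to decode PKCS raw value to PEM ? or will that be achieved by the templating features ?
+		} else {
+			secretValue = *secretResp.Value
+		}
+
+	case "key":
+		keyResp, err := basicClient.GetKey(context.Background(), a.vaultUrl, secretName, version)
+		if err != nil {
+			return nil, err
+		}
+		jwk := *keyResp.Key
+		// Do we really need to decode JWK raw value to PEM ? or will that be achieved by the templating features ?
+		secretValue, err = getPublicKeyFromJwk(jwk)
+
+	default:
+		return nil, fmt.Errorf("Unknown Azure Keyvault object Type for %s", secretName)
 	}
 
-	secretBundle = secretMap[ref.Key]
-	return secretBundle, nil
+	return []byte(secretValue), nil
 }
 
-// implement store.Client.GetSecretMap Interface.
-// retrieve ALL secrets in a specific keyvault with the name ref.Name.
+//Implements store.Client.GetSecretMap Interface.
+//etrieve ALL secrets in a specific keyvault
 func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	secretMap, err := a.iAzure.getKeyVaultSecrets(ctx, a.vaultUrl, ref.Version, "", true)
-	return secretMap, err
+	basicClient := a.baseClient
+	secretsMap := make(map[string][]byte)
+
+	secretListIter, err := basicClient.GetSecretsComplete(context.Background(), a.vaultUrl, nil)
+	if err != nil {
+		return nil, err
+	}
+	for secretListIter.NotDone() {
+		secretList := secretListIter.Response().Value
+		for _, secret := range *secretList {
+			if *secret.Attributes.Enabled {
+				secretName := path.Base(*secret.ID)
+				secretResp, err := basicClient.GetSecret(context.Background(), a.vaultUrl, secretName, "")
+				secretValue := *secretResp.Value
+
+				if err != nil {
+					return nil, err
+				}
+				secretsMap[secretName] = []byte(secretValue)
+
+			}
+		}
+		secretListIter.Next()
+	}
+	return secretsMap, err
 }
 
 // getCertBundle returns the certificate bundle.
-func getCertBundleForPKCS(certificateRawVal string, certBundleOnly, certKeyOnly bool) (bundle string, err error) {
+func getCertBundleForPKCS(certificateRawVal string) (bundle string, err error) {
 	pfx, err := base64.StdEncoding.DecodeString(certificateRawVal)
 
 	if err != nil {
@@ -104,10 +157,6 @@ func getCertBundleForPKCS(certificateRawVal string, certBundleOnly, certKeyOnly
 	blocks, _ := pkcs12.ToPEM(pfx, "")
 
 	for _, block := range blocks {
-		// skip the private key if looking for the cert only
-		if block.Type == "PRIVATE KEY" && certBundleOnly {
-			continue
-		}
 		// no headers
 		if block.Type == "PRIVATE KEY" {
 			pkey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
@@ -119,87 +168,53 @@ func getCertBundleForPKCS(certificateRawVal string, certBundleOnly, certKeyOnly
 				Type:  "RSA PRIVATE KEY",
 				Bytes: derStream,
 			}
-			if certKeyOnly {
-				bundle = string(pem.EncodeToMemory(block))
-				break
-			}
 		}
-
 		block.Headers = nil
 		bundle += string(pem.EncodeToMemory(block))
 	}
 	return bundle, nil
 }
 
-// consolidated method to retrieve secret value or secrets list based on whether or not a secret name is passed.
-// if the secret is of type PKCS then this is a cerificate that needs some decoding.
-func (a *Azure) getKeyVaultSecrets(ctx context.Context, vaultUrl, version, secretName string, withTags bool) (map[string][]byte, error) {
-	basicClient := a.baseClient
-	secretsMap := make(map[string][]byte)
-	certBundleOnly := false
-	certKeyOnly := false
-	secretNameinBE := secretName
-
-	if secretName != "" {
-		nameSplitted := strings.Split(secretName, "_")
-		if nameSplitted[len(nameSplitted)-1] == "CRT" {
-			secretNameinBE = nameSplitted[0]
-			certBundleOnly = true
-		}
-		if nameSplitted[len(nameSplitted)-1] == "KEY" {
-			secretNameinBE = nameSplitted[0]
-			certKeyOnly = true
-		}
-
-		secretResp, err := basicClient.GetSecret(context.Background(), vaultUrl, secretNameinBE, version)
-		if err != nil {
-			return nil, err
-		}
-		secretValue := *secretResp.Value
-
-		// Azure currently supports only PKCS#12 or PEM, PEM will be taken as it is, PKCS needs processing
-		if secretResp.ContentType != nil && *secretResp.ContentType == "application/x-pkcs12" {
-			secretValue, err = getCertBundleForPKCS(*secretResp.Value, certBundleOnly, certKeyOnly)
-			if err != nil {
-				return nil, err
-			}
-		}
-		secretsMap[secretName] = []byte(secretValue)
-		if withTags {
-			appendTagsToSecretMap(secretName, secretsMap, secretResp.Tags)
-		}
+func getPublicKeyFromJwk(jwk keyvault.JSONWebKey) (bundle string, err error) {
+	if jwk.Kty != "RSA" {
+		return "", fmt.Errorf("invalid key type: %s", jwk.Kty)
+	}
+	// decode the base64 bytes for n
+	nb, err := base64.RawURLEncoding.DecodeString(*jwk.N)
+	if err != nil {
+		return "", err
+	}
+	e := 0
+	// The default exponent is usually 65537, so just compare the
+	// base64 for [1,0,1] or [0,1,0,1]
+	if *jwk.E == "AQAB" || *jwk.E == "AAEAAQ" {
+		e = 65537
 	} else {
-		secretList, err := basicClient.GetSecrets(context.Background(), vaultUrl, nil)
-		if err != nil {
-			return nil, err
-		}
-		for _, secret := range secretList.Values() {
-			if !*secret.Attributes.Enabled {
-				continue
-			}
-			secretResp, err := basicClient.GetSecret(context.Background(), vaultUrl, path.Base(*secret.ID), "")
-			secretValue := *secretResp.Value
-			// Azure currently supports only PKCS#12 or PEM, PEM will be taken as it is, PKCS needs processing
-			if secretResp.ContentType != nil && *secretResp.ContentType == "application/x-pkcs12" {
-				secretValue, err = getCertBundleForPKCS(*secretResp.Value, certBundleOnly, certKeyOnly)
-			}
-			if err != nil {
-				return nil, err
-			}
-			secretsMap[path.Base(*secret.ID)] = []byte(secretValue)
-			if withTags {
-				appendTagsToSecretMap(path.Base(*secret.ID), secretsMap, secretResp.Tags)
-			}
-		}
+		// need to decode "e" as a big-endian int
+		return "", fmt.Errorf("need to deocde e: %s", *jwk.E)
 	}
 
-	return secretsMap, nil
-}
 
-func appendTagsToSecretMap(secretName string, secretsMap map[string][]byte, tags map[string]*string) {
-	for tagKey, tagValue := range tags {
-		secretsMap[secretName+"_"+tagKey+"_TAG"] = []byte(*tagValue)
+	pk := &rsa.PublicKey{
+		N: new(big.Int).SetBytes(nb),
+		E: e,
 	}
+
+	der, err := x509.MarshalPKIXPublicKey(pk)
+	if err != nil {
+		return "", err
+	}
+	block := &pem.Block{
+		Type:  "RSA PUBLIC KEY",
+		Bytes: der,
+	}
+	var out bytes.Buffer
+	pem.Encode(&out, block)
+	if err != nil {
+		return "", err
+	}
+	return out.String(), nil
 }
+
 func (a *Azure) newAzureClient(ctx context.Context) (*keyvault.BaseClient, string, error) {
 	spec := *a.store.GetSpec().Provider.AzureKV
 	tenantID := *spec.TenantID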
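Review bot: In GetSecret's `cert` and `key` cases the results of `secretValue, err = getCertBundleForPKCS(*secretResp.Value)` and `secretValue, err = getPublicKeyFromJwk(jwk)` are assigned but `err` is never inspected, so a PKCS#12 blob that fails to decode or a non-RSA key returns an empty value with a nil error and the ExternalSecret is silently written as empty instead of failing the sync; each assignment needs `if err != nil { return nil, err }` directly after it. GetSecretMap has the mirror problem: `secretValue := *secretResp.Value` is evaluated before the `err != nil` check, so a failed per-secret GetSecret call dereferences a nil Value and panics the controller rather than returning the error, and the error from `secretListIter.Next()` is discarded as well. Both methods accept `ctx` but pass `context.Background()` to every SDK call, dropping the reconciler's cancellation and deadlines. In getPublicKeyFromJwk the block type `RSA PUBLIC KEY` is the PKCS#1 label while the bytes come from x509.MarshalPKIXPublicKey, so consumers that parse by header will fail; the type should be `PUBLIC KEY`, and the `if err != nil` after `pem.Encode(&out, block)` tests a stale variable because Encode's return is thrown away — write `if err := pem.Encode(&out, block); err != nil`. The SDK fields `Value`, `Key`, `N`, `E` and `Attributes.Enabled` are all pointers and are dereferenced unguarded; a nil check before each would turn a malformed response into an error instead of a panic.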

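--- a/pkg/provider/azure/keyvault/keyvault_test.go
+++ b/pkg/provider/azure/keyvault/keyvault_test.go
@@ -15,31 +15,10 @@ type azureMock struct {
 	mock.Mock
 }
 
-func (_m *azureMock) getKeyVaultSecrets(ctx context.Context, vaultName, version, secretName string, withTags bool) (map[string][]byte, error) {
-	ret := _m.Called(ctx, vaultName, version, secretName, withTags)
-
-	var r0 map[string][]byte
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, string, bool) map[string][]byte); ok {
-		r0 = rf(ctx, vaultName, version, secretName, withTags)
-	} else if ret.Get(0) != nil {
-		r0 = ret.Get(0).(map[string][]byte)
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string, string, string, bool) error); ok {
-		r1 = rf(ctx, vaultName, version, secretName, withTags)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
 func TestGetSecret(t *testing.T) {
 	testAzure := new(Azure)
 	anAzureMock := new(azureMock)
 	ctx := context.Background()
-	testAzure.iAzure = anAzureMock
 	property := "testProperty"
 	version := "v1"
 
@@ -60,7 +39,6 @@ func TestGetSecretMap(t *testing.T) {
 	testAzure := new(Azure)
 	anAzureMock := new(azureMock)
 	ctx := context.Background()
-	testAzure.iAzure = anAzureMock
 	property := "testProperty"
 	version := "v1"
 	rf := esv1alpha1.ExternalSecretDataRemoteRef{
@@ -87,17 +65,8 @@ func TestGetCertBundleForPKCS(t *testing.T) {
 		"0xYVc1NjdORStQYzN5S0RWWlVHdU82UXZ0cExCZkpPS3pZSAowc3F3OElmYjRlN" +
 		"0R6TkJuTmRoVDhzbGdUYkh5K3RzZUtPb0xHNi9rUktmRmRvSmRoeHAzeGNnbm56" +
 		"ZkY0anUvCi9UZTRYaWsxNC9FMAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"
-	c, ok := getCertBundleForPKCS(rawCertExample, true, true)
+	c, ok := getCertBundleForPKCS(rawCertExample)
 	bundle := ""
 	tassert.Nil(t, ok)
 	tassert.Equal(t, c, bundle)
 }
-
-func TestAppendTagsToSecretMap(t *testing.T) {
-	var secretsMap map[string][]byte
-	var secretsMapOrigin map[string][]byte
-	secret := "testsecret"
-	var tags map[string]*string
-	appendTagsToSecretMap(secret, secretsMap, tags)
-	tassert.Equal(t, secretsMap, secretsMapOrigin)
-}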
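Review bot: TestGetSecret and TestGetSecretMap keep `anAzureMock := new(azureMock)` but the only visible use, `testAzure.iAzure = anAzureMock`, is removed, and with the `IAzure` seam gone a call to `testAzure.GetSecret` now goes through the nil `baseClient` of `new(Azure)`; unless the remainder of each test (outside this hunk) was rewritten too, these tests either fail to compile on the unused variable or panic at runtime, so the mock type should be dropped or the tests rewritten against a fake `keyvault.BaseClient`. TestGetCertBundleForPKCS also asserts that `rawCertExample` — base64 of PEM text, judging by the trailing `-----END CERTIFICATE-----` bytes — yields an empty bundle and a nil error; that only holds because getCertBundleForPKCS discards the `pkcs12.ToPEM` error, so the test pins a silent-failure path rather than the PKCS#12 decoding it is named for. A real PKCS#12 fixture with an expected non-empty PEM, plus a malformed-input case that expects an error, would make the test meaningful; the result variable `ok` is an error and should be named `err`.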