
feat(vault): add VaultRole attribute for TLS auth (#6160)

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Rico 3 days ago
parent
commit
1f7fabbc9b

+ 4 - 0
apis/externalsecrets/v1/secretstore_vault_types.go

@@ -338,6 +338,10 @@ type VaultCertAuth struct {
 	// +optional
 	Path string `json:"path"`
 
+	// VaultRole specifies the Vault role to use for TLS certificate authentication.
+	// +optional
+	VaultRole string `json:"vaultRole,omitempty"`
+
 	// ClientCert is a certificate to authenticate using the Cert Vault
 	// authentication method
 	// +optional
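Review bot: The new field's comment does not say how `VaultRole` reaches Vault or what an empty value means, even though both are fixed by the provider change in this commit (it is sent as the `name` key of the cert login body and omitted entirely when empty). Since the CRD description is generated from this comment, users reading the schema get no hint of that contract. Suggest extending the comment to `// VaultRole specifies the Vault role to use for TLS certificate authentication.` followed by `// It is sent as the "name" parameter of the cert auth login request; when empty, no role is sent and the login body is omitted.` The enclosing VaultCertAuth struct starts and ends outside this hunk.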

+ 4 - 0
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -4997,6 +4997,10 @@ spec:
                                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                     type: string
                                 type: object
+                              vaultRole:
+                                description: VaultRole specifies the Vault role to
+                                  use for TLS certificate authentication.
+                                type: string
                             type: object
                           gcp:
                             description: |-

+ 4 - 0
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -4997,6 +4997,10 @@ spec:
                                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                     type: string
                                 type: object
+                              vaultRole:
+                                description: VaultRole specifies the Vault role to
+                                  use for TLS certificate authentication.
+                                type: string
                             type: object
                           gcp:
                             description: |-

+ 4 - 0
config/crds/bases/generators.external-secrets.io_clustergenerators.yaml

@@ -1342,6 +1342,10 @@ spec:
                                         pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                         type: string
                                     type: object
+                                  vaultRole:
+                                    description: VaultRole specifies the Vault role
+                                      to use for TLS certificate authentication.
+                                    type: string
                                 type: object
                               gcp:
                                 description: |-

+ 4 - 0
config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml

@@ -221,6 +221,10 @@ spec:
                                 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                 type: string
                             type: object
+                          vaultRole:
+                            description: VaultRole specifies the Vault role to use
+                              for TLS certificate authentication.
+                            type: string
                         type: object
                       gcp:
                         description: |-

+ 12 - 0
deploy/crds/bundle.yaml

@@ -6907,6 +6907,9 @@ spec:
                                       pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                       type: string
                                   type: object
+                                vaultRole:
+                                  description: VaultRole specifies the Vault role to use for TLS certificate authentication.
+                                  type: string
                               type: object
                             gcp:
                               description: |-
@@ -19008,6 +19011,9 @@ spec:
                                       pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                       type: string
                                   type: object
+                                vaultRole:
+                                  description: VaultRole specifies the Vault role to use for TLS certificate authentication.
+                                  type: string
                               type: object
                             gcp:
                               description: |-
@@ -26033,6 +26039,9 @@ spec:
                                           pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                           type: string
                                       type: object
+                                    vaultRole:
+                                      description: VaultRole specifies the Vault role to use for TLS certificate authentication.
+                                      type: string
                                   type: object
                                 gcp:
                                   description: |-
@@ -28720,6 +28729,9 @@ spec:
                                   pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                   type: string
                               type: object
+                            vaultRole:
+                              description: VaultRole specifies the Vault role to use for TLS certificate authentication.
+                              type: string
                           type: object
                         gcp:
                           description: |-

+ 12 - 0
docs/api/spec.md

@@ -11384,6 +11384,18 @@ in Vault, e.g: &ldquo;cert&rdquo;</p>
 </tr>
 <tr>
 <td>
+<code>vaultRole</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>VaultRole specifies the Vault role to use for TLS certificate authentication.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>clientCert</code></br>
 <em>
 <a href="https://pkg.go.dev/github.com/external-secrets/external-secrets/apis/meta/v1#SecretKeySelector">

+ 9 - 1
providers/v1/vault/auth_cert.go

@@ -77,8 +77,16 @@ func (c *client) requestTokenWithCertAuth(ctx context.Context, certAuth *esv1.Va
 	if path == "" {
 		path = "cert"
 	}
+
+	var loginData map[string]any
+	if certAuth.VaultRole != "" {
+		loginData = map[string]any{
+			"name": certAuth.VaultRole,
+		}
+	}
+
 	url := strings.Join([]string{"auth", path, "login"}, "/")
-	vaultResult, err := c.logical.WriteWithContext(ctx, url, nil)
+	vaultResult, err := c.logical.WriteWithContext(ctx, url, loginData)
 	metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultLogin, err)
 	if err != nil {
 		return fmt.Errorf(errVaultRequest, err)
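Review bot: The mapping from the CRD field `VaultRole` to the request key `"name"` on the line building `loginData` is the one non-obvious step here and carries no comment, so a reader would reasonably expect a `"role"` key and wonder whether this is a typo. A short why-comment would settle it: `// Vault's cert auth method takes the role under the "name" key; leaving loginData nil when VaultRole is empty keeps the previous no-body request.` The diffstat on this page shows no unit test change for the new non-empty-role path, so as far as this commit is visible the `loginData` branch is exercised only by the CRD snapshot updates; a test asserting the body passed to `WriteWithContext` would pin the contract. requestTokenWithCertAuth begins and ends outside the hunk.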

+ 1 - 0
tests/__snapshot__/clustergenerator-v1alpha1.yaml

@@ -203,6 +203,7 @@ spec:
               key: string
               name: string
               namespace: string
+            vaultRole: string
           gcp:
             location: string
             path: "gcp"

+ 1 - 0
tests/__snapshot__/clustersecretstore-v1.yaml

@@ -751,6 +751,7 @@ spec:
             key: string
             name: string
             namespace: string
+          vaultRole: string
         gcp:
           location: string
           path: "gcp"

+ 1 - 0
tests/__snapshot__/secretstore-v1.yaml

@@ -751,6 +751,7 @@ spec:
             key: string
             name: string
             namespace: string
+          vaultRole: string
         gcp:
           location: string
           path: "gcp"

+ 1 - 0
tests/__snapshot__/vaultdynamicsecret-v1alpha1.yaml

@@ -30,6 +30,7 @@ spec:
           key: string
           name: string
           namespace: string
+        vaultRole: string
       gcp:
         location: string
         path: "gcp"