
Merge branch 'main' into feature/conversion-webhook

Updated Oracle provider new specs for v1beta1
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Gustavo Carvalho 4 years ago
parent
commit
23784803ff

+ 16 - 14
apis/externalsecrets/v1alpha1/secretstore_oracle_types.go

@@ -19,31 +19,33 @@ import (
 // Configures an store to sync secrets using a Oracle Vault
 // backend.
 type OracleProvider struct {
-	// Auth configures how secret-manager authenticates with the Oracle Vault.
-	Auth OracleAuth `json:"auth"`
-
-	// User is an access OCID specific to the account.
-	User string `json:"user,omitempty"`
-
-	// Tenancy is the tenancy OCID where secret is located.
-	Tenancy string `json:"tenancy,omitempty"`
-
-	// Region is the region where secret is located.
-	Region string `json:"region,omitempty"`
+	// Region is the region where vault is located.
+	Region string `json:"region"`
 
 	// Vault is the vault's OCID of the specific vault where secret is located.
-	Vault string `json:"vault,omitempty"`
+	Vault string `json:"vault"`
+
+	// Auth configures how secret-manager authenticates with the Oracle Vault.
+	// If empty, use the instance principal, otherwise the user credentials specified in Auth.
+	// +optional
+	Auth *OracleAuth `json:"auth,omitempty"`
 }
 
 type OracleAuth struct {
+	// Tenancy is the tenancy OCID where user is located.
+	Tenancy string `json:"tenancy"`
+
+	// User is an access OCID specific to the account.
+	User string `json:"user"`
+
 	// SecretRef to pass through sensitive information.
 	SecretRef OracleSecretRef `json:"secretRef"`
 }
 
 type OracleSecretRef struct {
 	// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-	PrivateKey esmeta.SecretKeySelector `json:"privatekey,omitempty"`
+	PrivateKey esmeta.SecretKeySelector `json:"privatekey"`
 
 	// Fingerprint is the fingerprint of the API private key.
-	Fingerprint esmeta.SecretKeySelector `json:"fingerprint,omitempty"`
+	Fingerprint esmeta.SecretKeySelector `json:"fingerprint"`
 }
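Review bot: The doc comment added for `Auth` (line 38) says "If empty", but the field is now a pointer, and the fallback it describes means that a SecretStore with `auth` omitted makes the controller sign OCI requests with its own instance principal, so a namespace-scoped store silently inherits whatever that identity can reach; the comment should state that plainly for anyone reviewing a multi-tenant deployment, e.g. `// If nil, the controller's own instance principal is used, so any SecretStore omitting auth reads with that identity.` The exported `OracleAuth` and `OracleSecretRef` still carry no doc comment starting with the type name (`// OracleAuth holds the user-principal credentials for the Oracle Vault provider.`), and the struct comment on lines 16-17 reads "an store ... a Oracle" (`// OracleProvider configures a store to sync secrets using an Oracle Vault backend.`). Moving `user`/`tenancy` out of `OracleProvider` and dropping `omitempty` from `region`/`vault` is a breaking change for existing v1alpha1 objects, which neither the commit message nor the type comments mention. The same points apply to the identical hunk in apis/externalsecrets/v1beta1/secretstore_oracle_types.go.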

+ 5 - 1
apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -836,7 +836,11 @@ func (in *OracleAuth) DeepCopy() *OracleAuth {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OracleProvider) DeepCopyInto(out *OracleProvider) {
 	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(OracleAuth)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleProvider.

+ 16 - 14
apis/externalsecrets/v1beta1/secretstore_oracle_types.go

@@ -19,31 +19,33 @@ import (
 // Configures an store to sync secrets using a Oracle Vault
 // backend.
 type OracleProvider struct {
-	// Auth configures how secret-manager authenticates with the Oracle Vault.
-	Auth OracleAuth `json:"auth"`
-
-	// User is an access OCID specific to the account.
-	User string `json:"user,omitempty"`
-
-	// Tenancy is the tenancy OCID where secret is located.
-	Tenancy string `json:"tenancy,omitempty"`
-
-	// Region is the region where secret is located.
-	Region string `json:"region,omitempty"`
+	// Region is the region where vault is located.
+	Region string `json:"region"`
 
 	// Vault is the vault's OCID of the specific vault where secret is located.
-	Vault string `json:"vault,omitempty"`
+	Vault string `json:"vault"`
+
+	// Auth configures how secret-manager authenticates with the Oracle Vault.
+	// If empty, use the instance principal, otherwise the user credentials specified in Auth.
+	// +optional
+	Auth *OracleAuth `json:"auth,omitempty"`
 }
 
 type OracleAuth struct {
+	// Tenancy is the tenancy OCID where user is located.
+	Tenancy string `json:"tenancy"`
+
+	// User is an access OCID specific to the account.
+	User string `json:"user"`
+
 	// SecretRef to pass through sensitive information.
 	SecretRef OracleSecretRef `json:"secretRef"`
 }
 
 type OracleSecretRef struct {
 	// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
-	PrivateKey esmeta.SecretKeySelector `json:"privatekey,omitempty"`
+	PrivateKey esmeta.SecretKeySelector `json:"privatekey"`
 
 	// Fingerprint is the fingerprint of the API private key.
-	Fingerprint esmeta.SecretKeySelector `json:"fingerprint,omitempty"`
+	Fingerprint esmeta.SecretKeySelector `json:"fingerprint"`
 }

+ 5 - 1
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -893,7 +893,11 @@ func (in *OracleAuth) DeepCopy() *OracleAuth {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OracleProvider) DeepCopyInto(out *OracleProvider) {
 	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(OracleAuth)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleProvider.

+ 34 - 18
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -558,7 +558,8 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault.
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -605,25 +606,32 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
+                            required:
+                            - fingerprint
+                            - privatekey
                             type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
                         required:
                         - secretRef
+                        - tenancy
+                        - user
                         type: object
                       region:
-                        description: Region is the region where secret is located.
-                        type: string
-                      tenancy:
-                        description: Tenancy is the tenancy OCID where secret is located.
-                        type: string
-                      user:
-                        description: User is an access OCID specific to the account.
+                        description: Region is the region where vault is located.
                         type: string
                       vault:
                         description: Vault is the vault's OCID of the specific vault
                           where secret is located.
                         type: string
                     required:
-                    - auth
+                    - region
+                    - vault
                     type: object
                   vault:
                     description: Vault configures this store to sync secrets using
@@ -1703,7 +1711,8 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault.
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -1750,25 +1759,32 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
+                            required:
+                            - fingerprint
+                            - privatekey
                             type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
                         required:
                         - secretRef
+                        - tenancy
+                        - user
                         type: object
                       region:
-                        description: Region is the region where secret is located.
-                        type: string
-                      tenancy:
-                        description: Tenancy is the tenancy OCID where secret is located.
-                        type: string
-                      user:
-                        description: User is an access OCID specific to the account.
+                        description: Region is the region where vault is located.
                         type: string
                       vault:
                         description: Vault is the vault's OCID of the specific vault
                           where secret is located.
                         type: string
                     required:
-                    - auth
+                    - region
+                    - vault
                     type: object
                   vault:
                     description: Vault configures this store to sync secrets using

+ 34 - 18
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -561,7 +561,8 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault.
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -608,25 +609,32 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
+                            required:
+                            - fingerprint
+                            - privatekey
                             type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
                         required:
                         - secretRef
+                        - tenancy
+                        - user
                         type: object
                       region:
-                        description: Region is the region where secret is located.
-                        type: string
-                      tenancy:
-                        description: Tenancy is the tenancy OCID where secret is located.
-                        type: string
-                      user:
-                        description: User is an access OCID specific to the account.
+                        description: Region is the region where vault is located.
                         type: string
                       vault:
                         description: Vault is the vault's OCID of the specific vault
                           where secret is located.
                         type: string
                     required:
-                    - auth
+                    - region
+                    - vault
                     type: object
                   vault:
                     description: Vault configures this store to sync secrets using
@@ -1709,7 +1717,8 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault.
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -1756,25 +1765,32 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
+                            required:
+                            - fingerprint
+                            - privatekey
                             type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
                         required:
                         - secretRef
+                        - tenancy
+                        - user
                         type: object
                       region:
-                        description: Region is the region where secret is located.
-                        type: string
-                      tenancy:
-                        description: Tenancy is the tenancy OCID where secret is located.
-                        type: string
-                      user:
-                        description: User is an access OCID specific to the account.
+                        description: Region is the region where vault is located.
                         type: string
                       vault:
                         description: Vault is the vault's OCID of the specific vault
                           where secret is located.
                         type: string
                     required:
-                    - auth
+                    - region
+                    - vault
                     type: object
                   vault:
                     description: Vault configures this store to sync secrets using

+ 68 - 36
deploy/crds/bundle.yaml

@@ -568,7 +568,8 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault.
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -615,25 +616,32 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
+                            required:
+                            - fingerprint
+                            - privatekey
                             type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
                         required:
                         - secretRef
+                        - tenancy
+                        - user
                         type: object
                       region:
-                        description: Region is the region where secret is located.
-                        type: string
-                      tenancy:
-                        description: Tenancy is the tenancy OCID where secret is located.
-                        type: string
-                      user:
-                        description: User is an access OCID specific to the account.
+                        description: Region is the region where vault is located.
                         type: string
                       vault:
                         description: Vault is the vault's OCID of the specific vault
                           where secret is located.
                         type: string
                     required:
-                    - auth
+                    - region
+                    - vault
                     type: object
                   vault:
                     description: Vault configures this store to sync secrets using
@@ -1713,7 +1721,8 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault.
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -1760,25 +1769,32 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
+                            required:
+                            - fingerprint
+                            - privatekey
                             type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
                         required:
                         - secretRef
+                        - tenancy
+                        - user
                         type: object
                       region:
-                        description: Region is the region where secret is located.
-                        type: string
-                      tenancy:
-                        description: Tenancy is the tenancy OCID where secret is located.
-                        type: string
-                      user:
-                        description: User is an access OCID specific to the account.
+                        description: Region is the region where vault is located.
                         type: string
                       vault:
                         description: Vault is the vault's OCID of the specific vault
                           where secret is located.
                         type: string
                     required:
-                    - auth
+                    - region
+                    - vault
                     type: object
                   vault:
                     description: Vault configures this store to sync secrets using
@@ -3415,7 +3431,8 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault.
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -3462,25 +3479,32 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
+                            required:
+                            - fingerprint
+                            - privatekey
                             type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
                         required:
                         - secretRef
+                        - tenancy
+                        - user
                         type: object
                       region:
-                        description: Region is the region where secret is located.
-                        type: string
-                      tenancy:
-                        description: Tenancy is the tenancy OCID where secret is located.
-                        type: string
-                      user:
-                        description: User is an access OCID specific to the account.
+                        description: Region is the region where vault is located.
                         type: string
                       vault:
                         description: Vault is the vault's OCID of the specific vault
                           where secret is located.
                         type: string
                     required:
-                    - auth
+                    - region
+                    - vault
                     type: object
                   vault:
                     description: Vault configures this store to sync secrets using
@@ -4563,7 +4587,8 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault.
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -4610,25 +4635,32 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
+                            required:
+                            - fingerprint
+                            - privatekey
                             type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
                         required:
                         - secretRef
+                        - tenancy
+                        - user
                         type: object
                       region:
-                        description: Region is the region where secret is located.
-                        type: string
-                      tenancy:
-                        description: Tenancy is the tenancy OCID where secret is located.
-                        type: string
-                      user:
-                        description: User is an access OCID specific to the account.
+                        description: Region is the region where vault is located.
                         type: string
                       vault:
                         description: Vault is the vault's OCID of the specific vault
                           where secret is located.
                         type: string
                     required:
-                    - auth
+                    - region
+                    - vault
                     type: object
                   vault:
                     description: Vault configures this store to sync secrets using

+ 199 - 0
design/001-design-crd-v1beta1.md

@@ -0,0 +1,199 @@
+```yaml
+---
+title: External Secrets CRD promotion
+version: v1beta1
+authors: all of us
+creation-date: 2022-feb-08
+status: draft
+---
+```
+
+# External Secrets Operator CRD
+
+## Table of Contents
+
+<!-- toc -->
+<!-- /toc -->
+
+## Summary
+
+This is a proposal to design the Promoted ExternalSecrets CRD.
+
+## Motivation
+
+The project came up to the point to have grown in users and maturity, hence we are starting to drive efforts to bring it to GA. The promotion of the ExternalSecrets CRD to beta is one of this efforts.
+This design documentation aims to capture some final changes for ExternalSecrets CRD.
+
+### Goals
+
+- Define a beta CRD
+- Define strucutre for getting all provider secrets
+- Define structure for new templating engine
+### Non-Goals
+
+This KEP proposes the CRD Spec and documents the use-cases, not the choice of technology or migration path towards implementing the CRD.
+
+## Terminology
+
+* External Secrets Operator `ESO`: A Application that runs a control loop which syncs secrets
+* ESO `instance`: A single entity that runs a control loop
+* Provider: Is a **source** for secrets. The Provider is external to ESO. It can be a hosted service like Alibaba Cloud SecretsManager, AWS SystemsManager, Azure KeyVault etc
+* SecretStore `ST`: A Custom Resource to authenticate and configure the connection between the ESO instance and the Provider
+* ExternalSecret `ES`: A Custom Resource that declares which secrets should be synced
+* Frontend: A **sink** for the synced secrets, usually a `Secret` resource
+* Secret: Credentials that act as a key to sensitive information
+
+### User Definitions
+* `operator :=` I manage one or multiple `ESO` instances
+* `user :=` I only create `ES`, ESO is managed by someone else
+
+### User Stories
+From that we can derive the following requirements or user stories:
+1. As a ESO operator I want to get all the secrets of a given path from a given provider, if the provider supports it
+2. As a ESO operator I want to handle templating like it is a natural language, not needing to worry about how it is actually implemented.
+
+## Proposal
+
+### External Secret
+
+```yaml
+#only changed fields are commented out.
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: "hello-world"
+  labels:
+    acme.org/owned-by: "q-team"
+  annotations:
+    acme.org/sha: 1234
+
+spec:
+  secretStoreRef:
+    name: secret-store-name
+    kind: SecretStore
+  refreshInterval: "1h"
+  target:
+    name: my-secret
+    creationPolicy: 'Merge'
+    template:
+      engineVersion: v2 #Defaults to v2 in v1beta1
+      type: kubernetes.io/dockerconfigjson 
+      metadata:
+        annotations: {}
+        labels: {}
+      data:
+        config.yml: |
+          endpoints:
+          - https://{{ .data.user }}:{{ .data.password }}@api.exmaple.com
+
+      templateFrom:
+      - configMap:
+          name: alertmanager
+          items:
+          - key: alertmanager.yaml
+  data:
+    - secretKey: secret-key-to-be-managed
+      remoteRef:
+        key: provider-key
+        version: provider-key-version
+        property: provider-key-property
+  dataFrom:
+  - extract: #extract all the keys from one given secret
+      key: provider-key
+      version: provider-key-version
+      property: provider-key-property
+  - find:
+      name:  #find secrets that match a particular pattern
+        regexp: .*pattern.*
+      tags:  #find secrets that match the following labels/tags
+        provider-label: provider-value
+status:
+  refreshTime: "2019-08-12T12:33:02Z"
+  conditions:
+  - type: Ready
+    status: "True"
+    reason: "SecretSynced"
+    message: "Secret was synced"
+    lastTransitionTime: "2019-08-12T12:33:02Z"
+```
+
+#### Behavior
+
+ExternalSecrets now will have a different structure for `dataFrom`, which will allow fetching several provider secrets with only one ExternalSecret definition. It should be possible to fetch secrets based on regular expressions or by a label/tag selector.
+
+If the user desires to rename the secret keys (e.g. because the key name is not a valid secret key name `/foo/bar`) they should use `template` functions to produce a mapping. 
+### Secret Store
+
+SecretStore and ClusterSecretStore do not have any changes from v1alpha1.
+
+```yaml
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: example
+  namespace: example-ns
+spec:
+  controller: dev
+  retrySettings:
+    maxRetries: 5
+    retryInterval: "10s"
+  provider:
+    aws:
+      service: SecretsManager
+      role: iam-role
+      region: eu-central-1
+      auth:
+        secretRef:
+          accessKeyID:
+            name: awssm-secret
+            key: access-key
+          secretAccessKey:
+            name: awssm-secret
+            key: secret-access-key
+    vault:
+      server: "https://vault.acme.org"
+      path: "secret"
+      version: "v2"
+      namespace: "a-team"
+      caBundle: "..."
+      caProvider:
+        type: "Secret"
+        name: "my-cert-secret"
+        key: "cert-key"
+      auth:
+        tokenSecretRef:
+          name: "my-secret"
+          namespace: "secret-admin"
+          key: "vault-token"
+        appRole:
+          path: "approle"
+          roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
+          secretRef:
+            name: "my-secret"
+            namespace: "secret-admin"
+            key: "vault-token"
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "demo"
+          serviceAccountRef:
+            name: "my-sa"
+            namespace: "secret-admin"
+          secretRef:
+            name: "my-secret"
+            namespace: "secret-admin"
+            key: "vault"
+    gcpsm:
+      auth:
+        secretRef:
+          secretAccessKeySecretRef:
+            name: gcpsm-secret
+            key: secret-access-credentials
+      projectID: myproject
+status:
+  conditions:
+  - type: Ready
+    status: "False"
+    reason: "ConfigError"
+    message: "SecretStore validation failed"
+    lastTransitionTime: "2019-08-12T12:33:02Z"
+```

+ 4 - 1
docs/provider-oracle-vault.md

@@ -4,7 +4,10 @@ External Secrets Operator integrates with [OCI API](https://github.com/oracle/oc
 
 ### Authentication
 
-The API requires a userOCID, tenancyOCID, fingerprint, key file and a region. The fingerprint and key file should be supplied in the secret with the rest being provided in the secret store.
+If `auth` is not specified, the operator uses the instance principal.
+
+For using a specific user credentials, userOCID, tenancyOCID, fingerprint and private key are required.
+The fingerprint and key file should be supplied in the secret with the rest being provided in the secret store.
 
 See url for what region you you are accessing.
 ![userOCID-details](./pictures/screenshot_region.png)

+ 18 - 6
docs/snippets/oracle-secret-store.yaml

@@ -1,19 +1,31 @@
 apiVersion: external-secrets.io/v1alpha1
 kind: SecretStore
 metadata:
-  name: example
+  name: example-instance-principal
 spec:
   provider:
-    oracle: #Needs to match value in secretstore_types.go
+    oracle:
       vault: # The vault OCID
-      user:
-      tenancy:
-      region:
+      region: # The vault region
+
+---
+
+apiVersion: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: example-auth
+spec:
+  provider:
+    oracle:
+      vault: # The vault OCID
+      region: # The vault region
       auth:
+        user: # A user OCID
+        tenancy: # A user's tenancy
         secretRef:
           privatekey:
             name: oracle-secret
-            key: privateKey #Needs to match stringData val in secret_oracle.yml
+            key: privateKey
           fingerprint:
             name: oracle-secret
             key: fingerprint

+ 7 - 3
e2e/suite/oracle/provider.go

@@ -21,8 +21,8 @@ import (
 
 	// nolint
 	. "github.com/onsi/gomega"
-	"github.com/oracle/oci-go-sdk/v45/common"
-	vault "github.com/oracle/oci-go-sdk/v45/vault"
+	"github.com/oracle/oci-go-sdk/v56/common"
+	vault "github.com/oracle/oci-go-sdk/v56/vault"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilpointer "k8s.io/utils/pointer"
@@ -113,7 +113,11 @@ func (p *oracleProvider) BeforeEach() {
 		Spec: esv1alpha1.SecretStoreSpec{
 			Provider: &esv1alpha1.SecretStoreProvider{
 				Oracle: &esv1alpha1.OracleProvider{
-					Auth: esv1alpha1.OracleAuth{
+					Region: p.region,
+					Vault:  "vaultOCID",
+					Auth: &esv1alpha1.OracleAuth{
+						Tenancy: p.tenancy,
+						User:    p.user,
 						SecretRef: esv1alpha1.OracleSecretRef{
 							Fingerprint: esmeta.SecretKeySelector{
 								Name: "vms-secret",
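Review bot: `Vault:  "vaultOCID"` is a hard-coded placeholder while the neighbouring fields come from the provider fixture (`Region: p.region`, `Tenancy: p.tenancy`, `User: p.user`), so this e2e store presumably cannot talk to a real vault unless the value is patched elsewhere. If the placeholder is intentional, a comment such as `// placeholder; replaced by the suite's real vault OCID before use` would make that visible; otherwise a fixture field populated like the other three (e.g. `Vault: p.vault`, if such a field exists) keeps the spec consistent. The `BeforeEach` body and the struct literal continue outside the hunk.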

+ 2 - 1
go.mod

@@ -59,7 +59,7 @@ require (
 	github.com/lestrrat-go/jwx v1.2.1
 	github.com/onsi/ginkgo/v2 v2.1.1
 	github.com/onsi/gomega v1.18.1
-	github.com/oracle/oci-go-sdk/v45 v45.2.0
+	github.com/oracle/oci-go-sdk/v56 v56.1.0
 	github.com/prometheus/client_golang v1.12.1
 	github.com/prometheus/client_model v0.2.0
 	github.com/stretchr/testify v1.7.0
@@ -181,6 +181,7 @@ require (
 	github.com/russross/blackfriday/v2 v2.0.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b // indirect
 	github.com/spf13/cobra v1.2.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.2.0 // indirect

+ 4 - 2
go.sum

@@ -693,8 +693,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
 github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/oracle/oci-go-sdk/v45 v45.2.0 h1:vCPoQlE+DOrM2heJn66rvPU6fbsc/0Cxtzs2jnFut6U=
-github.com/oracle/oci-go-sdk/v45 v45.2.0/go.mod h1:ZM6LGiRO5TPQJxTlrXbcHMbClE775wnGD5U/EerCsRw=
+github.com/oracle/oci-go-sdk/v56 v56.1.0 h1:HOr9P+MkwgrilEGTJCU7a6GMFrUG/RZAzvh/2JeRXvI=
+github.com/oracle/oci-go-sdk/v56 v56.1.0/go.mod h1:kDJAL3HEAF+4oQR8GfaOkY6rz2kU3/kZ6vYJnJXSCkA=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@@ -772,6 +772,8 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
+github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b h1:br+bPNZsJWKicw/5rALEo67QHs5weyD5tf8WST+4sJ0=
+github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=

+ 1 - 1
hack/api-docs/mkdocs.yml

@@ -48,7 +48,7 @@ nav:
     - Azure:
       - Key Vault: provider-azure-key-vault.md
     - Google:
-      - Secrets Manager: provider-google-secrets-manager.md
+      - Secret Manager: provider-google-secrets-manager.md
     - IBM:
       - Secrets Manager: provider-ibm-secrets-manager.md
     - Akeyless: provider-akeyless.md

+ 1 - 1
pkg/provider/oracle/fake/fake.go

@@ -16,7 +16,7 @@ package fake
 import (
 	"context"
 
-	secrets "github.com/oracle/oci-go-sdk/v45/secrets"
+	secrets "github.com/oracle/oci-go-sdk/v56/secrets"
 )
 
 type OracleMockClient struct {

+ 75 - 81
pkg/provider/oracle/oracle.go

@@ -17,14 +17,16 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/oracle/oci-go-sdk/v45/common"
-	"github.com/oracle/oci-go-sdk/v45/secrets"
+	"github.com/oracle/oci-go-sdk/v56/common"
+	"github.com/oracle/oci-go-sdk/v56/common/auth"
+	"github.com/oracle/oci-go-sdk/v56/secrets"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -52,18 +54,6 @@ const (
 	errUnexpectedContent                     = "unexpected secret bundle content"
 )
 
-type client struct {
-	kube        kclient.Client
-	store       *esv1beta1.OracleProvider
-	namespace   string
-	storeKind   string
-	tenancy     string
-	user        string
-	region      string
-	fingerprint string
-	privateKey  string
-}
-
 type VaultManagementService struct {
 	Client VMInterface
 	vault  string
@@ -73,58 +63,6 @@ type VMInterface interface {
 	GetSecretBundleByName(ctx context.Context, request secrets.GetSecretBundleByNameRequest) (secrets.GetSecretBundleByNameResponse, error)
 }
 
-func (c *client) setAuth(ctx context.Context) error {
-	credentialsSecret := &corev1.Secret{}
-	credentialsSecretName := c.store.Auth.SecretRef.PrivateKey.Name
-	if credentialsSecretName == "" {
-		return fmt.Errorf(errORACLECredSecretName)
-	}
-	objectKey := types.NamespacedName{
-		Name:      credentialsSecretName,
-		Namespace: c.namespace,
-	}
-
-	// only ClusterStore is allowed to set namespace (and then it's required)
-	if c.storeKind == esv1beta1.ClusterSecretStoreKind {
-		if c.store.Auth.SecretRef.PrivateKey.Namespace == nil {
-			return fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
-		}
-		objectKey.Namespace = *c.store.Auth.SecretRef.PrivateKey.Namespace
-	}
-
-	err := c.kube.Get(ctx, objectKey, credentialsSecret)
-	if err != nil {
-		return fmt.Errorf(errFetchSAKSecret, err)
-	}
-
-	c.privateKey = string(credentialsSecret.Data[c.store.Auth.SecretRef.PrivateKey.Key])
-	if c.privateKey == "" {
-		return fmt.Errorf(errMissingPK)
-	}
-
-	c.fingerprint = string(credentialsSecret.Data[c.store.Auth.SecretRef.Fingerprint.Key])
-	if c.fingerprint == "" {
-		return fmt.Errorf(errMissingFingerprint)
-	}
-
-	c.user = c.store.User
-	if c.user == "" {
-		return fmt.Errorf(errMissingUser)
-	}
-
-	c.tenancy = c.store.Tenancy
-	if c.tenancy == "" {
-		return fmt.Errorf(errMissingTenancy)
-	}
-
-	c.region = c.store.Region
-	if c.region == "" {
-		return fmt.Errorf(errMissingRegion)
-	}
-
-	return nil
-}
-
 // Empty GetAllSecrets.
 func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
 	// TO be implemented
@@ -194,35 +132,91 @@ func (vms *VaultManagementService) NewClient(ctx context.Context, store esv1beta
 		return nil, fmt.Errorf(errMissingVault)
 	}
 
-	oracleStore := &client{
-		kube:      kube,
-		store:     oracleSpec,
-		namespace: namespace,
-		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
-	}
-	if err := oracleStore.setAuth(ctx); err != nil {
-		return nil, err
+	if oracleSpec.Region == "" {
+		return nil, fmt.Errorf(errMissingRegion)
 	}
 
-	oracleTenancy := oracleStore.tenancy
-	oracleUser := oracleStore.user
-	oracleRegion := oracleStore.region
-	oracleFingerprint := oracleStore.fingerprint
-	oraclePrivateKey := oracleStore.privateKey
-
-	configurationProvider := common.NewRawConfigurationProvider(oracleTenancy, oracleUser, oracleRegion, oracleFingerprint, oraclePrivateKey, nil)
+	var (
+		err                   error
+		configurationProvider common.ConfigurationProvider
+	)
+	if oracleSpec.Auth == nil {
+		configurationProvider, err = auth.InstancePrincipalConfigurationProvider()
+	} else {
+		configurationProvider, err = getUserAuthConfigurationProvider(ctx, kube, oracleSpec, namespace, store.GetObjectKind().GroupVersionKind().Kind, oracleSpec.Region)
+	}
+	if err != nil {
+		return nil, fmt.Errorf(errOracleClient, err)
+	}
 
 	secretManagementService, err := secrets.NewSecretsClientWithConfigurationProvider(configurationProvider)
 	if err != nil {
 		return nil, fmt.Errorf(errOracleClient, err)
 	}
 
+	secretManagementService.SetRegion(oracleSpec.Region)
+
 	return &VaultManagementService{
 		Client: secretManagementService,
 		vault:  oracleSpec.Vault,
 	}, nil
 }
 
+func getSecretData(ctx context.Context, kube kclient.Client, namespace, storeKind string, secretRef esmeta.SecretKeySelector) (string, error) {
+	if secretRef.Name == "" {
+		return "", fmt.Errorf(errORACLECredSecretName)
+	}
+
+	objectKey := types.NamespacedName{
+		Name:      secretRef.Name,
+		Namespace: namespace,
+	}
+
+	// only ClusterStore is allowed to set namespace (and then it's required)
+	if storeKind == esv1beta1.ClusterSecretStoreKind {
+		if secretRef.Namespace == nil {
+			return "", fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
+		}
+		objectKey.Namespace = *secretRef.Namespace
+	}
+
+	secret := corev1.Secret{}
+	err := kube.Get(ctx, objectKey, &secret)
+	if err != nil {
+		return "", fmt.Errorf(errFetchSAKSecret, err)
+	}
+
+	return string(secret.Data[secretRef.Key]), nil
+}
+
+func getUserAuthConfigurationProvider(ctx context.Context, kube kclient.Client, store *esv1beta1.OracleProvider, namespace, storeKind, region string) (common.ConfigurationProvider, error) {
+	privateKey, err := getSecretData(ctx, kube, namespace, storeKind, store.Auth.SecretRef.PrivateKey)
+	if err != nil {
+		return nil, err
+	}
+	if privateKey == "" {
+		return nil, fmt.Errorf(errMissingPK)
+	}
+
+	fingerprint, err := getSecretData(ctx, kube, namespace, storeKind, store.Auth.SecretRef.Fingerprint)
+	if err != nil {
+		return nil, err
+	}
+	if fingerprint == "" {
+		return nil, fmt.Errorf(errMissingFingerprint)
+	}
+
+	if store.Auth.User == "" {
+		return nil, fmt.Errorf(errMissingUser)
+	}
+
+	if store.Auth.Tenancy == "" {
+		return nil, fmt.Errorf(errMissingTenancy)
+	}
+
+	return common.NewRawConfigurationProvider(store.Auth.Tenancy, store.Auth.User, region, fingerprint, privateKey, nil), nil
+}
+
 func (vms *VaultManagementService) Close(ctx context.Context) error {
 	return nil
 }
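Review bot: `getUserAuthConfigurationProvider` takes a separate `region` parameter although the same value is already reachable as `store.Region` (the `oracleSpec.Auth != nil` branch in `NewClient` passes `oracleSpec.Region` right next to `oracleSpec`); dropping the parameter and writing `common.NewRawConfigurationProvider(store.Auth.Tenancy, store.Auth.User, store.Region, fingerprint, privateKey, nil)` removes the chance of the two drifting apart. In the same function the cheap `store.Auth.User == ""` and `store.Auth.Tenancy == ""` checks run only after two Kubernetes secret reads have succeeded; moving them to the top of the function fails fast on a misconfigured store without touching the API server. The `oracleSpec.Auth == nil` branch would benefit from a comment stating what identity is used, e.g. `// No auth block: authenticate as the instance principal of the node the operator runs on; every SecretStore author shares this identity, so scope its IAM policy to the intended vault.` `NewClient` starts before this hunk.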

+ 1 - 1
pkg/provider/oracle/oracle_test.go

@@ -19,7 +19,7 @@ import (
 	"strings"
 	"testing"
 
-	secrets "github.com/oracle/oci-go-sdk/v45/secrets"
+	secrets "github.com/oracle/oci-go-sdk/v56/secrets"
 	utilpointer "k8s.io/utils/pointer"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"

+ 1 - 1
pkg/utils/utils_test.go

@@ -17,7 +17,7 @@ package utils
 import (
 	"testing"
 
-	vault "github.com/oracle/oci-go-sdk/v45/vault"
+	vault "github.com/oracle/oci-go-sdk/v56/vault"
 	v1 "k8s.io/api/core/v1"
 )