chore(deps): bump sigs.k8s.io/controller-runtime from 0.12.3 to 0.13.0 (#1547)

* chore(deps): bump sigs.k8s.io/controller-runtime from 0.12.3 to 0.13.0

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.12.3 to 0.13.0.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.12.3...v0.13.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix: remove dependency on crossplane-runtime/pkg/test

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Moritz Johner <beller.moritz@googlemail.com>

e2e/go.mod

@@ -61,7 +61,7 @@ require (
 	k8s.io/apimachinery v0.25.0
 	k8s.io/client-go v1.5.2
 	k8s.io/utils v0.0.0-20220823124924-e9cbc92d1a73
-	sigs.k8s.io/controller-runtime v0.12.3
+	sigs.k8s.io/controller-runtime v0.13.0
 	software.sslmate.com/src/go-pkcs12 v0.2.0
 )
 

go.mod

@@ -51,7 +51,6 @@ require (
 	github.com/akeylesslabs/akeyless-go/v2 v2.20.0
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1802
 	github.com/aws/aws-sdk-go v1.44.114
-	github.com/crossplane/crossplane-runtime v0.18.0
 	github.com/go-logr/logr v1.2.3
 	github.com/go-test/deep v1.0.4 // indirect
 	github.com/google/go-cmp v0.5.9
@@ -88,7 +87,7 @@ require (
 	k8s.io/apimachinery v0.25.0
 	k8s.io/client-go v1.5.2
 	k8s.io/utils v0.0.0-20220823124924-e9cbc92d1a73
-	sigs.k8s.io/controller-runtime v0.12.3
+	sigs.k8s.io/controller-runtime v0.13.0
 	sigs.k8s.io/controller-tools v0.10.0
 )
 
@@ -121,6 +120,7 @@ require (
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
+	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect

go.sum

@@ -207,8 +207,6 @@ github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/crossplane/crossplane-runtime v0.18.0 h1:j1VxhKWp3iQKr1XNiMoBKmEvN2Z98E7rR0tyimu7dj4=
-github.com/crossplane/crossplane-runtime v0.18.0/go.mod h1:o9ExoilV6k2M3qzSFoRVX4phuww0mLmjs1WrDTvsR4s=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -242,6 +240,8 @@ github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQL
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
+github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
+github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
@@ -1524,8 +1524,8 @@ rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw=
-sigs.k8s.io/controller-runtime v0.12.3 h1:FCM8xeY/FI8hoAfh/V4XbbYMY20gElh9yh+A98usMio=
-sigs.k8s.io/controller-runtime v0.12.3/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0=
+sigs.k8s.io/controller-runtime v0.13.0 h1:iqa5RNciy7ADWnIc8QxCbOX5FEKVR3uxVxKHRMc2WIQ=
+sigs.k8s.io/controller-runtime v0.13.0/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI=
 sigs.k8s.io/controller-tools v0.10.0 h1:0L5DTDTFB67jm9DkfrONgTGmfc/zYow0ZaHyppizU2U=
 sigs.k8s.io/controller-tools v0.10.0/go.mod h1:uvr0EW6IsprfB0jpQq6evtKy+hHyHCXNfdWI5ONPx94=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=

pkg/provider/aws/provider_test.go

@@ -23,12 +23,10 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts/stsiface"
-	"github.com/crossplane/crossplane-runtime/pkg/test"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/pointer"
-	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
@@ -359,14 +357,12 @@ func TestValidRetryInput(t *testing.T) {
 					Auth: esv1beta1.AWSAuth{
 						SecretRef: &esv1beta1.AWSAuthSecretRef{
 							SecretAccessKey: esmeta.SecretKeySelector{
-								Name:      "sak",
-								Namespace: pointer.String("OK"),
-								Key:       "sak",
+								Name: "creds",
+								Key:  "sak",
 							},
 							AccessKeyID: esmeta.SecretKeySelector{
-								Name:      "ak",
-								Namespace: pointer.String("OK"),
-								Key:       "ak",
+								Name: "creds",
+								Key:  "ak",
 							},
 						},
 					},
@@ -381,19 +377,16 @@ func TestValidRetryInput(t *testing.T) {
 	expected := fmt.Sprintf("unable to initialize aws provider: time: invalid duration %q", invalid)
 	ctx := context.TODO()
 
-	kube := &test.MockClient{
-		MockGet: test.NewMockGetFn(nil, func(obj kclient.Object) error {
-			if o, ok := obj.(*corev1.Secret); ok {
-				o.Data = map[string][]byte{
-					"sak": []byte("OK"),
-					"ak":  []byte("OK"),
-				}
-				return nil
-			}
-			return nil
-		}),
-	}
-
+	kube := clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      "creds",
+			Namespace: "default",
+		},
+		Data: map[string][]byte{
+			"sak": []byte("OK"),
+			"ak":  []byte("OK"),
+		},
+	}).Build()
 	provider := func(*session.Session) stsiface.STSAPI { return nil }
 
 	_, err := newClient(ctx, spec, kube, "default", provider)

pkg/provider/ibm/provider_test.go

@@ -22,10 +22,10 @@ import (
 
 	"github.com/IBM/go-sdk-core/v5/core"
 	sm "github.com/IBM/secrets-manager-go-sdk/secretsmanagerv1"
-	"github.com/crossplane/crossplane-runtime/pkg/test"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilpointer "k8s.io/utils/pointer"
-	kclient "sigs.k8s.io/controller-runtime/pkg/client"
+	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -686,17 +686,15 @@ func TestValidRetryInput(t *testing.T) {
 
 	expected := fmt.Sprintf("cannot setup new ibm client: time: invalid duration %q", invalid)
 	ctx := context.TODO()
-	kube := &test.MockClient{
-		MockGet: test.NewMockGetFn(nil, func(obj kclient.Object) error {
-			if o, ok := obj.(*corev1.Secret); ok {
-				o.Data = map[string][]byte{
-					"fake-key": []byte("ImAFakeApiKey"),
-				}
-				return nil
-			}
-			return nil
-		}),
-	}
+	kube := clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "fake-secret",
+			Namespace: "default",
+		},
+		Data: map[string][]byte{
+			"fake-key": []byte("ImAFakeApiKey"),
+		},
+	}).Build()
 
 	_, err := sm.NewClient(ctx, spec, kube, "default")
 

pkg/provider/vault/vault_test.go

@@ -18,10 +18,10 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"reflect"
 	"strings"
 	"testing"
 
-	"github.com/crossplane/crossplane-runtime/pkg/test"
 	"github.com/google/go-cmp/cmp"
 	vault "github.com/hashicorp/vault/api"
 	corev1 "k8s.io/api/core/v1"
@@ -29,6 +29,7 @@ import (
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/utils/pointer"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
+	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -212,24 +213,6 @@ func clientWithLoginMock(c *vault.Config) (Client, error) {
 	return out, nil
 }
 
-func kubeMockWithSecretTokenAndServiceAcc(obj kclient.Object) error {
-	if o, ok := obj.(*corev1.ServiceAccount); ok {
-		o.Secrets = []corev1.ObjectReference{
-			{
-				Name: tokenSecretName,
-			},
-		}
-		return nil
-	}
-	if o, ok := obj.(*corev1.Secret); ok {
-		o.Data = map[string][]byte{
-			"token": []byte(secretDataString),
-		}
-		return nil
-	}
-	return nil
-}
-
 func TestNewVault(t *testing.T) {
 	errBoom := errors.New("boom")
 	secretClientKey := []byte(`-----BEGIN PRIVATE KEY-----
@@ -276,11 +259,10 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			reason: "Should return error if fetching kubernetes secret fails.",
 			args: args{
 				newClientFunc: clientWithLoginMock,
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(errBoom),
-				},
-				store:  makeSecretStore(),
-				corev1: utilfake.NewCreateTokenMock().WithError(errBoom),
+				ns:            "default",
+				kube:          clientfake.NewClientBuilder().Build(),
+				store:         makeSecretStore(),
+				corev1:        utilfake.NewCreateTokenMock().WithError(errBoom),
 			},
 			want: want{
 				err: fmt.Errorf(errGetKubeSATokenRequest, "example-sa", errBoom),
@@ -289,6 +271,7 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 		"GetKubeSecretError": {
 			reason: "Should return error if fetching kubernetes secret fails.",
 			args: args{
+				ns: "default",
 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
 					s.Spec.Provider.Vault.Auth.Kubernetes.ServiceAccountRef = nil
 					s.Spec.Provider.Vault.Auth.Kubernetes.SecretRef = &esmeta.SecretKeySelector{
@@ -296,30 +279,27 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 						Key:  "key",
 					}
 				}),
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(errBoom),
-				},
+				kube: clientfake.NewClientBuilder().Build(),
 			},
 			want: want{
-				err: fmt.Errorf(errGetKubeSecret, "vault-secret", errBoom),
+				err: fmt.Errorf(errGetKubeSecret, "vault-secret", errors.New("secrets \"vault-secret\" not found")),
 			},
 		},
 		"SuccessfulVaultStoreWithCertAuth": {
 			reason: "Should return a Vault provider successfully",
 			args: args{
 				store: makeValidSecretStoreWithCerts(),
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(nil, func(obj kclient.Object) error {
-						if o, ok := obj.(*corev1.Secret); ok {
-							o.Data = map[string][]byte{
-								"tls.key": secretClientKey,
-								"tls.crt": clientCrt,
-							}
-							return nil
-						}
-						return nil
-					}),
-				},
+				ns:    "default",
+				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tls-auth-certs",
+						Namespace: "default",
+					},
+					Data: map[string][]byte{
+						"tls.key": secretClientKey,
+						"tls.crt": clientCrt,
+					},
+				}).Build(),
 				newClientFunc: clientWithLoginMock,
 			},
 			want: want{
@@ -330,18 +310,17 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			reason: "Should return a Vault prodvider with the cert from k8s",
 			args: args{
 				store: makeValidSecretStoreWithK8sCerts(true),
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(nil, func(obj kclient.Object) error {
-						if o, ok := obj.(*corev1.Secret); ok {
-							o.Data = map[string][]byte{
-								"cert":  clientCrt,
-								"token": secretData,
-							}
-							return nil
-						}
-						return nil
-					}),
-				},
+				ns:    "default",
+				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "vault-cert",
+						Namespace: "default",
+					},
+					Data: map[string][]byte{
+						"cert":  clientCrt,
+						"token": secretData,
+					},
+				}).Build(),
 				corev1:        utilfake.NewCreateTokenMock().WithToken("ok"),
 				newClientFunc: clientWithLoginMock,
 			},
@@ -353,9 +332,8 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			reason: "Should return an error if namespace is missing and is a ClusterSecretStore",
 			args: args{
 				store: makeInvalidClusterSecretStoreWithK8sCerts(),
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(nil, kubeMockWithSecretTokenAndServiceAcc),
-				},
+				ns:    "default",
+				kube:  clientfake.NewClientBuilder().Build(),
 			},
 			want: want{
 				err: errors.New(errCANamespace),
@@ -365,9 +343,14 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			reason: "Should return an error if the secret key is missing",
 			args: args{
 				store: makeValidSecretStoreWithK8sCerts(true),
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(nil, kubeMockWithSecretTokenAndServiceAcc),
-				},
+				ns:    "default",
+				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "vault-cert",
+						Namespace: "default",
+					},
+					Data: map[string][]byte{},
+				}).Build(),
 				newClientFunc: clientWithLoginMock,
 			},
 			want: want{
@@ -378,18 +361,15 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			reason: "Should return a Vault prodvider with the cert from k8s",
 			args: args{
 				store: makeValidSecretStoreWithK8sCerts(false),
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(nil, func(obj kclient.Object) error {
-						if o, ok := obj.(*corev1.ConfigMap); ok {
-							o.Data = map[string]string{
-								"cert": string(clientCrt),
-							}
-							return nil
-						}
-
-						return nil
-					}),
-				},
+				ns:    "default",
+				kube: clientfake.NewClientBuilder().WithObjects(&corev1.ConfigMap{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "vault-cert",
+					},
+					Data: map[string]string{
+						"cert": string(clientCrt),
+					},
+				}).Build(),
 				corev1:        utilfake.NewCreateTokenMock().WithToken("ok"),
 				newClientFunc: clientWithLoginMock,
 			},
@@ -401,27 +381,23 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			reason: "Should return an error if the config map key is missing",
 			args: args{
 				store: makeValidSecretStoreWithK8sCerts(false),
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(nil, func(obj kclient.Object) error {
-						if o, ok := obj.(*corev1.ServiceAccount); ok {
-							o.Secrets = []corev1.ObjectReference{
-								{
-									Name: tokenSecretName,
-								},
-							}
-							return nil
-						}
-
-						if o, ok := obj.(*corev1.Secret); ok {
-							o.Data = map[string][]byte{
-								"token": secretData,
-							}
-							return nil
-						}
-
-						return nil
-					}),
-				},
+				ns:    "default",
+				kube: clientfake.NewClientBuilder().WithObjects(&corev1.ServiceAccount{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "example-sa",
+						Namespace: "default",
+					},
+					Secrets: []corev1.ObjectReference{
+						{
+							Name: tokenSecretName,
+						},
+					},
+				}, &corev1.ConfigMap{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "vault-cert",
+					},
+					Data: map[string]string{},
+				}).Build(),
 				newClientFunc: clientWithLoginMock,
 			},
 			want: want{
@@ -432,18 +408,17 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			reason: "Should return error if client certificate is in wrong format.",
 			args: args{
 				store: makeValidSecretStoreWithCerts(),
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(nil, func(obj kclient.Object) error {
-						if o, ok := obj.(*corev1.Secret); ok {
-							o.Data = map[string][]byte{
-								"tls.key": secretClientKey,
-								"tls.crt": []byte("cert with mistak"),
-							}
-							return nil
-						}
-						return nil
-					}),
-				},
+				ns:    "default",
+				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tls-auth-certs",
+						Namespace: "default",
+					},
+					Data: map[string][]byte{
+						"tls.key": secretClientKey,
+						"tls.crt": []byte("cert with mistak"),
+					},
+				}).Build(),
 				newClientFunc: clientWithLoginMock,
 			},
 			want: want{
@@ -454,18 +429,17 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			reason: "Should return error if client key is in wrong format.",
 			args: args{
 				store: makeValidSecretStoreWithCerts(),
-				kube: &test.MockClient{
-					MockGet: test.NewMockGetFn(nil, func(obj kclient.Object) error {
-						if o, ok := obj.(*corev1.Secret); ok {
-							o.Data = map[string][]byte{
-								"tls.key": []byte("key with mistake"),
-								"tls.crt": clientCrt,
-							}
-							return nil
-						}
-						return nil
-					}),
-				},
+				ns:    "default",
+				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tls-auth-certs",
+						Namespace: "default",
+					},
+					Data: map[string][]byte{
+						"tls.key": []byte("key with mistake"),
+						"tls.crt": clientCrt,
+					},
+				}).Build(),
 				newClientFunc: clientWithLoginMock,
 			},
 			want: want{
@@ -489,7 +463,7 @@ func vaultTest(t *testing.T, name string, tc testCase) {
 		conn.newVaultClient = newVaultClient
 	}
 	_, err := conn.newClient(context.Background(), tc.args.store, tc.args.kube, tc.args.corev1, tc.args.ns)
-	if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
+	if diff := cmp.Diff(tc.want.err, err, EquateErrors()); diff != "" {
 		t.Errorf("\n%s\nvault.New(...): -want error, +got error:\n%s", tc.reason, diff)
 	}
 }
@@ -667,7 +641,7 @@ func TestGetSecret(t *testing.T) {
 				namespace: tc.args.ns,
 			}
 			val, err := vStore.GetSecret(context.Background(), tc.args.data)
-			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
+			if diff := cmp.Diff(tc.want.err, err, EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nvault.GetSecret(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			if diff := cmp.Diff(string(tc.want.val), string(val)); diff != "" {
@@ -877,7 +851,7 @@ func TestGetSecretMap(t *testing.T) {
 				namespace: tc.args.ns,
 			}
 			val, err := vStore.GetSecretMap(context.Background(), tc.args.data)
-			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
+			if diff := cmp.Diff(tc.want.err, err, EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nvault.GetSecretMap(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.val, val); diff != "" {
@@ -1153,7 +1127,7 @@ func TestGetAllSecrets(t *testing.T) {
 				namespace: tc.args.ns,
 			}
 			val, err := vStore.GetAllSecrets(context.Background(), tc.args.data)
-			if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
+			if diff := cmp.Diff(tc.want.err, err, EquateErrors()); diff != "" {
 				t.Errorf("\n%s\nvault.GetSecretMap(...): -want error, +got error:\n%s", tc.reason, diff)
 			}
 			if diff := cmp.Diff(tc.want.val, val); diff != "" {
@@ -1390,3 +1364,27 @@ func TestValidateStore(t *testing.T) {
 		})
 	}
 }
+
+// EquateErrors returns true if the supplied errors are of the same type and
+// produce identical strings. This mirrors the error comparison behavior of
+// https://github.com/go-test/deep, which most Crossplane tests targeted before
+// we switched to go-cmp.
+//
+// This differs from cmpopts.EquateErrors, which does not test for error strings
+// and instead returns whether one error 'is' (in the errors.Is sense) the
+// other.
+func EquateErrors() cmp.Option {
+	return cmp.Comparer(func(a, b error) bool {
+		if a == nil || b == nil {
+			return a == nil && b == nil
+		}
+
+		av := reflect.ValueOf(a)
+		bv := reflect.ValueOf(b)
+		if av.Type() != bv.Type() {
+			return false
+		}
+
+		return a.Error() == b.Error()
+	})
+}