
remove cacert from client Authentication. It's already in CABundle.

ric 4 years ago
parent
commit
4221c1b151

+ 1 - 7
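--- a/apis/externalsecrets/v1alpha1/secretstore_vault_types.go
+++ b/apis/externalsecrets/v1alpha1/secretstore_vault_types.go
@@ -89,12 +89,10 @@ type VaultAuth struct {
 	// +optional
 	Jwt *VaultJwtAuth `json:"jwt,omitempty"`
 
-        // Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+	// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
 	// Cert authentication method
 	// +optional
 	Cert *VaultCertAuth `json:"cert,omitempty"`
-
-	
 }
 
 // VaultAppRole authenticates with Vault using the App Role auth mechanism,
@@ -177,10 +175,6 @@ type VaultCertAuth struct {
 	// +optional
 	ClientCert string `json:"clientCert"`
 
-	// CACert is the Vault TLS Listener CA certificate
-	// +optional
-	CACert string `json:"caCert"`
-
 	// SecretRef to a key in a Secret resource containing client private key to
 	// authenticate with Vault using the Cert authentication method
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`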
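Review bot: The doc comment kept on the `+` line of the first hunk still says Cert auth passes "client certificate, private key and ca certificate", but the second hunk removes the only CA field from VaultCertAuth, so that comment (and the CRD descriptions controller-gen derives from it) now describe a field that no longer exists. Suggest `// Cert authenticates with TLS Certificates by passing client certificate and private key;` followed by `// the CA used to verify the Vault listener comes from the store's CABundle, not from this struct.` and regenerating the CRDs in the same commit. Dropping `caCert` from a served v1alpha1 schema is also a breaking change: a SecretStore that pinned the listener CA here and never set CABundle will, depending on the CRD's unknown-field handling, have the field pruned or be rejected, and its next login is then verified against whatever trust the client falls back to rather than the operator-pinned CA, so this deserves a changelog entry and a migration note. Both hunks sit inside struct definitions whose remaining fields are outside this page.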

+ 0 - 3
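--- a/deploy/crds/external-secrets.io_clustersecretstores.yaml
+++ b/deploy/crds/external-secrets.io_clustersecretstores.yaml
@@ -346,9 +346,6 @@ spec:
                               by passing client certificate, private key and ca certificate
                               Cert authentication method
                             properties:
-                              caCert:
-                                description: CACert is the Vault TLS Listener CA certificate
-                                type: string
                               clientCert:
                                 description: ClientCert is a certificate to authenticate
                                   using the Cert Vault authentication method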

+ 0 - 3
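--- a/deploy/crds/external-secrets.io_secretstores.yaml
+++ b/deploy/crds/external-secrets.io_secretstores.yaml
@@ -346,9 +346,6 @@ spec:
                               by passing client certificate, private key and ca certificate
                               Cert authentication method
                             properties:
-                              caCert:
-                                description: CACert is the Vault TLS Listener CA certificate
-                                type: string
                               clientCert:
                                 description: ClientCert is a certificate to authenticate
                                   using the Cert Vault authentication method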

+ 0 - 6
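--- a/pkg/provider/vault/vault.go
+++ b/pkg/provider/vault/vault.go
@@ -49,7 +49,6 @@ const (
 
 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
 	errVaultClient    = "cannot setup new vault client: %w"
-	errVaultTLSClient = "cannot setup new TLS vault client: %w"
 	errVaultCert      = "cannot set Vault CA certificate: %w"
 	errReadSecret     = "cannot read secret data from Vault: %w"
 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
@@ -569,15 +568,10 @@ func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, ce
 		return "", fmt.Errorf(errGetCertPath, err)
 	}
 
-	caCertPath, err := getCertPath(certAuth.CACert, "ca.crt")
-	if err != nil {
-		return "", fmt.Errorf(errGetCertPath, err)
-	}
 
 	tlscfg := vault.TLSConfig{
 		ClientCert: clientCertPath,
 		ClientKey:  clientKeyPath,
-		CACert:     caCertPath,
 	}
 
 	err = cfg.ConfigureTLS(&tlscfg)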
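Review bot: After this hunk the `vault.TLSConfig` handed to `cfg.ConfigureTLS` carries no CA, so verification of the Vault listener during the cert-auth login now rests entirely on the store's CABundle having been applied to the same transport `cfg` wraps before this call; that wiring is outside the hunk (`requestTokenWithCertAuth` begins above it and continues past it), so a comment should pin the invariant, e.g. `// CA for the Vault listener comes from the store's CABundle already applied to cfg;` `// ConfigureTLS only replaces RootCAs when CACert/CAPath is set, so leaving it empty keeps that bundle.` (confirm that against the vendored vault/api version, since a change there would silently drop the CA). If CABundle can be left unset, the empty-CA path falls back to the process's system roots for this login, which is only acceptable if that is the intended behaviour for the cert method. Minor: removing the caCertPath block leaves two consecutive blank lines before `tlscfg :=`; `gofmt` collapses them, so run it before merging.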