most work done - missing unit tests and path do certs

apis/externalsecrets/v1alpha1/secretstore_vault_types.go

@@ -62,7 +62,7 @@ type VaultProvider struct {
 }
 
 // VaultAuth is the configuration used to authenticate with a Vault server.
-// Only one of `tokenSecretRef`, `appRole`,  `kubernetes`, `ldap` or `jwt`
+// Only one of `tokenSecretRef`, `appRole`,  `kubernetes`, `ldap`, `jwt` or `cert`
 // can be specified.
 type VaultAuth struct {
 	// TokenSecretRef authenticates with Vault by presenting a token.
@@ -88,6 +88,13 @@ type VaultAuth struct {
 	// JWT/OIDC authentication method
 	// +optional
 	Jwt *VaultJwtAuth `json:"jwt,omitempty"`
+
+        // Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+	// Cert authentication method
+	// +optional
+	Cert *VaultCertAuth `json:"cert,omitempty"`
+
+	
 }
 
 // VaultAppRole authenticates with Vault using the App Role auth mechanism,
@@ -161,3 +168,21 @@ type VaultJwtAuth struct {
 	// authenticate with Vault using the JWT/OIDC authentication method
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
+
+// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
+// method, with the role name and token stored in a Kubernetes Secret resource.
+type VaultCertAuth struct {
+	// ClientCert is a certificate to authenticate using the Cert Vault
+	// authentication method
+	// +optional
+	ClientCert string `json:"clientCert"`
+
+	// ClientCert is a certificate to authenticate using the Cert Vault
+	// authentication method
+	// +optional
+	ClientKey string `json:"clientKey"`
+
+	// SecretRef to a key in a Secret resource containing client private key to
+	// authenticate with Vault using the Cert authentication method
+	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}

apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -808,6 +808,11 @@ func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
 		*out = new(VaultJwtAuth)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.Cert != nil {
+		in, out := &in.Cert, &out.Cert
+		*out = new(VaultCertAuth)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
@@ -821,6 +826,22 @@ func (in *VaultAuth) DeepCopy() *VaultAuth {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultCertAuth) DeepCopyInto(out *VaultCertAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultCertAuth.
+func (in *VaultCertAuth) DeepCopy() *VaultCertAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultCertAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultJwtAuth) DeepCopyInto(out *VaultJwtAuth) {
 	*out = *in
 	in.SecretRef.DeepCopyInto(&out.SecretRef)

deploy/crds/external-secrets.io_clustersecretstores.yaml

@@ -341,6 +341,44 @@ spec:
                             - roleId
                             - secretRef
                             type: object
+                          cert:
+                            description: Cert authenticates with TLS Certificates
+                              by passing client certificate, private key and ca certificate
+                              Cert authentication method
+                            properties:
+                              clientCert:
+                                description: ClientCert is a certificate to authenticate
+                                  using the Cert Vault authentication method
+                                type: string
+                              clientKey:
+                                description: ClientCert is a certificate to authenticate
+                                  using the Cert Vault authentication method
+                                type: string
+                              secretRef:
+                                description: SecretRef to a key in a Secret resource
+                                  containing client private key to authenticate with
+                                  Vault using the Cert authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            type: object
                           jwt:
                             description: Jwt authenticates with Vault by passing role
                               and JWT token using the JWT/OIDC authentication method

deploy/crds/external-secrets.io_secretstores.yaml

@@ -341,6 +341,44 @@ spec:
                             - roleId
                             - secretRef
                             type: object
+                          cert:
+                            description: Cert authenticates with TLS Certificates
+                              by passing client certificate, private key and ca certificate
+                              Cert authentication method
+                            properties:
+                              clientCert:
+                                description: ClientCert is a certificate to authenticate
+                                  using the Cert Vault authentication method
+                                type: string
+                              clientKey:
+                                description: ClientCert is a certificate to authenticate
+                                  using the Cert Vault authentication method
+                                type: string
+                              secretRef:
+                                description: SecretRef to a key in a Secret resource
+                                  containing client private key to authenticate with
+                                  Vault using the Cert authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            type: object
                           jwt:
                             description: Jwt authenticates with Vault by passing role
                               and JWT token using the JWT/OIDC authentication method

pkg/controllers/externalsecret/externalsecret_controller.go

@@ -79,9 +79,6 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	p := client.MergeFrom(externalSecret.DeepCopy())
 	defer func() {
 		err = r.Status().Patch(ctx, &externalSecret, p)
-		if err != nil {
-			log.Error(err, "unable to patch status")
-		}
 	}()
 
 	store, err := r.getStore(ctx, &externalSecret)

pkg/provider/vault/vault.go

@@ -47,6 +47,7 @@ const (
 
 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
 	errVaultClient    = "cannot setup new vault client: %w"
+	errVaultTLSClient = "cannot setup new TLS vault client: %w"
 	errVaultCert      = "cannot set Vault CA certificate: %w"
 	errReadSecret     = "cannot read secret data from Vault: %w"
 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
@@ -111,7 +112,8 @@ func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore
 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
 	}
 
-	cfg, err := vStore.newConfig()
+	cfg, err := vStore.newConfig(ctx)
+
 	if err != nil {
 		return nil, err
 	}
@@ -125,7 +127,7 @@ func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore
 		client.SetNamespace(*vaultSpec.Namespace)
 	}
 
-	if err := vStore.setAuth(ctx, client); err != nil {
+	if err := vStore.setAuth(ctx, client, cfg); err != nil {
 		return nil, err
 	}
 
@@ -209,7 +211,7 @@ func (v *client) readSecret(ctx context.Context, path, version string) (map[stri
 	return byteMap, nil
 }
 
-func (v *client) newConfig() (*vault.Config, error) {
+func (v *client) newConfig(ctx context.Context) (*vault.Config, error) {
 	cfg := vault.DefaultConfig()
 	cfg.Address = v.store.Server
 
@@ -230,7 +232,7 @@ func (v *client) newConfig() (*vault.Config, error) {
 	return cfg, nil
 }
 
-func (v *client) setAuth(ctx context.Context, client Client) error {
+func (v *client) setAuth(ctx context.Context, client Client, cfg *vault.Config) error {
 	tokenRef := v.store.Auth.TokenSecretRef
 	if tokenRef != nil {
 		token, err := v.secretKeyRef(ctx, tokenRef)
@@ -281,6 +283,16 @@ func (v *client) setAuth(ctx context.Context, client Client) error {
 		return nil
 	}
 
+	certAuth := v.store.Auth.Cert
+	if certAuth != nil {
+		token, err := v.requestTokenWithCertAuth(ctx, client, certAuth, cfg)
+		if err != nil {
+			return err
+		}
+		client.SetToken(token)
+		return nil
+	}
+
 	return errors.New(errAuthFormat)
 }
 
@@ -503,7 +515,7 @@ func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwt
 		"role": role,
 		"jwt":  jwt,
 	}
-	url := strings.Join([]string{"/v1", "auth", "jwt", "login"}, "/")
+	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
 	request := client.NewRequest("POST", url)
 
 	err = request.SetJSONBody(parameters)
@@ -530,3 +542,41 @@ func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwt
 
 	return token, nil
 }
+
+func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1alpha1.VaultCertAuth, cfg *vault.Config) (string, error) {
+
+	tlscfg := vault.TLSConfig{
+		ClientCert: "/home/ric/Desktop/temp/certificates/client/client.crt",
+		ClientKey:  "/home/ric/Desktop/temp/certificates/client/client.key",
+		CACert:     "/home/ric/Desktop/temp/certificates/vault.ca",
+	}
+	
+	err := cfg.ConfigureTLS(&tlscfg)
+	
+	if err != nil {
+		return "", fmt.Errorf(errVaultCert, err)
+	}
+
+
+	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
+	request := client.NewRequest("POST", url)
+
+	resp, err := client.RawRequestWithContext(ctx, request)
+	if err != nil {
+		return "", fmt.Errorf(errVaultRequest, err)
+	}
+
+	defer resp.Body.Close()
+
+	vaultResult := vault.Secret{}
+	if err = resp.DecodeJSON(&vaultResult); err != nil {
+		return "", fmt.Errorf(errVaultResponse, err)
+	}
+
+	token, err := vaultResult.TokenID()
+	if err != nil {
+		return "", fmt.Errorf(errVaultToken, err)
+	}
+
+	return token, nil
+}