Merge pull request #530 from ADustyOldMuffin/add-docs-and-fix-ca-vault

Add documentation for CAProvider namespace and fix issue with SecretStore

apis/externalsecrets/v1alpha1/secretstore_vault_types.go

@@ -46,8 +46,8 @@ type CAProvider struct {
 	Key string `json:"key,omitempty"`
 
 	// The namespace the Provider type is in.
-	// +kubebuilder:default:="Default"
-	Namespace string `json:"namespace"`
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
 }
 
 // Configures an store to sync secrets using a HashiCorp Vault

apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -282,6 +282,11 @@ func (in *AzureKVProvider) DeepCopy() *AzureKVProvider {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CAProvider) DeepCopyInto(out *CAProvider) {
 	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAProvider.
@@ -1230,7 +1235,7 @@ func (in *VaultProvider) DeepCopyInto(out *VaultProvider) {
 	if in.CAProvider != nil {
 		in, out := &in.CAProvider, &out.CAProvider
 		*out = new(CAProvider)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 }
 

deploy/crds/external-secrets.io_clustersecretstores.yaml

@@ -846,7 +846,6 @@ spec:
                               type.
                             type: string
                           namespace:
-                            default: Default
                             description: The namespace the Provider type is in.
                             type: string
                           type:
@@ -858,7 +857,6 @@ spec:
                             type: string
                         required:
                         - name
-                        - namespace
                         - type
                         type: object
                       namespace:

deploy/crds/external-secrets.io_secretstores.yaml

@@ -846,7 +846,6 @@ spec:
                               type.
                             type: string
                           namespace:
-                            default: Default
                             description: The namespace the Provider type is in.
                             type: string
                           type:
@@ -858,7 +857,6 @@ spec:
                             type: string
                         required:
                         - name
-                        - namespace
                         - type
                         type: object
                       namespace:

docs/snippets/full-cluster-secret-store.yaml

@@ -42,7 +42,17 @@ spec:
       version: "v2"
       # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
       namespace: "a-team"
+      # base64 encoded string of certificate
       caBundle: "..."
+      # Instead of caBundle you can also specify a caProvider
+      # this will retrieve the cert from a Secret or ConfigMap
+      caProvider:
+        # Can be Secret or ConfigMap
+        type: "Secret"
+        # This is mandatory for ClusterSecretStore and not relevant for SecretStore
+        namespace: "my-cert-secret-namespace"
+        name: "my-cert-secret"
+        key: "cert-key"
       auth:
         # static token: https://www.vaultproject.io/docs/auth/token
         tokenSecretRef:

docs/snippets/full-secret-store.yaml

@@ -58,8 +58,6 @@ spec:
       caProvider:
         # Can be Secret or ConfigMap
         type: "Secret"
-        # This is optional, if not specified will be 'Default'
-        namespace: "my-cert-secret-namespace"
         name: "my-cert-secret"
         key: "cert-key"
 

pkg/provider/vault/vault.go

@@ -73,6 +73,7 @@ const (
 	errVaultRevokeToken = "error while revoking token: %w"
 
 	errUnknownCAProvider = "unknown caProvider type given"
+	errCANamespace       = "cannot read secret for CAProvider due to missing namespace on kind ClusterSecretStore"
 )
 
 type Client interface {
@@ -251,6 +252,10 @@ func (v *client) newConfig() (*vault.Config, error) {
 		}
 	}
 
+	if v.store.CAProvider != nil && v.storeKind == esv1alpha1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
+		return nil, errors.New(errCANamespace)
+	}
+
 	if v.store.CAProvider != nil {
 		var cert []byte
 		var err error
@@ -283,10 +288,14 @@ func (v *client) newConfig() (*vault.Config, error) {
 
 func getCertFromSecret(v *client) ([]byte, error) {
 	secretRef := esmeta.SecretKeySelector{
-		Name:      v.store.CAProvider.Name,
-		Namespace: &v.store.CAProvider.Namespace,
-		Key:       v.store.CAProvider.Key,
+		Name: v.store.CAProvider.Name,
+		Key:  v.store.CAProvider.Key,
+	}
+
+	if v.store.CAProvider.Namespace != nil {
+		secretRef.Namespace = v.store.CAProvider.Namespace
 	}
+
 	ctx := context.Background()
 	res, err := v.secretKeyRef(ctx, &secretRef)
 	if err != nil {
@@ -298,8 +307,11 @@ func getCertFromSecret(v *client) ([]byte, error) {
 
 func getCertFromConfigMap(v *client) ([]byte, error) {
 	objKey := types.NamespacedName{
-		Namespace: v.store.CAProvider.Namespace,
-		Name:      v.store.CAProvider.Name,
+		Name: v.store.CAProvider.Name,
+	}
+
+	if v.store.CAProvider.Namespace != nil {
+		objKey.Namespace = *v.store.CAProvider.Namespace
 	}
 
 	configMapRef := &corev1.ConfigMap{}

pkg/provider/vault/vault_test.go

@@ -119,6 +119,41 @@ func makeValidSecretStoreWithK8sCerts(isSecret bool) *esv1alpha1.SecretStore {
 	return store
 }
 
+func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore {
+	return &esv1alpha1.ClusterSecretStore{
+		TypeMeta: metav1.TypeMeta{
+			Kind: "ClusterSecretStore",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "vault-store",
+			Namespace: "default",
+		},
+		Spec: esv1alpha1.SecretStoreSpec{
+			Provider: &esv1alpha1.SecretStoreProvider{
+				Vault: &esv1alpha1.VaultProvider{
+					Server:  "vault.example.com",
+					Path:    "secret",
+					Version: "v2",
+					Auth: esv1alpha1.VaultAuth{
+						Kubernetes: &esv1alpha1.VaultKubernetesAuth{
+							Path: "kubernetes",
+							Role: "kubernetes-auth-role",
+							ServiceAccountRef: &esmeta.ServiceAccountSelector{
+								Name: "example-sa",
+							},
+						},
+					},
+					CAProvider: &esv1alpha1.CAProvider{
+						Name: "vault-cert",
+						Key:  "cert",
+						Type: "Secret",
+					},
+				},
+			},
+		},
+	}
+}
+
 type secretStoreTweakFn func(s *esv1alpha1.SecretStore)
 
 func makeSecretStore(tweaks ...secretStoreTweakFn) *esv1alpha1.SecretStore {
@@ -352,6 +387,18 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
 				err: nil,
 			},
 		},
+		"GetCertNamespaceMissingError": {
+			reason: "Should return an error if namespace is missing and is a ClusterSecretStore",
+			args: args{
+				store: makeInvalidClusterSecretStoreWithK8sCerts(),
+				kube: &test.MockClient{
+					MockGet: test.NewMockGetFn(nil, kubeMockWithSecretTokenAndServiceAcc),
+				},
+			},
+			want: want{
+				err: errors.New(errCANamespace),
+			},
+		},
 		"GetCertSecretKeyMissingError": {
 			reason: "Should return an error if the secret key is missing",
 			args: args{