
feat: make vault e2e tests run locally (#5246)

* feat: make vault e2e tests run locally

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: use ginkgo ctx in e2e tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: go mod & use ginkgo ctx in aws tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: helm uninstall should wait, uninstall flux after suite

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: wait for hr to be uninstalled before removing flux

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: use context in new azure tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: port forward handling

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: :broom: conjur naming & fwd close

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Moritz Johner 9 месяцев назад
Родитель
Сommit
81a3a82888
51 измененных файлов с 1192 добавлено и 838 удалено
  1. 0 1
      e2e/entrypoint.sh
  2. 43 1
      e2e/framework/addon/addon.go
  3. 5 5
      e2e/framework/addon/chart.go
  4. 78 17
      e2e/framework/addon/conjur.go
  5. 2 1
      e2e/framework/addon/eso.go
  6. 7 7
      e2e/framework/addon/eso_argocd_application.go
  7. 30 12
      e2e/framework/addon/eso_flux_helm.go
  8. 3 3
      e2e/framework/addon/helmserver.go
  9. 154 0
      e2e/framework/addon/port_forward.go
  10. 6 6
      e2e/framework/addon/uninstall_eso_crds.go
  11. 108 70
      e2e/framework/addon/vault.go
  12. 7 6
      e2e/framework/eso.go
  13. 15 2
      e2e/framework/framework.go
  14. 5 5
      e2e/framework/testcase.go
  15. 55 32
      e2e/framework/util/util.go
  16. 3 0
      e2e/go.mod
  17. 2 0
      e2e/k8s/vault.values.yaml
  18. 7 6
      e2e/suites/argocd/install.go
  19. 5 9
      e2e/suites/argocd/suite_test.go
  20. 14 7
      e2e/suites/flux/install.go
  21. 4 6
      e2e/suites/flux/suite_test.go
  22. 1 2
      e2e/suites/generator/ecr.go
  23. 4 5
      e2e/suites/generator/grafana.go
  24. 3 4
      e2e/suites/generator/suite_test.go
  25. 5 5
      e2e/suites/generator/testcase.go
  26. 5 9
      e2e/suites/provider/cases/akeyless/provider.go
  27. 2 3
      e2e/suites/provider/cases/alibaba/provider.go
  28. 9 9
      e2e/suites/provider/cases/aws/common.go
  29. 1 1
      e2e/suites/provider/cases/aws/parameterstore/parameterstore.go
  30. 2 2
      e2e/suites/provider/cases/aws/parameterstore/parameterstore_managed.go
  31. 12 14
      e2e/suites/provider/cases/aws/parameterstore/provider.go
  32. 13 12
      e2e/suites/provider/cases/aws/secretsmanager/provider.go
  33. 1 1
      e2e/suites/provider/cases/aws/secretsmanager/secretsmanager.go
  34. 2 2
      e2e/suites/provider/cases/aws/secretsmanager/secretsmanager_managed.go
  35. 18 19
      e2e/suites/provider/cases/azure/provider.go
  36. 2 2
      e2e/suites/provider/cases/common/common.go
  37. 55 40
      e2e/suites/provider/cases/conjur/conjur.go
  38. 50 56
      e2e/suites/provider/cases/conjur/provider.go
  39. 18 36
      e2e/suites/provider/cases/delinea/delinea.go
  40. 5 6
      e2e/suites/provider/cases/fake/provider.go
  41. 14 16
      e2e/suites/provider/cases/gcp/provider.go
  42. 2 3
      e2e/suites/provider/cases/gitlab/provider.go
  43. 8 9
      e2e/suites/provider/cases/kubernetes/provider.go
  44. 2 2
      e2e/suites/provider/cases/oracle/provider.go
  45. 34 35
      e2e/suites/provider/cases/scaleway/scaleway.go
  46. 21 21
      e2e/suites/provider/cases/secretserver/secretserver.go
  47. 1 2
      e2e/suites/provider/cases/template/provider.go
  48. 14 12
      e2e/suites/provider/cases/template/template.go
  49. 98 113
      e2e/suites/provider/cases/vault/provider.go
  50. 234 194
      e2e/suites/provider/cases/vault/vault.go
  51. 3 7
      e2e/suites/provider/suite_test.go

+ 0 - 1
e2e/entrypoint.sh

@@ -35,7 +35,6 @@ ginkgo_args=(
   "-p"
   "-trace"
   "-r"
-  "-v"
   "-timeout=45m"
 )
 

+ 43 - 1
e2e/framework/addon/addon.go

@@ -17,6 +17,9 @@ limitations under the License.
 package addon
 
 import (
+	"os"
+	"path/filepath"
+
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
 	"k8s.io/client-go/kubernetes"
@@ -24,6 +27,7 @@ import (
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/external-secrets/external-secrets-e2e/framework/log"
+	"github.com/external-secrets/external-secrets-e2e/framework/util"
 )
 
 var globalAddons []Addon
@@ -50,8 +54,10 @@ type Addon interface {
 	Uninstall() error
 }
 
-func InstallGlobalAddon(addon Addon, cfg *Config) {
+func InstallGlobalAddon(addon Addon) {
 	globalAddons = append(globalAddons, addon)
+	cfg := &Config{}
+	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
 
 	ginkgo.By("installing global addon")
 	err := addon.Setup(cfg)
@@ -69,6 +75,42 @@ func UninstallGlobalAddons() {
 	}
 }
 
+// AssetDir returns the path to the k8s asset directory
+// which holds the helm charts, vault and conjur configuration.
+// It starts at the cwd, and walks its way up to the root.
+// It returns /k8s as a fallback.
+// When running the e2e suite locally, this should return $REPO/e2e/k8s,
+// when ran in CI this returns /k8s because the tests run in a dedicated pod where
+// the assets are copied into the container.
+func AssetDir() string {
+	// Start from current working directory
+	currentDir, err := os.Getwd()
+	if err != nil {
+		return ""
+	}
+
+	// Traverse up the directory tree looking for "k8s" directory
+	for {
+		k8sPath := filepath.Join(currentDir, "k8s")
+
+		// Check if "k8s" directory exists
+		if info, err := os.Stat(k8sPath); err == nil && info.IsDir() {
+			return k8sPath
+		}
+
+		// Get parent directory
+		parentDir := filepath.Dir(currentDir)
+
+		// If we've reached the root directory, stop searching
+		if parentDir == currentDir {
+			break
+		}
+
+		currentDir = parentDir
+	}
+	return "/k8s"
+}
+
 func PrintLogs() {
 	for _, addon := range globalAddons {
 		err := addon.Logs()
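Review bot: AssetDir documents `/k8s` as its fallback, but the `os.Getwd()` error path at the top returns `""`, so a caller would then build relative paths such as `conjur.values.yaml` or `deploy/charts/external-secrets` and resolve them against a cwd that could not even be determined; returning the documented fallback there, `return "/k8s"`, keeps the comment and the code consistent. The walk-up also accepts the first directory literally named `k8s` above the cwd, which may not be the repo's `e2e/k8s` when the suite is started from an unrelated directory, and since the result decides which Helm charts and values get installed into the cluster, checking that the candidate also contains a known file (e.g. `vault.values.yaml`) before accepting it would make the lookup less accidental. The trailing `return "/k8s"` is only reached when no such directory exists anywhere up to `/` (the last loop iteration already stats `/k8s`), which deserves a one-line comment so nobody "fixes" it as dead code.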

+ 5 - 5
e2e/framework/addon/chart.go

@@ -18,10 +18,10 @@ package addon
 
 import (
 	"bytes"
-	"context"
 	"fmt"
 	"os/exec"
 
+	. "github.com/onsi/ginkgo/v2"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -104,13 +104,13 @@ func (c *HelmChart) Install() error {
 // Uninstall removes the chart aswell as the repo.
 func (c *HelmChart) Uninstall() error {
 	var sout, serr bytes.Buffer
-	args := []string{"delete", "--namespace", c.Namespace, c.ReleaseName}
+	args := []string{"uninstall", "--namespace", c.Namespace, c.ReleaseName, "--wait"}
 	cmd := exec.Command("helm", args...)
 	cmd.Stdout = &sout
 	cmd.Stderr = &serr
 	err := cmd.Run()
 	if err != nil {
-		return fmt.Errorf("unable to delete helm release: %w: %s, %s", err, sout.String(), serr.String())
+		return fmt.Errorf("unable to uninstall helm release: %w: %s, %s", err, sout.String(), serr.String())
 	}
 	return c.removeRepo()
 }
@@ -152,7 +152,7 @@ func (c *HelmChart) removeRepo() error {
 func (c *HelmChart) Logs() error {
 	kc := c.config.KubeClientSet
 	podList, err := kc.CoreV1().Pods(c.Namespace).List(
-		context.TODO(),
+		GinkgoT().Context(),
 		metav1.ListOptions{LabelSelector: "app.kubernetes.io/instance=" + c.ReleaseName})
 	if err != nil {
 		return err
@@ -167,7 +167,7 @@ func (c *HelmChart) Logs() error {
 					Container: con.Name,
 					Previous:  b,
 					TailLines: &tailLines,
-				}).Do(context.TODO())
+				}).Do(GinkgoT().Context())
 
 				err := resp.Error()
 				if err != nil {
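Review bot: `helm uninstall --wait` at L258 blocks for as long as a resource with a stuck finalizer takes to disappear, and `exec.Command` carries no deadline, so a hung teardown stalls the suite until ginkgo's global timeout fires with no helm output attached; since `Logs` in the same file already uses the Ginkgo context, Uninstall could use `cmd := exec.CommandContext(GinkgoT().Context(), "helm", args...)` and pass an explicit `--timeout` so the failure surfaces as an error carrying the captured stdout/stderr. Release name and namespace are passed as separate argv entries rather than through a shell, so the change introduces no injection path.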

+ 78 - 17
e2e/framework/addon/conjur.go

@@ -17,17 +17,21 @@ limitations under the License.
 package addon
 
 import (
-	"context"
 	"crypto/rand"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
+	"encoding/pem"
+	"errors"
 	"fmt"
+	"path/filepath"
 	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	// nolint
-	ginkgo "github.com/onsi/ginkgo/v2"
+
+	. "github.com/onsi/ginkgo/v2"
 
 	"github.com/cyberark/conjur-api-go/conjurapi"
 	"github.com/cyberark/conjur-api-go/conjurapi/authn"
@@ -44,17 +48,23 @@ type Conjur struct {
 
 	AdminApiKey    string
 	ConjurServerCA []byte
+	portForwarder  *PortForward
 }
 
-func NewConjur(namespace string) *Conjur {
-	repo := "conjur-" + namespace
+func NewConjur() *Conjur {
+	repo := "conjur-conjur"
 	dataKey := generateConjurDataKey()
 
+	rootPem, rootKeyPEM, serverPem, serverKeyPem, err := genCertificates("conjur", "conjur-conjur-conjur-oss")
+	if err != nil {
+		Fail(err.Error())
+	}
+
 	return &Conjur{
 		dataKey: dataKey,
 		chart: &HelmChart{
-			Namespace:   namespace,
-			ReleaseName: fmt.Sprintf("conjur-%s", namespace), // avoid cluster role collision
+			Namespace:   "conjur",
+			ReleaseName: "conjur-conjur",
 			Chart:       fmt.Sprintf("%s/conjur-oss", repo),
 			// Use latest version of Conjur OSS. To pin to a specific version, uncomment the following line.
 			// ChartVersion: "2.0.7",
@@ -62,7 +72,14 @@ func NewConjur(namespace string) *Conjur {
 				Name: repo,
 				URL:  "https://cyberark.github.io/helm-charts",
 			},
-			Values: []string{"/k8s/conjur.values.yaml"},
+			Values: []string{filepath.Join(AssetDir(), "conjur.values.yaml")},
+			Args: []string{
+				"--create-namespace",
+				"--set", "ssl.caCert=" + base64.StdEncoding.EncodeToString(rootPem),
+				"--set", "ssl.caKey=" + base64.StdEncoding.EncodeToString(rootKeyPEM),
+				"--set", "ssl.cert=" + base64.StdEncoding.EncodeToString(serverPem),
+				"--set", "ssl.key=" + base64.StdEncoding.EncodeToString(serverKeyPem),
+			},
 			Vars: []StringTuple{
 				{
 					Key:   "dataKey",
@@ -70,12 +87,11 @@ func NewConjur(namespace string) *Conjur {
 				},
 			},
 		},
-		Namespace: namespace,
+		Namespace: "conjur",
 	}
 }
 
 func (l *Conjur) Install() error {
-	ginkgo.By("Installing conjur in " + l.Namespace)
 	err := l.chart.Install()
 	if err != nil {
 		return err
@@ -95,7 +111,7 @@ func (l *Conjur) Install() error {
 }
 
 func (l *Conjur) initConjur() error {
-	ginkgo.By("Waiting for conjur pods to be running")
+	By("Waiting for conjur pods to be running")
 	pl, err := util.WaitForPodsRunning(l.chart.config.KubeClientSet, 1, l.Namespace, metav1.ListOptions{
 		LabelSelector: "app=conjur-oss",
 	})
@@ -104,7 +120,7 @@ func (l *Conjur) initConjur() error {
 	}
 	l.PodName = pl.Items[0].Name
 
-	ginkgo.By("Initializing conjur")
+	By("Initializing conjur")
 	// Get the auto generated certificates from the K8s secrets
 	caCertSecret, err := util.GetKubeSecret(l.chart.config.KubeClientSet, l.Namespace, fmt.Sprintf("%s-conjur-ssl-ca-cert", l.chart.ReleaseName))
 	if err != nil {
@@ -134,10 +150,21 @@ func (l *Conjur) initConjur() error {
 	// Therefore we need to split the output and only use the first line.
 	l.AdminApiKey = strings.Split(apiKey, "\n")[0]
 
-	l.ConjurURL = fmt.Sprintf("https://conjur-%s-conjur-oss.%s.svc.cluster.local", l.Namespace, l.Namespace)
+	// This e2e test provider uses a local port-forwarded to talk to the vault API instead
+	// of using the kubernetes service. This allows us to run the e2e test suite locally.
+	l.portForwarder, err = NewPortForward(l.chart.config.KubeClientSet, l.chart.config.KubeConfig,
+		"conjur-conjur-conjur-oss", l.chart.Namespace, 9443)
+	if err != nil {
+		return err
+	}
+	if err := l.portForwarder.Start(); err != nil {
+		return err
+	}
+
+	l.ConjurURL = fmt.Sprintf("https://conjur-conjur-conjur-oss.%s.svc.cluster.local", l.Namespace)
 	cfg := conjurapi.Config{
 		Account:      "default",
-		ApplianceURL: l.ConjurURL,
+		ApplianceURL: fmt.Sprintf("https://localhost:%d", l.portForwarder.localPort),
 		SSLCert:      string(l.ConjurServerCA),
 	}
 
@@ -153,7 +180,7 @@ func (l *Conjur) initConjur() error {
 }
 
 func (l *Conjur) configureConjur() error {
-	ginkgo.By("configuring conjur")
+	By("configuring conjur")
 	// Construct Conjur policy for authn-jwt. This uses the token-app-property "sub" to
 	// authenticate the host. This means that Conjur will determine which host is authenticating
 	// based on the "sub" claim in the JWT token, which is provided by the Kubernetes service account.
@@ -219,7 +246,7 @@ func (l *Conjur) fetchJWKSandIssuer() (pubKeysJson string, issuer string, err er
 	kc := l.chart.config.KubeClientSet
 
 	// Fetch the openid-configuration
-	res, err := kc.CoreV1().RESTClient().Get().AbsPath("/.well-known/openid-configuration").DoRaw(context.Background())
+	res, err := kc.CoreV1().RESTClient().Get().AbsPath("/.well-known/openid-configuration").DoRaw(GinkgoT().Context())
 	if err != nil {
 		return "", "", fmt.Errorf("unable to fetch openid-configuration: %w", err)
 	}
@@ -228,7 +255,7 @@ func (l *Conjur) fetchJWKSandIssuer() (pubKeysJson string, issuer string, err er
 	issuer = openidConfig["issuer"].(string)
 
 	// Fetch the jwks
-	jwksJson, err := kc.CoreV1().RESTClient().Get().AbsPath("/openid/v1/jwks").DoRaw(context.Background())
+	jwksJson, err := kc.CoreV1().RESTClient().Get().AbsPath("/openid/v1/jwks").DoRaw(GinkgoT().Context())
 	if err != nil {
 		return "", "", fmt.Errorf("unable to fetch jwks: %w", err)
 	}
@@ -249,12 +276,46 @@ func (l *Conjur) fetchJWKSandIssuer() (pubKeysJson string, issuer string, err er
 	return pubKeysJson, issuer, nil
 }
 
+// nolint:gocritic
+func genCertificates(namespace, serviceName string) ([]byte, []byte, []byte, []byte, error) {
+	// gen server ca + certs
+	rootCert, rootPem, rootKey, err := genCARoot()
+	if err != nil {
+		return nil, nil, nil, nil, fmt.Errorf("unable to generate ca cert: %w", err)
+	}
+	serverPem, serverKey, err := genPeerCert(rootCert, rootKey, "vault", []string{
+		"localhost",
+		serviceName,
+		fmt.Sprintf("%s.%s.svc.cluster.local", serviceName, namespace)})
+	if err != nil {
+		return nil, nil, nil, nil, errors.New("unable to generate vault server cert")
+	}
+	serverKeyPem := pem.EncodeToMemory(&pem.Block{
+		Type:  privatePemType,
+		Bytes: x509.MarshalPKCS1PrivateKey(serverKey)},
+	)
+
+	rootKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  privatePemType,
+		Bytes: x509.MarshalPKCS1PrivateKey(rootKey),
+	})
+
+	return rootPem, rootKeyPEM, serverPem, serverKeyPem, err
+}
+
 func (l *Conjur) Logs() error {
 	return l.chart.Logs()
 }
 
 func (l *Conjur) Uninstall() error {
-	return l.chart.Uninstall()
+	if l.portForwarder != nil {
+		l.portForwarder.Close()
+		l.portForwarder = nil
+	}
+	if err := l.chart.Uninstall(); err != nil {
+		return err
+	}
+	return l.chart.config.KubeClientSet.CoreV1().Namespaces().Delete(GinkgoT().Context(), l.chart.Namespace, metav1.DeleteOptions{})
 }
 
 func (l *Conjur) Setup(cfg *Config) error {
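Review bot: genCertificates drops the underlying error when `genPeerCert` fails (`errors.New("unable to generate vault server cert")`, L458), and both that message and the CN argument `"vault"` at L453 are carried over from the Vault addon although this certificate is issued for the Conjur service; `return nil, nil, nil, nil, fmt.Errorf("unable to generate conjur server cert: %w", err)` and a CN of `"conjur"` make the failure diagnosable and the cert self-describing (verification relies on the SANs listed at L454-L456, so the CN is not what makes it work). The closing `return rootPem, rootKeyPEM, serverPem, serverKeyPem, err` at L470 returns an `err` that is known to be nil at that point; returning `nil` explicitly is clearer. Separately, the CA private key is handed to Helm via `--set ssl.caKey=...` on the command line (L352), which exposes it in process listings and shell history — acceptable for a throwaway e2e cluster, but worth a comment such as `// e2e only: keys are generated per run and passed via argv; never do this for long-lived CAs.` so the pattern is not copied. The `// nolint` at L308 is now separated from the import it annotated by a blank line and no longer applies to anything, and the comment at L396 still says "vault API" for what is the Conjur API.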

+ 2 - 1
e2e/framework/addon/eso.go

@@ -18,6 +18,7 @@ package addon
 
 import (
 	"os"
+	"path/filepath"
 	"time"
 
 	// nolint
@@ -38,7 +39,7 @@ func NewESO(mutators ...MutationFunc) *ESO {
 		&HelmChart{
 			Namespace:   "default",
 			ReleaseName: "eso",
-			Chart:       "/k8s/deploy/charts/external-secrets",
+			Chart:       filepath.Join(AssetDir(), "deploy/charts/external-secrets"),
 			Vars: []StringTuple{
 				{
 					Key:   "webhook.port",

+ 7 - 7
e2e/framework/addon/eso_argocd_application.go

@@ -25,7 +25,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/ginkgo/v2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -119,14 +119,14 @@ func (c *ArgoCDApplication) Install() error {
 	if err != nil {
 		return fmt.Errorf("unable to unmarshal json into unstructured: %w", err)
 	}
-	_, err = c.dc.Resource(argoApp).Namespace(c.Namespace).Create(context.Background(), us, metav1.CreateOptions{})
+	_, err = c.dc.Resource(argoApp).Namespace(c.Namespace).Create(GinkgoT().Context(), us, metav1.CreateOptions{})
 	if err != nil {
 		return fmt.Errorf("unable to create argo app: %w", err)
 	}
 
 	// wait for app to become ready
-	err = wait.PollImmediate(time.Second*5, time.Minute*10, func() (bool, error) {
-		us, err = c.dc.Resource(argoApp).Namespace(c.Namespace).Get(context.Background(), c.Name, metav1.GetOptions{})
+	err = wait.PollUntilContextTimeout(GinkgoT().Context(), time.Second*5, time.Minute*10, true, func(ctx context.Context) (bool, error) {
+		us, err = c.dc.Resource(argoApp).Namespace(c.Namespace).Get(ctx, c.Name, metav1.GetOptions{})
 		if err != nil {
 			return false, err
 		}
@@ -146,7 +146,7 @@ func (c *ArgoCDApplication) Install() error {
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
 	client := &http.Client{Transport: tr}
-	return wait.PollUntilContextTimeout(context.Background(), time.Second, time.Minute*5, true, func(ctx context.Context) (bool, error) {
+	return wait.PollUntilContextTimeout(GinkgoT().Context(), time.Second, time.Minute*5, true, func(ctx context.Context) (bool, error) {
 		const payload = `{"apiVersion": "admission.k8s.io/v1","kind": "AdmissionReview","request": {"uid": "test","kind": {"group": "external-secrets.io","version": "v1","kind": "ExternalSecret"}, "resource": {"group": "external-secrets.io","version": "v1","kind": "ExternalSecret"},"dryRun": true, "operation": "CREATE", "userInfo":{"username":"test","uid":"test","groups":[],"extra":{}}}}`
 		res, err := client.Post("https://external-secrets-webhook.external-secrets.svc.cluster.local/validate-external-secrets-io-v1-externalsecret", "application/json", bytes.NewBufferString(payload))
 		if err != nil {
@@ -155,14 +155,14 @@ func (c *ArgoCDApplication) Install() error {
 		defer func() {
 			_ = res.Body.Close()
 		}()
-		ginkgo.GinkgoWriter.Printf("webhook res: %d", res.StatusCode)
+		GinkgoWriter.Printf("webhook res: %d", res.StatusCode)
 		return res.StatusCode == http.StatusOK, nil
 	})
 }
 
 // Uninstall removes the chart aswell as the repo.
 func (c *ArgoCDApplication) Uninstall() error {
-	err := c.dc.Resource(argoApp).Namespace(c.Namespace).Delete(context.Background(), c.Name, metav1.DeleteOptions{})
+	err := c.dc.Resource(argoApp).Namespace(c.Namespace).Delete(GinkgoT().Context(), c.Name, metav1.DeleteOptions{})
 	if err != nil {
 		return err
 	}

+ 30 - 12
e2e/framework/addon/eso_flux_helm.go

@@ -26,8 +26,10 @@ import (
 	fluxhelm "github.com/fluxcd/helm-controller/api/v2beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	fluxsrc "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -66,7 +68,7 @@ func (c *FluxHelmRelease) Install() error {
 			URL: c.HelmRepo,
 		},
 	}
-	err := c.config.CRClient.Create(context.Background(), app)
+	err := c.config.CRClient.Create(GinkgoT().Context(), app)
 	if err != nil {
 		return err
 	}
@@ -101,15 +103,15 @@ func (c *FluxHelmRelease) Install() error {
 			},
 		},
 	}
-	err = c.config.CRClient.Create(context.Background(), hr)
+	err = c.config.CRClient.Create(GinkgoT().Context(), hr)
 	if err != nil {
 		return err
 	}
 
 	// wait for app to become ready
-	err = wait.PollUntilContextTimeout(context.Background(), time.Second*5, time.Minute*3, true, func(ctx context.Context) (bool, error) {
+	err = wait.PollUntilContextTimeout(GinkgoT().Context(), time.Second*5, time.Minute*3, true, func(ctx context.Context) (bool, error) {
 		var hr fluxhelm.HelmRelease
-		err := c.config.CRClient.Get(context.Background(), types.NamespacedName{
+		err := c.config.CRClient.Get(GinkgoT().Context(), types.NamespacedName{
 			Name:      c.Name,
 			Namespace: c.Namespace,
 		}, &hr)
@@ -117,7 +119,7 @@ func (c *FluxHelmRelease) Install() error {
 			return false, nil
 		}
 		for _, cond := range hr.GetConditions() {
-			ginkgo.GinkgoWriter.Printf("check condition: %s=%s: %s\n", cond.Type, cond.Status, cond.Message)
+			GinkgoWriter.Printf("check condition: %s=%s: %s\n", cond.Type, cond.Status, cond.Message)
 			if cond.Type == meta.ReadyCondition && cond.Status == metav1.ConditionTrue {
 				return true, nil
 			}
@@ -134,7 +136,7 @@ func (c *FluxHelmRelease) Install() error {
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
 	client := &http.Client{Transport: tr}
-	return wait.PollUntilContextTimeout(context.Background(), time.Second, time.Minute*5, true, func(ctx context.Context) (bool, error) {
+	return wait.PollUntilContextTimeout(GinkgoT().Context(), time.Second, time.Minute*5, true, func(ctx context.Context) (bool, error) {
 		const payload = `{"apiVersion": "admission.k8s.io/v1","kind": "AdmissionReview","request": {"uid": "test","kind": {"group": "external-secrets.io","version": "v1","kind": "ExternalSecret"}, "resource": "external-secrets.io/v1.externalsecrets","dryRun": true, "operation": "CREATE", "userInfo":{"username":"test","uid":"test","groups":[],"extra":{}}}}`
 		res, err := client.Post("https://external-secrets-webhook.external-secrets.svc.cluster.local/validate-external-secrets-io-v1-externalsecret", "application/json", bytes.NewBufferString(payload))
 		if err != nil {
@@ -143,7 +145,7 @@ func (c *FluxHelmRelease) Install() error {
 		defer func() {
 			_ = res.Body.Close()
 		}()
-		ginkgo.GinkgoWriter.Printf("webhook res: %d", res.StatusCode)
+		GinkgoWriter.Printf("webhook res: %d", res.StatusCode)
 		return res.StatusCode == http.StatusOK, nil
 	})
 }
@@ -154,21 +156,37 @@ func (c *FluxHelmRelease) Uninstall() error {
 	if err != nil {
 		return err
 	}
-	err = c.config.CRClient.Delete(context.Background(), &fluxhelm.HelmRelease{
+	err = c.config.CRClient.Delete(GinkgoT().Context(), &fluxhelm.HelmRelease{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      c.Name,
 			Namespace: c.Namespace,
 		},
 	})
-	if err != nil {
+	if err != nil && !apierrors.IsNotFound(err) {
 		return err
 	}
-	return c.config.CRClient.Delete(context.Background(), &fluxsrc.HelmRepository{
+
+	Eventually(func() bool {
+		var hr fluxhelm.HelmRelease
+		err = c.config.CRClient.Get(GinkgoT().Context(), types.NamespacedName{
+			Name:      c.Name,
+			Namespace: c.Namespace,
+		}, &hr)
+		if apierrors.IsNotFound(err) {
+			return true
+		}
+		return false
+	}).WithPolling(time.Second).WithTimeout(time.Second * 30).Should(BeTrue())
+
+	if err := c.config.CRClient.Delete(GinkgoT().Context(), &fluxsrc.HelmRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      c.Name,
 			Namespace: fluxNamespace,
 		},
-	})
+	}); err != nil && !apierrors.IsNotFound(err) {
+		return err
+	}
+	return nil
 }
 
 func (c *FluxHelmRelease) Logs() error {
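Review bot: Inside the poll callback at L608 the Get still uses `GinkgoT().Context()` rather than the `ctx` that `wait.PollUntilContextTimeout` hands to the closure, so the 3-minute poll deadline is not propagated to the API call, unlike the sibling poll at L537-L538 in the ArgoCD addon; change it to `err := c.config.CRClient.Get(ctx, types.NamespacedName{`. In Uninstall the new `Eventually(...).Should(BeTrue())` at L656-L666 fails the running node through Gomega inside a function whose contract is to return `error`, so a HelmRelease stuck on a finalizer aborts teardown at that point instead of being reported by the caller alongside the other cleanup steps (and the closure overwrites the outer `err` as a side effect); a `wait.PollUntilContextTimeout` loop returning `fmt.Errorf("helm release %s/%s not removed: %w", c.Namespace, c.Name, err)` would keep a single failure channel.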

+ 3 - 3
e2e/framework/addon/helmserver.go

@@ -17,12 +17,12 @@ limitations under the License.
 package addon
 
 import (
-	"context"
 	"fmt"
 	"net/http"
 	"os"
 	"os/exec"
 
+	. "github.com/onsi/ginkgo/v2"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -60,7 +60,7 @@ func (s *HelmServer) Setup(config *Config) error {
 		return fmt.Errorf("unable to create helm index: %w %s", err, string(out))
 	}
 
-	_, err = s.config.KubeClientSet.CoreV1().Services("default").Create(context.Background(), &v1.Service{
+	_, err = s.config.KubeClientSet.CoreV1().Services("default").Create(GinkgoT().Context(), &v1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "e2e-helmserver",
 		},
@@ -95,7 +95,7 @@ func (s *HelmServer) Logs() error {
 }
 
 func (s *HelmServer) Uninstall() error {
-	err := s.config.KubeClientSet.CoreV1().Services("default").Delete(context.Background(), "e2e-helmserver", metav1.DeleteOptions{})
+	err := s.config.KubeClientSet.CoreV1().Services("default").Delete(GinkgoT().Context(), "e2e-helmserver", metav1.DeleteOptions{})
 	if err != nil {
 		return err
 	}

+ 154 - 0
e2e/framework/addon/port_forward.go

@@ -0,0 +1,154 @@
+/*
+Copyright © 2025 ESO Maintainer Team
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package addon
+
+import (
+	"bytes"
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/external-secrets/external-secrets-e2e/framework/log"
+	. "github.com/onsi/ginkgo/v2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/portforward"
+	"k8s.io/client-go/transport/spdy"
+)
+
+type PortForward struct {
+	kubeClient       kubernetes.Interface
+	restcfg          *rest.Config
+	serviceName      string
+	serviceNamespace string
+	containerPort    int
+
+	localPort int
+	fwd       *portforward.PortForwarder
+}
+
+func NewPortForward(cl kubernetes.Interface, restcfg *rest.Config, serviceName, serviceNamespace string, containerPort int) (*PortForward, error) {
+	pf := &PortForward{
+		kubeClient:       cl,
+		restcfg:          restcfg,
+		serviceName:      serviceName,
+		serviceNamespace: serviceNamespace,
+		containerPort:    containerPort,
+	}
+
+	return pf, nil
+}
+
+// setupPortForward creates port-forward connections to the vault service
+func (pf *PortForward) Start() error {
+	localPort, err := findAvailablePort()
+	if err != nil {
+		return fmt.Errorf("unable to find available port: %w", err)
+	}
+	pf.localPort = localPort
+
+	svc, err := pf.kubeClient.CoreV1().Services(pf.serviceNamespace).Get(GinkgoT().Context(), pf.serviceName, metav1.GetOptions{})
+	if err != nil {
+		return fmt.Errorf("unable to get service %s: %w", pf.serviceName, err)
+	}
+
+	selector := metav1.LabelSelector{MatchLabels: svc.Spec.Selector}
+	pods, err := pf.kubeClient.CoreV1().Pods(pf.serviceNamespace).List(GinkgoT().Context(), metav1.ListOptions{
+		LabelSelector: metav1.FormatLabelSelector(&selector),
+	})
+	if err != nil || len(pods.Items) == 0 {
+		return fmt.Errorf("unable to find pods for service %s: %w", pf.serviceName, err)
+	}
+
+	pod := pods.Items[0]
+
+	// Create port-forward request
+	req := pf.kubeClient.CoreV1().RESTClient().Post().
+		Resource("pods").
+		Name(pod.Name).
+		Namespace(pod.Namespace).
+		SubResource("portforward")
+
+	transport, upgrader, err := spdy.RoundTripperFor(pf.restcfg)
+	if err != nil {
+		return fmt.Errorf("unable to create transport: %w", err)
+	}
+
+	dialer := spdy.NewDialer(upgrader, &http.Client{Transport: transport}, "POST", req.URL())
+	ports := []string{fmt.Sprintf("%d:%d", pf.localPort, pf.containerPort)}
+
+	var fwd *portforward.PortForwarder
+	var stdout, stderr bytes.Buffer
+	stopChan := make(chan struct{})
+	readyChan := make(chan struct{})
+	fwd, err = portforward.New(dialer, ports, stopChan, readyChan, &stdout, &stderr)
+	if err != nil {
+		return fmt.Errorf("unable to create port-forward: %w", err)
+	}
+	pf.fwd = fwd
+
+	// run ForwardPorts in the background and capture the error (if any)
+	errChan := make(chan error, 1)
+	go func() {
+		if err := fwd.ForwardPorts(); err != nil {
+			log.Logf("port-forward error: %v %s %s", err, stdout.String(), stderr.String())
+			errChan <- err
+			return
+		}
+		// signal normal termination (e.g., Close called later)
+		errChan <- nil
+	}()
+
+	// avoid indefinite wait if forwarder fails before signaling ready
+	ctx := GinkgoT().Context()
+	select {
+	case <-readyChan:
+		return nil
+	case err := <-errChan:
+		if err == nil {
+			return fmt.Errorf("port-forward terminated before readiness without error: %s %s", stdout.String(), stderr.String())
+		}
+		return fmt.Errorf("unable to start port-forward: %w: %s %s", err, stdout.String(), stderr.String())
+	case <-time.After(10 * time.Second):
+		close(stopChan)
+		return fmt.Errorf("timeout waiting for port-forward readiness: %s %s", stdout.String(), stderr.String())
+	case <-ctx.Done():
+		close(stopChan)
+		return fmt.Errorf("context canceled waiting for port-forward readiness: %w", ctx.Err())
+	}
+}
+
+func (pf *PortForward) Close() {
+	pf.fwd.Close()
+}
+
+// findAvailablePort finds an available local port
+func findAvailablePort() (int, error) {
+	addr, err := net.ResolveTCPAddr("tcp", "localhost:0")
+	if err != nil {
+		return 0, err
+	}
+
+	l, err := net.ListenTCP("tcp", addr)
+	if err != nil {
+		return 0, err
+	}
+	defer l.Close()
+
+	return l.Addr().(*net.TCPAddr).Port, nil
+}
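Review bot: `Close()` at L857-L859 dereferences `pf.fwd` unconditionally, but `pf.fwd` is only assigned after `portforward.New` succeeds (L824), so a PortForward whose `Start()` failed earlier — or was never started — panics on Close; the Conjur addon's `if l.portForwarder != nil` guard does not cover this because the struct is assigned before Start runs. In addition, as far as I recall the client-go forwarder's `Close()` only closes the local listeners while `ForwardPorts()` keeps blocking until `stopChan` is closed or the SPDY stream to the API server drops, so the goroutine started at L828 and its upgraded connection outlive Close; keeping `stopChan` on the struct and closing it exactly once from Close ends both, with the two `close(stopChan)` calls in Start's failure branches becoming `pf.Close()` so the channel is never closed twice (this needs `sync` imported). The doc comment on `Start` still reads `setupPortForward creates port-forward connections to the vault service` although the type is generic and now used for Conjur; `// Start resolves a pod behind the service and forwards a free local port to containerPort, returning once the forwarder reports ready.` matches the code.
```go
type PortForward struct {
	// … unchanged: kubeClient, restcfg, serviceName, serviceNamespace, containerPort, localPort …
	fwd       *portforward.PortForwarder
	stopChan  chan struct{}
	closeOnce sync.Once
}

// … unchanged: Start up to and including portforward.New …
	pf.fwd = fwd
	pf.stopChan = stopChan
// … unchanged: forwarding goroutine and readiness select (failure branches call pf.Close()) …

// Close stops forwarding; it is idempotent and safe on a PortForward that never started.
func (pf *PortForward) Close() {
	pf.closeOnce.Do(func() {
		if pf.stopChan != nil {
			close(pf.stopChan) // unblocks ForwardPorts, which closes listeners and the stream
		}
		if pf.fwd != nil {
			pf.fwd.Close()
		}
	})
}
```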

+ 6 - 6
e2e/framework/addon/uninstall_eso_crds.go

@@ -17,26 +17,26 @@ limitations under the License.
 package addon
 
 import (
-	"context"
+	"strings"
 
-	"github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/ginkgo/v2"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 func uninstallCRDs(cfg *Config) error {
-	ginkgo.By("Uninstalling eso CRDs")
+	By("Uninstalling eso CRDs")
 	var crdList apiextensionsv1.CustomResourceDefinitionList
-	if err := cfg.CRClient.List(context.Background(), &crdList); err != nil {
+	if err := cfg.CRClient.List(GinkgoT().Context(), &crdList); err != nil {
 		return err
 	}
 
 	for _, crd := range crdList.Items {
-		if crd.Spec.Group != "external-secrets.io" {
+		if !strings.Contains(crd.Spec.Group, "external-secrets.io") {
 			continue
 		}
-		err := cfg.CRClient.Delete(context.Background(), &crd, &client.DeleteOptions{})
+		err := cfg.CRClient.Delete(GinkgoT().Context(), &crd, &client.DeleteOptions{})
 		if err != nil && !apierrors.IsNotFound(err) {
 			return err
 		}
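Review bot: The new match at L905, `strings.Contains(crd.Spec.Group, "external-secrets.io")`, marks for deletion any CRD whose group merely contains that substring, so besides the intended `external-secrets.io` and its subgroups it would also delete a CRD in an unrelated group such as `external-secrets.io.example.com` or `myexternal-secrets.io`; because this loop removes cluster-scoped CRDs — and with them every custom resource of that kind — the filter should be anchored: `if crd.Spec.Group != "external-secrets.io" && !strings.HasSuffix(crd.Spec.Group, ".external-secrets.io") {`. A short comment naming the groups that are meant (presumably `external-secrets.io` and `generators.external-secrets.io`) would make explicit the intent the loosened check leaves implicit.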

+ 108 - 70
e2e/framework/addon/vault.go

@@ -17,7 +17,6 @@ limitations under the License.
 package addon
 
 import (
-	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
@@ -30,15 +29,17 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path/filepath"
 	"time"
 
+	rbacv1 "k8s.io/api/rbac/v1"
+
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	"github.com/golang-jwt/jwt/v4"
 	vault "github.com/hashicorp/vault/api"
-
-	// nolint
-	"github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/ginkgo/v2"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -46,12 +47,13 @@ import (
 )
 
 type Vault struct {
-	chart        *HelmChart
-	Namespace    string
-	PodName      string
-	VaultClient  *vault.Client
-	VaultURL     string
-	VaultMtlsURL string
+	chart         *HelmChart
+	Namespace     string
+	PodName       string
+	VaultClient   *vault.Client
+	VaultURL      string
+	VaultMtlsURL  string
+	portForwarder *PortForward
 
 	RootToken          string
 	VaultServerCA      []byte
@@ -76,21 +78,24 @@ type Vault struct {
 
 const privatePemType = "RSA PRIVATE KEY"
 
-func NewVault(namespace string) *Vault {
-	repo := "hashicorp-" + namespace
+func NewVault() *Vault {
+	repo := "hashicorp-vault"
 	return &Vault{
 		chart: &HelmChart{
-			Namespace:    namespace,
-			ReleaseName:  fmt.Sprintf("vault-%s", namespace), // avoid cluster role collision
+			Namespace:    "vault",
+			ReleaseName:  "vault",
 			Chart:        fmt.Sprintf("%s/vault", repo),
-			ChartVersion: "0.11.0",
+			ChartVersion: "0.30.1",
 			Repo: ChartRepo{
 				Name: repo,
 				URL:  "https://helm.releases.hashicorp.com",
 			},
-			Values: []string{"/k8s/vault.values.yaml"},
+			Args: []string{
+				"--create-namespace",
+			},
+			Values: []string{filepath.Join(AssetDir(), "vault.values.yaml")},
 		},
-		Namespace: namespace,
+		Namespace: "vault",
 	}
 }
 
@@ -100,24 +105,45 @@ type OperatorInitResponse struct {
 }
 
 func (l *Vault) Install() error {
-	ginkgo.By("Installing vault in " + l.Namespace)
-	err := l.chart.Install()
+	// From Kubernetes 1.32+ on the oidc endpoint is not available to unauthenticated clients.
+	// We create this clusterrole to allow vault to access the oidc endpoint.
+	// see: https://github.com/ansible-collections/kubernetes.core/issues/868
+	crb := &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "allow-anon-oidc",
+		},
+	}
+	_, err := controllerutil.CreateOrUpdate(GinkgoT().Context(), l.chart.config.CRClient, crb, func() error {
+		crb.Subjects = []rbacv1.Subject{
+			{
+				APIGroup: "rbac.authorization.k8s.io",
+				Kind:     "User",
+				Name:     "system:anonymous",
+			},
+		}
+		crb.RoleRef = rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "system:service-account-issuer-discovery",
+		}
+		return nil
+	})
 	if err != nil {
 		return err
 	}
+	if err = l.chart.Install(); err != nil {
+		return err
+	}
 
-	err = l.patchVaultService()
-	if err != nil {
+	if err = l.patchVaultService(); err != nil {
 		return err
 	}
 
-	err = l.initVault()
-	if err != nil {
+	if err = l.initVault(); err != nil {
 		return err
 	}
 
-	err = l.configureVault()
-	if err != nil {
+	if err = l.configureVault(); err != nil {
 		return err
 	}
 
@@ -125,36 +151,17 @@ func (l *Vault) Install() error {
 }
 
 func (l *Vault) patchVaultService() error {
-	serviceName := fmt.Sprintf("vault-%s", l.Namespace)
+	serviceName := l.chart.ReleaseName
 	servicePatch := []byte(`[{"op": "add", "path": "/spec/ports/-", "value": { "name": "https-mtls", "port": 8210, "protocol": "TCP", "targetPort": 8210 }}]`)
 	clientSet := l.chart.config.KubeClientSet
 	_, err := clientSet.CoreV1().Services(l.Namespace).
-		Patch(context.Background(), serviceName, types.JSONPatchType, servicePatch, metav1.PatchOptions{})
+		Patch(GinkgoT().Context(), serviceName, types.JSONPatchType, servicePatch, metav1.PatchOptions{})
 	return err
 }
 
 func (l *Vault) initVault() error {
-	sec := &v1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "vault-tls-config",
-			Namespace: l.Namespace,
-		},
-		Data: map[string][]byte{},
-	}
-
-	// vault-config contains vault init config and policies
-	files, err := os.ReadDir("/k8s/vault-config")
-	if err != nil {
-		return err
-	}
-	for _, f := range files {
-		name := f.Name()
-		data := mustReadFile(fmt.Sprintf("/k8s/vault-config/%s", name))
-		sec.Data[name] = data
-	}
-
 	// gen certificates and put them into the secret
-	serverRootPem, serverPem, serverKeyPem, clientRootPem, clientPem, clientKeyPem, err := genVaultCertificates(l.Namespace)
+	serverRootPem, serverPem, serverKeyPem, clientRootPem, clientPem, clientKeyPem, err := genVaultCertificates(l.Namespace, l.chart.ReleaseName)
 	if err != nil {
 		return fmt.Errorf("unable to gen vault certs: %w", err)
 	}
@@ -163,15 +170,6 @@ func (l *Vault) initVault() error {
 		return fmt.Errorf("unable to generate vault jwt keys: %w", err)
 	}
 
-	// pass certs to secret
-	sec.Data["vault-server-ca.pem"] = serverRootPem
-	sec.Data["server-cert.pem"] = serverPem
-	sec.Data["server-cert-key.pem"] = serverKeyPem
-	sec.Data["vault-client-ca.pem"] = clientRootPem
-	sec.Data["es-client.pem"] = clientPem
-	sec.Data["es-client-key.pem"] = clientKeyPem
-	sec.Data["jwt-pubkey.pem"] = jwtPubkey
-
 	// make certs available to the struct
 	// so it can be used by the provider
 	l.VaultServerCA = serverRootPem
@@ -189,13 +187,39 @@ func (l *Vault) initVault() error {
 	l.KubernetesAuthPath = "mykubernetes"              // see configure-vault.sh
 	l.KubernetesAuthRole = "external-secrets-operator" // see configure-vault.sh
 
-	ginkgo.By("Creating vault TLS secret")
-	err = l.chart.config.CRClient.Create(context.Background(), sec)
+	// vault-config contains vault init config and policies
+	files, err := os.ReadDir(fmt.Sprintf("%s/vault-config", AssetDir()))
+	if err != nil {
+		return err
+	}
+	sec := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "vault-tls-config",
+			Namespace: l.Namespace,
+		},
+		Data: map[string][]byte{},
+	}
+	_, err = controllerutil.CreateOrUpdate(GinkgoT().Context(), l.chart.config.CRClient, sec, func() error {
+		sec.Data = map[string][]byte{}
+		for _, f := range files {
+			name := f.Name()
+			data := mustReadFile(fmt.Sprintf("%s/vault-config/%s", AssetDir(), name))
+			sec.Data[name] = data
+		}
+		sec.Data["vault-server-ca.pem"] = serverRootPem
+		sec.Data["server-cert.pem"] = serverPem
+		sec.Data["server-cert-key.pem"] = serverKeyPem
+		sec.Data["vault-client-ca.pem"] = clientRootPem
+		sec.Data["es-client.pem"] = clientPem
+		sec.Data["es-client-key.pem"] = clientKeyPem
+		sec.Data["jwt-pubkey.pem"] = jwtPubkey
+
+		return nil
+	})
 	if err != nil {
 		return err
 	}
 
-	ginkgo.By("Waiting for vault pods to be running")
 	pl, err := util.WaitForPodsRunning(l.chart.config.KubeClientSet, 1, l.Namespace, metav1.ListOptions{
 		LabelSelector: "app.kubernetes.io/name=vault",
 	})
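Review bot: The asset paths in this hunk are built with `fmt.Sprintf("%s/vault-config", AssetDir())` and `fmt.Sprintf("%s/vault-config/%s", AssetDir(), name)`, while NewVault in the same file uses `filepath.Join(AssetDir(), "vault.values.yaml")` and `path/filepath` is already imported; `filepath.Join(AssetDir(), "vault-config")` and `filepath.Join(AssetDir(), "vault-config", name)` keep the file consistent. `sec.Data` is initialised in the struct literal and again at the top of the mutate function; since CreateOrUpdate reads any existing object into `sec` before calling the mutate function, only the reset inside it matters and the first can go. `os.ReadDir` also returns subdirectories and each entry is passed straight to `mustReadFile`; an `if f.IsDir() { continue }` guard would keep the loop robust if a subfolder is ever added under vault-config. initVault's body continues outside this hunk.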
@@ -204,7 +228,6 @@ func (l *Vault) initVault() error {
 	}
 	l.PodName = pl.Items[0].Name
 
-	ginkgo.By("Initializing vault")
 	out, err := util.ExecCmd(
 		l.chart.config.KubeClientSet,
 		l.chart.config.KubeConfig,
@@ -213,7 +236,6 @@ func (l *Vault) initVault() error {
 		return fmt.Errorf("error initializing vault: %w", err)
 	}
 
-	ginkgo.By("Parsing init response")
 	var res OperatorInitResponse
 	err = json.Unmarshal([]byte(out), &res)
 	if err != nil {
@@ -221,7 +243,6 @@ func (l *Vault) initVault() error {
 	}
 	l.RootToken = res.RootToken
 
-	ginkgo.By("Unsealing vault")
 	for _, k := range res.UnsealKeysB64 {
 		_, err = util.ExecCmd(
 			l.chart.config.KubeClientSet,
@@ -239,6 +260,17 @@ func (l *Vault) initVault() error {
 	if err != nil {
 		return fmt.Errorf("error waiting for vault to be ready: %w", err)
 	}
+
+	// This e2e test provider uses a local port-forwarded to talk to the vault API instead
+	// of using the kubernetes service. This allows us to run the e2e test suite locally.
+	l.portForwarder, err = NewPortForward(l.chart.config.KubeClientSet, l.chart.config.KubeConfig, "vault", l.chart.Namespace, 8200)
+	if err != nil {
+		return err
+	}
+	if err := l.portForwarder.Start(); err != nil {
+		return err
+	}
+
 	serverCA := l.VaultServerCA
 	caCertPool := x509.NewCertPool()
 	ok := caCertPool.AppendCertsFromPEM(serverCA)
@@ -246,9 +278,9 @@ func (l *Vault) initVault() error {
 		panic("unable to append server ca cert")
 	}
 	cfg := vault.DefaultConfig()
-	l.VaultURL = fmt.Sprintf("https://vault-%s.%s.svc.cluster.local:8200", l.Namespace, l.Namespace)
-	l.VaultMtlsURL = fmt.Sprintf("https://vault-%s.%s.svc.cluster.local:8210", l.Namespace, l.Namespace)
-	cfg.Address = l.VaultURL
+	l.VaultURL = fmt.Sprintf("https://%s.%s.svc.cluster.local:8200", l.chart.ReleaseName, l.Namespace)
+	l.VaultMtlsURL = fmt.Sprintf("https://%s.%s.svc.cluster.local:8210", l.chart.ReleaseName, l.Namespace)
+	cfg.Address = fmt.Sprintf("https://localhost:%d", l.portForwarder.localPort)
 	cfg.HttpClient.Transport.(*http.Transport).TLSClientConfig.RootCAs = caCertPool
 	l.VaultClient, err = vault.NewClient(cfg)
 	if err != nil {
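Review bot: The switch of `cfg.Address` to `https://localhost:<port>` keeps certificate verification intact only because genVaultCertificates issues the server certificate with a `localhost` SAN (see the last hunk of this file); that dependency deserves a comment on the `cfg.Address` line, e.g. `// localhost is a SAN on the generated server cert, so RootCAs verification still works over the port-forward`, so nobody later reaches for InsecureSkipVerify when the forward target changes. initVault continues outside this hunk.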
@@ -260,7 +292,6 @@ func (l *Vault) initVault() error {
 }
 
 func (l *Vault) configureVault() error {
-	ginkgo.By("configuring vault")
 	cmd := `sh /etc/vault-config/configure-vault.sh %s`
 	_, err := util.ExecCmd(
 		l.chart.config.KubeClientSet,
@@ -309,7 +340,14 @@ func (l *Vault) Logs() error {
 }
 
 func (l *Vault) Uninstall() error {
-	return l.chart.Uninstall()
+	if l.portForwarder != nil {
+		l.portForwarder.Close()
+		l.portForwarder = nil
+	}
+	if err := l.chart.Uninstall(); err != nil {
+		return err
+	}
+	return l.chart.config.KubeClientSet.CoreV1().Namespaces().Delete(GinkgoT().Context(), l.chart.Namespace, metav1.DeleteOptions{})
 }
 
 func (l *Vault) Setup(cfg *Config) error {
@@ -317,7 +355,7 @@ func (l *Vault) Setup(cfg *Config) error {
 }
 
 // nolint:gocritic
-func genVaultCertificates(namespace string) ([]byte, []byte, []byte, []byte, []byte, []byte, error) {
+func genVaultCertificates(namespace, serviceName string) ([]byte, []byte, []byte, []byte, []byte, []byte, error) {
 	// gen server ca + certs
 	serverRootCert, serverRootPem, serverRootKey, err := genCARoot()
 	if err != nil {
@@ -325,8 +363,8 @@ func genVaultCertificates(namespace string) ([]byte, []byte, []byte, []byte, []b
 	}
 	serverPem, serverKey, err := genPeerCert(serverRootCert, serverRootKey, "vault", []string{
 		"localhost",
-		"vault-" + namespace,
-		fmt.Sprintf("vault-%s.%s.svc.cluster.local", namespace, namespace)})
+		serviceName,
+		fmt.Sprintf("%s.%s.svc.cluster.local", serviceName, namespace)})
 	if err != nil {
 		return nil, nil, nil, nil, nil, nil, errors.New("unable to generate vault server cert")
 	}

+ 7 - 6
e2e/framework/eso.go

@@ -23,6 +23,7 @@ import (
 	"time"
 
 	//nolint
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
 	v1 "k8s.io/api/core/v1"
@@ -39,8 +40,8 @@ import (
 // with the provided values.
 func (f *Framework) WaitForSecretValue(namespace, name string, expected *v1.Secret) (*v1.Secret, error) {
 	secret := &v1.Secret{}
-	err := wait.PollImmediate(time.Second*10, time.Minute, func() (bool, error) {
-		err := f.CRClient.Get(context.Background(), types.NamespacedName{
+	err := wait.PollUntilContextTimeout(GinkgoT().Context(), time.Second*1, time.Minute, true, func(ctx context.Context) (bool, error) {
+		err := f.CRClient.Get(ctx, types.NamespacedName{
 			Namespace: namespace,
 			Name:      name,
 		}, secret)
@@ -55,7 +56,7 @@ func (f *Framework) WaitForSecretValue(namespace, name string, expected *v1.Secr
 func (f *Framework) printESDebugLogs(esName, esNamespace string) {
 	// fetch es and print status condition
 	var es esv1.ExternalSecret
-	err := f.CRClient.Get(context.Background(), types.NamespacedName{
+	err := f.CRClient.Get(GinkgoT().Context(), types.NamespacedName{
 		Name:      esName,
 		Namespace: esNamespace,
 	}, &es)
@@ -65,7 +66,7 @@ func (f *Framework) printESDebugLogs(esName, esNamespace string) {
 		log.Logf("condition: status=%s type=%s reason=%s message=%s", cond.Status, cond.Type, cond.Reason, cond.Message)
 	}
 	// list events for given
-	evs, err := f.KubeClientSet.CoreV1().Events(esNamespace).List(context.Background(), metav1.ListOptions{
+	evs, err := f.KubeClientSet.CoreV1().Events(esNamespace).List(GinkgoT().Context(), metav1.ListOptions{
 		FieldSelector: "involvedObject.name=" + esName + ",involvedObject.kind=ExternalSecret",
 	})
 	Expect(err).ToNot(HaveOccurred())
@@ -75,7 +76,7 @@ func (f *Framework) printESDebugLogs(esName, esNamespace string) {
 
 	// print most recent logs of default eso installation
 	podList, err := f.KubeClientSet.CoreV1().Pods("default").List(
-		context.Background(),
+		GinkgoT().Context(),
 		metav1.ListOptions{LabelSelector: "app.kubernetes.io/instance=eso,app.kubernetes.io/name=external-secrets"})
 	Expect(err).ToNot(HaveOccurred())
 	numLines := int64(60)
@@ -87,7 +88,7 @@ func (f *Framework) printESDebugLogs(esName, esNamespace string) {
 					Container: con.Name,
 					Previous:  b,
 					TailLines: &numLines,
-				}).Do(context.TODO())
+				}).Do(GinkgoT().Context())
 				err := resp.Error()
 				if err != nil {
 					continue

+ 15 - 2
e2e/framework/framework.go

@@ -19,6 +19,7 @@ package framework
 import (
 
 	// nolint
+
 	. "github.com/onsi/ginkgo/v2"
 
 	// nolint
@@ -26,7 +27,9 @@ import (
 	api "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
+	ctrl "sigs.k8s.io/controller-runtime"
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	"github.com/external-secrets/external-secrets-e2e/framework/addon"
 	"github.com/external-secrets/external-secrets-e2e/framework/log"
@@ -96,14 +99,13 @@ func (f *Framework) AfterEach() {
 func (f *Framework) Install(a addon.Addon) {
 	f.Addons = append(f.Addons, a)
 
-	By("installing addon")
 	err := a.Setup(&addon.Config{
 		KubeConfig:    f.KubeConfig,
 		KubeClientSet: f.KubeClientSet,
 		CRClient:      f.CRClient,
 	})
 	Expect(err).NotTo(HaveOccurred())
-
+	defer GinkgoRecover()
 	err = a.Install()
 	Expect(err).NotTo(HaveOccurred())
 }
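Review bot: `defer GinkgoRecover()` is registered only after the first `Expect` on the Setup error, so if Install is ever run from a goroutine (the case GinkgoRecover exists for) a Setup failure would panic before the recover is in place, and if it is only ever called from a spec body the defer is unnecessary. Either move it to the first line of the function, `defer GinkgoRecover()` directly after the signature, or drop it; a one-line comment saying why it is needed would help either way.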
@@ -124,3 +126,14 @@ func Compose(descAppend string, f *Framework, fn func(f *Framework) (string, fun
 
 	return te
 }
+
+// setup logger in controller-runtime to
+// prevent logging unrelated errors.
+func init() {
+	ginkgoLogger := zap.New(
+		zap.WriteTo(GinkgoWriter),
+		zap.UseDevMode(true),
+	)
+
+	ctrl.SetLogger(ginkgoLogger)
+}

+ 5 - 5
e2e/framework/testcase.go

@@ -17,13 +17,13 @@ limitations under the License.
 package framework
 
 import (
-	"context"
 	"time"
 
 	//nolint
 	"github.com/external-secrets/external-secrets-e2e/framework/log"
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -115,7 +115,7 @@ func executeAfterSync(tc *TestCase, f *Framework, prov SecretStoreProvider) {
 func generateAdditionalObjects(tc *TestCase) {
 	if tc.AdditionalObjects != nil {
 		for _, obj := range tc.AdditionalObjects {
-			err := tc.Framework.CRClient.Create(context.Background(), obj)
+			err := tc.Framework.CRClient.Create(GinkgoT().Context(), obj)
 			Expect(err).ToNot(HaveOccurred())
 		}
 	}
@@ -125,7 +125,7 @@ func createProvidedExternalSecret(tc *TestCase) {
 	if tc.ExternalSecret == nil {
 		return
 	}
-	err := tc.Framework.CRClient.Create(context.Background(), tc.ExternalSecret)
+	err := tc.Framework.CRClient.Create(GinkgoT().Context(), tc.ExternalSecret)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -142,14 +142,14 @@ func TableFuncWithPushSecret(f *Framework, prov SecretStoreProvider, pushClient
 		}
 
 		if tc.PushSecretSource != nil {
-			err := tc.Framework.CRClient.Create(context.Background(), tc.PushSecretSource)
+			err := tc.Framework.CRClient.Create(GinkgoT().Context(), tc.PushSecretSource)
 			Expect(err).ToNot(HaveOccurred())
 		}
 
 		// create v1alpha1 push secret, if provided
 		if tc.PushSecret != nil {
 			// create v1beta1 external secret otherwise
-			err = tc.Framework.CRClient.Create(context.Background(), tc.PushSecret)
+			err = tc.Framework.CRClient.Create(GinkgoT().Context(), tc.PushSecret)
 			Expect(err).ToNot(HaveOccurred())
 		}
 

+ 55 - 32
e2e/framework/util/util.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"path/filepath"
 	"time"
 
 	fluxhelm "github.com/fluxcd/helm-controller/api/v2beta1"
@@ -35,9 +36,11 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/remotecommand"
+	"k8s.io/client-go/util/homedir"
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	// nolint
@@ -78,23 +81,23 @@ func CreateKubeNamespace(baseName string, kubeClientSet kubernetes.Interface) (*
 		},
 	}
 
-	return kubeClientSet.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{})
+	return kubeClientSet.CoreV1().Namespaces().Create(GinkgoT().Context(), ns, metav1.CreateOptions{})
 }
 
 // DeleteKubeNamespace will delete a namespace resource.
 func DeleteKubeNamespace(namespace string, kubeClientSet kubernetes.Interface) error {
-	return kubeClientSet.CoreV1().Namespaces().Delete(context.TODO(), namespace, metav1.DeleteOptions{})
+	return kubeClientSet.CoreV1().Namespaces().Delete(GinkgoT().Context(), namespace, metav1.DeleteOptions{})
 }
 
 // WaitForKubeNamespaceNotExist will wait for the namespace with the given name
 // to not exist for up to 2 minutes.
 func WaitForKubeNamespaceNotExist(namespace string, kubeClientSet kubernetes.Interface) error {
-	return wait.PollImmediate(Poll, time.Minute*2, namespaceNotExist(kubeClientSet, namespace))
+	return wait.PollUntilContextTimeout(GinkgoT().Context(), Poll, time.Minute*2, true, namespaceNotExist(kubeClientSet, namespace))
 }
 
-func namespaceNotExist(c kubernetes.Interface, namespace string) wait.ConditionFunc {
-	return func() (bool, error) {
-		_, err := c.CoreV1().Namespaces().Get(context.TODO(), namespace, metav1.GetOptions{})
+func namespaceNotExist(c kubernetes.Interface, namespace string) wait.ConditionWithContextFunc {
+	return func(ctx context.Context) (bool, error) {
+		_, err := c.CoreV1().Namespaces().Get(ctx, namespace, metav1.GetOptions{})
 		if apierrors.IsNotFound(err) {
 			return true, nil
 		}
@@ -159,8 +162,8 @@ func execCmd(client kubernetes.Interface, config *restclient.Config, podName, co
 // WaitForPodsRunning waits for a given amount of time until a group of Pods is running in the given namespace.
 func WaitForPodsRunning(kubeClientSet kubernetes.Interface, expectedReplicas int, namespace string, opts metav1.ListOptions) (*v1.PodList, error) {
 	var pods *v1.PodList
-	err := wait.PollImmediate(1*time.Second, time.Minute*5, func() (bool, error) {
-		pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), opts)
+	err := wait.PollUntilContextTimeout(GinkgoT().Context(), 1*time.Second, time.Minute*5, true, func(ctx context.Context) (bool, error) {
+		pl, err := kubeClientSet.CoreV1().Pods(namespace).List(ctx, opts)
 		if err != nil {
 			return false, nil
 		}
@@ -184,8 +187,8 @@ func WaitForPodsRunning(kubeClientSet kubernetes.Interface, expectedReplicas int
 
 // WaitForPodsReady waits for a given amount of time until a group of Pods is running in the given namespace.
 func WaitForPodsReady(kubeClientSet kubernetes.Interface, expectedReplicas int, namespace string, opts metav1.ListOptions) error {
-	return wait.PollImmediate(1*time.Second, time.Minute*5, func() (bool, error) {
-		pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), opts)
+	return wait.PollUntilContextTimeout(GinkgoT().Context(), 1*time.Second, time.Minute*5, true, func(ctx context.Context) (bool, error) {
+		pl, err := kubeClientSet.CoreV1().Pods(namespace).List(ctx, opts)
 		if err != nil {
 			return false, nil
 		}
@@ -237,8 +240,8 @@ func isPodReady(p *v1.Pod) bool {
 // WaitForURL tests the provided url. Once a http 200 is returned the func returns with no error.
 // Timeout is 5min.
 func WaitForURL(url string) error {
-	return wait.PollImmediate(2*time.Second, time.Minute*5, func() (bool, error) {
-		req, err := http.NewRequest(http.MethodGet, url, http.NoBody)
+	return wait.PollUntilContextTimeout(GinkgoT().Context(), 2*time.Second, time.Minute*5, true, func(ctx context.Context) (bool, error) {
+		req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, http.NoBody)
 		if err != nil {
 			return false, nil
 		}
@@ -265,45 +268,65 @@ func UpdateKubeSA(baseName string, kubeClientSet kubernetes.Interface, ns string
 		},
 	}
 
-	return kubeClientSet.CoreV1().ServiceAccounts(ns).Update(context.TODO(), sa, metav1.UpdateOptions{})
+	return kubeClientSet.CoreV1().ServiceAccounts(ns).Update(GinkgoT().Context(), sa, metav1.UpdateOptions{})
 }
 
 // UpdateKubeSA updates a new Kubernetes Service Account for a test.
 func GetKubeSA(baseName string, kubeClientSet kubernetes.Interface, ns string) (*v1.ServiceAccount, error) {
-	return kubeClientSet.CoreV1().ServiceAccounts(ns).Get(context.TODO(), baseName, metav1.GetOptions{})
+	return kubeClientSet.CoreV1().ServiceAccounts(ns).Get(GinkgoT().Context(), baseName, metav1.GetOptions{})
 }
 
 func GetKubeSecret(client kubernetes.Interface, namespace, secretName string) (*v1.Secret, error) {
-	return client.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+	return client.CoreV1().Secrets(namespace).Get(GinkgoT().Context(), secretName, metav1.GetOptions{})
 }
 
 // NewConfig loads and returns the kubernetes credentials from the environment.
-// KUBECONFIG env var takes precedence and falls back to in-cluster config.
+// KUBECONFIG env var takes precedence, falls back to in-cluster config, then to default KUBECONFIG location.
 func NewConfig() (*restclient.Config, *kubernetes.Clientset, crclient.Client) {
-	var kubeConfig *restclient.Config
-	var err error
-	kcPath := os.Getenv("KUBECONFIG")
-	if kcPath != "" {
-		kubeConfig, err = clientcmd.BuildConfigFromFlags("", kcPath)
-		if err != nil {
-			Fail(err.Error())
-		}
-	} else {
-		kubeConfig, err = restclient.InClusterConfig()
-		if err != nil {
-			Fail(err.Error())
-		}
+	cfg, err := BuildKubeConfig()
+	if err != nil {
+		Fail(err.Error())
 	}
 
-	kubeClientSet, err := kubernetes.NewForConfig(kubeConfig)
+	kubeClientSet, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
 		Fail(err.Error())
 	}
 
-	CRClient, err := crclient.New(kubeConfig, crclient.Options{Scheme: scheme})
+	CRClient, err := crclient.New(cfg, crclient.Options{Scheme: scheme})
 	if err != nil {
 		Fail(err.Error())
 	}
 
-	return kubeConfig, kubeClientSet, CRClient
+	return cfg, kubeClientSet, CRClient
+}
+
+func BuildKubeConfig() (*rest.Config, error) {
+	// 1. If KUBECONFIG is explicitly set, use it
+	if kubeconfigEnv := os.Getenv("KUBECONFIG"); kubeconfigEnv != "" {
+		cfg, err := clientcmd.BuildConfigFromFlags("", kubeconfigEnv)
+		if err == nil {
+			return cfg, nil
+		}
+		return nil, fmt.Errorf("failed to load KUBECONFIG=%s: %w", kubeconfigEnv, err)
+	}
+
+	// 2. Try default kubeconfig location (~/.kube/config)
+	if home := homedir.HomeDir(); home != "" {
+		kubeconfigPath := filepath.Join(home, ".kube", "config")
+		if _, err := os.Stat(kubeconfigPath); err == nil {
+			cfg, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath)
+			if err == nil {
+				return cfg, nil
+			}
+			return nil, fmt.Errorf("failed to load default kubeconfig: %w", err)
+		}
+	}
+
+	// 3. Fallback to in-cluster config
+	cfg, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, fmt.Errorf("failed to load in-cluster config: %w", err)
+	}
+	return cfg, nil
 }
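Review bot: The doc comment updated on NewConfig says the fallback order is KUBECONFIG, then in-cluster config, then the default KUBECONFIG location, but BuildKubeConfig tries KUBECONFIG, then `~/.kube/config`, then in-cluster; fix the comment to `// KUBECONFIG env var takes precedence, then ~/.kube/config, then in-cluster config.` and give the new exported BuildKubeConfig a doc comment of its own. The file now imports `k8s.io/client-go/rest` twice, as `rest` and as `restclient` (see the import hunk above), with BuildKubeConfig returning `*rest.Config` and NewConfig `*restclient.Config`; keep one alias. `KUBECONFIG` may also hold a colon-separated list of files, which `clientcmd.BuildConfigFromFlags` does not split; `clientcmd.NewNonInteractiveDeferredLoadingClientConfig(clientcmd.NewDefaultClientConfigLoadingRules(), &clientcmd.ConfigOverrides{}).ClientConfig()` implements the env-var and home-file lookup with list support and, as far as I recall, the in-cluster fallback as well, which would replace steps 1 to 3 with one call.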

+ 3 - 0
e2e/go.mod

@@ -134,6 +134,7 @@ require (
 	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/errors v0.22.2 // indirect
 	github.com/go-openapi/jsonpointer v0.22.0 // indirect
@@ -231,6 +232,8 @@ require (
 	go.opentelemetry.io/otel/metric v1.38.0 // indirect
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/crypto v0.41.0 // indirect

+ 2 - 0
e2e/k8s/vault.values.yaml

@@ -12,6 +12,8 @@ server:
     - name: tls-config
       secret:
         secretName: vault-tls-config
+  dataStorage:
+    enabled: false # have ephemeral data
   standalone:
     config: |
       ui = true

+ 7 - 6
e2e/suites/argocd/install.go

@@ -18,6 +18,7 @@ package argocd
 
 import (
 	"os"
+	"path/filepath"
 
 	// nolint
 	. "github.com/onsi/ginkgo/v2"
@@ -29,7 +30,7 @@ const (
 	helmChartRevision = "0.0.0-e2e"
 )
 
-func installArgo(cfg *addon.Config) {
+func installArgo() {
 	By("installing argocd")
 	addon.InstallGlobalAddon(&addon.HelmChart{
 		Namespace:    "argocd",
@@ -47,16 +48,16 @@ func installArgo(cfg *addon.Config) {
 			},
 		},
 		Args: []string{"--create-namespace"},
-	}, cfg)
+	})
 }
 
-func installESO(cfg *addon.Config) {
+func installESO() {
 	By("installing helm http server")
 	tag := os.Getenv("VERSION")
 	addon.InstallGlobalAddon(&addon.HelmServer{
-		ChartDir:      "/k8s/deploy/charts/external-secrets",
+		ChartDir:      filepath.Join(addon.AssetDir(), "deploy/charts/external-secrets"),
 		ChartRevision: helmChartRevision,
-	}, cfg)
+	})
 
 	By("installing eso through argo app")
 	addon.InstallGlobalAddon(&addon.ArgoCDApplication{
@@ -71,5 +72,5 @@ func installESO(cfg *addon.Config) {
 			"webhook.image.tag=" + tag,
 			"certController.image.tag=" + tag,
 		},
-	}, cfg)
+	})
 }

+ 5 - 9
e2e/suites/argocd/suite_test.go

@@ -17,7 +17,6 @@ limitations under the License.
 package argocd
 
 import (
-	"context"
 	"testing"
 
 	// nolint
@@ -32,10 +31,8 @@ import (
 )
 
 var _ = SynchronizedBeforeSuite(func() []byte {
-	cfg := &addon.Config{}
-	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
-	installArgo(cfg)
-	installESO(cfg)
+	installArgo()
+	installESO()
 	return nil
 }, func([]byte) {
 	// noop
@@ -44,14 +41,13 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 var _ = SynchronizedAfterSuite(func() {
 	// noop
 }, func() {
-	cfg := &addon.Config{}
-	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
+	_, _, cl := util.NewConfig()
 	By("Deleting any pending generator states")
 	generatorStates := &genv1alpha1.GeneratorStateList{}
-	err := cfg.CRClient.List(context.Background(), generatorStates)
+	err := cl.List(GinkgoT().Context(), generatorStates)
 	Expect(err).ToNot(HaveOccurred())
 	for _, generatorState := range generatorStates.Items {
-		err = cfg.CRClient.Delete(context.Background(), &generatorState)
+		err = cl.Delete(GinkgoT().Context(), &generatorState)
 		Expect(err).ToNot(HaveOccurred())
 	}
 

+ 14 - 7
e2e/suites/flux/install.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 
 	// nolint
 	. "github.com/onsi/ginkgo/v2"
@@ -32,23 +33,29 @@ import (
 
 const (
 	helmChartRevision = "0.0.0-e2e"
+	fluxManifests     = "https://github.com/fluxcd/flux2/releases/download/v0.29.3/install.yaml"
 )
 
 func installFlux() {
 	By("installing flux")
-	fluxVersion := "v0.29.3"
-	url := fmt.Sprintf("https://github.com/fluxcd/flux2/releases/download/%s/install.yaml", fluxVersion)
-	cmd := exec.Command("kubectl", "apply", "-f", url)
+	cmd := exec.Command("kubectl", "apply", "-f", fluxManifests)
 	out, err := cmd.CombinedOutput()
 	Expect(err).ToNot(HaveOccurred(), string(out))
 }
 
-func installESO(cfg *addon.Config) {
+func uninstallFlux() {
+	By("uninstalling flux")
+	cmd := exec.Command("kubectl", "delete", "-f", fluxManifests)
+	out, err := cmd.CombinedOutput()
+	Expect(err).ToNot(HaveOccurred(), string(out))
+}
+
+func installESO() {
 	By("installing helm http server")
 	addon.InstallGlobalAddon(&addon.HelmServer{
-		ChartDir:      "/k8s/deploy/charts/external-secrets",
+		ChartDir:      filepath.Join(addon.AssetDir(), "deploy/charts/external-secrets"),
 		ChartRevision: helmChartRevision,
-	}, cfg)
+	})
 
 	By("installing eso through flux helmrelease app")
 	tag := os.Getenv("VERSION")
@@ -80,5 +87,5 @@ func installESO(cfg *addon.Config) {
 			  }
 			}
 		  }`, tag, tag, tag),
-	}, cfg)
+	})
 }

+ 4 - 6
e2e/suites/flux/suite_test.go

@@ -17,7 +17,6 @@ limitations under the License.
 package flux
 
 import (
-	"context"
 	"testing"
 
 	// nolint
@@ -32,10 +31,8 @@ import (
 )
 
 var _ = SynchronizedBeforeSuite(func() []byte {
-	cfg := &addon.Config{}
-	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
 	installFlux()
-	installESO(cfg)
+	installESO()
 	return nil
 }, func([]byte) {
 	// noop
@@ -48,10 +45,10 @@ var _ = SynchronizedAfterSuite(func() {
 	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
 	By("Deleting any pending generator states")
 	generatorStates := &genv1alpha1.GeneratorStateList{}
-	err := cfg.CRClient.List(context.Background(), generatorStates)
+	err := cfg.CRClient.List(GinkgoT().Context(), generatorStates)
 	Expect(err).ToNot(HaveOccurred())
 	for _, generatorState := range generatorStates.Items {
-		err = cfg.CRClient.Delete(context.Background(), &generatorState)
+		err = cfg.CRClient.Delete(GinkgoT().Context(), &generatorState)
 		Expect(err).ToNot(HaveOccurred())
 	}
 
@@ -60,6 +57,7 @@ var _ = SynchronizedAfterSuite(func() {
 	if CurrentSpecReport().Failed() {
 		addon.PrintLogs()
 	}
+	uninstallFlux()
 })
 
 func TestE2E(t *testing.T) {

+ 1 - 2
e2e/suites/generator/ecr.go

@@ -17,7 +17,6 @@ limitations under the License.
 package generator
 
 import (
-	"context"
 	"os"
 
 	//nolint
@@ -40,7 +39,7 @@ var _ = Describe("ecr generator", Label("ecr"), func() {
 	const awsCredsSecretName = "aws-creds"
 
 	injectGenerator := func(tc *testCase) {
-		err := f.CRClient.Create(context.Background(), &v1.Secret{
+		err := f.CRClient.Create(GinkgoT().Context(), &v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      awsCredsSecretName,
 				Namespace: f.Namespace.Name,

+ 4 - 5
e2e/suites/generator/grafana.go

@@ -17,7 +17,6 @@ limitations under the License.
 package generator
 
 import (
-	"context"
 	"os"
 	"strings"
 	"time"
@@ -73,7 +72,7 @@ var _ = Describe("grafana generator", Label("grafana"), func() {
 	})
 
 	setupGenerator := func(tc *testCase) {
-		err := f.CRClient.Create(context.Background(), &v1.Secret{
+		err := f.CRClient.Create(GinkgoT().Context(), &v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      grafanaCredsSecretName,
 				Namespace: f.Namespace.Name,
@@ -120,14 +119,14 @@ var _ = Describe("grafana generator", Label("grafana"), func() {
 
 	ensureExternalSecretPurgesGeneratorState := func(tc *testCase) {
 		// delete ES to trigger cleanup of generator state
-		err := f.CRClient.Delete(context.Background(), tc.ExternalSecret)
+		err := f.CRClient.Delete(GinkgoT().Context(), tc.ExternalSecret)
 		Expect(err).ToNot(HaveOccurred())
 
 		By("waiting for generator state to be cleaned up")
 		// wait for generator state to be cleaned up
 		Eventually(func() int {
 			generatorStates := &genv1alpha1.GeneratorStateList{}
-			err := f.CRClient.List(context.Background(), generatorStates, client.InNamespace(f.Namespace.Name))
+			err := f.CRClient.List(GinkgoT().Context(), generatorStates, client.InNamespace(f.Namespace.Name))
 			if err != nil {
 				return -1
 			}
@@ -158,7 +157,7 @@ var _ = Describe("grafana generator", Label("grafana"), func() {
 			// after the generator is deleted.
 			Eventually(func() bool {
 				generatorStates := &genv1alpha1.GeneratorStateList{}
-				err := f.CRClient.List(context.Background(), generatorStates, client.InNamespace(f.Namespace.Name))
+				err := f.CRClient.List(GinkgoT().Context(), generatorStates, client.InNamespace(f.Namespace.Name))
 				Expect(err).ToNot(HaveOccurred())
 				GinkgoLogr.Info("generator states", "states", generatorStates.Items)
 				return len(generatorStates.Items) > 2

+ 3 - 4
e2e/suites/generator/suite_test.go

@@ -17,7 +17,6 @@ limitations under the License.
 package generator
 
 import (
-	"context"
 	"testing"
 
 	// nolint
@@ -35,7 +34,7 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
 
 	By("installing eso")
-	addon.InstallGlobalAddon(addon.NewESO(addon.WithCRDs()), cfg)
+	addon.InstallGlobalAddon(addon.NewESO(addon.WithCRDs()))
 
 	return nil
 }, func([]byte) {
@@ -49,10 +48,10 @@ var _ = SynchronizedAfterSuite(func() {
 	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
 	By("Deleting any pending generator states")
 	generatorStates := &genv1alpha1.GeneratorStateList{}
-	err := cfg.CRClient.List(context.Background(), generatorStates)
+	err := cfg.CRClient.List(GinkgoT().Context(), generatorStates)
 	Expect(err).ToNot(HaveOccurred())
 	for _, generatorState := range generatorStates.Items {
-		err = cfg.CRClient.Delete(context.Background(), &generatorState)
+		err = cfg.CRClient.Delete(GinkgoT().Context(), &generatorState)
 		Expect(err).ToNot(HaveOccurred())
 	}
 	By("Cleaning up global addons")

+ 5 - 5
e2e/suites/generator/testcase.go

@@ -17,10 +17,10 @@ limitations under the License.
 package generator
 
 import (
-	"context"
 	"time"
 
 	//nolint
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
 	// nolint
@@ -65,15 +65,15 @@ func generatorTableFunc(f *framework.Framework, tweaks ...func(*testCase)) {
 		t(tc)
 	}
 
-	err := f.CRClient.Create(context.Background(), tc.Generator)
+	err := f.CRClient.Create(GinkgoT().Context(), tc.Generator)
 	Expect(err).ToNot(HaveOccurred())
 
-	err = f.CRClient.Create(context.Background(), tc.ExternalSecret)
+	err = f.CRClient.Create(GinkgoT().Context(), tc.ExternalSecret)
 	Expect(err).ToNot(HaveOccurred())
 
 	Eventually(func() bool {
 		var es esv1.ExternalSecret
-		err = f.CRClient.Get(context.Background(), types.NamespacedName{
+		err = f.CRClient.Get(GinkgoT().Context(), types.NamespacedName{
 			Namespace: tc.ExternalSecret.Namespace,
 			Name:      tc.ExternalSecret.Name,
 		}, &es)
@@ -89,7 +89,7 @@ func generatorTableFunc(f *framework.Framework, tweaks ...func(*testCase)) {
 	}).WithTimeout(time.Second * 30).Should(BeTrue())
 
 	var secret v1.Secret
-	err = f.CRClient.Get(context.Background(), types.NamespacedName{
+	err = f.CRClient.Get(GinkgoT().Context(), types.NamespacedName{
 		Namespace: tc.ExternalSecret.Namespace,
 		Name:      tc.ExternalSecret.Spec.Target.Name,
 	}, &secret)

+ 5 - 9
e2e/suites/provider/cases/akeyless/provider.go

@@ -17,7 +17,6 @@ limitations under the License.
 package akeyless
 
 import (
-	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -89,14 +88,13 @@ func (a *akeylessProvider) CreateSecret(key string, val framework.SecretEntry) {
 	token, err := a.GetToken()
 	Expect(err).ToNot(HaveOccurred())
 
-	ctx := context.Background()
 	gsvBody := akeyless.CreateSecret{
 		Name:  key,
 		Value: val.Value,
 		Token: &token,
 	}
 
-	_, _, err = a.restAPIClient.CreateSecret(ctx).Body(gsvBody).Execute()
+	_, _, err = a.restAPIClient.CreateSecret(GinkgoT().Context()).Body(gsvBody).Execute()
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -104,13 +102,12 @@ func (a *akeylessProvider) DeleteSecret(key string) {
 	token, err := a.GetToken()
 	Expect(err).ToNot(HaveOccurred())
 
-	ctx := context.Background()
 	gsvBody := akeyless.DeleteItem{
 		Name:  key,
 		Token: &token,
 	}
 
-	_, _, err = a.restAPIClient.DeleteItem(ctx).Body(gsvBody).Execute()
+	_, _, err = a.restAPIClient.DeleteItem(GinkgoT().Context()).Body(gsvBody).Execute()
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -127,7 +124,7 @@ func (a *akeylessProvider) BeforeEach() {
 			"access-type-param": a.accessTypeParam,
 		},
 	}
-	err := a.framework.CRClient.Create(context.Background(), akeylessCreds)
+	err := a.framework.CRClient.Create(GinkgoT().Context(), akeylessCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	// Creating Akeyless secret store
@@ -159,12 +156,11 @@ func (a *akeylessProvider) BeforeEach() {
 			},
 		},
 	}
-	err = a.framework.CRClient.Create(context.Background(), secretStore)
+	err = a.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
 func (a *akeylessProvider) GetToken() (string, error) {
-	ctx := context.Background()
 	authBody := akeyless.NewAuthWithDefaults()
 	authBody.AccessId = akeyless.PtrString(a.accessID)
 
@@ -188,7 +184,7 @@ func (a *akeylessProvider) GetToken() (string, error) {
 		authBody.CloudId = akeyless.PtrString(cloudID)
 	}
 
-	authOut, _, err := a.restAPIClient.Auth(ctx).Body(*authBody).Execute()
+	authOut, _, err := a.restAPIClient.Auth(GinkgoT().Context()).Body(*authBody).Execute()
 	if errors.As(err, &apiErr) {
 		return "", fmt.Errorf("authentication failed: %v", string(apiErr.Body()))
 	}

+ 2 - 3
e2e/suites/provider/cases/alibaba/provider.go

@@ -17,7 +17,6 @@ limitations under the License.
 package alibaba
 
 import (
-	"context"
 	"os"
 
 	"github.com/aliyun/alibaba-cloud-sdk-go/services/kms"
@@ -95,7 +94,7 @@ func (s *alibabaProvider) BeforeEach() {
 			secretName: "value",
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), alibabaCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), alibabaCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	// Creating Alibaba secret store
@@ -123,6 +122,6 @@ func (s *alibabaProvider) BeforeEach() {
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }

+ 9 - 9
e2e/suites/provider/cases/aws/common.go

@@ -17,9 +17,9 @@ limitations under the License.
 package common
 
 import (
-	"context"
 
 	// nolint
+	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -119,7 +119,7 @@ func SetupSessionTagsStore(f *framework.Framework, access AccessOpts, sessionTag
 			staticySessionToken:   access.ST,
 		},
 	}
-	err := f.CRClient.Create(context.Background(), awsCreds)
+	err := f.CRClient.Create(GinkgoT().Context(), awsCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	secretStore := &esv1.SecretStore{
@@ -131,7 +131,7 @@ func SetupSessionTagsStore(f *framework.Framework, access AccessOpts, sessionTag
 			Provider: newStaticStoreProvider(serviceType, access.Region, credsName, access.Role, "", sessionTags),
 		},
 	}
-	err = f.CRClient.Create(context.Background(), secretStore)
+	err = f.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -150,7 +150,7 @@ func SetupExternalIDStore(f *framework.Framework, access AccessOpts, externalID
 			staticySessionToken:   access.ST,
 		},
 	}
-	err := f.CRClient.Create(context.Background(), awsCreds)
+	err := f.CRClient.Create(GinkgoT().Context(), awsCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	secretStore := &esv1.SecretStore{
@@ -162,7 +162,7 @@ func SetupExternalIDStore(f *framework.Framework, access AccessOpts, externalID
 			Provider: newStaticStoreProvider(serviceType, access.Region, credsName, access.Role, externalID, sessionTags),
 		},
 	}
-	err = f.CRClient.Create(context.Background(), secretStore)
+	err = f.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -180,7 +180,7 @@ func SetupStaticStore(f *framework.Framework, access AccessOpts, serviceType esv
 			staticySessionToken:   access.ST,
 		},
 	}
-	err := f.CRClient.Create(context.Background(), awsCreds)
+	err := f.CRClient.Create(GinkgoT().Context(), awsCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	secretStore := &esv1.SecretStore{
@@ -192,7 +192,7 @@ func SetupStaticStore(f *framework.Framework, access AccessOpts, serviceType esv
 			Provider: newStaticStoreProvider(serviceType, access.Region, StaticCredentialsSecretName, "", "", nil),
 		},
 	}
-	err = f.CRClient.Create(context.Background(), secretStore)
+	err = f.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -212,7 +212,7 @@ func CreateReferentStaticStore(f *framework.Framework, access AccessOpts, servic
 			staticySessionToken:   access.ST,
 		},
 	}
-	err := f.CRClient.Create(context.Background(), awsCreds)
+	err := f.CRClient.Create(GinkgoT().Context(), awsCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	secretStore := &esv1.ClusterSecretStore{
@@ -223,7 +223,7 @@ func CreateReferentStaticStore(f *framework.Framework, access AccessOpts, servic
 			Provider: newStaticStoreProvider(serviceType, access.Region, StaticReferentCredentialsSecretName, "", "", nil),
 		},
 	}
-	err = f.CRClient.Create(context.Background(), secretStore)
+	err = f.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
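Review bot: Dropping `"context"` from the import block leaves an empty first line directly after `import (`, with the `// nolint` comment and the ginkgo dot import following it; moving the dot import up to the first line (or deleting the blank line) keeps the block in the single-group shape the rest of the file uses. Every other change in this section is a mechanical `context.Background()` → `GinkgoT().Context()` swap inside node-time helpers, which is fine since all four Setup functions run from `BeforeEach`.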
 

+ 1 - 1
e2e/suites/provider/cases/aws/parameterstore/parameterstore.go

@@ -32,7 +32,7 @@ const (
 	withReferentStaticAuth = "with static referent auth"
 )
 
-var _ = Describe("[aws] ", Label("aws", "parameterstore"), func() {
+var _ = Describe("[aws] ", Label("aws", "parameterstore"), Ordered, func() {
 	f := framework.New("eso-aws-ps")
 	prov := NewFromEnv(f)
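Review bot: With `Ordered` on this top-level Describe, a single failing table entry now makes Ginkgo skip every remaining spec in the container, so later entries are no longer reported independently and one flaky provider call hides the rest of the results. If `Ordered` is only there to make `BeforeAll` legal for the shared client, the `ContinueOnFailure` decorator keeps independent reporting: `var _ = Describe("[aws] ", Label("aws", "parameterstore"), Ordered, ContinueOnFailure, func() {`. The same applies to the Describe blocks changed in parameterstore_managed.go, secretsmanager/secretsmanager.go, secretsmanager_managed.go and conjur/conjur.go. The Describe body continues outside the hunk.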
 

+ 2 - 2
e2e/suites/provider/cases/aws/parameterstore/parameterstore_managed.go

@@ -30,7 +30,7 @@ import (
 // here we use the global eso instance
 // that uses the service account in the default namespace
 // which was created by terraform.
-var _ = Describe("[awsmanaged] IRSA via referenced service account", Label("aws", "parameterstore", "managed"), func() {
+var _ = Describe("[awsmanaged] IRSA via referenced service account", Label("aws", "parameterstore", "managed"), Ordered, func() {
 	f := framework.New("eso-aws-ps-managed")
 	prov := NewFromEnv(f)
 
@@ -58,7 +58,7 @@ var _ = Describe("[awsmanaged] IRSA via referenced service account", Label("aws"
 
 // here we create a central eso instance in the default namespace
 // that mounts the service account which was created by terraform.
-var _ = Describe("[awsmanaged] with mounted IRSA", Label("aws", "parameterstore", "managed"), func() {
+var _ = Describe("[awsmanaged] with mounted IRSA", Label("aws", "parameterstore", "managed"), Ordered, func() {
 	f := framework.New("eso-aws-ps-irsa-managed")
 	prov := NewFromEnv(f)
 

+ 12 - 14
e2e/suites/provider/cases/aws/parameterstore/provider.go

@@ -52,21 +52,19 @@ type Provider struct {
 }
 
 func NewProvider(f *framework.Framework, kid, sak, st, region, saName, saNamespace string) *Provider {
-
-	config, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region), config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(kid, sak, st)))
-
-	if err != nil {
-		Fail(err.Error())
-	}
-	sm := ssm.NewFromConfig(config)
 	prov := &Provider{
 		ServiceAccountName:      saName,
 		ServiceAccountNamespace: saNamespace,
 		region:                  region,
-		client:                  sm,
 		framework:               f,
 	}
 
+	BeforeAll(func() {
+		config, err := config.LoadDefaultConfig(context.Background(), config.WithRegion(region), config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(kid, sak, st)))
+		Expect(err).ToNot(HaveOccurred())
+		prov.client = ssm.NewFromConfig(config)
+	})
+
 	BeforeEach(func() {
 		awscommon.SetupStaticStore(f, awscommon.AccessOpts{KID: kid, SAK: sak, ST: st, Region: region}, esv1.AWSServiceParameterStore)
 		awscommon.CreateReferentStaticStore(f, awscommon.AccessOpts{KID: kid, SAK: sak, ST: st, Region: region}, esv1.AWSServiceParameterStore)
@@ -107,7 +105,7 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 	if len(val.Tags) == 0 {
 		overwrite = true
 	}
-	_, err := s.client.PutParameter(context.Background(), &ssm.PutParameterInput{
+	_, err := s.client.PutParameter(GinkgoT().Context(), &ssm.PutParameterInput{
 		Name:      aws.String(key),
 		Value:     aws.String(val.Value),
 		DataType:  aws.String("text"),
@@ -120,7 +118,7 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 
 // DeleteSecret deletes a secret at the provider.
 func (s *Provider) DeleteSecret(key string) {
-	_, err := s.client.DeleteParameter(context.Background(), &ssm.DeleteParameterInput{
+	_, err := s.client.DeleteParameter(GinkgoT().Context(), &ssm.DeleteParameterInput{
 		Name: aws.String(key),
 	})
 	var nf *ssmtypes.ParameterNotFound
@@ -148,12 +146,12 @@ func (s *Provider) SetupMountedIRSAStore() {
 			},
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), secretStore)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
 func (s *Provider) TeardownMountedIRSAStore() {
-	s.framework.CRClient.Delete(context.Background(), &esv1.ClusterSecretStore{
+	s.framework.CRClient.Delete(GinkgoT().Context(), &esv1.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: awscommon.MountedIRSAStoreName(s.framework),
 		},
@@ -169,7 +167,7 @@ func (s *Provider) SetupReferencedIRSAStore() {
 			Name: awscommon.ReferencedIRSAStoreName(s.framework),
 		},
 	}
-	_, err := controllerutil.CreateOrUpdate(context.Background(), s.framework.CRClient, secretStore, func() error {
+	_, err := controllerutil.CreateOrUpdate(GinkgoT().Context(), s.framework.CRClient, secretStore, func() error {
 		secretStore.Spec.Provider = &esv1.SecretStoreProvider{
 			AWS: &esv1.AWSProvider{
 				Service: esv1.AWSServiceParameterStore,
@@ -190,7 +188,7 @@ func (s *Provider) SetupReferencedIRSAStore() {
 }
 
 func (s *Provider) TeardownReferencedIRSAStore() {
-	s.framework.CRClient.Delete(context.Background(), &esv1.ClusterSecretStore{
+	s.framework.CRClient.Delete(GinkgoT().Context(), &esv1.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: awscommon.ReferencedIRSAStoreName(s.framework),
 		},
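Review bot: `NewProvider` now registers a `BeforeAll`, which Ginkgo only accepts inside an `Ordered` container, and `prov.client` stays nil until that node runs; neither constraint is visible to callers, so a doc comment should state it, e.g. `// NewProvider must be called from an Ordered container: the SSM client is created in a BeforeAll and is nil before it runs.` The `BeforeAll` also keeps `context.Background()` for `config.LoadDefaultConfig` while every other call in this commit moved to `GinkgoT().Context()`; if that is deliberate (the config outlives the node that created it, and a node-scoped context would be cancelled once `BeforeAll` completes), a one-line comment would stop the next cleanup from "fixing" it. The same two points apply to `NewProvider` in secretsmanager/provider.go. Separately, the `Delete` calls in `TeardownMountedIRSAStore` and `TeardownReferencedIRSAStore` still discard their error; a NotFound-tolerant `Expect` would make a leaked ClusterSecretStore visible instead of silently carrying cluster-wide credentials into the next run.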

+ 13 - 12
e2e/suites/provider/cases/aws/secretsmanager/provider.go

@@ -27,6 +27,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	secretsmanagertypes "github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
+
 	//nolint
 	. "github.com/onsi/ginkgo/v2"
 
@@ -52,19 +53,19 @@ type Provider struct {
 }
 
 func NewProvider(f *framework.Framework, kid, sak, st, region, saName, saNamespace string) *Provider {
-	config, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region), config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(kid, sak, st)))
-	if err != nil {
-		Fail(err.Error())
-	}
-	sm := secretsmanager.NewFromConfig(config)
 	prov := &Provider{
 		ServiceAccountName:      saName,
 		ServiceAccountNamespace: saNamespace,
 		region:                  region,
-		client:                  sm,
 		framework:               f,
 	}
 
+	BeforeAll(func() {
+		config, err := config.LoadDefaultConfig(context.Background(), config.WithRegion(region), config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(kid, sak, st)))
+		Expect(err).ToNot(HaveOccurred())
+		prov.client = secretsmanager.NewFromConfig(config)
+	})
+
 	BeforeEach(func() {
 		awscommon.SetupStaticStore(f, awscommon.AccessOpts{KID: kid, SAK: sak, ST: st, Region: region}, esv1.AWSServiceSecretsManager)
 		awscommon.SetupExternalIDStore(
@@ -119,7 +120,7 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 	attempts := 20
 	for {
 		log.Logf("creating secret %s / attempts left: %d", key, attempts)
-		_, err := s.client.CreateSecret(context.Background(), &secretsmanager.CreateSecretInput{
+		_, err := s.client.CreateSecret(GinkgoT().Context(), &secretsmanager.CreateSecretInput{
 			Name:         aws.String(key),
 			SecretString: aws.String(val.Value),
 			Tags:         smTags,
@@ -140,7 +141,7 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 // and the removal of the secret on the provider side.
 func (s *Provider) DeleteSecret(key string) {
 	log.Logf("deleting secret %s", key)
-	_, err := s.client.DeleteSecret(context.Background(), &secretsmanager.DeleteSecretInput{
+	_, err := s.client.DeleteSecret(GinkgoT().Context(), &secretsmanager.DeleteSecretInput{
 		SecretId:                   aws.String(key),
 		ForceDeleteWithoutRecovery: aws.Bool(true),
 	})
@@ -169,12 +170,12 @@ func (s *Provider) SetupMountedIRSAStore() {
 			},
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), secretStore)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
 func (s *Provider) TeardownMountedIRSAStore() {
-	s.framework.CRClient.Delete(context.Background(), &esv1.ClusterSecretStore{
+	s.framework.CRClient.Delete(GinkgoT().Context(), &esv1.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: awscommon.MountedIRSAStoreName(s.framework),
 		},
@@ -190,7 +191,7 @@ func (s *Provider) SetupReferencedIRSAStore() {
 			Name: awscommon.ReferencedIRSAStoreName(s.framework),
 		},
 	}
-	_, err := controllerutil.CreateOrUpdate(context.Background(), s.framework.CRClient, secretStore, func() error {
+	_, err := controllerutil.CreateOrUpdate(GinkgoT().Context(), s.framework.CRClient, secretStore, func() error {
 		secretStore.Spec.Provider = &esv1.SecretStoreProvider{
 			AWS: &esv1.AWSProvider{
 				Service: esv1.AWSServiceSecretsManager,
@@ -211,7 +212,7 @@ func (s *Provider) SetupReferencedIRSAStore() {
 }
 
 func (s *Provider) TeardownReferencedIRSAStore() {
-	s.framework.CRClient.Delete(context.Background(), &esv1.ClusterSecretStore{
+	s.framework.CRClient.Delete(GinkgoT().Context(), &esv1.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: awscommon.ReferencedIRSAStoreName(s.framework),
 		},

+ 1 - 1
e2e/suites/provider/cases/aws/secretsmanager/secretsmanager.go

@@ -33,7 +33,7 @@ const (
 	withSessionTags = "with session tags"
 )
 
-var _ = Describe("[aws] ", Label("aws", "secretsmanager"), func() {
+var _ = Describe("[aws] ", Label("aws", "secretsmanager"), Ordered, func() {
 	f := framework.New("eso-aws-sm")
 	prov := NewFromEnv(f)
 

+ 2 - 2
e2e/suites/provider/cases/aws/secretsmanager/secretsmanager_managed.go

@@ -30,7 +30,7 @@ import (
 // here we use the global eso instance
 // that uses the service account in the default namespace
 // which was created by terraform.
-var _ = Describe("[awsmanaged] IRSA via referenced service account", Label("aws", "secretsmanager", "managed"), func() {
+var _ = Describe("[awsmanaged] IRSA via referenced service account", Label("aws", "secretsmanager", "managed"), Ordered, func() {
 	f := framework.New("eso-aws-managed")
 	prov := NewFromEnv(f)
 
@@ -58,7 +58,7 @@ var _ = Describe("[awsmanaged] IRSA via referenced service account", Label("aws"
 
 // here we create a central eso instance in the default namespace
 // that mounts the service account which was created by terraform.
-var _ = Describe("[awsmanaged] with mounted IRSA", Label("aws", "secretsmanager", "managed"), func() {
+var _ = Describe("[awsmanaged] with mounted IRSA", Label("aws", "secretsmanager", "managed"), Ordered, func() {
 	f := framework.New("eso-aws-managed")
 	prov := NewFromEnv(f)
 

+ 18 - 19
e2e/suites/provider/cases/azure/provider.go

@@ -16,7 +16,6 @@ limitations under the License.
 package azure
 
 import (
-	"context"
 	"os"
 	"strings"
 	"sync"
@@ -128,7 +127,7 @@ func newFromWorkloadIdentity(f *framework.Framework) *azureProvider {
 			// exchange the federated token for an access token
 			aadEndpoint := esoazkv.AadEndpointForType(esv1.AzureEnvironmentPublicCloud)
 			kvResource := strings.TrimSuffix(azure.PublicCloud.KeyVaultEndpoint, "/")
-			tokenProvider, err := esoazkv.NewTokenProvider(context.Background(), string(token), clientID, tenantID, aadEndpoint, kvResource)
+			tokenProvider, err := esoazkv.NewTokenProvider(GinkgoT().Context(), string(token), clientID, tenantID, aadEndpoint, kvResource)
 			if err != nil {
 				Fail(err.Error())
 			}
@@ -141,7 +140,7 @@ func newFromWorkloadIdentity(f *framework.Framework) *azureProvider {
 
 func (s *azureProvider) CreateSecret(key string, val framework.SecretEntry) {
 	_, err := s.client.SetSecret(
-		context.Background(),
+		GinkgoT().Context(),
 		s.vaultURL,
 		key,
 		keyvault.SecretSetParameters{
@@ -156,7 +155,7 @@ func (s *azureProvider) CreateSecret(key string, val framework.SecretEntry) {
 
 func (s *azureProvider) DeleteSecret(key string) {
 	_, err := s.client.DeleteSecret(
-		context.Background(),
+		GinkgoT().Context(),
 		s.vaultURL,
 		key)
 	Expect(err).ToNot(HaveOccurred())
@@ -164,7 +163,7 @@ func (s *azureProvider) DeleteSecret(key string) {
 
 func (s *azureProvider) CreateKey(key string) *keyvault.JSONWebKey {
 	out, err := s.client.CreateKey(
-		context.Background(),
+		GinkgoT().Context(),
 		s.vaultURL,
 		key,
 		keyvault.KeyCreateParameters{
@@ -180,13 +179,13 @@ func (s *azureProvider) CreateKey(key string) *keyvault.JSONWebKey {
 }
 
 func (s *azureProvider) DeleteKey(key string) {
-	_, err := s.client.DeleteKey(context.Background(), s.vaultURL, key)
+	_, err := s.client.DeleteKey(GinkgoT().Context(), s.vaultURL, key)
 	Expect(err).ToNot(HaveOccurred())
 }
 
 func (s *azureProvider) CreateCertificate(key string) {
 	_, err := s.client.CreateCertificate(
-		context.Background(),
+		GinkgoT().Context(),
 		s.vaultURL,
 		key,
 		keyvault.CertificateCreateParameters{
@@ -216,7 +215,7 @@ func (s *azureProvider) GetCertificate(key string) []byte {
 	attempts := 60
 	for {
 		out, err := s.client.GetCertificate(
-			context.Background(),
+			GinkgoT().Context(),
 			s.vaultURL,
 			key,
 			"",
@@ -235,7 +234,7 @@ func (s *azureProvider) GetCertificate(key string) []byte {
 }
 
 func (s *azureProvider) DeleteCertificate(key string) {
-	_, err := s.client.DeleteCertificate(context.Background(), s.vaultURL, key)
+	_, err := s.client.DeleteCertificate(GinkgoT().Context(), s.vaultURL, key)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -306,7 +305,7 @@ func (s *azureProvider) CreateSecretStore() {
 			credentialKeyClientSecret: s.clientSecret,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), azureCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), azureCreds)
 	Expect(err).ToNot(HaveOccurred())
 	secretStore := &esv1.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
@@ -319,7 +318,7 @@ func (s *azureProvider) CreateSecretStore() {
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -334,7 +333,7 @@ func (s *azureProvider) CreateSecretStoreNewSDK() {
 			credentialKeyClientSecret: s.clientSecret,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), azureCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), azureCreds)
 	// Ignore AlreadyExists error since CreateSecretStore() might have already created this secret
 	if err != nil && !apierrors.IsAlreadyExists(err) {
 		Expect(err).ToNot(HaveOccurred())
@@ -350,7 +349,7 @@ func (s *azureProvider) CreateSecretStoreNewSDK() {
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -365,7 +364,7 @@ func (s *azureProvider) CreateReferentSecretStore() {
 			credentialKeyClientSecret: s.clientSecret,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), azureCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), azureCreds)
 	Expect(err).ToNot(HaveOccurred())
 	secretStore := &esv1.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
@@ -378,7 +377,7 @@ func (s *azureProvider) CreateReferentSecretStore() {
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -393,7 +392,7 @@ func (s *azureProvider) CreateReferentSecretStoreNewSDK() {
 			credentialKeyClientSecret: s.clientSecret,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), azureCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), azureCreds)
 	Expect(err).ToNot(HaveOccurred())
 	secretStore := &esv1.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
@@ -406,7 +405,7 @@ func (s *azureProvider) CreateReferentSecretStoreNewSDK() {
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -427,7 +426,7 @@ func (s *azureProvider) CreateSecretStoreWithWI() {
 			},
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), ClusterSecretStore)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), ClusterSecretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -443,6 +442,6 @@ func (s *azureProvider) CreateReferentSecretStoreWithWI() {
 			},
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), ClusterSecretStore)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), ClusterSecretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
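Review bot: `newFromWorkloadIdentity` passes `GinkgoT().Context()` to `esoazkv.NewTokenProvider`, and that context is cancelled as soon as the node that created it finishes. If the returned token provider retains the context for later token refreshes (the `sync` import suggests the federated-token exchange happens once and the client is reused across specs), every refresh after the first spec would fail with a cancelled context; I cannot see `NewTokenProvider`'s implementation from the hunk, so this needs confirming against it. If it does retain the context, `context.Background()` with a comment explaining the lifetime is the safer choice for this single call, while the per-call `GinkgoT().Context()` swaps in `CreateSecret`, `DeleteSecret` and the store helpers are fine. The enclosing function starts outside the hunk.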

+ 2 - 2
e2e/suites/provider/cases/common/common.go

@@ -16,10 +16,10 @@ limitations under the License.
 package common
 
 import (
-	"context"
 	"fmt"
 	"time"
 
+	. "github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -731,7 +731,7 @@ func DeletionPolicyDelete(f *framework.Framework) (string, func(*framework.TestC
 			prov.DeleteSecret(remoteRefKey2)
 
 			gomega.Eventually(func() bool {
-				_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(context.Background(), secret.Name, metav1.GetOptions{})
+				_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(GinkgoT().Context(), secret.Name, metav1.GetOptions{})
 				return errors.IsNotFound(err)
 			}, time.Minute*5, time.Second*5).Should(gomega.BeTrue())
 		}
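Review bot: common.go qualifies every gomega call (`gomega.Eventually`, `gomega.BeTrue`), but the commit adds ginkgo as a dot import just for `GinkgoT().Context()`, pulling the whole DSL into package scope of a helper package. A qualified import keeps the file's convention: `ginkgo "github.com/onsi/ginkgo/v2"` with `ginkgo.GinkgoT().Context()`. `DeletionPolicyDelete` starts and ends outside the hunk.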

+ 55 - 40
e2e/suites/provider/cases/conjur/conjur.go

@@ -20,6 +20,7 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 
 	"github.com/external-secrets/external-secrets-e2e/framework"
+	"github.com/external-secrets/external-secrets-e2e/framework/addon"
 	"github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
 )
 
@@ -29,60 +30,74 @@ const (
 	withJWTK8sHostID = "with jwt k8s hostid provider"
 )
 
-var _ = Describe("[conjur]", Label("conjur"), func() {
+var _ = Describe("[conjur]", Label("conjur"), Ordered, func() {
 	f := framework.New("eso-conjur")
-	prov := newConjurProvider(f)
+	conjur := addon.NewConjur()
+	prov := newConjurProvider(f, conjur)
+
+	BeforeAll(func() {
+		addon.InstallGlobalAddon(conjur)
+	})
 
 	DescribeTable("sync secrets",
 		framework.TableFuncWithExternalSecret(f, prov),
 		// use api key auth
-		framework.Compose(withTokenAuth, f, common.FindByName, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.FindByNameAndRewrite, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.FindByTag, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.SimpleDataSync, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.SyncWithoutTargetName, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataFromSync, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataFromRewrite, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataWithProperty, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplate, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.DataPropertyDockerconfigJSON, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataWithoutTargetName, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.DecodingPolicySync, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplateFromLiteral, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.TemplateFromConfigmaps, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.SSHKeySync, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.SSHKeySyncDataProperty, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.DockerJSONConfig, useApiKeyAuth),
-		framework.Compose(withTokenAuth, f, common.NestedJSONWithGJSON, useApiKeyAuth),
+		framework.Compose(withTokenAuth, f, common.FindByName, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.FindByNameAndRewrite, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.FindByTag, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.SimpleDataSync, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.SyncWithoutTargetName, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataFromSync, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataFromRewrite, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataWithProperty, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplate, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.DataPropertyDockerconfigJSON, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataWithoutTargetName, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.DecodingPolicySync, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplateFromLiteral, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.TemplateFromConfigmaps, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.SSHKeySync, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.SSHKeySyncDataProperty, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.DockerJSONConfig, useApiKeyAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.NestedJSONWithGJSON, useApiKeyAuth(prov)),
 
 		// use jwt k8s provider
-		framework.Compose(withJWTK8s, f, common.FindByName, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.FindByNameAndRewrite, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.FindByTag, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.SimpleDataSync, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.SyncWithoutTargetName, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.JSONDataFromSync, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.JSONDataFromRewrite, useJWTK8sProvider),
+		framework.Compose(withJWTK8s, f, common.FindByName, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.FindByNameAndRewrite, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.FindByTag, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.SimpleDataSync, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.SyncWithoutTargetName, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.JSONDataFromSync, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.JSONDataFromRewrite, useJWTK8sProvider(prov)),
 
 		// use jwt k8s hostid provider
-		framework.Compose(withJWTK8sHostID, f, common.FindByName, useJWTK8sHostIDProvider),
-		framework.Compose(withJWTK8sHostID, f, common.FindByNameAndRewrite, useJWTK8sHostIDProvider),
-		framework.Compose(withJWTK8sHostID, f, common.FindByTag, useJWTK8sHostIDProvider),
-		framework.Compose(withJWTK8sHostID, f, common.SimpleDataSync, useJWTK8sHostIDProvider),
-		framework.Compose(withJWTK8sHostID, f, common.SyncWithoutTargetName, useJWTK8sHostIDProvider),
-		framework.Compose(withJWTK8sHostID, f, common.JSONDataFromSync, useJWTK8sHostIDProvider),
-		framework.Compose(withJWTK8sHostID, f, common.JSONDataFromRewrite, useJWTK8sHostIDProvider),
+		framework.Compose(withJWTK8sHostID, f, common.FindByName, useJWTK8sHostIDProvider(prov)),
+		framework.Compose(withJWTK8sHostID, f, common.FindByNameAndRewrite, useJWTK8sHostIDProvider(prov)),
+		framework.Compose(withJWTK8sHostID, f, common.FindByTag, useJWTK8sHostIDProvider(prov)),
+		framework.Compose(withJWTK8sHostID, f, common.SimpleDataSync, useJWTK8sHostIDProvider(prov)),
+		framework.Compose(withJWTK8sHostID, f, common.SyncWithoutTargetName, useJWTK8sHostIDProvider(prov)),
+		framework.Compose(withJWTK8sHostID, f, common.JSONDataFromSync, useJWTK8sHostIDProvider(prov)),
+		framework.Compose(withJWTK8sHostID, f, common.JSONDataFromRewrite, useJWTK8sHostIDProvider(prov)),
 	)
 })
 
-func useApiKeyAuth(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = tc.Framework.Namespace.Name
+func useApiKeyAuth(prov *conjurProvider) func(tc *framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateApiKeyStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = defaultStoreName
+	}
 }
 
-func useJWTK8sProvider(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtK8sProviderName
+func useJWTK8sProvider(prov *conjurProvider) func(tc *framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateJWTK8sStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtK8sProviderName
+	}
 }
 
-func useJWTK8sHostIDProvider(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtK8sHostIDProviderName
+func useJWTK8sHostIDProvider(prov *conjurProvider) func(tc *framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateJWTK8sHostIDStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtK8sHostIDProviderName
+	}
 }
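Review bot: The `BeforeAll` installs the Conjur addon via `addon.InstallGlobalAddon(conjur)` but this file registers no `AfterAll` to remove it; if teardown is expected from a suite-level "cleaning up global addons" step, a comment next to the `BeforeAll` saying so would make the ownership explicit, otherwise an `AfterAll` is missing. The `useApiKeyAuth(prov)`-style wrappers now create a SecretStore as a side effect of a test-case tweak whose name only suggests setting the store ref, which deserves a one-line comment on each, e.g. `// creates the api-key store for this spec and points the ExternalSecret at it`. The Describe body is fully inside the hunk, but `CreateApiKeyStore` and the other store helpers live in provider.go.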

+ 50 - 56
e2e/suites/provider/cases/conjur/provider.go

@@ -16,7 +16,6 @@ limitations under the License.
 package conjur
 
 import (
-	"context"
 	"encoding/base64"
 	"strings"
 
@@ -36,21 +35,27 @@ import (
 )
 
 type conjurProvider struct {
-	url       string
-	client    *conjurapi.Client
+	addon     *addon.Conjur
 	framework *framework.Framework
 }
 
 const (
+	defaultStoreName         = "conjur"
+	secretName               = "conjur-creds"
 	jwtK8sProviderName       = "jwt-k8s-provider"
 	jwtK8sHostIDProviderName = "jwt-k8s-hostid-provider"
+	hostidServiceAccountName = "test-app-hostid-sa"
+	appServiceAccountName    = "test-app-sa"
 )
 
-func newConjurProvider(f *framework.Framework) *conjurProvider {
+func newConjurProvider(f *framework.Framework, conjur *addon.Conjur) *conjurProvider {
 	prov := &conjurProvider{
 		framework: f,
+		addon:     conjur,
 	}
+
 	BeforeEach(prov.BeforeEach)
+
 	return prov
 }
 
@@ -58,31 +63,34 @@ func (s *conjurProvider) CreateSecret(key string, val framework.SecretEntry) {
 	// Generate a policy file for the secret key
 	policy := createVariablePolicy(key, s.framework.Namespace.Name, val.Tags)
 
-	_, err := s.client.LoadPolicy(conjurapi.PolicyModePost, "root", strings.NewReader(policy))
+	_, err := s.addon.ConjurClient.LoadPolicy(conjurapi.PolicyModePost, "root", strings.NewReader(policy))
 	Expect(err).ToNot(HaveOccurred())
 
 	// Add the secret value
-	err = s.client.AddSecret(key, val.Value)
+	err = s.addon.ConjurClient.AddSecret(key, val.Value)
 	Expect(err).ToNot(HaveOccurred())
 }
 
 func (s *conjurProvider) DeleteSecret(key string) {
 	policy := deleteVariablePolicy(key)
-	_, err := s.client.LoadPolicy(conjurapi.PolicyModePatch, "root", strings.NewReader(policy))
+	_, err := s.addon.ConjurClient.LoadPolicy(conjurapi.PolicyModePatch, "root", strings.NewReader(policy))
 
 	Expect(err).ToNot(HaveOccurred())
 }
 
 func (s *conjurProvider) BeforeEach() {
-	ns := s.framework.Namespace.Name
-	c := addon.NewConjur(ns)
-	s.framework.Install(c)
-	s.client = c.ConjurClient
-	s.url = c.ConjurURL
-
-	s.CreateApiKeyStore(c, ns)
-	s.CreateJWTK8sStore(c, ns)
-	s.CreateJWTK8sHostIDStore(c, ns)
+	// setup policy
+	saName := "system:serviceaccount:" + s.framework.Namespace.Name + ":" + appServiceAccountName
+	policy := createJwtHostPolicy(saName, "eso-tests")
+	_, err := s.addon.ConjurClient.LoadPolicy(conjurapi.PolicyModePost, "root", strings.NewReader(policy))
+	Expect(err).ToNot(HaveOccurred())
+
+	// setup policy
+	saName = "system:serviceaccount:" + s.framework.Namespace.Name + ":" + hostidServiceAccountName
+	policy = createJwtHostPolicy(saName, "eso-tests-hostid")
+
+	_, err = s.addon.ConjurClient.LoadPolicy(conjurapi.PolicyModePost, "root", strings.NewReader(policy))
+	Expect(err).ToNot(HaveOccurred())
 }
 
 func makeStore(name, ns string, c *addon.Conjur) *esv1.SecretStore {
@@ -102,111 +110,97 @@ func makeStore(name, ns string, c *addon.Conjur) *esv1.SecretStore {
 	}
 }
 
-func (s *conjurProvider) CreateApiKeyStore(c *addon.Conjur, ns string) {
+func (s *conjurProvider) CreateApiKeyStore() {
 	By("creating a conjur secret")
 	conjurCreds := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      ns,
-			Namespace: ns,
+			Name:      secretName,
+			Namespace: s.framework.Namespace.Name,
 		},
 		Data: map[string][]byte{
-			"apikey":   []byte(c.AdminApiKey),
+			"apikey":   []byte(s.addon.AdminApiKey),
 			"username": []byte("admin"),
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), conjurCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), conjurCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	By("creating an secret store for conjur")
-	secretStore := makeStore(ns, ns, c)
+	secretStore := makeStore(defaultStoreName, s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Conjur.Auth = esv1.ConjurAuth{
 		APIKey: &esv1.ConjurAPIKey{
 			Account: "default",
 			UserRef: &esmeta.SecretKeySelector{
-				Name: ns,
+				Name: secretName,
 				Key:  "username",
 			},
 			APIKeyRef: &esmeta.SecretKeySelector{
-				Name: ns,
+				Name: secretName,
 				Key:  "apikey",
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s conjurProvider) CreateJWTK8sStore(c *addon.Conjur, ns string) {
+func (s conjurProvider) CreateJWTK8sStore() {
 	// Create a service account
 	sa := &v1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-app-sa",
-			Namespace: ns,
+			Name:      appServiceAccountName,
+			Namespace: s.framework.Namespace.Name,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), sa)
-	Expect(err).ToNot(HaveOccurred())
-
-	// Add the service account to the Conjur policy with permissions to
-	// authenticate with authn-jwt
-	saName := "system:serviceaccount:" + ns + ":test-app-sa"
-	policy := createJwtHostPolicy(saName, "eso-tests")
-
-	_, err = s.client.LoadPolicy(conjurapi.PolicyModePost, "root", strings.NewReader(policy))
+	err := s.framework.CRClient.Create(GinkgoT().Context(), sa)
 	Expect(err).ToNot(HaveOccurred())
 
 	// Now create a secret store that uses the service account to authenticate
-	secretStore := makeStore(jwtK8sProviderName, ns, c)
+	secretStore := makeStore(jwtK8sProviderName, s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Conjur.Auth = esv1.ConjurAuth{
 		Jwt: &esv1.ConjurJWT{
 			Account:   "default",
 			ServiceID: "eso-tests",
 			ServiceAccountRef: &esmeta.ServiceAccountSelector{
-				Name: "test-app-sa",
+				Name: appServiceAccountName,
 				Audiences: []string{
-					c.ConjurURL,
+					s.addon.ConjurURL,
 				},
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s conjurProvider) CreateJWTK8sHostIDStore(c *addon.Conjur, ns string) {
+func (s conjurProvider) CreateJWTK8sHostIDStore() {
 	// Create a service account
 	sa := &v1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-app-hostid-sa",
-			Namespace: ns,
+			Name:      hostidServiceAccountName,
+			Namespace: s.framework.Namespace.Name,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), sa)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), sa)
 	Expect(err).ToNot(HaveOccurred())
 
-	// Add the service account to the Conjur policy with permissions to
-	// authenticate with authn-jwt
-	saName := "system:serviceaccount:" + ns + ":test-app-hostid-sa"
-	policy := createJwtHostPolicy(saName, "eso-tests-hostid")
-
-	_, err = s.client.LoadPolicy(conjurapi.PolicyModePost, "root", strings.NewReader(policy))
-	Expect(err).ToNot(HaveOccurred())
+	saName := "system:serviceaccount:" + s.framework.Namespace.Name + ":" + hostidServiceAccountName
 
 	// Now create a secret store that uses the service account to authenticate
-	secretStore := makeStore(jwtK8sHostIDProviderName, ns, c)
+	secretStore := makeStore(jwtK8sHostIDProviderName, s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Conjur.Auth = esv1.ConjurAuth{
 		Jwt: &esv1.ConjurJWT{
 			Account:   "default",
 			HostID:    "host/" + saName,
 			ServiceID: "eso-tests-hostid",
 			ServiceAccountRef: &esmeta.ServiceAccountSelector{
-				Name: "test-app-hostid-sa",
+				Name: hostidServiceAccountName,
 				Audiences: []string{
-					c.ConjurURL,
+					s.addon.ConjurURL,
 				},
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
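Review bot: CreateApiKeyStore keeps a pointer receiver (`func (s *conjurProvider) CreateApiKeyStore()`) while CreateJWTK8sStore and CreateJWTK8sHostIDStore use value receivers; now that all three read only `s.addon` and `s.framework`, the mixed receivers are a style inconsistency, and `func (s *conjurProvider) CreateJWTK8sStore()` / `func (s *conjurProvider) CreateJWTK8sHostIDStore()` would match the rest of the type. The two identical `// setup policy` comments in BeforeEach replaced the removed explanation of what each policy grants; `// grant the app service account the right to authenticate via authn-jwt (service id eso-tests)` and a matching line for the hostid service account would keep that context. Since the Conjur addon is now injected once via newConjurProvider rather than installed in BeforeEach, and BeforeEach posts both host policies on every test, it is worth confirming that re-posting a host for an already-seen namespace is harmless; I cannot tell from the hunk whether the framework namespace is fresh per test.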

+ 18 - 36
e2e/suites/provider/cases/delinea/delinea.go

@@ -23,61 +23,43 @@ import (
 	"github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-var _ = ginkgo.Describe("[delinea]", ginkgo.Label("delinea"), func() {
+var _ = Describe("[delinea]", Label("delinea"), func() {
 
 	f := framework.New("eso-delinea")
 
 	// Initialization is deferred so that assertions work.
 	provider := &secretStoreProvider{}
 
-	ginkgo.BeforeEach(func() {
+	BeforeEach(func() {
 
 		cfg, err := loadConfigFromEnv()
 		gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
 		provider.init(cfg)
 
-		createResources(context.Background(), f, cfg)
+		createResources(GinkgoT().Context(), f, cfg)
 	})
 
-	ginkgo.DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, provider),
-
-		ginkgo.Entry(common.JSONDataWithProperty(f)),
-		ginkgo.Entry(common.JSONDataWithoutTargetName(f)),
-		ginkgo.Entry(common.JSONDataWithTemplate(f)),
-		ginkgo.Entry(common.JSONDataWithTemplateFromLiteral(f)),
-		ginkgo.Entry(common.TemplateFromConfigmaps(f)),
-		ginkgo.Entry(common.JSONDataFromSync(f)),
-		ginkgo.Entry(common.JSONDataFromRewrite(f)),
-		ginkgo.Entry(common.NestedJSONWithGJSON(f)),
-		ginkgo.Entry(common.DockerJSONConfig(f)),
-		ginkgo.Entry(common.DataPropertyDockerconfigJSON(f)),
-		ginkgo.Entry(common.SSHKeySyncDataProperty(f)),
-		ginkgo.Entry(common.DecodingPolicySync(f)),
-
-		// V1Alpha1 is not supported.
-		// ginkgo.Entry(common.SyncV1Alpha1(f)),
-
-		// Non-JSON values are not supported by DSV.
-		// ginkgo.Entry(common.SimpleDataSync(f)),
-		// ginkgo.Entry(common.SyncWithoutTargetName(f)),
-		// ginkgo.Entry(common.SSHKeySync(f)),
-		// ginkgo.Entry(common.DeletionPolicyDelete(f)),
-
-		// FindByName is not supported.
-		// ginkgo.Entry(common.FindByName(f)),
-		// ginkgo.Entry(common.FindByNameAndRewrite(f)),
-		// ginkgo.Entry(common.FindByNameWithPath(f)),
-
-		// FindByTag is not supported.
-		// ginkgo.Entry(common.FindByTag(f)),
-		// ginkgo.Entry(common.FindByTagWithPath(f)),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, provider),
+
+		Entry(common.JSONDataWithProperty(f)),
+		Entry(common.JSONDataWithoutTargetName(f)),
+		Entry(common.JSONDataWithTemplate(f)),
+		Entry(common.JSONDataWithTemplateFromLiteral(f)),
+		Entry(common.TemplateFromConfigmaps(f)),
+		Entry(common.JSONDataFromSync(f)),
+		Entry(common.JSONDataFromRewrite(f)),
+		Entry(common.NestedJSONWithGJSON(f)),
+		Entry(common.DockerJSONConfig(f)),
+		Entry(common.DataPropertyDockerconfigJSON(f)),
+		Entry(common.SSHKeySyncDataProperty(f)),
+		Entry(common.DecodingPolicySync(f)),
 	)
 })
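Review bot: The removed commented-out entries carried the reason each group of common cases is excluded for DSV (V1Alpha1 unsupported, non-JSON values unsupported, FindByName and FindByTag unsupported), and that rationale no longer appears anywhere in the file. A short comment above `DescribeTable`, e.g. `// DSV does not support v1alpha1, non-JSON values, FindByName or FindByTag; those common cases are intentionally omitted.`, would stop the next reader from re-adding them. The dot-import of ginkgo on the new side also means `Describe`, `Entry` and friends are now unqualified while gomega calls stay `gomega.Expect`; either both dot-imported (as scaleway.go and secretserver.go do in this commit) or neither would be more consistent.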
 

+ 5 - 6
e2e/suites/provider/cases/fake/provider.go

@@ -17,7 +17,6 @@ limitations under the License.
 package fake
 
 import (
-	"context"
 	"encoding/json"
 
 	// nolint
@@ -47,7 +46,7 @@ func NewProvider(f *framework.Framework) *Provider {
 
 func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 	var store esv1.SecretStore
-	err := s.framework.CRClient.Get(context.Background(), types.NamespacedName{
+	err := s.framework.CRClient.Get(GinkgoT().Context(), types.NamespacedName{
 		Namespace: s.framework.Namespace.Name,
 		Name:      s.framework.Namespace.Name,
 	}, &store)
@@ -60,7 +59,7 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 		Key:   key,
 		Value: val.Value,
 	})
-	err = s.framework.CRClient.Patch(context.Background(), &store, client.MergeFrom(base))
+	err = s.framework.CRClient.Patch(GinkgoT().Context(), &store, client.MergeFrom(base))
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -70,7 +69,7 @@ func (s *Provider) BeforeEach() {
 
 func (s *Provider) DeleteSecret(key string) {
 	var store esv1.SecretStore
-	err := s.framework.CRClient.Get(context.Background(), types.NamespacedName{
+	err := s.framework.CRClient.Get(GinkgoT().Context(), types.NamespacedName{
 		Namespace: s.framework.Namespace.Name,
 		Name:      s.framework.Namespace.Name,
 	}, &store)
@@ -83,7 +82,7 @@ func (s *Provider) DeleteSecret(key string) {
 		}
 	}
 	store.Spec.Provider.Fake.Data = data
-	err = s.framework.CRClient.Patch(context.Background(), &store, client.MergeFrom(base))
+	err = s.framework.CRClient.Patch(GinkgoT().Context(), &store, client.MergeFrom(base))
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -103,6 +102,6 @@ func (s *Provider) CreateStore() {
 			},
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), fakeStore)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), fakeStore)
 	Expect(err).ToNot(HaveOccurred())
 }

+ 14 - 16
e2e/suites/provider/cases/gcp/provider.go

@@ -103,8 +103,7 @@ func (s *GcpProvider) getClient(ctx context.Context) (client *secretmanager.Clie
 }
 
 func (s *GcpProvider) CreateSecret(key string, val framework.SecretEntry) {
-	ctx := context.Background()
-	client, err := s.getClient(ctx)
+	client, err := s.getClient(GinkgoT().Context())
 	Expect(err).ToNot(HaveOccurred())
 	defer client.Close()
 	// Create the request to create the secret.
@@ -120,7 +119,7 @@ func (s *GcpProvider) CreateSecret(key string, val framework.SecretEntry) {
 			},
 		},
 	}
-	secret, err := client.CreateSecret(ctx, createSecretReq)
+	secret, err := client.CreateSecret(GinkgoT().Context(), createSecretReq)
 	Expect(err).ToNot(HaveOccurred())
 	addSecretVersionReq := &secretmanagerpb.AddSecretVersionRequest{
 		Parent: secret.Name,
@@ -128,20 +127,19 @@ func (s *GcpProvider) CreateSecret(key string, val framework.SecretEntry) {
 			Data: []byte(val.Value),
 		},
 	}
-	_, err = client.AddSecretVersion(ctx, addSecretVersionReq)
+	_, err = client.AddSecretVersion(GinkgoT().Context(), addSecretVersionReq)
 	Expect(err).ToNot(HaveOccurred())
 }
 
 func (s *GcpProvider) DeleteSecret(key string) {
-	ctx := context.Background()
-	client, err := s.getClient(ctx)
+	client, err := s.getClient(GinkgoT().Context())
 	Expect(err).ToNot(HaveOccurred())
 	Expect(err).ToNot(HaveOccurred())
 	defer client.Close()
 	req := &secretmanagerpb.DeleteSecretRequest{
 		Name: fmt.Sprintf("projects/%s/secrets/%s", s.projectID, key),
 	}
-	err = client.DeleteSecret(ctx, req)
+	err = client.DeleteSecret(GinkgoT().Context(), req)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -178,9 +176,9 @@ func (s *GcpProvider) CreateSAKeyStore() {
 			serviceAccountKey: s.credentials,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), gcpCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), gcpCreds)
 	if err != nil {
-		err = s.framework.CRClient.Update(context.Background(), gcpCreds)
+		err = s.framework.CRClient.Update(GinkgoT().Context(), gcpCreds)
 		Expect(err).ToNot(HaveOccurred())
 	}
 	secretStore := makeStore(s)
@@ -192,7 +190,7 @@ func (s *GcpProvider) CreateSAKeyStore() {
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -206,9 +204,9 @@ func (s *GcpProvider) CreateReferentSAKeyStore() {
 			serviceAccountKey: s.credentials,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), gcpCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), gcpCreds)
 	if err != nil {
-		err = s.framework.CRClient.Update(context.Background(), gcpCreds)
+		err = s.framework.CRClient.Update(GinkgoT().Context(), gcpCreds)
 		Expect(err).ToNot(HaveOccurred())
 	}
 
@@ -233,7 +231,7 @@ func (s *GcpProvider) CreateReferentSAKeyStore() {
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), css)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), css)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -244,7 +242,7 @@ func referentName(f *framework.Framework) string {
 func (s *GcpProvider) CreatePodIDStore() {
 	secretStore := makeStore(s)
 	secretStore.ObjectMeta.Name = PodIDSecretStoreName
-	err := s.framework.CRClient.Create(context.Background(), secretStore)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -258,7 +256,7 @@ func (s *GcpProvider) CreateSpecifcSASecretStore() {
 			Name: s.SAClusterSecretStoreName(),
 		},
 	}
-	_, err := controllerutil.CreateOrUpdate(context.Background(), s.framework.CRClient, clusterSecretStore, func() error {
+	_, err := controllerutil.CreateOrUpdate(GinkgoT().Context(), s.framework.CRClient, clusterSecretStore, func() error {
 		clusterSecretStore.Spec.Controller = s.controllerClass
 		clusterSecretStore.Spec.Provider = &esv1.SecretStoreProvider{
 			GCPSM: &esv1.GCPSMProvider{
@@ -283,7 +281,7 @@ func (s *GcpProvider) CreateSpecifcSASecretStore() {
 // Cleanup removes global resources that may have been
 // created by this provider.
 func (s *GcpProvider) DeleteSpecifcSASecretStore() {
-	err := s.framework.CRClient.Delete(context.Background(), &esv1.ClusterSecretStore{
+	err := s.framework.CRClient.Delete(GinkgoT().Context(), &esv1.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: s.SAClusterSecretStoreName(),
 		},
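Review bot: `GinkgoT().Context()` is now evaluated three times in CreateSecret and twice in DeleteSecret, where the previous code captured one `ctx` per method; `ctx := GinkgoT().Context()` at the top of each method, passed to getClient and the request calls, keeps a single context per method and reads closer to the code it replaces. The duplicated `Expect(err).ToNot(HaveOccurred())` on consecutive lines in DeleteSecret is carried over unchanged and one of them can go. In CreateSAKeyStore and CreateReferentSAKeyStore the `if err != nil { Update }` fallback still treats any Create error as "already exists", so a permission or validation error is masked until the Update fails; checking for an already-exists error before falling back would be more precise, though that predates this commit.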

+ 2 - 3
e2e/suites/provider/cases/gitlab/provider.go

@@ -17,7 +17,6 @@ limitations under the License.
 package gitlab
 
 import (
-	"context"
 	"os"
 	"strings"
 
@@ -113,7 +112,7 @@ func (s *gitlabProvider) BeforeEach() {
 			"environment": s.environment,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), gitlabCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), gitlabCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	// Create a secret store - change these values to match YAML
@@ -140,6 +139,6 @@ func (s *gitlabProvider) BeforeEach() {
 		},
 	}
 
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }

+ 8 - 9
e2e/suites/provider/cases/kubernetes/provider.go

@@ -17,7 +17,6 @@ limitations under the License.
 package kubernetes
 
 import (
-	"context"
 	"encoding/json"
 	"fmt"
 
@@ -64,7 +63,7 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 	for k, v := range stringMap {
 		secret.Data[k] = []byte(v)
 	}
-	err = s.framework.CRClient.Create(context.Background(), secret)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secret)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -80,7 +79,7 @@ func (s *Provider) DeleteSecret(key string) {
 			Namespace: s.framework.Namespace.Name,
 		},
 	}
-	err := s.framework.CRClient.Delete(context.Background(), secret, &client.DeleteOptions{})
+	err := s.framework.CRClient.Delete(GinkgoT().Context(), secret, &client.DeleteOptions{})
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -156,13 +155,13 @@ func makeDefaultStore(suffix, namespace string) (*rbac.Role, *rbac.RoleBinding,
 func (s *Provider) CreateStore() {
 	rb, role, store := makeDefaultStore("", s.framework.Namespace.Name)
 
-	err := s.framework.CRClient.Create(context.Background(), role)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), role)
 	Expect(err).ToNot(HaveOccurred())
 
-	err = s.framework.CRClient.Create(context.Background(), rb)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), rb)
 	Expect(err).ToNot(HaveOccurred())
 
-	err = s.framework.CRClient.Create(context.Background(), store)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), store)
 	Expect(err).ToNot(HaveOccurred())
 }
 
@@ -178,13 +177,13 @@ func (s *Provider) CreateReferentStore() {
 	}
 	css.Spec.Provider.Kubernetes.Server.CAProvider.Namespace = &s.framework.Namespace.Name
 
-	err := s.framework.CRClient.Create(context.Background(), role)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), role)
 	Expect(err).ToNot(HaveOccurred())
 
-	err = s.framework.CRClient.Create(context.Background(), rb)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), rb)
 	Expect(err).ToNot(HaveOccurred())
 
-	err = s.framework.CRClient.Create(context.Background(), css)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), css)
 	Expect(err).ToNot(HaveOccurred())
 }
 

+ 2 - 2
e2e/suites/provider/cases/oracle/provider.go

@@ -105,7 +105,7 @@ func (p *oracleProvider) BeforeEach() {
 			secretName: "value",
 		},
 	}
-	err := p.framework.CRClient.Create(context.Background(), OracleCreds)
+	err := p.framework.CRClient.Create(GinkgoT().Context(), OracleCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	secretStore := &esv1.SecretStore{
@@ -136,6 +136,6 @@ func (p *oracleProvider) BeforeEach() {
 			},
 		},
 	}
-	err = p.framework.CRClient.Create(context.Background(), secretStore)
+	err = p.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }

+ 34 - 35
e2e/suites/provider/cases/scaleway/scaleway.go

@@ -24,15 +24,15 @@ import (
 	"github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/onsi/ginkgo/v2"
-	"github.com/onsi/gomega"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 var cleanupOnce sync.Once
 
-var _ = ginkgo.Describe("[scaleway]", ginkgo.Label("scaleway"), func() {
+var _ = Describe("[scaleway]", Label("scaleway"), func() {
 
 	f := framework.New("eso-scaleway")
 	f.MakeRemoteRefKey = func(base string) string {
@@ -42,44 +42,44 @@ var _ = ginkgo.Describe("[scaleway]", ginkgo.Label("scaleway"), func() {
 	// Initialization is deferred so that assertions work.
 	provider := &secretStoreProvider{}
 
-	ginkgo.BeforeEach(func() {
+	BeforeEach(func() {
 
 		cfg, err := loadConfigFromEnv()
-		gomega.Expect(err).ToNot(gomega.HaveOccurred())
+		Expect(err).ToNot(HaveOccurred())
 
 		provider.init(cfg)
 
 		cleanupOnce.Do(provider.cleanup)
 
-		createResources(context.Background(), f, cfg)
+		createResources(GinkgoT().Context(), f, cfg)
 	})
 
-	ginkgo.DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, provider),
-
-		//ginkgo.Entry(common.SyncV1Alpha1(f)), // not supported
-		ginkgo.Entry(common.SimpleDataSync(f)),
-		ginkgo.Entry(common.SyncWithoutTargetName(f)),
-		ginkgo.Entry(common.JSONDataWithProperty(f)),
-		ginkgo.Entry(common.JSONDataWithoutTargetName(f)),
-		ginkgo.Entry(common.JSONDataWithTemplate(f)),
-		ginkgo.Entry(common.JSONDataWithTemplateFromLiteral(f)),
-		ginkgo.Entry(common.TemplateFromConfigmaps(f)),
-		ginkgo.Entry(common.JSONDataFromSync(f)),
-		ginkgo.Entry(common.JSONDataFromRewrite(f)),
-		ginkgo.Entry(common.NestedJSONWithGJSON(f)),
-		ginkgo.Entry(common.DockerJSONConfig(f)),
-		ginkgo.Entry(common.DataPropertyDockerconfigJSON(f)),
-		ginkgo.Entry(common.SSHKeySync(f)),
-		ginkgo.Entry(common.SSHKeySyncDataProperty(f)),
-		ginkgo.Entry(common.DeletionPolicyDelete(f)),
-		//ginkgo.Entry(common.DecodingPolicySync(f)), // not supported
-
-		ginkgo.Entry(common.FindByName(f)),
-		ginkgo.Entry(common.FindByNameAndRewrite(f)),
-		//ginkgo.Entry(common.FindByNameWithPath(f)), // not supported
-
-		ginkgo.Entry(common.FindByTag(f)),
-		//ginkgo.Entry(common.FindByTagWithPath(f)), // not supported
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, provider),
+
+		//Entry(common.SyncV1Alpha1(f)), // not supported
+		Entry(common.SimpleDataSync(f)),
+		Entry(common.SyncWithoutTargetName(f)),
+		Entry(common.JSONDataWithProperty(f)),
+		Entry(common.JSONDataWithoutTargetName(f)),
+		Entry(common.JSONDataWithTemplate(f)),
+		Entry(common.JSONDataWithTemplateFromLiteral(f)),
+		Entry(common.TemplateFromConfigmaps(f)),
+		Entry(common.JSONDataFromSync(f)),
+		Entry(common.JSONDataFromRewrite(f)),
+		Entry(common.NestedJSONWithGJSON(f)),
+		Entry(common.DockerJSONConfig(f)),
+		Entry(common.DataPropertyDockerconfigJSON(f)),
+		Entry(common.SSHKeySync(f)),
+		Entry(common.SSHKeySyncDataProperty(f)),
+		Entry(common.DeletionPolicyDelete(f)),
+		//Entry(common.DecodingPolicySync(f)), // not supported
+
+		Entry(common.FindByName(f)),
+		Entry(common.FindByNameAndRewrite(f)),
+		//Entry(common.FindByNameWithPath(f)), // not supported
+
+		Entry(common.FindByTag(f)),
+		//Entry(common.FindByTagWithPath(f)), // not supported
 	)
 })
 
@@ -89,7 +89,6 @@ func createResources(ctx context.Context, f *framework.Framework, cfg *config) {
 	apiKeySecretKey := "secret-key"
 
 	// Creating a secret to hold the API key.
-
 	secretSpec := v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      apiKeySecretName,
@@ -101,7 +100,7 @@ func createResources(ctx context.Context, f *framework.Framework, cfg *config) {
 	}
 
 	err := f.CRClient.Create(ctx, &secretSpec)
-	gomega.Expect(err).ToNot(gomega.HaveOccurred())
+	Expect(err).ToNot(HaveOccurred())
 
 	// Creating SecretStore.
 
@@ -134,5 +133,5 @@ func createResources(ctx context.Context, f *framework.Framework, cfg *config) {
 	}
 
 	err = f.CRClient.Create(ctx, &secretStoreSpec)
-	gomega.Expect(err).ToNot(gomega.HaveOccurred())
+	Expect(err).ToNot(HaveOccurred())
 }

+ 21 - 21
e2e/suites/provider/cases/secretserver/secretserver.go

@@ -24,41 +24,41 @@ import (
 	"github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/onsi/ginkgo/v2"
-	"github.com/onsi/gomega"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-var _ = ginkgo.Describe("[secretserver]", ginkgo.Label("secretserver"), func() {
+var _ = Describe("[secretserver]", Label("secretserver"), func() {
 
 	f := framework.New("eso-secretserver")
 
 	// Initialization is deferred so that assertions work.
 	provider := &secretStoreProvider{}
 
-	ginkgo.BeforeEach(func() {
+	BeforeEach(func() {
 
 		cfg, err := loadConfigFromEnv()
-		gomega.Expect(err).ToNot(gomega.HaveOccurred())
+		Expect(err).ToNot(HaveOccurred())
 
 		provider.init(cfg, f)
-		createResources(context.Background(), f, cfg)
+		createResources(GinkgoT().Context(), f, cfg)
 	})
 
-	ginkgo.DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, provider),
-		ginkgo.Entry(common.JSONDataWithTemplate(f)),
-		ginkgo.Entry(common.JSONDataWithProperty(f)),
-		ginkgo.Entry(common.JSONDataWithoutTargetName(f)),
-		ginkgo.Entry(common.JSONDataWithTemplateFromLiteral(f)),
-		ginkgo.Entry(common.TemplateFromConfigmaps(f)),
-		ginkgo.Entry(common.JSONDataFromSync(f)),    // <--
-		ginkgo.Entry(common.JSONDataFromRewrite(f)), // <--
-		ginkgo.Entry(common.NestedJSONWithGJSON(f)),
-		ginkgo.Entry(common.DockerJSONConfig(f)),
-		ginkgo.Entry(common.DataPropertyDockerconfigJSON(f)),
-		ginkgo.Entry(common.SSHKeySyncDataProperty(f)),
-		ginkgo.Entry(common.DecodingPolicySync(f)), // <--
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, provider),
+		Entry(common.JSONDataWithTemplate(f)),
+		Entry(common.JSONDataWithProperty(f)),
+		Entry(common.JSONDataWithoutTargetName(f)),
+		Entry(common.JSONDataWithTemplateFromLiteral(f)),
+		Entry(common.TemplateFromConfigmaps(f)),
+		Entry(common.JSONDataFromSync(f)),    // <--
+		Entry(common.JSONDataFromRewrite(f)), // <--
+		Entry(common.NestedJSONWithGJSON(f)),
+		Entry(common.DockerJSONConfig(f)),
+		Entry(common.DataPropertyDockerconfigJSON(f)),
+		Entry(common.SSHKeySyncDataProperty(f)),
+		Entry(common.DecodingPolicySync(f)), // <--
 	)
 })
 
@@ -78,7 +78,7 @@ func createResources(ctx context.Context, f *framework.Framework, cfg *config) {
 	}
 
 	err := f.CRClient.Create(ctx, &secretSpec)
-	gomega.Expect(err).ToNot(gomega.HaveOccurred())
+	Expect(err).ToNot(HaveOccurred())
 
 	// Creating SecretStore.
 	secretStoreSpec := esv1.SecretStore{
@@ -105,5 +105,5 @@ func createResources(ctx context.Context, f *framework.Framework, cfg *config) {
 	}
 
 	err = f.CRClient.Create(ctx, &secretStoreSpec)
-	gomega.Expect(err).ToNot(gomega.HaveOccurred())
+	Expect(err).ToNot(HaveOccurred())
 }

+ 1 - 2
e2e/suites/provider/cases/template/provider.go

@@ -17,7 +17,6 @@ limitations under the License.
 package template
 
 import (
-	"context"
 
 	// nolint
 	. "github.com/onsi/ginkgo/v2"
@@ -84,6 +83,6 @@ func (s *templateProvider) BeforeEach() {
 		},
 	}
 
-	err := s.framework.CRClient.Create(context.Background(), secretStore)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }

+ 14 - 12
e2e/suites/provider/cases/template/template.go

@@ -25,7 +25,9 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
-	"github.com/onsi/gomega"
+
+	// nolint
+	. "github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -136,10 +138,10 @@ func genericPushSecretTemplate(f *framework.Framework) (string, func(*framework.
 			},
 		}
 		tc.VerifyPushSecretOutcome = func(sourcePs *esv1alpha1.PushSecret, pushClient esv1.SecretsClient) {
-			gomega.Eventually(func() bool {
+			Eventually(func() bool {
 				s := &esv1alpha1.PushSecret{}
-				err := tc.Framework.CRClient.Get(context.Background(), types.NamespacedName{Name: tc.PushSecret.Name, Namespace: tc.PushSecret.Namespace}, s)
-				gomega.Expect(err).ToNot(gomega.HaveOccurred())
+				err := tc.Framework.CRClient.Get(GinkgoT().Context(), types.NamespacedName{Name: tc.PushSecret.Name, Namespace: tc.PushSecret.Namespace}, s)
+				Expect(err).ToNot(HaveOccurred())
 				for i := range s.Status.Conditions {
 					c := s.Status.Conditions[i]
 					if c.Type == esv1alpha1.PushSecretReady && c.Status == v1.ConditionTrue {
@@ -148,7 +150,7 @@ func genericPushSecretTemplate(f *framework.Framework) (string, func(*framework.
 				}
 
 				return false
-			}, time.Minute*1, time.Second*5).Should(gomega.BeTrue())
+			}, time.Minute*1, time.Second*5).Should(BeTrue())
 
 			// create an external secret that fetches the created remote secret
 			// and check the value
@@ -177,12 +179,12 @@ func genericPushSecretTemplate(f *framework.Framework) (string, func(*framework.
 				},
 			}
 
-			err := tc.Framework.CRClient.Create(context.Background(), es)
-			gomega.Expect(err).ToNot(gomega.HaveOccurred())
+			err := tc.Framework.CRClient.Create(GinkgoT().Context(), es)
+			Expect(err).ToNot(HaveOccurred())
 
 			outputSecret := &v1.Secret{}
-			err = wait.PollImmediate(time.Second*5, time.Second*15, func() (bool, error) {
-				err := f.CRClient.Get(context.Background(), types.NamespacedName{
+			err = wait.PollUntilContextTimeout(GinkgoT().Context(), time.Second*5, time.Second*15, true, func(ctx context.Context) (bool, error) {
+				err := f.CRClient.Get(ctx, types.NamespacedName{
 					Namespace: f.Namespace.Name,
 					Name:      exampleOutput,
 				}, outputSecret)
@@ -191,11 +193,11 @@ func genericPushSecretTemplate(f *framework.Framework) (string, func(*framework.
 				}
 				return true, nil
 			})
-			gomega.Expect(err).ToNot(gomega.HaveOccurred())
+			Expect(err).ToNot(HaveOccurred())
 
 			v, ok := outputSecret.Data[exampleOutput]
-			gomega.Expect(ok).To(gomega.BeTrue())
-			gomega.Expect(string(v)).To(gomega.Equal("executed: BAR"))
+			Expect(ok).To(BeTrue())
+			Expect(string(v)).To(Equal("executed: BAR"))
 		}
 	}
 }
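Review bot: Inside the `Eventually` callback the Get error is asserted with `Expect(err).ToNot(HaveOccurred())`, so a transient API error fails the spec outright instead of letting Eventually retry; `if err != nil { return false }` is the usual shape for a polled condition, with the final timeout reporting the failure. The move to `wait.PollUntilContextTimeout` correctly threads the callback's `ctx` into the inner Get, but the body between the Get and `return true, nil` is outside the hunk, so I cannot see how a non-NotFound error is handled there. The enclosing function genericPushSecretTemplate starts and ends outside the hunk.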

+ 98 - 113
e2e/suites/provider/cases/vault/provider.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"time"
 
 	vault "github.com/hashicorp/vault/api"
 
@@ -38,6 +39,7 @@ import (
 )
 
 type vaultProvider struct {
+	addon     *addon.Vault
 	url       string
 	mtlsUrl   string
 	client    *vault.Client
@@ -65,10 +67,12 @@ var (
 	invalidMtlSuffix = "-invalid-mtls"
 )
 
-func newVaultProvider(f *framework.Framework) *vaultProvider {
+func newVaultProvider(f *framework.Framework, addon *addon.Vault) *vaultProvider {
 	prov := &vaultProvider{
+		addon:     addon,
 		framework: f,
 	}
+
 	BeforeEach(prov.BeforeEach)
 	AfterEach(prov.AfterEach)
 	return prov
@@ -78,74 +82,57 @@ func newVaultProvider(f *framework.Framework) *vaultProvider {
 func (s *vaultProvider) CreateSecret(key string, val framework.SecretEntry) {
 	req := s.client.NewRequest(http.MethodPost, fmt.Sprintf("/v1/secret/data/%s", key))
 	req.BodyBytes = []byte(fmt.Sprintf(`{"data": %s}`, val.Value))
-	_, err := s.client.RawRequestWithContext(context.Background(), req) //nolint:staticcheck
+	_, err := s.client.RawRequestWithContext(GinkgoT().Context(), req) //nolint:staticcheck
 	Expect(err).ToNot(HaveOccurred())
 
 	req = s.client.NewRequest(http.MethodPost, fmt.Sprintf("/v1/secret_v1/%s", key))
 	req.BodyBytes = []byte(val.Value)
-	_, err = s.client.RawRequestWithContext(context.Background(), req) //nolint:staticcheck
+	_, err = s.client.RawRequestWithContext(GinkgoT().Context(), req) //nolint:staticcheck
 	Expect(err).ToNot(HaveOccurred())
 }
 
 func (s *vaultProvider) DeleteSecret(key string) {
 	req := s.client.NewRequest(http.MethodDelete, fmt.Sprintf("/v1/secret/data/%s", key))
-	_, err := s.client.RawRequestWithContext(context.Background(), req) //nolint:staticcheck
+	_, err := s.client.RawRequestWithContext(GinkgoT().Context(), req) //nolint:staticcheck
 	Expect(err).ToNot(HaveOccurred())
 
 	req = s.client.NewRequest(http.MethodDelete, fmt.Sprintf("/v1/secret_v1/%s", key))
-	_, err = s.client.RawRequestWithContext(context.Background(), req) //nolint:staticcheck
+	_, err = s.client.RawRequestWithContext(GinkgoT().Context(), req) //nolint:staticcheck
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s *vaultProvider) BeforeEach() {
-	ns := s.framework.Namespace.Name
-	v := addon.NewVault(ns)
-	s.framework.Install(v)
-	s.client = v.VaultClient
-	s.url = v.VaultURL
-	s.mtlsUrl = v.VaultMtlsURL
-
-	mtlsCustomizer := func(provider *vaultProvider, secret *v1.Secret, secretStore *metav1.ObjectMeta, secretStoreSpec *esv1.SecretStoreSpec, isClusterStore bool) {
-		secret.Name = secret.Name + mtlsSuffix
-		secretStore.Name = secretStore.Name + mtlsSuffix
-		secretStoreSpec.Provider.Vault.Server = provider.mtlsUrl
-		secretStoreSpec.Provider.Vault.ClientTLS = esv1.VaultClientTLS{
-			CertSecretRef: &esmeta.SecretKeySelector{
-				Name: clientTlsCertName,
-			},
-			KeySecretRef: &esmeta.SecretKeySelector{
-				Name: clientTlsCertName,
-			},
-		}
-		if isClusterStore {
-			secretStoreSpec.Provider.Vault.ClientTLS.CertSecretRef.Namespace = &provider.framework.Namespace.Name
-			secretStoreSpec.Provider.Vault.ClientTLS.KeySecretRef.Namespace = &provider.framework.Namespace.Name
-		}
+func WithMTLS(provider *vaultProvider, secret *v1.Secret, secretStore *metav1.ObjectMeta, secretStoreSpec *esv1.SecretStoreSpec, isClusterStore bool) {
+	provider.CreateClientTlsCert()
+	secret.Name = secret.Name + mtlsSuffix
+	secretStore.Name = secretStore.Name + mtlsSuffix
+	secretStoreSpec.Provider.Vault.Server = provider.mtlsUrl
+	secretStoreSpec.Provider.Vault.ClientTLS = esv1.VaultClientTLS{
+		CertSecretRef: &esmeta.SecretKeySelector{
+			Name: clientTlsCertName,
+		},
+		KeySecretRef: &esmeta.SecretKeySelector{
+			Name: clientTlsCertName,
+		},
 	}
-
-	invalidMtlsCustomizer := func(provider *vaultProvider, secret *v1.Secret, secretStore *metav1.ObjectMeta, secretStoreSpec *esv1.SecretStoreSpec, isClusterStore bool) {
-		secret.Name = secret.Name + invalidMtlSuffix
-		secretStore.Name = secretStore.Name + invalidMtlSuffix
-		secretStoreSpec.Provider.Vault.Server = provider.mtlsUrl
+	if isClusterStore {
+		secretStoreSpec.Provider.Vault.ClientTLS.CertSecretRef.Namespace = &provider.framework.Namespace.Name
+		secretStoreSpec.Provider.Vault.ClientTLS.KeySecretRef.Namespace = &provider.framework.Namespace.Name
 	}
+}
 
-	s.CreateClientTlsCert(v, ns)
-	s.CreateCertStore(v, ns)
-	s.CreateTokenStore(v, ns)
-	s.CreateAppRoleStore(v, ns)
-	s.CreateV1Store(v, ns)
-	s.CreateJWTStore(v, ns)
-	s.CreateJWTK8sStore(v, ns)
-	s.CreateKubernetesAuthStore(v, ns)
-	s.CreateReferentTokenStore(v, ns)
-	s.CreateTokenStore(v, ns, mtlsCustomizer)
-	s.CreateReferentTokenStore(v, ns, mtlsCustomizer)
-	s.CreateTokenStore(v, ns, invalidMtlsCustomizer)
+func WithInvalidMTLS(provider *vaultProvider, secret *v1.Secret, secretStore *metav1.ObjectMeta, secretStoreSpec *esv1.SecretStoreSpec, isClusterStore bool) {
+	secret.Name = secret.Name + invalidMtlSuffix
+	secretStore.Name = secretStore.Name + invalidMtlSuffix
+	secretStoreSpec.Provider.Vault.Server = provider.mtlsUrl
+}
+
+func (s *vaultProvider) BeforeEach() {
+	s.client = s.addon.VaultClient
+	s.url = s.addon.VaultURL
+	s.mtlsUrl = s.addon.VaultMtlsURL
 }
 
 func (s *vaultProvider) AfterEach() {
-	s.DeleteClusterSecretStore(referentSecretStoreName(s.framework))
-	s.DeleteClusterSecretStore(referentSecretStoreName(s.framework) + mtlsSuffix)
 }
 
 func makeStore(name, ns string, v *addon.Vault) *esv1.SecretStore {
@@ -175,44 +162,44 @@ func makeClusterStore(name, ns string, v *addon.Vault) *esv1.ClusterSecretStore
 	}
 }
 
-func (s *vaultProvider) CreateClientTlsCert(v *addon.Vault, ns string) {
+func (s *vaultProvider) CreateClientTlsCert() {
 	By("creating a secret containing the Vault TLS client certificate")
-	clientCert := v.ClientCert
-	clientKey := v.ClientKey
+	clientCert := s.addon.ClientCert
+	clientKey := s.addon.ClientKey
 	vaultClientCert := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      clientTlsCertName,
-			Namespace: ns,
+			Namespace: s.framework.Namespace.Name,
 		},
 		Data: map[string][]byte{
 			"tls.crt": clientCert,
 			"tls.key": clientKey,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), vaultClientCert)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), vaultClientCert)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s *vaultProvider) CreateCertStore(v *addon.Vault, ns string) {
+func (s *vaultProvider) CreateCertStore() {
 	By("creating a vault secret")
-	clientCert := v.ClientCert
-	clientKey := v.ClientKey
+	clientCert := s.addon.ClientCert
+	clientKey := s.addon.ClientKey
 	vaultCreds := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      certAuthProviderName,
-			Namespace: ns,
+			Namespace: s.framework.Namespace.Name,
 		},
 		Data: map[string][]byte{
-			"token":       []byte(v.RootToken),
+			"token":       []byte(s.addon.RootToken),
 			"client_cert": clientCert,
 			"client_key":  clientKey,
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), vaultCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), vaultCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	By("creating an secret store for vault")
-	secretStore := makeStore(certAuthProviderName, ns, v)
+	secretStore := makeStore(certAuthProviderName, s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Vault.Auth = &esv1.VaultAuth{
 		Cert: &esv1.VaultCertAuth{
 			ClientCert: esmeta.SecretKeySelector{
@@ -225,21 +212,21 @@ func (s *vaultProvider) CreateCertStore(v *addon.Vault, ns string) {
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s vaultProvider) CreateTokenStore(v *addon.Vault, ns string, customizers ...StoreCustomizer) {
+func (s vaultProvider) CreateTokenStore(customizers ...StoreCustomizer) {
 	vaultCreds := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "token-provider",
-			Namespace: ns,
+			Namespace: s.framework.Namespace.Name,
 		},
 		Data: map[string][]byte{
-			"token": []byte(v.RootToken),
+			"token": []byte(s.addon.RootToken),
 		},
 	}
-	secretStore := makeStore(s.framework.Namespace.Name, ns, v)
+	secretStore := makeStore(s.framework.Namespace.Name, s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Vault.Auth = &esv1.VaultAuth{
 		TokenSecretRef: &esmeta.SecretKeySelector{
 			Name: vaultCreds.Name,
@@ -251,26 +238,26 @@ func (s vaultProvider) CreateTokenStore(v *addon.Vault, ns string, customizers .
 	}
 
 	secretStore.Spec.Provider.Vault.Auth.TokenSecretRef.Name = vaultCreds.Name
-	err := s.framework.CRClient.Create(context.Background(), vaultCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), vaultCreds)
 	Expect(err).ToNot(HaveOccurred())
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
 // CreateReferentTokenStore creates a secret in the ExternalSecrets
 // namespace and creates a ClusterSecretStore with an empty namespace
 // that can be used to test the referent namespace feature.
-func (s vaultProvider) CreateReferentTokenStore(v *addon.Vault, ns string, customizers ...StoreCustomizer) {
+func (s vaultProvider) CreateReferentTokenStore(customizers ...StoreCustomizer) {
 	referentSecret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      referentSecretName,
 			Namespace: s.framework.Namespace.Name,
 		},
 		Data: map[string][]byte{
-			referentKey: []byte(v.RootToken),
+			referentKey: []byte(s.addon.RootToken),
 		},
 	}
-	secretStore := makeClusterStore(referentSecretStoreName(s.framework), ns, v)
+	secretStore := makeClusterStore(referentSecretStoreName(s.framework), s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Vault.Auth = &esv1.VaultAuth{
 		TokenSecretRef: &esmeta.SecretKeySelector{
 			Name: referentSecret.Name,
@@ -281,65 +268,63 @@ func (s vaultProvider) CreateReferentTokenStore(v *addon.Vault, ns string, custo
 		customizer(&s, referentSecret, &secretStore.ObjectMeta, &secretStore.Spec, true)
 	}
 
+	DeferCleanup(func() {
+		// cannot use ginkgo context nested in DeferCleanup
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+		defer cancel()
+		s.framework.CRClient.Delete(ctx, secretStore)
+	})
+
 	secretStore.Spec.Provider.Vault.Auth.TokenSecretRef.Name = referentSecret.Name
-	_, err := s.framework.KubeClientSet.CoreV1().Secrets(s.framework.Namespace.Name).Create(context.Background(), referentSecret, metav1.CreateOptions{})
+	_, err := s.framework.KubeClientSet.CoreV1().Secrets(s.framework.Namespace.Name).Create(GinkgoT().Context(), referentSecret, metav1.CreateOptions{})
 	Expect(err).ToNot(HaveOccurred())
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s *vaultProvider) DeleteClusterSecretStore(name string) {
-	err := s.framework.CRClient.Delete(context.Background(), &esv1.ClusterSecretStore{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: name,
-		},
-	})
-	Expect(err).ToNot(HaveOccurred())
-}
-
-func (s vaultProvider) CreateAppRoleStore(v *addon.Vault, ns string) {
+func (s vaultProvider) CreateAppRoleStore() {
 	By("creating a vault secret")
 	vaultCreds := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      appRoleAuthProviderName,
-			Namespace: ns,
+			Namespace: s.framework.Namespace.Name,
 		},
 		Data: map[string][]byte{
-			"approle_secret": []byte(v.AppRoleSecret),
+			"approle_secret": []byte(s.addon.AppRoleSecret),
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), vaultCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), vaultCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	By("creating an secret store for vault")
-	secretStore := makeStore(appRoleAuthProviderName, ns, v)
+	secretStore := makeStore(appRoleAuthProviderName, s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Vault.Auth = &esv1.VaultAuth{
 		AppRole: &esv1.VaultAppRole{
-			Path:   v.AppRolePath,
-			RoleID: v.AppRoleID,
+			Path:   s.addon.AppRolePath,
+			RoleID: s.addon.AppRoleID,
 			SecretRef: esmeta.SecretKeySelector{
 				Name: appRoleAuthProviderName,
 				Key:  "approle_secret",
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s vaultProvider) CreateV1Store(v *addon.Vault, ns string) {
+func (s vaultProvider) CreateV1Store() {
 	vaultCreds := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "v1-provider",
-			Namespace: ns,
+			Namespace: s.framework.Namespace.Name,
 		},
 		Data: map[string][]byte{
-			"token": []byte(v.RootToken),
+			"token": []byte(s.addon.RootToken),
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), vaultCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), vaultCreds)
 	Expect(err).ToNot(HaveOccurred())
-	secretStore := makeStore(kvv1ProviderName, ns, v)
+	secretStore := makeStore(kvv1ProviderName, s.framework.Namespace.Name, s.addon)
 	secretV1StorePath := "secret_v1"
 	secretStore.Spec.Provider.Vault.Version = esv1.VaultKVStoreV1
 	secretStore.Spec.Provider.Vault.Path = &secretV1StorePath
@@ -349,43 +334,43 @@ func (s vaultProvider) CreateV1Store(v *addon.Vault, ns string) {
 			Key:  "token",
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s vaultProvider) CreateJWTStore(v *addon.Vault, ns string) {
+func (s vaultProvider) CreateJWTStore() {
 	vaultCreds := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      jwtProviderSecretName,
-			Namespace: ns,
+			Namespace: s.framework.Namespace.Name,
 		},
 		Data: map[string][]byte{
-			"jwt": []byte(v.JWTToken),
+			"jwt": []byte(s.addon.JWTToken),
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), vaultCreds)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), vaultCreds)
 	Expect(err).ToNot(HaveOccurred())
-	secretStore := makeStore(jwtProviderName, ns, v)
+	secretStore := makeStore(jwtProviderName, s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Vault.Auth = &esv1.VaultAuth{
 		Jwt: &esv1.VaultJwtAuth{
-			Path: v.JWTPath,
-			Role: v.JWTRole,
+			Path: s.addon.JWTPath,
+			Role: s.addon.JWTRole,
 			SecretRef: &esmeta.SecretKeySelector{
 				Name: jwtProviderSecretName,
 				Key:  "jwt",
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s vaultProvider) CreateJWTK8sStore(v *addon.Vault, ns string) {
-	secretStore := makeStore(jwtK8sProviderName, ns, v)
+func (s vaultProvider) CreateJWTK8sStore() {
+	secretStore := makeStore(jwtK8sProviderName, s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Vault.Auth = &esv1.VaultAuth{
 		Jwt: &esv1.VaultJwtAuth{
-			Path: v.JWTK8sPath,
-			Role: v.JWTRole,
+			Path: s.addon.JWTK8sPath,
+			Role: s.addon.JWTRole,
 			KubernetesServiceAccountToken: &esv1.VaultKubernetesServiceAccountTokenAuth{
 				ServiceAccountRef: esmeta.ServiceAccountSelector{
 					Name: "default",
@@ -396,22 +381,22 @@ func (s vaultProvider) CreateJWTK8sStore(v *addon.Vault, ns string) {
 			},
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), secretStore)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s vaultProvider) CreateKubernetesAuthStore(v *addon.Vault, ns string) {
-	secretStore := makeStore(kubernetesProviderName, ns, v)
+func (s vaultProvider) CreateKubernetesAuthStore() {
+	secretStore := makeStore(kubernetesProviderName, s.framework.Namespace.Name, s.addon)
 	secretStore.Spec.Provider.Vault.Auth = &esv1.VaultAuth{
 		Kubernetes: &esv1.VaultKubernetesAuth{
-			Path: v.KubernetesAuthPath,
-			Role: v.KubernetesAuthRole,
+			Path: s.addon.KubernetesAuthPath,
+			Role: s.addon.KubernetesAuthRole,
 			ServiceAccountRef: &esmeta.ServiceAccountSelector{
 				Name: "default",
 			},
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), secretStore)
+	err := s.framework.CRClient.Create(GinkgoT().Context(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
 

+ 234 - 194
e2e/suites/provider/cases/vault/vault.go

@@ -30,6 +30,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 
 	"github.com/external-secrets/external-secrets-e2e/framework"
+	"github.com/external-secrets/external-secrets-e2e/framework/addon"
 	"github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
@@ -47,257 +48,296 @@ const (
 	withReferentAuthAndMTLS = "with referent provider and mTLS"
 )
 
-var _ = Describe("[vault]", Label("vault"), func() {
-	f := framework.New("eso-vault")
-	prov := newVaultProvider(f)
+var _ = Describe("[vault]", Label("vault"), Ordered, func() {
+	f := framework.New("vault")
+	vault := addon.NewVault()
+	prov := newVaultProvider(f, vault)
+
+	BeforeAll(func() {
+		addon.InstallGlobalAddon(vault)
+	})
 
 	DescribeTable("sync secrets",
 		framework.TableFuncWithExternalSecret(f, prov),
 		// uses token auth
-		framework.Compose(withTokenAuth, f, common.FindByName, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.FindByNameAndRewrite, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataFromSync, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataFromRewrite, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataWithProperty, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplate, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.DataPropertyDockerconfigJSON, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataWithoutTargetName, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.DecodingPolicySync, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplateFromLiteral, useTokenAuth),
-		framework.Compose(withTokenAuth, f, common.TemplateFromConfigmaps, useTokenAuth),
+		framework.Compose(withTokenAuth, f, common.FindByName, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.FindByNameAndRewrite, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataFromSync, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataFromRewrite, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataWithProperty, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplate, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.DataPropertyDockerconfigJSON, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataWithoutTargetName, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.DecodingPolicySync, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplateFromLiteral, useTokenAuth(prov)),
+		framework.Compose(withTokenAuth, f, common.TemplateFromConfigmaps, useTokenAuth(prov)),
 		// use cert auth
-		framework.Compose(withCertAuth, f, common.FindByName, useCertAuth),
-		framework.Compose(withCertAuth, f, common.FindByNameAndRewrite, useCertAuth),
-		framework.Compose(withCertAuth, f, common.JSONDataFromSync, useCertAuth),
-		framework.Compose(withCertAuth, f, common.JSONDataFromRewrite, useCertAuth),
-		framework.Compose(withCertAuth, f, common.JSONDataWithProperty, useCertAuth),
-		framework.Compose(withCertAuth, f, common.JSONDataWithTemplate, useCertAuth),
-		framework.Compose(withCertAuth, f, common.DataPropertyDockerconfigJSON, useCertAuth),
-		framework.Compose(withCertAuth, f, common.JSONDataWithoutTargetName, useCertAuth),
+		framework.Compose(withCertAuth, f, common.FindByName, useCertAuth(prov)),
+		framework.Compose(withCertAuth, f, common.FindByNameAndRewrite, useCertAuth(prov)),
+		framework.Compose(withCertAuth, f, common.JSONDataFromSync, useCertAuth(prov)),
+		framework.Compose(withCertAuth, f, common.JSONDataFromRewrite, useCertAuth(prov)),
+		framework.Compose(withCertAuth, f, common.JSONDataWithProperty, useCertAuth(prov)),
+		framework.Compose(withCertAuth, f, common.JSONDataWithTemplate, useCertAuth(prov)),
+		framework.Compose(withCertAuth, f, common.DataPropertyDockerconfigJSON, useCertAuth(prov)),
+		framework.Compose(withCertAuth, f, common.JSONDataWithoutTargetName, useCertAuth(prov)),
 		// use approle auth
-		framework.Compose(withApprole, f, common.FindByName, useApproleAuth),
-		framework.Compose(withApprole, f, common.FindByNameAndRewrite, useApproleAuth),
-		framework.Compose(withApprole, f, common.JSONDataFromSync, useApproleAuth),
-		framework.Compose(withApprole, f, common.JSONDataFromRewrite, useApproleAuth),
-		framework.Compose(withApprole, f, common.JSONDataWithProperty, useApproleAuth),
-		framework.Compose(withApprole, f, common.JSONDataWithTemplate, useApproleAuth),
-		framework.Compose(withApprole, f, common.DataPropertyDockerconfigJSON, useApproleAuth),
-		framework.Compose(withApprole, f, common.JSONDataWithoutTargetName, useApproleAuth),
+		framework.Compose(withApprole, f, common.FindByName, useApproleAuth(prov)),
+		framework.Compose(withApprole, f, common.FindByNameAndRewrite, useApproleAuth(prov)),
+		framework.Compose(withApprole, f, common.JSONDataFromSync, useApproleAuth(prov)),
+		framework.Compose(withApprole, f, common.JSONDataFromRewrite, useApproleAuth(prov)),
+		framework.Compose(withApprole, f, common.JSONDataWithProperty, useApproleAuth(prov)),
+		framework.Compose(withApprole, f, common.JSONDataWithTemplate, useApproleAuth(prov)),
+		framework.Compose(withApprole, f, common.DataPropertyDockerconfigJSON, useApproleAuth(prov)),
+		framework.Compose(withApprole, f, common.JSONDataWithoutTargetName, useApproleAuth(prov)),
 		// use v1 provider
-		framework.Compose(withV1, f, common.FindByName, useV1Provider),
-		framework.Compose(withV1, f, common.FindByNameAndRewrite, useV1Provider),
-		framework.Compose(withV1, f, common.JSONDataFromSync, useV1Provider),
-		framework.Compose(withV1, f, common.JSONDataFromRewrite, useV1Provider),
-		framework.Compose(withV1, f, common.JSONDataWithProperty, useV1Provider),
-		framework.Compose(withV1, f, common.JSONDataWithTemplate, useV1Provider),
-		framework.Compose(withV1, f, common.DataPropertyDockerconfigJSON, useV1Provider),
-		framework.Compose(withV1, f, common.JSONDataWithoutTargetName, useV1Provider),
+		framework.Compose(withV1, f, common.FindByName, useV1Provider(prov)),
+		framework.Compose(withV1, f, common.FindByNameAndRewrite, useV1Provider(prov)),
+		framework.Compose(withV1, f, common.JSONDataFromSync, useV1Provider(prov)),
+		framework.Compose(withV1, f, common.JSONDataFromRewrite, useV1Provider(prov)),
+		framework.Compose(withV1, f, common.JSONDataWithProperty, useV1Provider(prov)),
+		framework.Compose(withV1, f, common.JSONDataWithTemplate, useV1Provider(prov)),
+		framework.Compose(withV1, f, common.DataPropertyDockerconfigJSON, useV1Provider(prov)),
+		framework.Compose(withV1, f, common.JSONDataWithoutTargetName, useV1Provider(prov)),
 		// use jwt provider
-		framework.Compose(withJWT, f, common.FindByName, useJWTProvider),
-		framework.Compose(withJWT, f, common.FindByNameAndRewrite, useJWTProvider),
-		framework.Compose(withJWT, f, common.JSONDataFromSync, useJWTProvider),
-		framework.Compose(withJWT, f, common.JSONDataFromRewrite, useJWTProvider),
-		framework.Compose(withJWT, f, common.JSONDataWithProperty, useJWTProvider),
-		framework.Compose(withJWT, f, common.JSONDataWithTemplate, useJWTProvider),
-		framework.Compose(withJWT, f, common.DataPropertyDockerconfigJSON, useJWTProvider),
-		framework.Compose(withJWT, f, common.JSONDataWithoutTargetName, useJWTProvider),
+		framework.Compose(withJWT, f, common.FindByName, useJWTProvider(prov)),
+		framework.Compose(withJWT, f, common.FindByNameAndRewrite, useJWTProvider(prov)),
+		framework.Compose(withJWT, f, common.JSONDataFromSync, useJWTProvider(prov)),
+		framework.Compose(withJWT, f, common.JSONDataFromRewrite, useJWTProvider(prov)),
+		framework.Compose(withJWT, f, common.JSONDataWithProperty, useJWTProvider(prov)),
+		framework.Compose(withJWT, f, common.JSONDataWithTemplate, useJWTProvider(prov)),
+		framework.Compose(withJWT, f, common.DataPropertyDockerconfigJSON, useJWTProvider(prov)),
+		framework.Compose(withJWT, f, common.JSONDataWithoutTargetName, useJWTProvider(prov)),
 		// use jwt k8s provider
-		framework.Compose(withJWTK8s, f, common.JSONDataFromSync, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.JSONDataFromRewrite, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.JSONDataWithProperty, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.JSONDataWithTemplate, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.DataPropertyDockerconfigJSON, useJWTK8sProvider),
-		framework.Compose(withJWTK8s, f, common.JSONDataWithoutTargetName, useJWTK8sProvider),
+		framework.Compose(withJWTK8s, f, common.JSONDataFromSync, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.JSONDataFromRewrite, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.JSONDataWithProperty, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.JSONDataWithTemplate, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.DataPropertyDockerconfigJSON, useJWTK8sProvider(prov)),
+		framework.Compose(withJWTK8s, f, common.JSONDataWithoutTargetName, useJWTK8sProvider(prov)),
 		// use kubernetes provider
-		framework.Compose(withK8s, f, common.FindByName, useKubernetesProvider),
-		framework.Compose(withK8s, f, common.FindByNameAndRewrite, useKubernetesProvider),
-		framework.Compose(withK8s, f, common.JSONDataFromSync, useKubernetesProvider),
-		framework.Compose(withK8s, f, common.JSONDataFromRewrite, useKubernetesProvider),
-		framework.Compose(withK8s, f, common.JSONDataWithProperty, useKubernetesProvider),
-		framework.Compose(withK8s, f, common.JSONDataWithTemplate, useKubernetesProvider),
-		framework.Compose(withK8s, f, common.DataPropertyDockerconfigJSON, useKubernetesProvider),
-		framework.Compose(withK8s, f, common.JSONDataWithoutTargetName, useKubernetesProvider),
+		framework.Compose(withK8s, f, common.FindByName, useKubernetesProvider(prov)),
+		framework.Compose(withK8s, f, common.FindByNameAndRewrite, useKubernetesProvider(prov)),
+		framework.Compose(withK8s, f, common.JSONDataFromSync, useKubernetesProvider(prov)),
+		framework.Compose(withK8s, f, common.JSONDataFromRewrite, useKubernetesProvider(prov)),
+		framework.Compose(withK8s, f, common.JSONDataWithProperty, useKubernetesProvider(prov)),
+		framework.Compose(withK8s, f, common.JSONDataWithTemplate, useKubernetesProvider(prov)),
+		framework.Compose(withK8s, f, common.DataPropertyDockerconfigJSON, useKubernetesProvider(prov)),
+		framework.Compose(withK8s, f, common.JSONDataWithoutTargetName, useKubernetesProvider(prov)),
 		// use referent auth
-		framework.Compose(withReferentAuth, f, common.JSONDataFromSync, useReferentAuth),
+		framework.Compose(withReferentAuth, f, common.JSONDataFromSync, useReferentAuth(prov)),
 		// vault-specific test cases
-		Entry("secret value via data without property should return json-encoded string", Label("json"), testJSONWithoutProperty),
-		Entry("secret value via data with property should return json-encoded string", Label("json"), testJSONWithProperty),
-		Entry("dataFrom without property should extract key/value pairs", Label("json"), testDataFromJSONWithoutProperty),
-		Entry("dataFrom with property should extract key/value pairs", Label("json"), testDataFromJSONWithProperty),
+		Entry("secret value via data without property should return json-encoded string", Label("json"), testJSONWithoutProperty(prov)),
+		Entry("secret value via data with property should return json-encoded string", Label("json"), testJSONWithProperty(prov)),
+		Entry("dataFrom without property should extract key/value pairs", Label("json"), testDataFromJSONWithoutProperty(prov)),
+		Entry("dataFrom with property should extract key/value pairs", Label("json"), testDataFromJSONWithProperty(prov)),
+		// mTLS
+		framework.Compose(withTokenAuthAndMTLS, f, common.FindByName, useMTLSAndTokenAuth(prov)),
+		framework.Compose(withReferentAuthAndMTLS, f, common.JSONDataFromSync, useMTLSAndReferentAuth(prov)),
+		Entry("store without clientTLS configuration should not be valid", Label("vault-invalid-store"), testInvalidMtlsStore(prov)),
 	)
 })
 
-var _ = Describe("[vault] with mTLS", Label("vault", "vault-mtls"), func() {
-	f := framework.New("eso-vault")
-	prov := newVaultProvider(f)
-
-	DescribeTable("sync secrets",
-		framework.TableFuncWithExternalSecret(f, prov),
-		// uses token auth
-		framework.Compose(withTokenAuthAndMTLS, f, common.FindByName, useMTLSAndTokenAuth),
-		// use referent auth
-		framework.Compose(withReferentAuthAndMTLS, f, common.JSONDataFromSync, useMTLSAndReferentAuth),
-		// vault-specific test cases
-		Entry("store without clientTLS configuration should not be valid", Label("vault-invalid-store"), testInvalidMtlsStore),
-	)
-})
-
-func useTokenAuth(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = tc.Framework.Namespace.Name
+func useTokenAuth(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateTokenStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = tc.Framework.Namespace.Name
+	}
 }
 
-func useMTLSAndTokenAuth(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = tc.Framework.Namespace.Name + mtlsSuffix
+func useMTLSAndTokenAuth(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateTokenStore(WithMTLS)
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = tc.Framework.Namespace.Name + mtlsSuffix
+	}
 }
 
-func useCertAuth(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = certAuthProviderName
+func useCertAuth(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateCertStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = certAuthProviderName
+	}
 }
 
-func useApproleAuth(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = appRoleAuthProviderName
+func useApproleAuth(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateAppRoleStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = appRoleAuthProviderName
+	}
 }
 
-func useV1Provider(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = kvv1ProviderName
+func useV1Provider(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateV1Store()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = kvv1ProviderName
+	}
 }
 
-func useJWTProvider(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtProviderName
+func useJWTProvider(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateJWTStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtProviderName
+	}
 }
 
-func useJWTK8sProvider(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtK8sProviderName
+func useJWTK8sProvider(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateJWTK8sStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtK8sProviderName
+	}
 }
 
-func useKubernetesProvider(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = kubernetesProviderName
+func useKubernetesProvider(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateKubernetesAuthStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = kubernetesProviderName
+	}
 }
 
-func useReferentAuth(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = referentSecretStoreName(tc.Framework)
-	tc.ExternalSecret.Spec.SecretStoreRef.Kind = esapi.ClusterSecretStoreKind
+func useReferentAuth(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateReferentTokenStore()
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = referentSecretStoreName(tc.Framework)
+		tc.ExternalSecret.Spec.SecretStoreRef.Kind = esapi.ClusterSecretStoreKind
+	}
 }
 
-func useMTLSAndReferentAuth(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Name = referentSecretStoreName(tc.Framework) + mtlsSuffix
-	tc.ExternalSecret.Spec.SecretStoreRef.Kind = esapi.ClusterSecretStoreKind
+func useMTLSAndReferentAuth(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateReferentTokenStore(WithMTLS)
+		tc.ExternalSecret.Spec.SecretStoreRef.Name = referentSecretStoreName(tc.Framework) + mtlsSuffix
+		tc.ExternalSecret.Spec.SecretStoreRef.Kind = esapi.ClusterSecretStoreKind
+	}
 }
 
 const jsonVal = `{"foo":{"nested":{"bar":"mysecret","baz":"bang"}}}`
 
 // when no property is set it should return the json-encoded at path.
-func testJSONWithoutProperty(tc *framework.TestCase) {
-	secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
-	tc.Secrets = map[string]framework.SecretEntry{
-		secretKey: {Value: jsonVal},
-	}
-	tc.ExpectedSecret = &v1.Secret{
-		Type: v1.SecretTypeOpaque,
-		Data: map[string][]byte{
-			secretKey: []byte(jsonVal),
-		},
-	}
-	tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
-		{
-			SecretKey: secretKey,
-			RemoteRef: esapi.ExternalSecretDataRemoteRef{
-				Key: secretKey,
+func testJSONWithoutProperty(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateTokenStore()
+		secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
+		tc.Secrets = map[string]framework.SecretEntry{
+			secretKey: {Value: jsonVal},
+		}
+		tc.ExpectedSecret = &v1.Secret{
+			Type: v1.SecretTypeOpaque,
+			Data: map[string][]byte{
+				secretKey: []byte(jsonVal),
 			},
-		},
+		}
+		tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
+			{
+				SecretKey: secretKey,
+				RemoteRef: esapi.ExternalSecretDataRemoteRef{
+					Key: secretKey,
+				},
+			},
+		}
 	}
 }
 
 // when property is set it should return the json-encoded at path.
-func testJSONWithProperty(tc *framework.TestCase) {
-	secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
-	expectedVal := `{"bar":"mysecret","baz":"bang"}`
-	tc.Secrets = map[string]framework.SecretEntry{
-		secretKey: {Value: jsonVal},
-	}
-	tc.ExpectedSecret = &v1.Secret{
-		Type: v1.SecretTypeOpaque,
-		Data: map[string][]byte{
-			secretKey: []byte(expectedVal),
-		},
-	}
-	tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
-		{
-			SecretKey: secretKey,
-			RemoteRef: esapi.ExternalSecretDataRemoteRef{
-				Key:      secretKey,
-				Property: "foo.nested",
+func testJSONWithProperty(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateTokenStore()
+		secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
+		expectedVal := `{"bar":"mysecret","baz":"bang"}`
+		tc.Secrets = map[string]framework.SecretEntry{
+			secretKey: {Value: jsonVal},
+		}
+		tc.ExpectedSecret = &v1.Secret{
+			Type: v1.SecretTypeOpaque,
+			Data: map[string][]byte{
+				secretKey: []byte(expectedVal),
+			},
+		}
+		tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
+			{
+				SecretKey: secretKey,
+				RemoteRef: esapi.ExternalSecretDataRemoteRef{
+					Key:      secretKey,
+					Property: "foo.nested",
+				},
 			},
-		},
+		}
 	}
 }
 
 // when no property is set it should extract the key/value pairs at the given path
 // note: it should json-encode if a value contains nested data
-func testDataFromJSONWithoutProperty(tc *framework.TestCase) {
-	secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
-	tc.Secrets = map[string]framework.SecretEntry{
-		secretKey: {Value: jsonVal},
-	}
-	tc.ExpectedSecret = &v1.Secret{
-		Type: v1.SecretTypeOpaque,
-		Data: map[string][]byte{
-			"foo": []byte(`{"nested":{"bar":"mysecret","baz":"bang"}}`),
-		},
-	}
-	tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
-		{
-			Extract: &esapi.ExternalSecretDataRemoteRef{
-				Key: secretKey,
+func testDataFromJSONWithoutProperty(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateTokenStore()
+		secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
+		tc.Secrets = map[string]framework.SecretEntry{
+			secretKey: {Value: jsonVal},
+		}
+		tc.ExpectedSecret = &v1.Secret{
+			Type: v1.SecretTypeOpaque,
+			Data: map[string][]byte{
+				"foo": []byte(`{"nested":{"bar":"mysecret","baz":"bang"}}`),
+			},
+		}
+		tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
+			{
+				Extract: &esapi.ExternalSecretDataRemoteRef{
+					Key: secretKey,
+				},
 			},
-		},
+		}
 	}
 }
 
 // when property is set it should extract values with dataFrom at the given path.
-func testDataFromJSONWithProperty(tc *framework.TestCase) {
-	secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
-	tc.Secrets = map[string]framework.SecretEntry{
-		secretKey: {Value: jsonVal},
-	}
-	tc.ExpectedSecret = &v1.Secret{
-		Type: v1.SecretTypeOpaque,
-		Data: map[string][]byte{
-			"bar": []byte(`mysecret`),
-			"baz": []byte(`bang`),
-		},
-	}
-	tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
-		{
-			Extract: &esapi.ExternalSecretDataRemoteRef{
-				Key:      secretKey,
-				Property: "foo.nested",
+func testDataFromJSONWithProperty(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateTokenStore()
+		secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
+		tc.Secrets = map[string]framework.SecretEntry{
+			secretKey: {Value: jsonVal},
+		}
+		tc.ExpectedSecret = &v1.Secret{
+			Type: v1.SecretTypeOpaque,
+			Data: map[string][]byte{
+				"bar": []byte(`mysecret`),
+				"baz": []byte(`bang`),
+			},
+		}
+		tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
+			{
+				Extract: &esapi.ExternalSecretDataRemoteRef{
+					Key:      secretKey,
+					Property: "foo.nested",
+				},
 			},
-		},
+		}
 	}
 }
 
-func testInvalidMtlsStore(tc *framework.TestCase) {
-	tc.ExternalSecret = nil
-	tc.ExpectedSecret = nil
+func testInvalidMtlsStore(prov *vaultProvider) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		prov.CreateTokenStore(WithInvalidMTLS)
+		tc.ExternalSecret = nil
+		tc.ExpectedSecret = nil
 
-	err := wait.PollUntilContextTimeout(context.Background(), time.Second*10, time.Minute, true, func(context context.Context) (bool, error) {
-		var ss esapi.SecretStore
-		err := tc.Framework.CRClient.Get(context, types.NamespacedName{
-			Namespace: tc.Framework.Namespace.Name,
-			Name:      tc.Framework.Namespace.Name + invalidMtlSuffix,
-		}, &ss)
-		if apierrors.IsNotFound(err) {
-			return false, nil
-		}
-		if len(ss.Status.Conditions) == 0 {
-			return false, nil
-		}
-		Expect(string(ss.Status.Conditions[0].Type)).Should(Equal("Ready"))
-		Expect(string(ss.Status.Conditions[0].Status)).Should(Equal("False"))
-		Expect(ss.Status.Conditions[0].Reason).Should(Equal("InvalidProviderConfig"))
-		Expect(ss.Status.Conditions[0].Message).Should(ContainSubstring("unable to validate store"))
-		return true, nil
-	})
-	Expect(err).ToNot(HaveOccurred())
+		err := wait.PollUntilContextTimeout(GinkgoT().Context(), time.Second*10, time.Minute, true, func(ctx context.Context) (bool, error) {
+			var ss esapi.SecretStore
+			err := tc.Framework.CRClient.Get(ctx, types.NamespacedName{
+				Namespace: tc.Framework.Namespace.Name,
+				Name:      tc.Framework.Namespace.Name + invalidMtlSuffix,
+			}, &ss)
+			if apierrors.IsNotFound(err) {
+				return false, nil
+			}
+			if len(ss.Status.Conditions) == 0 {
+				return false, nil
+			}
+			Expect(string(ss.Status.Conditions[0].Type)).Should(Equal("Ready"))
+			Expect(string(ss.Status.Conditions[0].Status)).Should(Equal("False"))
+			Expect(ss.Status.Conditions[0].Reason).Should(Equal("InvalidProviderConfig"))
+			Expect(ss.Status.Conditions[0].Message).Should(ContainSubstring("unable to validate store"))
+			return true, nil
+		})
+		Expect(err).ToNot(HaveOccurred())
+	}
 }

+ 3 - 7
e2e/suites/provider/suite_test.go

@@ -17,7 +17,6 @@ limitations under the License.
 package e2e
 
 import (
-	"context"
 	"testing"
 
 	// nolint
@@ -33,11 +32,8 @@ import (
 )
 
 var _ = SynchronizedBeforeSuite(func() []byte {
-	cfg := &addon.Config{}
-	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
-
 	By("installing eso")
-	addon.InstallGlobalAddon(addon.NewESO(addon.WithCRDs()), cfg)
+	addon.InstallGlobalAddon(addon.NewESO(addon.WithCRDs()))
 
 	return nil
 }, func([]byte) {
@@ -51,10 +47,10 @@ var _ = SynchronizedAfterSuite(func() {
 	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
 	By("Deleting any pending generator states")
 	generatorStates := &genv1alpha1.GeneratorStateList{}
-	err := cfg.CRClient.List(context.Background(), generatorStates)
+	err := cfg.CRClient.List(GinkgoT().Context(), generatorStates)
 	Expect(err).ToNot(HaveOccurred())
 	for _, generatorState := range generatorStates.Items {
-		err = cfg.CRClient.Delete(context.Background(), &generatorState)
+		err = cfg.CRClient.Delete(GinkgoT().Context(), &generatorState)
 		Expect(err).ToNot(HaveOccurred())
 	}
 	By("Cleaning up global addons")
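Review bot: In the SynchronizedAfterSuite hunk the context is fetched with `GinkgoT().Context()` twice, once for the List and once more inside the Delete loop; binding it once before the List, `ctx := GinkgoT().Context()`, and passing `ctx` to both calls reads cleaner and makes it obvious that the two calls share one cancellation. The enclosing SynchronizedAfterSuite closure starts before this hunk and continues past it, so the cfg construction it relies on (L4565 reads `cfg`) is only partly visible. Separately, a GeneratorState that is reconciled away between the List and the Delete would turn the cleanup into a failed suite on NotFound; tolerating that with `if err != nil && !apierrors.IsNotFound(err) { Expect(err).ToNot(HaveOccurred()) }` is more robust, though whether suite_test.go imports the apierrors package (the vault test in this commit does) is not visible in the hunk.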