add domain field to secretserver provider (#5258)

Signed-off-by: Rodrigo Kellermann <kellermann@gmail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>

apis/externalsecrets/v1/secretsstore_secretserver_types.go

@@ -38,6 +38,10 @@ type SecretServerProvider struct {
 	// +required
 	Password *SecretServerProviderRef `json:"password"`
 
+	// Domain is the secret server domain.
+	// +optional
+	Domain string `json:"domain,omitempty"`
+
 	// ServerURL
 	// URL to your secret server installation
 	// +required

cmd/controller/root.go

@@ -152,7 +152,7 @@ var rootCmd = &cobra.Command{
 			metricsOpts.CertName = metricsCertName
 			metricsOpts.KeyName = metricsKeyName
 		}
-		
+
 		// Disable HTTP/2 if not explicitly enabled
 		if !enableHTTP2 {
 			metricsOpts.TLSOpts = []func(*tls.Config){disableHTTP2}

config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -4018,6 +4018,9 @@ spec:
                       SecretServer configures this store to sync secrets using SecretServer provider
                       https://docs.delinea.com/online-help/secret-server/start.htm
                     properties:
+                      domain:
+                        description: Domain is the secret server domain.
+                        type: string
                       password:
                         description: Password is the secret server account password.
                         properties:

config/crds/bases/external-secrets.io_secretstores.yaml

@@ -4018,6 +4018,9 @@ spec:
                       SecretServer configures this store to sync secrets using SecretServer provider
                       https://docs.delinea.com/online-help/secret-server/start.htm
                     properties:
+                      domain:
+                        description: Domain is the secret server domain.
+                        type: string
                       password:
                         description: Password is the secret server account password.
                         properties:

deploy/crds/bundle.yaml

@@ -5769,6 +5769,9 @@ spec:
                         SecretServer configures this store to sync secrets using SecretServer provider
                         https://docs.delinea.com/online-help/secret-server/start.htm
                       properties:
+                        domain:
+                          description: Domain is the secret server domain.
+                          type: string
                         password:
                           description: Password is the secret server account password.
                           properties:
@@ -16746,6 +16749,9 @@ spec:
                         SecretServer configures this store to sync secrets using SecretServer provider
                         https://docs.delinea.com/online-help/secret-server/start.htm
                       properties:
+                        domain:
+                          description: Domain is the secret server domain.
+                          type: string
                         password:
                           description: Password is the secret server account password.
                           properties:

docs/api/spec.md

@@ -7971,6 +7971,18 @@ SecretServerProviderRef
 </tr>
 <tr>
 <td>
+<code>domain</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Domain is the secret server domain.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>serverURL</code></br>
 <em>
 string

pkg/provider/secretserver/client_test.go

@@ -132,6 +132,7 @@ func newTestClient() esv1.SecretsClient {
 				createSecret(6000, "{ \"user\": \"betaTest\", \"password\": \"badPassword\" }"),
 				createNilFieldsSecret(7000),
 				createEmptyFieldsSecret(8000),
+				createSecret(9000, "{ \"user\": \"robertOppenheimer\", \"password\": \"badPassword\", \"domain\":\"domain1\", \"server\":\"192.168.1.50\"}"),
 			},
 		},
 	}
@@ -262,6 +263,13 @@ func TestGetSecretSecretServer(t *testing.T) {
 			want: []byte(nil),
 			err:  esv1.NoSecretError{},
 		},
+		"Secret from code: with domain": {
+			ref: esv1.ExternalSecretDataRemoteRef{
+				Key:      "9000",
+				Property: "domain",
+			},
+			want: []byte(`domain1`),
+		},
 	}
 
 	for name, tc := range testCases {

pkg/provider/secretserver/provider.go

@@ -72,6 +72,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 		Credentials: server.UserCredential{
 			Username: username,
 			Password: password,
+			Domain:   cfg.Domain,
 		},
 		ServerURL: cfg.ServerURL,
 	})

pkg/provider/secretserver/provider_test.go

@@ -168,6 +168,7 @@ func TestNewClient(t *testing.T) {
 	userNameValue := "foo"
 	passwordKey := "password"
 	passwordValue := generateRandomString()
+	domain := "domain1"
 
 	clientSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "default"},
@@ -183,6 +184,22 @@ func TestNewClient(t *testing.T) {
 		ServerURL: "https://example.com",
 	}
 
+	clientSecretWithDomain := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "with-domain", Namespace: "default"},
+		Data: map[string][]byte{
+			userNameKey: []byte(userNameValue),
+			passwordKey: []byte(passwordValue),
+			domain:      []byte(domain),
+		},
+	}
+
+	validProviderWithDomain := &esv1.SecretServerProvider{
+		Username:  makeSecretRefUsingRef(clientSecretWithDomain.Name, userNameKey),
+		Password:  makeSecretRefUsingRef(clientSecretWithDomain.Name, passwordKey),
+		Domain:    domain,
+		ServerURL: "https://example.com",
+	}
+
 	tests := map[string]struct {
 		store    esv1.GenericStore          // leave nil for namespaced store
 		provider *esv1.SecretServerProvider // discarded when store is set
@@ -290,6 +307,22 @@ func TestNewClient(t *testing.T) {
 			},
 			kube: clientfake.NewClientBuilder().WithObjects(clientSecret).Build(),
 		},
+		"cluster secret store with domain": {
+			store: &esv1.ClusterSecretStore{
+				TypeMeta: metav1.TypeMeta{Kind: esv1.ClusterSecretStoreKind},
+				Spec: esv1.SecretStoreSpec{
+					Provider: &esv1.SecretStoreProvider{
+						SecretServer: &esv1.SecretServerProvider{
+							Username:  makeSecretRefUsingNamespacedRef(clientSecretWithDomain.Namespace, clientSecretWithDomain.Name, userNameKey),
+							Password:  makeSecretRefUsingNamespacedRef(clientSecretWithDomain.Namespace, clientSecretWithDomain.Name, passwordKey),
+							Domain:    validProviderWithDomain.Domain,
+							ServerURL: validProviderWithDomain.ServerURL,
+						},
+					},
+				},
+			},
+			kube: clientfake.NewClientBuilder().WithObjects(clientSecret, clientSecretWithDomain).Build(),
+		},
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
@@ -312,10 +345,14 @@ func TestNewClient(t *testing.T) {
 				assert.True(t, ok)
 				secretServerClient, ok := delineaClient.api.(*server.Server)
 				assert.True(t, ok)
-				assert.Equal(t, server.UserCredential{
+				expectedCredentials := server.UserCredential{
 					Username: userNameValue,
 					Password: passwordValue,
-				}, secretServerClient.Configuration.Credentials)
+				}
+				if name == "cluster secret store with domain" {
+					expectedCredentials.Domain = domain
+				}
+				assert.Equal(t, expectedCredentials, secretServerClient.Configuration.Credentials)
 			} else {
 				assert.Nil(t, sc)
 				tc.errCheck(t, err)