
changing kubernetes api struct

rodrmartinez 4 years ago
parent
commit
86d7710727

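--- a/apis/externalsecrets/v1alpha1/secretstore_kubernetes_types.go
+++ b/apis/externalsecrets/v1alpha1/secretstore_kubernetes_types.go
@@ -18,35 +18,70 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+type KubernetesServer struct {
+
+	// configures the Kubernetes server Address.
+	// +kubebuilder:default=kubernetes.default
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// CABundle is a base64-encoded CA certificate
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
+
+	// see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider
+	// +optional
+	CAProvider *CAProvider `json:"caProvider,omitempty"`
+
+	// there's still room for impersonation or proxy settings:
+	// Impersonate-User
+	// Impersonate-Group
+	// Impersonate-Extra-( extra name )
+	// Impersonate-Uid
+	// Proxy Settings
+}
+
 // Configures a store to sync secrets with a Kubernetes instance.
 type KubernetesProvider struct {
 	// configures the Kubernetes server Address.
 	// +kubebuilder:default= kubernetes.default
 	// +optional
-	Server string `json:"server,omitempty"`
+	Server KubernetesServer `json:"server,omitempty"`
 
 	// Auth configures how secret-manager authenticates with a Kubernetes instance.
-	// +optional
 	Auth KubernetesAuth `json:"auth"`
 
-	// +optional
-	User string `json:"user"`
-
-	//Remote namespace to fetch the secrets from
+	// Remote namespace to fetch the secrets from
 	// +kubebuilder:default= default
 	// +optional
 	RemoteNamespace string `json:"remoteNamespace"`
 }
 
 type KubernetesAuth struct {
-	SecretRef KubernetesSecretRef `json:"secretRef"`
-}
+	// has both clientCert and clientKey as secretKeySelector
+	// +optional
+	Cert *CertAuth `json:"cert,omitempty"`
 
-type KubernetesSecretRef struct {
+	// use static token to authenticate with
 	// +optional
-	Certificate esmeta.SecretKeySelector `json:"certificate,omitempty"`
+	Token *TokenAuth `json:"token,omitempty"`
+
+	// points to a service account that should be used for authentication
 	// +optional
-	Key         esmeta.SecretKeySelector `json:"key,omitempty"`
-	CA          esmeta.SecretKeySelector `json:"ca,omitempty"`
+	ServiceAccount *ServiceAccountAuth `json:"serviceAccount,omitempty"`
+
+	// possibly exec or webhook
+}
+
+type CertAuth struct {
+	ClientCert esmeta.SecretKeySelector `json:"cert,omitempty"`
+	ClientKey  esmeta.SecretKeySelector `json:"key,omitempty"`
+}
+
+type TokenAuth struct {
 	BearerToken esmeta.SecretKeySelector `json:"bearerToken,omitempty"`
 }
+
+type ServiceAccountAuth struct {
+	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccount,omitempty"`
+}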
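Review bot: The `// +kubebuilder:default= kubernetes.default` marker above `Server` in KubernetesProvider is left in place even though this commit turns `Server` into a struct, so both regenerated CRDs carry `default: kubernetes.default` on an object-typed `server` property while the string default now belongs to `KubernetesServer.URL`; drop that marker from `Server` (its `omitempty` is also a no-op on a struct value) and keep `// +kubebuilder:default=kubernetes.default` only on `URL`. KubernetesAuth now has three optional members that setAuth in kubernetes.go treats as mutually exclusive, but nothing in the type says so; a doc comment such as `// Exactly one of Cert, Token or ServiceAccount must be set.` (or a validation marker) would make that contract explicit for users and for the provider. The CABundle comment says "base64-encoded", yet the `[]byte` field holds the decoded bytes once the manifest is parsed, so `// CABundle is the CA certificate of the Kubernetes server (base64-encoded in the manifest, raw bytes here).` describes it more accurately. KubernetesServer itself is exported without a doc comment; `// KubernetesServer describes how to reach and verify the Kubernetes API server.` would do.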

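--- a/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
@@ -301,6 +301,23 @@ func (in *CAProvider) DeepCopy() *CAProvider {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertAuth) DeepCopyInto(out *CertAuth) {
+	*out = *in
+	in.ClientCert.DeepCopyInto(&out.ClientCert)
+	in.ClientKey.DeepCopyInto(&out.ClientKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertAuth.
+func (in *CertAuth) DeepCopy() *CertAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(CertAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
@@ -776,7 +793,21 @@ func (in *IBMProvider) DeepCopy() *IBMProvider {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KubernetesAuth) DeepCopyInto(out *KubernetesAuth) {
 	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
+	if in.Cert != nil {
+		in, out := &in.Cert, &out.Cert
+		*out = new(CertAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Token != nil {
+		in, out := &in.Token, &out.Token
+		*out = new(TokenAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServiceAccount != nil {
+		in, out := &in.ServiceAccount, &out.ServiceAccount
+		*out = new(ServiceAccountAuth)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesAuth.
@@ -792,6 +823,7 @@ func (in *KubernetesAuth) DeepCopy() *KubernetesAuth {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KubernetesProvider) DeepCopyInto(out *KubernetesProvider) {
 	*out = *in
+	in.Server.DeepCopyInto(&out.Server)
 	in.Auth.DeepCopyInto(&out.Auth)
 }
 
@@ -806,20 +838,26 @@ func (in *KubernetesProvider) DeepCopy() *KubernetesProvider {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubernetesSecretRef) DeepCopyInto(out *KubernetesSecretRef) {
+func (in *KubernetesServer) DeepCopyInto(out *KubernetesServer) {
 	*out = *in
-	in.Certificate.DeepCopyInto(&out.Certificate)
-	in.Key.DeepCopyInto(&out.Key)
-	in.CA.DeepCopyInto(&out.CA)
-	in.BearerToken.DeepCopyInto(&out.BearerToken)
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(CAProvider)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesSecretRef.
-func (in *KubernetesSecretRef) DeepCopy() *KubernetesSecretRef {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesServer.
+func (in *KubernetesServer) DeepCopy() *KubernetesServer {
 	if in == nil {
 		return nil
 	}
-	out := new(KubernetesSecretRef)
+	out := new(KubernetesServer)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -1111,6 +1149,22 @@ func (in *SecretStoreStatusCondition) DeepCopy() *SecretStoreStatusCondition {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountAuth) DeepCopyInto(out *ServiceAccountAuth) {
+	*out = *in
+	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountAuth.
+func (in *ServiceAccountAuth) DeepCopy() *ServiceAccountAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceAccountAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TemplateFrom) DeepCopyInto(out *TemplateFrom) {
 	*out = *in
 	if in.ConfigMap != nil {
@@ -1171,6 +1225,22 @@ func (in *TemplateRefItem) DeepCopy() *TemplateRefItem {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenAuth) DeepCopyInto(out *TokenAuth) {
+	*out = *in
+	in.BearerToken.DeepCopyInto(&out.BearerToken)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenAuth.
+func (in *TokenAuth) DeepCopy() *TokenAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
 	*out = *in
 	in.SecretRef.DeepCopyInto(&out.SecretRef)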

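--- a/deploy/crds/external-secrets.io_clustersecretstores.yaml
+++ b/deploy/crds/external-secrets.io_clustersecretstores.yaml
@@ -537,9 +537,10 @@ spec:
                         description: Auth configures how secret-manager authenticates
                           with a Kubernetes instance.
                         properties:
-                          secretRef:
+                          cert:
+                            description: has both clientCert and clientKey as secretKeySelector
                             properties:
-                              bearerToken:
+                              cert:
                                 description: A reference to a specific 'key' within
                                   a Secret resource, In some instances, `key` is a
                                   required field.
@@ -561,7 +562,7 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
-                              ca:
+                              key:
                                 description: A reference to a specific 'key' within
                                   a Secret resource, In some instances, `key` is a
                                   required field.
@@ -583,20 +584,17 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
-                              certificate:
-                                description: A reference to a specific 'key' within
-                                  a Secret resource, In some instances, `key` is a
-                                  required field.
+                            type: object
+                          serviceAccount:
+                            description: points to a service account that should be
+                              used for authentication
+                            properties:
+                              serviceAccount:
+                                description: A reference to a ServiceAccount resource.
                                 properties:
-                                  key:
-                                    description: The key of the entry in the Secret
-                                      resource's `data` field to be used. Some instances
-                                      of this field may be defaulted, in others it
-                                      may be required.
-                                    type: string
                                   name:
-                                    description: The name of the Secret resource being
-                                      referred to.
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
                                     type: string
                                   namespace:
                                     description: Namespace of the resource being referred
@@ -604,8 +602,14 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
+                                required:
+                                - name
                                 type: object
-                              key:
+                            type: object
+                          token:
+                            description: use static token to authenticate with
+                            properties:
+                              bearerToken:
                                 description: A reference to a specific 'key' within
                                   a Secret resource, In some instances, `key` is a
                                   required field.
@@ -628,8 +632,6 @@ spec:
                                     type: string
                                 type: object
                             type: object
-                        required:
-                        - secretRef
                         type: object
                       remoteNamespace:
                         default: default
@@ -638,9 +640,43 @@ spec:
                       server:
                         default: kubernetes.default
                         description: configures the Kubernetes server Address.
-                        type: string
-                      user:
-                        type: string
+                        properties:
+                          caBundle:
+                            description: CABundle is a base64-encoded CA certificate
+                            format: byte
+                            type: string
+                          caProvider:
+                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+                            properties:
+                              key:
+                                description: The key the value inside of the provider
+                                  type to use, only used with "Secret" type
+                                type: string
+                              name:
+                                description: The name of the object located at the
+                                  provider type.
+                                type: string
+                              namespace:
+                                description: The namespace the Provider type is in.
+                                type: string
+                              type:
+                                description: The type of provider to use such as "Secret",
+                                  or "ConfigMap".
+                                enum:
+                                - Secret
+                                - ConfigMap
+                                type: string
+                            required:
+                            - name
+                            - type
+                            type: object
+                          url:
+                            default: kubernetes.default
+                            description: configures the Kubernetes server Address.
+                            type: string
+                        type: object
+                    required:
+                    - auth
                     type: object
                   oracle:
                     description: Oracle configures this store to sync secrets using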

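--- a/deploy/crds/external-secrets.io_secretstores.yaml
+++ b/deploy/crds/external-secrets.io_secretstores.yaml
@@ -537,9 +537,10 @@ spec:
                         description: Auth configures how secret-manager authenticates
                           with a Kubernetes instance.
                         properties:
-                          secretRef:
+                          cert:
+                            description: has both clientCert and clientKey as secretKeySelector
                             properties:
-                              bearerToken:
+                              cert:
                                 description: A reference to a specific 'key' within
                                   a Secret resource, In some instances, `key` is a
                                   required field.
@@ -561,7 +562,7 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
-                              ca:
+                              key:
                                 description: A reference to a specific 'key' within
                                   a Secret resource, In some instances, `key` is a
                                   required field.
@@ -583,20 +584,17 @@ spec:
                                       the referent.
                                     type: string
                                 type: object
-                              certificate:
-                                description: A reference to a specific 'key' within
-                                  a Secret resource, In some instances, `key` is a
-                                  required field.
+                            type: object
+                          serviceAccount:
+                            description: points to a service account that should be
+                              used for authentication
+                            properties:
+                              serviceAccount:
+                                description: A reference to a ServiceAccount resource.
                                 properties:
-                                  key:
-                                    description: The key of the entry in the Secret
-                                      resource's `data` field to be used. Some instances
-                                      of this field may be defaulted, in others it
-                                      may be required.
-                                    type: string
                                   name:
-                                    description: The name of the Secret resource being
-                                      referred to.
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
                                     type: string
                                   namespace:
                                     description: Namespace of the resource being referred
@@ -604,8 +602,14 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
+                                required:
+                                - name
                                 type: object
-                              key:
+                            type: object
+                          token:
+                            description: use static token to authenticate with
+                            properties:
+                              bearerToken:
                                 description: A reference to a specific 'key' within
                                   a Secret resource, In some instances, `key` is a
                                   required field.
@@ -628,8 +632,6 @@ spec:
                                     type: string
                                 type: object
                             type: object
-                        required:
-                        - secretRef
                         type: object
                       remoteNamespace:
                         default: default
@@ -638,9 +640,43 @@ spec:
                       server:
                         default: kubernetes.default
                         description: configures the Kubernetes server Address.
-                        type: string
-                      user:
-                        type: string
+                        properties:
+                          caBundle:
+                            description: CABundle is a base64-encoded CA certificate
+                            format: byte
+                            type: string
+                          caProvider:
+                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+                            properties:
+                              key:
+                                description: The key the value inside of the provider
+                                  type to use, only used with "Secret" type
+                                type: string
+                              name:
+                                description: The name of the object located at the
+                                  provider type.
+                                type: string
+                              namespace:
+                                description: The namespace the Provider type is in.
+                                type: string
+                              type:
+                                description: The type of provider to use such as "Secret",
+                                  or "ConfigMap".
+                                enum:
+                                - Secret
+                                - ConfigMap
+                                type: string
+                            required:
+                            - name
+                            - type
+                            type: object
+                          url:
+                            default: kubernetes.default
+                            description: configures the Kubernetes server Address.
+                            type: string
+                        type: object
+                    required:
+                    - auth
                     type: object
                   oracle:
                     description: Oracle configures this store to sync secrets using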

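--- a/pkg/provider/kubernetes/kubernetes.go
+++ b/pkg/provider/kubernetes/kubernetes.go
@@ -33,11 +33,13 @@ import (
 )
 
 const (
+	errPropertyNotFound                    = "property field not found on extrenal secrets"
 	errKubernetesCredSecretName            = "kubernetes credentials are empty"
 	errInvalidClusterStoreMissingNamespace = "invalid clusterStore missing Cert namespace"
 	errFetchCredentialsSecret              = "could not fetch Credentials secret: %w"
 	errMissingCredentials                  = "missing Credentials: %v"
 	errUninitalizedKubernetesProvider      = "provider kubernetes is not initialized"
+	errEmptyKey                            = "key %s found but empty"
 )
 
 type KClient interface {
@@ -56,8 +58,6 @@ type BaseClient struct {
 	store       *esv1alpha1.KubernetesProvider
 	namespace   string
 	storeKind   string
-	Server      string
-	User        string
 	Certificate []byte
 	Key         []byte
 	CA          []byte
@@ -83,8 +83,6 @@ func (k *ProviderKubernetes) NewClient(ctx context.Context, store esv1alpha1.Gen
 		store:     storeSpecKubernetes,
 		namespace: namespace,
 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
-		Server:    storeSpecKubernetes.Server,
-		User:      storeSpecKubernetes.User,
 	}
 
 	if err := bStore.setAuth(ctx); err != nil {
@@ -92,7 +90,7 @@ func (k *ProviderKubernetes) NewClient(ctx context.Context, store esv1alpha1.Gen
 	}
 
 	config := &rest.Config{
-		Host:        bStore.store.Server,
+		Host:        bStore.store.Server.URL,
 		BearerToken: string(bStore.BearerToken),
 		TLSClientConfig: rest.TLSClientConfig{
 			Insecure: false,
@@ -118,7 +116,7 @@ func (k *ProviderKubernetes) Close(ctx context.Context) error {
 
 func (k *ProviderKubernetes) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if ref.Property == "" {
-		return nil, fmt.Errorf("property field not found on extrenal secrets")
+		return nil, fmt.Errorf(errPropertyNotFound)
 	}
 
 	payload, err := k.GetSecretMap(ctx, ref)
@@ -155,26 +153,46 @@ func (k *ProviderKubernetes) GetSecretMap(ctx context.Context, ref esv1alpha1.Ex
 
 func (k *BaseClient) setAuth(ctx context.Context) error {
 	var err error
-	k.Certificate, err = k.helper(ctx, k.store.Auth.SecretRef.Certificate, "cert")
-	if err != nil {
-		return err
-	}
-	k.Key, err = k.helper(ctx, k.store.Auth.SecretRef.Key, "key")
-	if err != nil {
-		return err
-	}
-	k.CA, err = k.helper(ctx, k.store.Auth.SecretRef.CA, "ca")
-	if err != nil {
-		return err
+	if len(k.store.Server.CABundle) > 0 {
+		k.CA = k.store.Server.CABundle
+	} else if k.store.Server.CAProvider != nil {
+		keySelector := esmeta.SecretKeySelector{
+			Name:      k.store.Server.CAProvider.Name,
+			Namespace: k.store.Server.CAProvider.Namespace,
+			Key:       k.store.Server.CAProvider.Key,
+		}
+		k.CA, err = k.fetchSecretKey(ctx, keySelector, "CA")
+		if err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("no Certificate Authority provided")
 	}
-	k.BearerToken, err = k.helper(ctx, k.store.Auth.SecretRef.BearerToken, "bearerToken")
-	if err != nil {
-		return err
+
+	if k.store.Auth.Token != nil {
+		k.BearerToken, err = k.fetchSecretKey(ctx, k.store.Auth.Token.BearerToken, "bearerToken")
+		if err != nil {
+			return err
+		}
+	} else if k.store.Auth.ServiceAccount != nil {
+		return fmt.Errorf("not implemented yet")
+	} else if k.store.Auth.Cert != nil {
+		k.Certificate, err = k.fetchSecretKey(ctx, k.store.Auth.Cert.ClientCert, "cert")
+		if err != nil {
+			return err
+		}
+		k.Key, err = k.fetchSecretKey(ctx, k.store.Auth.Cert.ClientKey, "key")
+		if err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("no credentials provided")
 	}
+
 	return nil
 }
 
-func (k *BaseClient) helper(ctx context.Context, key esmeta.SecretKeySelector, component string) ([]byte, error) {
+func (k *BaseClient) fetchSecretKey(ctx context.Context, key esmeta.SecretKeySelector, component string) ([]byte, error) {
 	keySecret := &corev1.Secret{}
 	keySecretName := key.Name
 	if keySecretName == "" {
@@ -197,9 +215,13 @@ func (k *BaseClient) helper(ctx context.Context, key esmeta.SecretKeySelector, c
 		return nil, fmt.Errorf(errFetchCredentialsSecret, err)
 	}
 
-	check := keySecret.Data[key.Key]
-	if (check == nil) || (len(check) == 0) {
+	val, ok := keySecret.Data[key.Key]
+	if !ok {
 		return nil, fmt.Errorf(errMissingCredentials, component)
 	}
-	return check, nil
+
+	if len(val) == 0 {
+		return nil, fmt.Errorf(errEmptyKey, component)
+	}
+	return val, nil
 }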

+ 82 - 47
pkg/provider/kubernetes/kubernetes_test.go

@@ -26,7 +26,12 @@ import (
 	fclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 	fclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+const (
+	errTestFetchCredentialsSecret = "test could not fetch Credentials secret failed"
+	errTestAuthValue              = "test failed key didn't match expected value"
 )
 )
 
 
 type fakeClient struct {
 type fakeClient struct {
@@ -42,10 +47,6 @@ func (fk fakeClient) Get(ctx context.Context, name string, opts metav1.GetOption
 	return &secret, nil
 	return &secret, nil
 }
 }
 
 
-func (fk fakeClient) Create(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Secret, error) {
-	return nil, nil
-}
-
 func TestKubernetesSecretManagerGetSecret(t *testing.T) {
 func TestKubernetesSecretManagerGetSecret(t *testing.T) {
 	expected := make(map[string][]byte)
 	expected := make(map[string][]byte)
 	value := "bar"
 	value := "bar"
@@ -121,94 +122,128 @@ func TestKubernetesSecretManagerGetSecretMap(t *testing.T) {
 }
 }
 
 
 func TestKubernetesSecretManagerSetAuth(t *testing.T) {
 func TestKubernetesSecretManagerSetAuth(t *testing.T) {
-	kp := esv1alpha1.KubernetesProvider{}
-	fs := &corev1.Secret{}
-	secretName := "good-name"
-	fs.ObjectMeta.Name = secretName
-	secretValue := make(map[string][]byte)
-	secretValue["cert"] = []byte("secret-cert")
-	secretValue["ca"] = []byte("secret-ca")
-	secretValue["bearerToken"] = []byte("bearerToken")
-
-	fs2 := &corev1.Secret{}
-	fs2.ObjectMeta.Name = "secret-for-the-key"
-	secretValue2 := make(map[string][]byte)
-	secretValue2["key"] = []byte("secret-key")
-
-	fs.Data = secretValue
-	fs2.Data = secretValue2
+	kp := esv1alpha1.KubernetesProvider{Server: esv1alpha1.KubernetesServer{}}
+
+	fs := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "good-name"},
+		Data:       make(map[string][]byte),
+	}
+	fs.Data["cert"] = []byte("secret-cert")
+	fs.Data["ca"] = []byte("secret-ca")
+	fs.Data["bearerToken"] = []byte("bearerToken")
+
+	fs2 := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "secret-for-the-key"},
+		Data:       make(map[string][]byte),
+	}
+	fs2.Data["key"] = []byte("secret-key")
+
 	fk := fclient.NewClientBuilder().WithObjects(fs, fs2).Build()
 	fk := fclient.NewClientBuilder().WithObjects(fs, fs2).Build()
-	bc := BaseClient{fk, &kp, "", "", "", "", nil, nil, nil, nil}
+	bc := BaseClient{fk, &kp, "", "", nil, nil, nil, nil}
 
 
 	ctx := context.Background()
 	ctx := context.Background()
 
 
 	err := bc.setAuth(ctx)
 	err := bc.setAuth(ctx)
 
 
-	if err.Error() != "kubernetes credentials are empty" {
+	if err.Error() != "no Certificate Authority provided" {
+		fmt.Println(err.Error())
+		t.Error("test no Certificate Authority provided failed")
+	}
+
+	kp.Server.CAProvider = &esv1alpha1.CAProvider{
+		Type:      esv1alpha1.CAProviderTypeConfigMap,
+		Name:      fs.ObjectMeta.Name,
+		Namespace: &fs.ObjectMeta.Namespace,
+		Key:       "ca",
+	}
+
+	bc.setAuth(ctx)
+
+	if string(bc.CA) != "secret-ca" {
+		t.Error("failed to set CA provider")
+	}
+
+	kp.Server.CABundle = []byte("ca-bundle")
+
+	err = bc.setAuth(ctx)
+
+	if err.Error() != "no credentials provided" {
+		fmt.Println(err.Error())
 		t.Error("test kubernetes credentials not empty failed")
 		t.Error("test kubernetes credentials not empty failed")
 	}
 	}
 
 
+	if string(bc.CA) != "ca-bundle" {
+		t.Error("failed to set CA provider")
+	}
+
 	kp = esv1alpha1.KubernetesProvider{
 	kp = esv1alpha1.KubernetesProvider{
 		Auth: esv1alpha1.KubernetesAuth{
 		Auth: esv1alpha1.KubernetesAuth{
-			SecretRef: esv1alpha1.KubernetesSecretRef{
-				Certificate: esmeta.SecretKeySelector{
+			Cert: &esv1alpha1.CertAuth{
+				ClientCert: v1.SecretKeySelector{
 					Name: "fake-name",
 					Name: "fake-name",
 				},
 				},
 			},
 			},
 		},
 		},
 	}
 	}
+	kp.Server.CABundle = []byte("ca-bundle")
 
 
 	err = bc.setAuth(ctx)
 	err = bc.setAuth(ctx)
 
 
 	if err.Error() != "could not fetch Credentials secret: secrets \"fake-name\" not found" {
 	if err.Error() != "could not fetch Credentials secret: secrets \"fake-name\" not found" {
 		fmt.Println(err.Error())
 		fmt.Println(err.Error())
-		t.Error("test could not fetch Credentials secret failed")
+		t.Error(errTestFetchCredentialsSecret)
 	}
 	}
-	kp.Auth.SecretRef.Certificate.Name = secretName
+
+	kp.Auth.Cert.ClientCert.Name = fs.ObjectMeta.Name
 
 
 	err = bc.setAuth(ctx)
 	err = bc.setAuth(ctx)
 
 
-	if err.Error() != "missing Credentials: cert" {
+	if err.Error() != fmt.Errorf(errMissingCredentials, "cert").Error() {
 		fmt.Println(err.Error())
 		fmt.Println(err.Error())
-		t.Error("test could not fetch Credentials secret failed")
+		t.Error(errTestFetchCredentialsSecret)
 	}
 	}
 
 
-	kp.Auth.SecretRef.Certificate.Key = "cert"
-	kp.Auth.SecretRef.Key.Name = "secret-for-the-key"
+	kp.Auth.Cert.ClientCert.Key = "cert"
+	kp.Auth.Cert.ClientKey.Name = "secret-for-the-key"
 
 
 	err = bc.setAuth(ctx)
 	err = bc.setAuth(ctx)
 
 
-	if err.Error() != "missing Credentials: key" {
+	if err.Error() != fmt.Errorf(errMissingCredentials, "key").Error() {
 		fmt.Println(err.Error())
 		fmt.Println(err.Error())
-		t.Error("test could not fetch Credentials secret failed")
+		t.Error(errTestFetchCredentialsSecret)
 	}
 	}
+	kp.Auth.Cert.ClientKey.Key = "key"
 
 
-	kp.Auth.SecretRef.Key.Key = "key"
-	kp.Auth.SecretRef.CA.Name = secretName
+	bc.setAuth(ctx)
 
 
-	err = bc.setAuth(ctx)
-
-	if err.Error() != "missing Credentials: ca" {
-		fmt.Println(err.Error())
-		t.Error("test could not fetch Credentials secret failed")
-	}
-	kp.Auth.SecretRef.CA.Key = "ca"
-	kp.Auth.SecretRef.BearerToken.Name = secretName
+	kp.Auth.Token = &esv1alpha1.TokenAuth{BearerToken: v1.SecretKeySelector{Name: "good-name"}}
 
 
 	err = bc.setAuth(ctx)
 	err = bc.setAuth(ctx)
 
 
-	if err.Error() != "missing Credentials: bearerToken" {
+	if err.Error() != fmt.Errorf(errMissingCredentials, "bearerToken").Error() {
 		fmt.Println(err.Error())
 		fmt.Println(err.Error())
-		t.Error("test could not fetch Credentials secret failed")
+		t.Error(errTestFetchCredentialsSecret)
 	}
 	}
 
 
-	kp.Auth.SecretRef.BearerToken.Key = "bearerToken"
+	kp.Auth.Token = &esv1alpha1.TokenAuth{BearerToken: v1.SecretKeySelector{Name: "good-name", Key: "bearerToken"}}
 
 
 	err = bc.setAuth(ctx)
 	err = bc.setAuth(ctx)
 
 
 	if err != nil {
 	if err != nil {
 		fmt.Println(err.Error())
 		fmt.Println(err.Error())
-		t.Error("test could not fetch Credentials secret failed")
+		t.Error(errTestFetchCredentialsSecret)
+	}
+	if string(bc.CA) != "ca-bundle" {
+		t.Error(errTestAuthValue)
+	}
+	if string(bc.Certificate) != "secret-cert" {
+		t.Error(errTestAuthValue)
+	}
+	if string(bc.Key) != "secret-key" {
+		t.Errorf(errTestAuthValue)
+	}
+	if string(bc.BearerToken) != "bearerToken" {
+		t.Error(errTestAuthValue)
 	}
 	}
 }
 }
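Review bot: The CA-provider case in TestKubernetesSecretManagerSetAuth sets `Type: esv1alpha1.CAProviderTypeConfigMap` on `kp.Server.CAProvider` yet expects the CA to be read out of the Secret `good-name`, and it only passes because the `CAProvider != nil` branch of `setAuth` in the kubernetes.go hunk builds a `SecretKeySelector` from Name/Namespace/Key without ever consulting `CAProvider.Type`, so a ConfigMap-typed provider is silently resolved as a Secret of the same name. The test should use the Secret variant of `CAProviderType` (or `setAuth` should return an error for a type it does not handle) so that the mismatch surfaces instead of being cemented by the test. The two bare `bc.setAuth(ctx)` calls — the one after the CA-provider block and the one after `kp.Auth.Cert.ClientKey.Key = "key"` — discard the returned error, so a failure there is only noticed by a later, misattributed assertion; `if err := bc.setAuth(ctx); err != nil { t.Fatal(err) }` fixes both. `t.Errorf(errTestAuthValue)` in the `bc.Key` check passes a non-constant format string with no arguments, which `go vet` flags; use `t.Error(errTestAuthValue)` like the sibling checks.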