
Oracle: Workload Identity authentication (#2781)

* Oracle: Workload Identity authentication

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Merge main

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Cleanup go.mod

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Lint

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

* Use mutex for environment variables

Signed-off-by: anders-swanson <anders.swanson@oracle.com>

---------

Signed-off-by: anders-swanson <anders.swanson@oracle.com>
Signed-off-by: Anders Swanson <91502735+anders-swanson@users.noreply.github.com>
Anders Swanson 2 lat temu
rodzic
commit
b1bad77eb3

+ 19 - 1
apis/externalsecrets/v1alpha1/secretstore_oracle_types.go

@@ -16,6 +16,17 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+type OraclePrincipalType string
+
+const (
+	// UserPrincipal represents a user principal.
+	UserPrincipal OraclePrincipalType = "UserPrincipal"
+	// InstancePrincipal represents a instance principal.
+	InstancePrincipal OraclePrincipalType = "InstancePrincipal"
+	// WorkloadPrincipal represents a workload principal.
+	WorkloadPrincipal OraclePrincipalType = "Workload"
+)
+
 // Configures an store to sync secrets using a Oracle Vault
 // backend.
 type OracleProvider struct {
@@ -25,8 +36,15 @@ type OracleProvider struct {
 	// Vault is the vault's OCID of the specific vault where secret is located.
 	Vault string `json:"vault"`
 
+	// The type of principal to use for authentication. If left blank, the Auth struct will
+	// determine the principal type. This optional field must be specified if using
+	// workload identity.
+	// +optional
+	PrincipalType OraclePrincipalType `json:"principalType,omitempty"`
+
 	// Auth configures how secret-manager authenticates with the Oracle Vault.
-	// If empty, use the instance principal, otherwise the user credentials specified in Auth.
+	// If empty, instance principal is used. Optionally, the authenticating principal type
+	// and/or user data may be supplied for the use of workload identity and user principal.
 	// +optional
 	Auth *OracleAuth `json:"auth,omitempty"`
 }
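Review bot: `PrincipalType` is a free-form string with no enum validation, so a misspelled value such as `principalType: workload` is accepted by the API server and the provider is left to decide what it means. The file already uses kubebuilder markers (`// +optional`), so the field should also carry `// +kubebuilder:validation:Enum=UserPrincipal;InstancePrincipal;Workload` so that anything outside the three constants is rejected at admission rather than reinterpreted at sync time. The constant values are inconsistent as well: `UserPrincipal` and `InstancePrincipal` spell out the suffix while `WorkloadPrincipal` is just `"Workload"`, and since these strings become the public CRD API the naming should be settled before the field ships. `OracleProvider` continues beyond this hunk.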

+ 18 - 0
apis/externalsecrets/v1beta1/secretstore_oracle_types.go

@@ -16,6 +16,17 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+type OraclePrincipalType string
+
+const (
+	// UserPrincipal represents a user principal.
+	UserPrincipal OraclePrincipalType = "UserPrincipal"
+	// InstancePrincipal represents a instance principal.
+	InstancePrincipal OraclePrincipalType = "InstancePrincipal"
+	// WorkloadPrincipal represents a workload principal.
+	WorkloadPrincipal OraclePrincipalType = "Workload"
+)
+
 // Configures an store to sync secrets using a Oracle Vault
 // backend.
 type OracleProvider struct {
@@ -25,6 +36,12 @@ type OracleProvider struct {
 	// Vault is the vault's OCID of the specific vault where secret is located.
 	Vault string `json:"vault"`
 
+	// The type of principal to use for authentication. If left blank, the Auth struct will
+	// determine the principal type. This optional field must be specified if using
+	// workload identity.
+	// +optional
+	PrincipalType OraclePrincipalType `json:"principalType,omitempty"`
+
 	// Auth configures how secret-manager authenticates with the Oracle Vault.
 	// If empty, use the instance principal, otherwise the user credentials specified in Auth.
 	// +optional
@@ -32,6 +49,7 @@ type OracleProvider struct {
 }
 
 type OracleAuth struct {
+
 	// Tenancy is the tenancy OCID where user is located.
 	Tenancy string `json:"tenancy"`
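Review bot: The `Auth` doc comment left untouched at the end of the previous hunk still reads "If empty, use the instance principal, otherwise the user credentials specified in Auth", which no longer describes the behaviour once `PrincipalType` can select workload identity; v1alpha1 received the updated wording in this same commit and the served v1beta1 type should say the same, since that text is what lands in the generated CRD description. As in v1alpha1, `PrincipalType` accepts any string, so a `// +kubebuilder:validation:Enum=UserPrincipal;InstancePrincipal;Workload` marker would turn typos into admission errors instead of letting them pick a different principal downstream. The blank line inserted inside `OracleAuth` directly after the opening brace is unrelated noise and should be dropped. Both `OracleProvider` and `OracleAuth` extend outside this hunk.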
 

+ 16 - 2
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -877,8 +877,10 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault. If empty, use the instance principal,
-                          otherwise the user credentials specified in Auth.
+                          with the Oracle Vault. If empty, instance principal is used.
+                          Optionally, the authenticating principal type and/or user
+                          data may be supplied for the use of workload identity and
+                          user principal.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -941,6 +943,12 @@ spec:
                         - tenancy
                         - user
                         type: object
+                      principalType:
+                        description: The type of principal to use for authentication.
+                          If left blank, the Auth struct will determine the principal
+                          type. This optional field must be specified if using workload
+                          identity.
+                        type: string
                       region:
                         description: Region is the region where vault is located.
                         type: string
@@ -3015,6 +3023,12 @@ spec:
                         - tenancy
                         - user
                         type: object
+                      principalType:
+                        description: The type of principal to use for authentication.
+                          If left blank, the Auth struct will determine the principal
+                          type. This optional field must be specified if using workload
+                          identity.
+                        type: string
                       region:
                         description: Region is the region where vault is located.
                         type: string

+ 16 - 2
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -877,8 +877,10 @@ spec:
                     properties:
                       auth:
                         description: Auth configures how secret-manager authenticates
-                          with the Oracle Vault. If empty, use the instance principal,
-                          otherwise the user credentials specified in Auth.
+                          with the Oracle Vault. If empty, instance principal is used.
+                          Optionally, the authenticating principal type and/or user
+                          data may be supplied for the use of workload identity and
+                          user principal.
                         properties:
                           secretRef:
                             description: SecretRef to pass through sensitive information.
@@ -941,6 +943,12 @@ spec:
                         - tenancy
                         - user
                         type: object
+                      principalType:
+                        description: The type of principal to use for authentication.
+                          If left blank, the Auth struct will determine the principal
+                          type. This optional field must be specified if using workload
+                          identity.
+                        type: string
                       region:
                         description: Region is the region where vault is located.
                         type: string
@@ -3015,6 +3023,12 @@ spec:
                         - tenancy
                         - user
                         type: object
+                      principalType:
+                        description: The type of principal to use for authentication.
+                          If left blank, the Auth struct will determine the principal
+                          type. This optional field must be specified if using workload
+                          identity.
+                        type: string
                       region:
                         description: Region is the region where vault is located.
                         type: string

+ 14 - 2
deploy/crds/bundle.yaml

@@ -1118,7 +1118,7 @@ spec:
                       description: Oracle configures this store to sync secrets using Oracle Vault provider
                       properties:
                         auth:
-                          description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+                          description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
                           properties:
                             secretRef:
                               description: SecretRef to pass through sensitive information.
@@ -1164,6 +1164,9 @@ spec:
                             - tenancy
                             - user
                           type: object
+                        principalType:
+                          description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+                          type: string
                         region:
                           description: Region is the region where vault is located.
                           type: string
@@ -2682,6 +2685,9 @@ spec:
                             - tenancy
                             - user
                           type: object
+                        principalType:
+                          description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+                          type: string
                         region:
                           description: Region is the region where vault is located.
                           type: string
@@ -4915,7 +4921,7 @@ spec:
                       description: Oracle configures this store to sync secrets using Oracle Vault provider
                       properties:
                         auth:
-                          description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+                          description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
                           properties:
                             secretRef:
                               description: SecretRef to pass through sensitive information.
@@ -4961,6 +4967,9 @@ spec:
                             - tenancy
                             - user
                           type: object
+                        principalType:
+                          description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+                          type: string
                         region:
                           description: Region is the region where vault is located.
                           type: string
@@ -6479,6 +6488,9 @@ spec:
                             - tenancy
                             - user
                           type: object
+                        principalType:
+                          description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+                          type: string
                         region:
                           description: Region is the region where vault is located.
                           type: string

+ 42 - 0
docs/api/spec.md

@@ -4400,6 +4400,32 @@ OracleSecretRef
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1beta1.OraclePrincipalType">OraclePrincipalType
+(<code>string</code> alias)</p></h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1beta1.OracleProvider">OracleProvider</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;InstancePrincipal&#34;</p></td>
+<td><p>InstancePrincipal represents a instance principal.</p>
+</td>
+</tr><tr><td><p>&#34;UserPrincipal&#34;</p></td>
+<td><p>UserPrincipal represents a user principal.</p>
+</td>
+</tr><tr><td><p>&#34;Workload&#34;</p></td>
+<td><p>WorkloadPrincipal represents a workload principal.</p>
+</td>
+</tr></tbody>
+</table>
 <h3 id="external-secrets.io/v1beta1.OracleProvider">OracleProvider
 </h3>
 <p>
@@ -4442,6 +4468,22 @@ string
 </tr>
 <tr>
 <td>
+<code>principalType</code></br>
+<em>
+<a href="#external-secrets.io/v1beta1.OraclePrincipalType">
+OraclePrincipalType
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>The type of principal to use for authentication. If left blank, the Auth struct will
+determine the principal type. This optional field must be specified if using
+workload identity.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>auth</code></br>
 <em>
 <a href="#external-secrets.io/v1beta1.OracleAuth">

+ 3 - 2
docs/provider/oracle-vault.md

@@ -4,9 +4,10 @@ External Secrets Operator integrates with [OCI API](https://github.com/oracle/oc
 
 ### Authentication
 
-If `auth` is not specified, the operator uses the instance principal.
+Specify the authenticating principal with `principalType`, using `UserPrincipal`, `InstancePrincipal`, or `Workload` as values.
+If `principalType` or `auth` are not set, the operator defaults to instance principal for authentication.
 
-For using a specific user credentials, userOCID, tenancyOCID, fingerprint and private key are required.
+For user principal, userOCID, tenancyOCID, fingerprint and private key are required.
 The fingerprint and key file should be supplied in the secret with the rest being provided in the secret store.
 
 See url for what region you you are accessing.

+ 15 - 0
docs/snippets/oracle-secret-store.yaml

@@ -7,6 +7,20 @@ spec:
     oracle:
       vault: # The vault OCID
       region: # The vault region
+      principalType: InstancePrincipal
+
+---
+
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: example-workload-identity
+spec:
+  provider:
+    oracle:
+      vault: # The vault OCID
+      region: # The vault region
+      principalType: Workload
 
 ---
 
@@ -22,6 +36,7 @@ spec:
       auth:
         user: # A user OCID
         tenancy: # A user's tenancy
+        principalType: UserPrincipal
         secretRef:
           privatekey:
             name: oracle-secret
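Review bot: In the user-principal example `principalType: UserPrincipal` is indented under `auth:`, but the CRD in this commit defines `principalType` as a sibling of `vault`, `region` and `auth` on the `oracle` provider, which is also where the two new examples above in this file put it. Under `auth` it is an unknown field that a structural schema will prune or reject, so the snippet does not demonstrate the field it claims to; move it up one level so `principalType: UserPrincipal` aligns with `auth:`. The example only appears to work because a non-nil `auth` still falls through to user credentials in the provider, which hides the mistake.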

+ 2 - 1
e2e/go.mod

@@ -54,7 +54,7 @@ require (
 	github.com/hashicorp/vault/api v1.10.0
 	github.com/onsi/ginkgo/v2 v2.13.0
 	github.com/onsi/gomega v1.27.10
-	github.com/oracle/oci-go-sdk/v56 v56.1.0
+	github.com/oracle/oci-go-sdk/v65 v65.49.3
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.21
 	github.com/xanzy/go-gitlab v0.93.1
 	golang.org/x/oauth2 v0.13.0
@@ -98,6 +98,7 @@ require (
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect

+ 4 - 3
e2e/go.sum

@@ -163,6 +163,8 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEe
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/go-test/deep v1.0.4 h1:u2CU3YKy9I2pmu9pX0eq50wCgjfGIt539SqR7FbHiho=
 github.com/go-test/deep v1.0.4/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
+github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
@@ -344,8 +346,8 @@ github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A=
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU=
-github.com/oracle/oci-go-sdk/v56 v56.1.0 h1:HOr9P+MkwgrilEGTJCU7a6GMFrUG/RZAzvh/2JeRXvI=
-github.com/oracle/oci-go-sdk/v56 v56.1.0/go.mod h1:kDJAL3HEAF+4oQR8GfaOkY6rz2kU3/kZ6vYJnJXSCkA=
+github.com/oracle/oci-go-sdk/v65 v65.49.3 h1:HHv+XMZiBYHtoU8Ac/fURdp9v1vJPPCpIbJAWeadREw=
+github.com/oracle/oci-go-sdk/v65 v65.49.3/go.mod h1:IBEV9l1qBzUpo7zgGaRUhbB05BVfcDGYRFBCPlTcPp0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -368,7 +370,6 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.21 h1:yWfiTPwYxB0l5fGMhl/G+liULugVIHD9AU77iNLrURQ=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.21/go.mod h1:fCa7OJZ/9DRTnOKmxvT6pn+LPWUptQAmHF/SBJUGEcg=
-github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/sony/gobreaker v0.5.0 h1:dRCvqm0P490vZPmy7ppEk2qCnCieBooFJ+YoXGYB+yg=
 github.com/sony/gobreaker v0.5.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=

+ 2 - 2
e2e/suites/provider/cases/oracle/provider.go

@@ -21,8 +21,8 @@ import (
 
 	// nolint
 	. "github.com/onsi/gomega"
-	"github.com/oracle/oci-go-sdk/v56/common"
-	vault "github.com/oracle/oci-go-sdk/v56/vault"
+	"github.com/oracle/oci-go-sdk/v65/common"
+	vault "github.com/oracle/oci-go-sdk/v65/vault"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilpointer "k8s.io/utils/pointer"

+ 2 - 1
go.mod

@@ -31,7 +31,7 @@ require (
 	github.com/lestrrat-go/jwx v1.2.26
 	github.com/onsi/ginkgo/v2 v2.13.0
 	github.com/onsi/gomega v1.27.10
-	github.com/oracle/oci-go-sdk/v56 v56.1.0
+	github.com/oracle/oci-go-sdk/v65 v65.49.3
 	github.com/prometheus/client_golang v1.17.0
 	github.com/prometheus/client_model v0.5.0
 	github.com/spf13/cobra v1.7.0
@@ -102,6 +102,7 @@ require (
 	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-playground/validator/v10 v10.15.5 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/hashicorp/go-secure-stdlib/awsutil v0.2.3 // indirect

+ 4 - 3
go.sum

@@ -278,6 +278,8 @@ github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
+github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
@@ -547,8 +549,8 @@ github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A=
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU=
-github.com/oracle/oci-go-sdk/v56 v56.1.0 h1:HOr9P+MkwgrilEGTJCU7a6GMFrUG/RZAzvh/2JeRXvI=
-github.com/oracle/oci-go-sdk/v56 v56.1.0/go.mod h1:kDJAL3HEAF+4oQR8GfaOkY6rz2kU3/kZ6vYJnJXSCkA=
+github.com/oracle/oci-go-sdk/v65 v65.49.3 h1:HHv+XMZiBYHtoU8Ac/fURdp9v1vJPPCpIbJAWeadREw=
+github.com/oracle/oci-go-sdk/v65 v65.49.3/go.mod h1:IBEV9l1qBzUpo7zgGaRUhbB05BVfcDGYRFBCPlTcPp0=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -592,7 +594,6 @@ github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/sony/gobreaker v0.5.0 h1:dRCvqm0P490vZPmy7ppEk2qCnCieBooFJ+YoXGYB+yg=
 github.com/sony/gobreaker v0.5.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=

+ 1 - 1
pkg/provider/oracle/fake/fake.go

@@ -16,7 +16,7 @@ package fake
 import (
 	"context"
 
-	secrets "github.com/oracle/oci-go-sdk/v56/secrets"
+	secrets "github.com/oracle/oci-go-sdk/v65/secrets"
 )
 
 type OracleMockClient struct {

+ 31 - 8
pkg/provider/oracle/oracle.go

@@ -18,12 +18,14 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"os"
+	"sync"
 	"time"
 
-	"github.com/oracle/oci-go-sdk/v56/common"
-	"github.com/oracle/oci-go-sdk/v56/common/auth"
-	"github.com/oracle/oci-go-sdk/v56/keymanagement"
-	"github.com/oracle/oci-go-sdk/v56/secrets"
+	"github.com/oracle/oci-go-sdk/v65/common"
+	"github.com/oracle/oci-go-sdk/v65/common/auth"
+	"github.com/oracle/oci-go-sdk/v65/keymanagement"
+	"github.com/oracle/oci-go-sdk/v65/secrets"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -58,9 +60,10 @@ var _ esv1beta1.SecretsClient = &VaultManagementService{}
 var _ esv1beta1.Provider = &VaultManagementService{}
 
 type VaultManagementService struct {
-	Client         VMInterface
-	KmsVaultClient KmsVCInterface
-	vault          string
+	Client                VMInterface
+	KmsVaultClient        KmsVCInterface
+	vault                 string
+	workloadIdentityMutex sync.Mutex
 }
 
 type VMInterface interface {
@@ -163,7 +166,27 @@ func (vms *VaultManagementService) NewClient(ctx context.Context, store esv1beta
 		configurationProvider common.ConfigurationProvider
 	)
 
-	if oracleSpec.Auth == nil {
+	if oracleSpec.PrincipalType == esv1beta1.WorkloadPrincipal {
+		defer vms.workloadIdentityMutex.Unlock()
+		vms.workloadIdentityMutex.Lock()
+		// OCI SDK requires specific environment variables for workload identity.
+		if err := os.Setenv(auth.ResourcePrincipalVersionEnvVar, auth.ResourcePrincipalVersion2_2); err != nil {
+			return nil, fmt.Errorf("unable to set OCI SDK environment variable %s: %w", auth.ResourcePrincipalVersionEnvVar, err)
+		}
+		if err := os.Setenv(auth.ResourcePrincipalRegionEnvVar, oracleSpec.Region); err != nil {
+			return nil, fmt.Errorf("unable to set OCI SDK environment variable %s: %w", auth.ResourcePrincipalRegionEnvVar, err)
+		}
+		configurationProvider, err = auth.OkeWorkloadIdentityConfigurationProvider()
+		if err := os.Unsetenv(auth.ResourcePrincipalVersionEnvVar); err != nil {
+			return nil, fmt.Errorf("unabled to unset OCI SDK environment variable %s: %w", auth.ResourcePrincipalVersionEnvVar, err)
+		}
+		if err := os.Unsetenv(auth.ResourcePrincipalRegionEnvVar); err != nil {
+			return nil, fmt.Errorf("unabled to unset OCI SDK environment variable %s: %w", auth.ResourcePrincipalRegionEnvVar, err)
+		}
+		if err != nil {
+			return nil, err
+		}
+	} else if oracleSpec.PrincipalType == esv1beta1.InstancePrincipal || oracleSpec.Auth == nil {
 		configurationProvider, err = auth.InstancePrincipalConfigurationProvider()
 	} else {
 		configurationProvider, err = getUserAuthConfigurationProvider(ctx, kube, oracleSpec, namespace, store.GetObjectKind().GroupVersionKind().Kind, oracleSpec.Region)
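Review bot: An unrecognised or mismatched `principalType` silently selects a different identity instead of failing: anything other than `Workload` or `InstancePrincipal` drops into the `else if … || oracleSpec.Auth == nil` branch, so `principalType: UserPrincipal` without an `auth` block, or a typo such as `principalType: workload`, authenticates as the instance principal. Replacing the if-chain with a switch that rejects unknown values, and rejects `UserPrincipal` when `Auth` is nil, keeps the store from quietly authenticating with a principal the author did not intend (rewrite below). In the workload branch `os.Setenv`/`os.Unsetenv` mutate the whole process and unconditionally discard any value the operator was started with; saving the prior value with `os.LookupEnv` and restoring it in the deferred section keeps the change reversible, `Lock()` should be taken before `defer Unlock()` is registered, and the two Unsetenv messages say `unabled`. NewClient begins and ends outside this hunk.
```go
	switch oracleSpec.PrincipalType {
	case esv1beta1.WorkloadPrincipal:
		vms.workloadIdentityMutex.Lock()
		defer vms.workloadIdentityMutex.Unlock()
		// … unchanged: set the two OCI SDK env vars, call auth.OkeWorkloadIdentityConfigurationProvider(), restore them …
	case esv1beta1.InstancePrincipal:
		configurationProvider, err = auth.InstancePrincipalConfigurationProvider()
	case esv1beta1.UserPrincipal:
		if oracleSpec.Auth == nil {
			return nil, fmt.Errorf("principalType %q requires auth to be set", oracleSpec.PrincipalType)
		}
		configurationProvider, err = getUserAuthConfigurationProvider(ctx, kube, oracleSpec, namespace, store.GetObjectKind().GroupVersionKind().Kind, oracleSpec.Region)
	case "":
		// Legacy selection: credentials present means user principal, otherwise instance principal.
		if oracleSpec.Auth == nil {
			configurationProvider, err = auth.InstancePrincipalConfigurationProvider()
		} else {
			configurationProvider, err = getUserAuthConfigurationProvider(ctx, kube, oracleSpec, namespace, store.GetObjectKind().GroupVersionKind().Kind, oracleSpec.Region)
		}
	default:
		return nil, fmt.Errorf("unsupported principalType %q", oracleSpec.PrincipalType)
	}
```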

+ 1 - 1
pkg/provider/oracle/oracle_test.go

@@ -25,7 +25,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/oracle/oci-go-sdk/v56/secrets"
+	"github.com/oracle/oci-go-sdk/v65/secrets"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"

+ 1 - 1
pkg/utils/utils_test.go

@@ -19,7 +19,7 @@ import (
 	"testing"
 	"time"
 
-	vault "github.com/oracle/oci-go-sdk/v56/vault"
+	vault "github.com/oracle/oci-go-sdk/v65/vault"
 	v1 "k8s.io/api/core/v1"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"