
Completed Oracle provider, e2e tests non functional due to lack of company OCI account

Kian 4 years ago
parent
commit
baa91c75c8

+ 1 - 0
apis/externalsecrets/v1alpha1/secretstore_oracle_types.go

@@ -33,6 +33,7 @@ type OracleProvider struct {
 }
 
 type OracleAuth struct {
+	// SecretRef to pass through sensitive information.
 	SecretRef OracleSecretRef `json:"secretRef"`
 }
 

+ 1 - 0
deploy/crds/external-secrets.io_clustersecretstores.yaml

@@ -314,6 +314,7 @@ spec:
                           with the Oracle secrets manager.
                         properties:
                           secretRef:
+                            description: SecretRef to pass through sensitive information.
                             properties:
                               fingerprint:
                                 description: projectID is an access token specific

+ 1 - 0
deploy/crds/external-secrets.io_secretstores.yaml

@@ -314,6 +314,7 @@ spec:
                           with the Oracle secrets manager.
                         properties:
                           secretRef:
+                            description: SecretRef to pass through sensitive information.
                             properties:
                               fingerprint:
                                 description: projectID is an access token specific

BIN
docs/pictures/screenshot_API_key.png


BIN
docs/pictures/screenshot_fingerprint.png


BIN
docs/pictures/screenshot_region.png


BIN
docs/pictures/screenshot_tenancy_OCID.png


BIN
docs/pictures/screenshot_user_OCID.png


+ 54 - 0
docs/provider-oracle-vault.md

@@ -0,0 +1,54 @@
+## Oracle Vault
+
+External Secrets Operator integrates with [OCI API](https://github.com/oracle/oci-go-sdk) to sync secret on the Oracle cloud to secrets held on the Kubernetes cluster.
+
+### Authentication
+
+The API requires a userOCID, tenancyOCID, fingerprint, key file and a region. The fingerprint and key file should be supplied in the secret with the rest being provided in the secret store.
+
+See url for what region you you are accessing.
+![userOCID-details](./pictures/screenshot_region.png)
+
+Select tenancy in the top right to see your user OCID as shown below.
+![tenancyOCID-details](./pictures/tenancy.png)
+
+Select your user in the top right to see your user OCID as shown below.
+![region-details](./pictures/screenshot_user_OCID.png)
+
+
+#### Service account key authentication
+
+Create a secret containing your private key and fingerprint:
+
+```yaml
+{% include 'oracle-credentials-secret.yaml' %}
+```
+
+Your fingerprint will be attatched to your API key, once it has been generated. Found on the same page as the user OCID.
+![fingerprint-details](./pictures/screenshot_fingerprint.png)
+
+Once you click "Add API Key" you will be shown the following, where you can download the RSA key in the necessary PEM format for API requests.
+This will automatically generate a fingerprint.
+![API-key-details](./pictures/screenshot_API_key.png)
+
+### Update secret store
+Be sure the `oracle` provider is listed in the `Kind=SecretStore`
+
+```yaml
+{% include 'oracle-secret-store.yaml' %}
+```
+
+### Creating external secret
+
+To create a kubernetes secret from the Oracle Cloud Interface secret a`Kind=ExternalSecret` is needed.
+
+```yaml
+{% include 'oracle-external-secret.yaml' %}
+```
+
+
+### Getting the Kubernetes secret
+The operator will fetch the project variable and inject it as a `Kind=Secret`.
+```
+kubectl get secret oracle-secret-to-create -o jsonpath='{.data.dev-secret-test}' | base64 -d
+```

+ 8 - 7
e2e/suite/oracle/oracle.go

@@ -24,13 +24,14 @@ import (
 	"github.com/external-secrets/external-secrets/e2e/suite/common"
 )
 
-var _ = Describe("[azure] ", func() {
-	f := framework.New("eso-azure")
-	vaultURL := os.Getenv("VAULT_URL")
-	tenantID := os.Getenv("TENANT_ID")
-	clientID := os.Getenv("AZURE_CLIENT_ID")
-	clientSecret := os.Getenv("AZURE_CLIENT_SECRET")
-	prov := newOracleProvider(f, clientID, clientSecret, tenantID, vaultURL)
+var _ = Describe("[oracle] ", func() {
+	f := framework.New("eso-oracle")
+	tenancy := os.Getenv("OCI_TENANCY_OCID")
+	user := os.Getenv("OCI_USER_OCID")
+	region := os.Getenv("OCI_REGION")
+	fingerprint := os.Getenv("OCI_FINGERPRINT")
+	privateKey := os.Getenv("OCI_PRIVATE_KEY")
+	prov := newOracleProvider(f, tenancy, user, region, fingerprint, privateKey)
 
 	DescribeTable("sync secrets", framework.TableFunc(f, prov),
 		Entry(common.SimpleDataSync(f)),

+ 59 - 76
e2e/suite/oracle/provider.go

@@ -16,7 +16,6 @@ import (
 	"context"
 
 	// nolint
-	"github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"
 	. "github.com/onsi/ginkgo"
 
 	// nolint
@@ -25,118 +24,102 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilpointer "k8s.io/utils/pointer"
 
+	"github.com/oracle/oci-go-sdk/v45/common"
+	vault "github.com/oracle/oci-go-sdk/v45/vault"
+
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
 
 type oracleProvider struct {
-	clientID     string
-	clientSecret string
-	tenantID     string
-	vaultURL     string
-	client       *keyvault.BaseClient
-	framework    *framework.Framework
+	tenancy     string
+	user        string
+	region      string
+	fingerprint string
+	privateKey  string
+	framework   *framework.Framework
+	ctx         context.Context
 }
 
-func newOracleProvider(f *framework.Framework) *oracleProvider {
+const (
+	secretName = "secretName"
+)
+
+func newOracleProvider(f *framework.Framework, tenancy, user, region, fingerprint, privateKey string) *oracleProvider {
 	prov := &oracleProvider{
-		framework: f,
+		tenancy:     tenancy,
+		user:        user,
+		region:      region,
+		fingerprint: fingerprint,
+		privateKey:  privateKey,
+		framework:   f,
 	}
 	BeforeEach(prov.BeforeEach)
 	return prov
 }
 
-func (p *oracleProvider) CreateSecret(key, val string) {}
-
-func (p *oracleProvider) DeleteSecret(key string) {}
-
-func BeforeEach() {
-
-}
-
-// func neworacleProvider(f *framework.Framework) *oracleProvider {
-
-// 	clientCredentialsConfig := kvauth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
-// 	clientCredentialsConfig.Resource = "https://vault.azure.net"
-// 	authorizer, err := clientCredentialsConfig.Authorizer()
-// 	Expect(err).ToNot(HaveOccurred())
-// 	basicClient := keyvault.New()
-// 	basicClient.Authorizer = authorizer
-
-// 	prov := &azureProvider{
-// 		framework:    f,
-// 		clientID:     clientID,
-// 		clientSecret: clientSecret,
-// 		tenantID:     tenantID,
-// 		vaultURL:     vaultURL,
-// 		client:       &basicClient,
-// 	}
-// 	BeforeEach(prov.BeforeEach)
-// 	return prov
-// }
-
-func (s *azureProvider) CreateSecret(key, val string) {
-	_, err := s.client.SetSecret(
-		context.Background(),
-		s.vaultURL,
-		key,
-		keyvault.SecretSetParameters{
-			Value: &val,
-			SecretAttributes: &keyvault.SecretAttributes{
-				RecoveryLevel: keyvault.Purgeable,
-				Enabled:       utilpointer.BoolPtr(true),
-			},
-		})
+func (p *oracleProvider) CreateSecret(key, val string) {
+	configurationProvider := common.NewRawConfigurationProvider(p.tenancy, p.user, p.region, p.fingerprint, p.privateKey, nil)
+	client, err := vault.NewVaultsClientWithConfigurationProvider(configurationProvider)
+	Expect(err).ToNot(HaveOccurred())
+	kmssecretrequest := vault.CreateSecretRequest(vault.CreateSecretRequest{})
+	kmssecretrequest.SecretName = utilpointer.StringPtr(secretName)
+	kmssecretrequest.SecretContent = vault.Base64SecretContentDetails{
+		Name:    utilpointer.StringPtr("secretName"),
+		Content: utilpointer.StringPtr("secretContent"),
+	}
+	_, err = client.CreateSecret(p.ctx, kmssecretrequest)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s *azureProvider) DeleteSecret(key string) {
-	_, err := s.client.DeleteSecret(
-		context.Background(),
-		s.vaultURL,
-		key)
+func (p *oracleProvider) DeleteSecret(key string) {
+	configurationProvider := common.NewRawConfigurationProvider(p.tenancy, p.user, p.region, p.fingerprint, p.privateKey, nil)
+	client, err := vault.NewVaultsClientWithConfigurationProvider(configurationProvider)
+	Expect(err).ToNot(HaveOccurred())
+	kmssecretrequest := vault.ScheduleSecretDeletionRequest(vault.ScheduleSecretDeletionRequest{})
+	kmssecretrequest.SecretId = utilpointer.StringPtr(secretName)
+	_, err = client.ScheduleSecretDeletion(p.ctx, kmssecretrequest)
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func (s *azureProvider) BeforeEach() {
-	azureCreds := &v1.Secret{
+func (p *oracleProvider) BeforeEach() {
+	OracleCreds := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "provider-secret",
-			Namespace: s.framework.Namespace.Name,
+			Name:      secretName,
+			Namespace: p.framework.Namespace.Name,
 		},
 		StringData: map[string]string{
-			"client-id":     s.clientID,
-			"client-secret": s.clientSecret,
+			secretName: "value",
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), azureCreds)
+	err := p.framework.CRClient.Create(context.Background(), OracleCreds)
 	Expect(err).ToNot(HaveOccurred())
 
 	secretStore := &esv1alpha1.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      s.framework.Namespace.Name,
-			Namespace: s.framework.Namespace.Name,
+			Name:      p.framework.Namespace.Name,
+			Namespace: p.framework.Namespace.Name,
 		},
 		Spec: esv1alpha1.SecretStoreSpec{
 			Provider: &esv1alpha1.SecretStoreProvider{
-				AzureKV: &esv1alpha1.AzureKVProvider{
-					TenantID: &s.tenantID,
-					VaultURL: &s.vaultURL,
-					AuthSecretRef: &esv1alpha1.AzureKVAuth{
-						ClientID: &esmeta.SecretKeySelector{
-							Name: "provider-secret",
-							Key:  "client-id",
-						},
-						ClientSecret: &esmeta.SecretKeySelector{
-							Name: "provider-secret",
-							Key:  "client-secret",
+				Oracle: &esv1alpha1.OracleProvider{
+					Auth: esv1alpha1.OracleAuth{
+						SecretRef: esv1alpha1.OracleSecretRef{
+							Fingerprint: esmeta.SecretKeySelector{
+								Name: "kms-secret",
+								Key:  "keyid",
+							},
+							PrivateKey: esmeta.SecretKeySelector{
+								Name: "kms-secret",
+								Key:  "accesskey",
+							},
 						},
 					},
 				},
 			},
 		},
 	}
-	err = s.framework.CRClient.Create(context.Background(), secretStore)
+	err = p.framework.CRClient.Create(context.Background(), secretStore)
 	Expect(err).ToNot(HaveOccurred())
 }
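Review bot: The credentials passed to `newOracleProvider` never reach the cluster: `BeforeEach` creates a Secret named `secretName` holding only the literal `"value"`, while the SecretStore's `Fingerprint` and `PrivateKey` selectors point at `kms-secret` with keys `keyid` and `accesskey`, which nothing in this hunk creates. `secretName` is also not a valid Kubernetes object name (it contains an upper-case letter), so the `Create` call is likely to be rejected. The Secret should carry `p.fingerprint` and `p.privateKey` under a lower-case name that the selectors reference, as sketched below. Separately, the new `ctx` field is never assigned in `newOracleProvider`, so `CreateSecret` and `DeleteSecret` pass a nil context to the SDK; `context.Background()`, as `BeforeEach` already uses, would do. Both methods also ignore their `key`/`val` arguments in favour of fixed strings.

```go
const (
	// Constructed names for illustration; must be valid (lower-case) Kubernetes object names.
	credSecretName = "oracle-provider-secret"
	fingerprintKey = "fingerprint"
	privateKeyKey  = "privateKey"
)

func (p *oracleProvider) BeforeEach() {
	OracleCreds := &v1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      credSecretName,
			Namespace: p.framework.Namespace.Name,
		},
		StringData: map[string]string{
			fingerprintKey: p.fingerprint,
			privateKeyKey:  p.privateKey,
		},
	}
	// … unchanged: create OracleCreds, SecretStore metadata and provider nesting …
							Fingerprint: esmeta.SecretKeySelector{
								Name: credSecretName,
								Key:  fingerprintKey,
							},
							PrivateKey: esmeta.SecretKeySelector{
								Name: credSecretName,
								Key:  privateKeyKey,
							},
	// … unchanged: create secretStore …
```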

+ 1 - 8
pkg/provider/oracle/fake/fake.go

@@ -27,17 +27,10 @@ func (mc *OracleMockClient) GetSecret(ctx context.Context, request vault.GetSecr
 	return mc.getSecret(ctx, request)
 }
 
-func (mc *OracleMockClient) WithValue(input vault.GetSecretRequest) (output vault.GetSecretResponse, err error) {
+func (mc *OracleMockClient) WithValue(input vault.GetSecretRequest, output vault.GetSecretResponse, err error) {
 	if mc != nil {
 		mc.getSecret = func(ctx context.Context, paramReq vault.GetSecretRequest) (vault.GetSecretResponse, error) {
-			// type secretmanagerpb.AccessSecretVersionRequest contains unexported fields
-			// use cmpopts.IgnoreUnexported to ignore all the unexported fields in the cmp.
-			// if !cmp.Equal(paramReq, input, cmpopts.IgnoreUnexported(vault.Secret{})) {
-			// 	return nil, fmt.Errorf("unexpected test argument")
-			// }
 			return output, err
 		}
 	}
-	return output, nil
-	// not sure why I need this as other providers don't require extra return function
 }
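Review bot: `input` is now accepted but never read, and the commented-out request comparison was removed rather than restored, so the stub returns `output, err` for any request it receives. A test can therefore pass even if `GetSecret` asks the vault for the wrong `SecretId`. Comparing inside the closure, e.g. returning an error when `paramReq.SecretId == nil || input.SecretId == nil || *paramReq.SecretId != *input.SecretId`, would pin the requested id; the ref key used by the test fixtures would presumably need to match `makeValidAPIInput` for that to pass.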

+ 14 - 96
pkg/provider/oracle/oracle.go

@@ -16,19 +16,18 @@ import (
 	"encoding/json"
 	"fmt"
 
-	corev1 "k8s.io/api/core/v1"
-
+	"github.com/oracle/oci-go-sdk/v45/common"
 	vault "github.com/oracle/oci-go-sdk/v45/vault"
 	"github.com/tidwall/gjson"
-
-	"github.com/external-secrets/external-secrets/pkg/provider"
-	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
-	"github.com/external-secrets/external-secrets/pkg/provider/schema"
-	"github.com/oracle/oci-go-sdk/v45/common"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	"github.com/external-secrets/external-secrets/pkg/provider"
+	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
+	"github.com/external-secrets/external-secrets/pkg/provider/schema"
+	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
 const (
@@ -47,6 +46,8 @@ const (
 	errMissingRegion                         = "missing Region"
 	errMissingFingerprint                    = "missing Fingerprint"
 	errJSONSecretUnmarshal                   = "unable to unmarshal secret: %w"
+	errMissingKey                            = "missing Key in secret: %s"
+	errInvalidSecret                         = "invalid secret received. no secret string nor binary for key: %s"
 )
 
 type client struct {
@@ -63,16 +64,6 @@ type client struct {
 	privateKey  string
 }
 
-// // Oracle struct with values for *oracle.Client and projectID.
-// type providerOracle struct {
-// 	OracleClient identity.IdentityClient
-// 	projectID    interface{}
-// }
-
-// type OracleCredentials struct {
-// 	Token string `json:"token"`
-// }
-
 type KeyManagementService struct {
 	Client SMInterface
 }
@@ -134,8 +125,9 @@ func (c *client) setAuth(ctx context.Context) error {
 }
 
 func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	
-	
+	if utils.IsNil(kms.Client) {
+		return nil, fmt.Errorf(errUninitalizedOracleProvider)
+	}
 	kmsRequest := vault.GetSecretRequest{
 		SecretId: &ref.Key,
 	}
@@ -147,7 +139,7 @@ func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.E
 		if *secretOut.SecretName != "" {
 			return []byte(*secretOut.SecretName), nil
 		}
-		return nil, fmt.Errorf("invalid secret received. no secret string nor binary for key: %s", ref.Key)
+		return nil, fmt.Errorf(errInvalidSecret, ref.Key)
 	}
 	var payload *string
 	if secretOut.SecretName != nil {
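Review bot: `secretOut.SecretName` is dereferenced at `if *secretOut.SecretName != ""` before the nil check that only appears a few lines later at `if secretOut.SecretName != nil`, so a response without a name would panic in the first branch unless the enclosing condition (outside this hunk) already rules that out. Guarding it as `if secretOut.SecretName != nil && *secretOut.SecretName != ""` makes the two branches consistent. This branch also returns the `SecretName` field as the secret's bytes; it is worth confirming that field really carries the secret content rather than the secret's name, since the function body is only partly visible here.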
@@ -158,7 +150,7 @@ func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.E
 
 	val := gjson.Get(payloadval, ref.Property)
 	if !val.Exists() {
-		return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
+		return nil, fmt.Errorf(errMissingKey, ref.Key)
 	}
 
 	return []byte(val.String()), nil
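Review bot: The new message loses the property name: `fmt.Errorf(errMissingKey, ref.Key)` prints the secret id, where the old text named both `ref.Property` and `ref.Key`, so a user can no longer tell which JSON key was absent. Consider `errMissingKey = "key %s does not exist in secret %s"` with `fmt.Errorf(errMissingKey, ref.Property, ref.Key)`. The GetSecretMap hunk has the same loss, since `errJSONSecretUnmarshal` no longer includes `ref.Key`.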
@@ -172,7 +164,7 @@ func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha
 	kv := make(map[string]string)
 	err = json.Unmarshal(data, &kv)
 	if err != nil {
-		return nil, fmt.Errorf("unable to unmarshal secret %s: %w", ref.Key, err)
+		return nil, fmt.Errorf(errJSONSecretUnmarshal, err)
 	}
 	secretData := make(map[string][]byte)
 	for k, v := range kv {
@@ -212,11 +204,6 @@ func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1alpha1
 	return kms, nil
 }
 
-// // Function newOracleProvider returns a reference to a new Oracle struct 'instance'.
-// func NewOracleProvider() *providerOracle {
-// 	return &providerOracle{}
-// }
-
 func (kms *KeyManagementService) Close() error {
 	return nil
 }
@@ -226,72 +213,3 @@ func init() {
 		Oracle: &esv1alpha1.OracleProvider{},
 	})
 }
-
-// func fakeMain(kms *KeyManagementService) {
-
-// 	configurationProvider := common.NewRawConfigurationProvider("", "", "", "", "", nil)
-
-// 	c, err := identity.NewIdentityClientWithConfigurationProvider(common.DefaultConfigProvider())
-// 	o.client = c
-// 	fmt.Println("Client:", o.client)
-// 	if err != nil {
-// 		fmt.Println("Error:", err)
-// 		return
-// 	}
-
-// 	// The OCID of the tenancy containing the compartment.
-// 	// tenancyID, err := common.DefaultConfigProvider().TenancyOCID()
-// 	// if err != nil {
-// 	// 	fmt.Println("Error:", err)
-// 	// 	return
-// 	// }
-
-// 	// The OCID of the tenancy containing the compartment.
-// 	userID, err := common.DefaultConfigProvider().UserOCID()
-// 	if err != nil {
-// 		fmt.Println("Error:", err)
-// 		return
-// 	}
-
-// 	// request := identity.ListAvailabilityDomainsRequest{
-// 	// 	CompartmentId: &tenancyID,
-// 	// }
-
-// 	// request2 := identity.ListCustomerSecretKeysRequest{
-// 	// 	UserId: &TF_VAR_user_ocid,
-// 	// }
-
-// 	request2 := identity.ListCustomerSecretKeysRequest{
-// 		UserId: &userID,
-// 	}
-
-// 	// r, err := c.ListAvailabilityDomains(context.Background(), request)
-// 	// if err != nil {
-// 	// 	fmt.Println("Error:", err)
-// 	// 	return
-// 	// }
-
-// 	r, err := c.ListCustomerSecretKeys(context.Background(), request2)
-// 	if err != nil {
-// 		fmt.Println("Error:", err)
-// 		return
-// 	}
-
-// 	//c.list
-
-// 	//z, err := c.ListCustomerSecretKeys(context.Background(), identity.ListCustomerSecretKeysRequest{})
-
-// 	fmt.Printf("List of available Secret Keys: %v", r.Items)
-// 	return
-// }
-
-// var TF_VAR_user_ocid = os.Getenv("OCI_USER")
-// var TF_VAR_region = os.Getenv("OCI_REGION")
-
-// //var TF_VAR_fingerprint = os.Getenv("OCI_CLI_FINGERPRINT").
-// var TF_VAR_private_key = os.Getenv("OCI_PRIVATE_KEY")
-
-// // var TF_VAR_tenancy_ocid = os.Getenv("OCI_TENANCY")
-
-// // Requires a token to be set in environment variablego.
-// var ORACLETOKEN = os.Getenv("ORACLETOKEN")

+ 10 - 26
pkg/provider/oracle/oracle_test.go

@@ -18,8 +18,6 @@ import (
 	"strings"
 	"testing"
 
-	
-
 	vault "github.com/oracle/oci-go-sdk/v45/vault"
 	utilpointer "k8s.io/utils/pointer"
 
@@ -50,7 +48,7 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 		expectedSecret: "",
 		expectedData:   map[string][]byte{},
 	}
-	smtc.mockClient.WithValue(*smtc.apiInput)
+	smtc.mockClient.WithValue(*smtc.apiInput, *smtc.apiOutput, *&smtc.apiErr)
 	return &smtc
 }
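Review bot: `*&smtc.apiErr` takes the address of the field and immediately dereferences it; it is just `smtc.apiErr`. Write `smtc.mockClient.WithValue(*smtc.apiInput, *smtc.apiOutput, smtc.apiErr)` here and in `makeValidSecretManagerTestCaseCustom`. Note that `*smtc.apiInput` and `*smtc.apiOutput` will panic if a tweak function sets either pointer to nil, so a guard may be warranted if any test case does that.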
 
@@ -63,13 +61,13 @@ func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
 
 func makeValidAPIInput() *vault.GetSecretRequest {
 	return &vault.GetSecretRequest{
-		SecretId: utilpointer.StringPtr("i have no idea what should go here TEST CHECK"),
+		SecretId: utilpointer.StringPtr("test-secret"),
 	}
 }
 
 func makeValidAPIOutput() *vault.GetSecretResponse {
 	return &vault.GetSecretResponse{
-		Etag:   utilpointer.StringPtr("i have no idea if I need this TEST CHECK"),
+		Etag:   utilpointer.StringPtr("test-name"),
 		Secret: vault.Secret{},
 	}
 }
@@ -79,7 +77,7 @@ func makeValidSecretManagerTestCaseCustom(tweaks ...func(smtc *secretManagerTest
 	for _, fn := range tweaks {
 		fn(smtc)
 	}
-	smtc.mockClient.WithValue(*smtc.apiInput) //HAVING ONLY 1 VARIABLE SEEMS WRONG TEST CHECK
+	smtc.mockClient.WithValue(*smtc.apiInput, *smtc.apiOutput, *&smtc.apiErr)
 	return smtc
 }
 
@@ -99,31 +97,28 @@ func TestOracleSecretManagerGetSecret(t *testing.T) {
 	secretValue := "changedvalue"
 	// good case: default version is set
 	// key is passed in, output is sent back
-
 	setSecretString := func(smtc *secretManagerTestCase) {
 		smtc.apiOutput = &vault.GetSecretResponse{
-			Etag: utilpointer.StringPtr("i have no idea if I need this TEST CHECK"),
+			Etag: utilpointer.StringPtr("test-name"),
 			Secret: vault.Secret{
-				CompartmentId:  utilpointer.StringPtr("i have no idea if I need this TEST CHECK"),
-				Id:             utilpointer.StringPtr("i have no idea if I need this TEST CHECK"),
-				LifecycleState: vault.SecretLifecycleStateEnum("Unsure TEST CHECK"),
-				SecretName:     utilpointer.StringPtr("changedvalue"),
+				CompartmentId: utilpointer.StringPtr("test-compartment-id"),
+				Id:            utilpointer.StringPtr("test-id"),
+				SecretName:    utilpointer.StringPtr("changedvalue"),
 			},
-			// Key:   "testkey",
-			// Value: "changedvalue",
 		}
 		smtc.expectedSecret = secretValue
 	}
 
 	successCases := []*secretManagerTestCase{
-		makeValidSecretManagerTestCaseCustom(setSecretString),
 		makeValidSecretManagerTestCaseCustom(setAPIErr),
 		makeValidSecretManagerTestCaseCustom(setNilMockClient),
+		makeValidSecretManagerTestCaseCustom(setSecretString),
 	}
 
 	sm := KeyManagementService{}
 	for k, v := range successCases {
 		sm.Client = v.mockClient
+		fmt.Println(*v.ref)
 		out, err := sm.GetSecret(context.Background(), *v.ref)
 		if !ErrorContains(err, v.expectError) {
 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
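Review bot: `fmt.Println(*v.ref)` looks like leftover debugging: it writes every test case's remote ref to stdout on each run regardless of outcome. Drop it, or use `t.Logf("%+v", *v.ref)` so it only shows with `-v` or on failure. Also, `err.Error()` in the `t.Errorf` call below it would panic if `err` is nil while `v.expectError` is non-empty; formatting `err` with `%v` avoids that. The loop body continues outside the hunk.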
@@ -176,14 +171,3 @@ func ErrorContains(out error, want string) bool {
 	}
 	return strings.Contains(out.Error(), want)
 }
-
-// func TestCreateOracleClient(t *testing.T) {
-// 	//credentials := OracleCredentials{Token: ORACLETOKEN}
-// 	oracle := NewOracleProvider()
-// 	fakeMain(oracle)
-// 	request, err := http.NewRequest("GET", "https://cloud.oracle.com/security/kms/vaults/ocid1.vault.oc1.uk-london-1.cbqqsukvaacas.abwgiljrme75gqca4lh5uaykjk2ot2uwdae3p4l536h3mnrbkezqaphp5vdq/secrets/ocid1.vaultsecret.oc1.uk-london-1.amaaaaaa5op3n4qaqzzdsi3pn2kwcyyoypi5xg3nhzwpr7balrgjwy6uepsq?region=uk-london-1", nil)
-// 	///20180608/secrets/ocid1.vaultsecret.oc1.uk-london-1.amaaaaaa5op3n4qaqzzdsi3pn2kwcyyoypi5xg3nhzwpr7balrgjwy6uepsq
-// 	oracle.client.Call(context.Background(), request)
-// 	//user := oracle.client.UserAgent
-// 	fmt.Printf("Created client for username: %v", err)
-// }