
support for adding headers in vault provider (#3677)

* support for vault headers

Signed-off-by: Abhinav Garg 10033523 <abhinav1708@gmail.com>

* changes in crds bases for headers support

Signed-off-by: Abhinav Garg 10033523 <abhinav1708@gmail.com>

* adding autogenerated files

Signed-off-by: Abhinav Garg 10033523 <abhinav1708@gmail.com>

* removing extra---

Signed-off-by: Abhinav Garg 10033523 <abhinav1708@gmail.com>

* adding headers before x-vault-Inconsistent

Signed-off-by: Abhinav Garg 10033523 <abhinav1708@gmail.com>

* changing for lint pass

Signed-off-by: Abhinav Garg 10033523 <abhinav1708@gmail.com>

---------

Signed-off-by: Abhinav Garg 10033523 <abhinav1708@gmail.com>
abhinav1708 1 year ago
parent
commit
bdd0c7ec9a

+ 4 - 0
apis/externalsecrets/v1beta1/secretstore_vault_types.go

@@ -86,6 +86,10 @@ type VaultProvider struct {
 	// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
 	// +optional
 	ForwardInconsistent bool `json:"forwardInconsistent,omitempty"`
+
+	// Headers to be added in Vault request
+	// +optional
+	Headers map[string]string `json:"headers,omitempty"`
 }
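Review bot: The doc comment on the new `Headers` field (line 45) is the only description a user gets — it is copied verbatim into the generated CRD schemas and `docs/api/spec.md` in this same commit — and it does not say what the map is keyed by, that the values are stored in plain text in the SecretStore resource rather than referenced from a Secret, or whether they can override headers the provider sets itself (the namespace set via `SetNamespace` and `X-Vault-Inconsistent` in `provider.go`). Suggested replacement: `// Headers is a map of additional HTTP header names to values sent on every request the provider makes to Vault. Values are stored in plain text in this resource; do not place credentials here.` A sentence on precedence against provider-managed headers should be added once that behaviour is settled in `initClient`. Regenerating the CRDs and API docs after the comment change keeps all three in sync.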
 
 // VaultClientTLS is the configuration used for client side related TLS communication,

+ 7 - 0
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -3192,6 +3192,13 @@ func (in *VaultProvider) DeepCopyInto(out *VaultProvider) {
 		*out = new(CAProvider)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultProvider.

+ 5 - 0
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -4401,6 +4401,11 @@ spec:
                           the option is enabled serverside.
                           https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                         type: boolean
+                      headers:
+                        additionalProperties:
+                          type: string
+                        description: Headers to be added in Vault request
+                        type: object
                       namespace:
                         description: |-
                           Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows

+ 5 - 0
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -4401,6 +4401,11 @@ spec:
                           the option is enabled serverside.
                           https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                         type: boolean
+                      headers:
+                        additionalProperties:
+                          type: string
+                        description: Headers to be added in Vault request
+                        type: object
                       namespace:
                         description: |-
                           Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows

+ 5 - 0
config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml

@@ -604,6 +604,11 @@ spec:
                       the option is enabled serverside.
                       https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                     type: boolean
+                  headers:
+                    additionalProperties:
+                      type: string
+                    description: Headers to be added in Vault request
+                    type: object
                   namespace:
                     description: |-
                       Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows

+ 15 - 0
deploy/crds/bundle.yaml

@@ -4748,6 +4748,11 @@ spec:
                             the option is enabled serverside.
                             https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                           type: boolean
+                        headers:
+                          additionalProperties:
+                            type: string
+                          description: Headers to be added in Vault request
+                          type: object
                         namespace:
                           description: |-
                             Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
@@ -10374,6 +10379,11 @@ spec:
                             the option is enabled serverside.
                             https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                           type: boolean
+                        headers:
+                          additionalProperties:
+                            type: string
+                          description: Headers to be added in Vault request
+                          type: object
                         namespace:
                           description: |-
                             Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
@@ -12064,6 +12074,11 @@ spec:
                         the option is enabled serverside.
                         https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                       type: boolean
+                    headers:
+                      additionalProperties:
+                        type: string
+                      description: Headers to be added in Vault request
+                      type: object
                     namespace:
                       description: |-
                         Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows

+ 12 - 0
docs/api/spec.md

@@ -8627,6 +8627,18 @@ the option is enabled serverside.
 <a href="https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header">https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header</a></p>
 </td>
 </tr>
+<tr>
+<td>
+<code>headers</code></br>
+<em>
+map[string]string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Headers to be added in Vault request</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1beta1.VaultUserPassAuth">VaultUserPassAuth

+ 7 - 0
pkg/provider/vault/provider.go

@@ -149,9 +149,16 @@ func (p *Provider) initClient(ctx context.Context, c *client, client util.Client
 		client.SetNamespace(*vaultSpec.Namespace)
 	}
 
+	if vaultSpec.Headers != nil {
+		for hKey, hValue := range vaultSpec.Headers {
+			client.AddHeader(hKey, hValue)
+		}
+	}
+
 	if vaultSpec.ReadYourWrites && vaultSpec.ForwardInconsistent {
 		client.AddHeader("X-Vault-Inconsistent", "forward-active-node")
 	}
+
 	c.client = client
 	c.auth = client.Auth()
 	c.logical = client.Logical()
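Review bot: The `if vaultSpec.Headers != nil` guard at line 188 is redundant, since ranging over a nil map is a no-op in Go, so the block reduces to `for hKey, hValue := range vaultSpec.Headers { client.AddHeader(hKey, hValue) }`. The more substantive point is that the user-supplied headers are applied with no filtering, after `client.SetNamespace` and right before the provider's own `client.AddHeader("X-Vault-Inconsistent", "forward-active-node")`; if `AddHeader` appends rather than replaces (as `net/http`'s `Header.Add` does), a SecretStore that also sets `X-Vault-Inconsistent` or `X-Vault-Namespace` would send both values, and which one Vault honours is not determined by this code. Consider skipping or rejecting header names the provider manages itself and documenting the precedence on the `Headers` field. `initClient` begins and ends outside this hunk.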