
feat: make vault auth an optional entry (#4516)

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam 1 year ago
parent
commit
c964eb78e9

+ 1 - 1
apis/externalsecrets/v1beta1/secretstore_vault_types.go

@@ -29,7 +29,7 @@ const (
 // KV backend.
 type VaultProvider struct {
 	// Auth configures how secret-manager authenticates with the Vault server.
-	Auth VaultAuth `json:"auth"`
+	Auth *VaultAuth `json:"auth,omitempty"`
 
 	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
 	Server string `json:"server"`
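Review bot: The field comment still describes Auth as if it were mandatory, while the field is now a pointer with `omitempty` and `auth` is dropped from every CRD's required list in this commit; the comment should state the new contract, e.g. `// Auth configures how secret-manager authenticates with the Vault server. It is optional: when omitted, no login is performed and the client proceeds without credentials obtained by this provider.` If the project annotates optional fields with controller-gen markers, a `// +optional` line above the field would make the intent explicit in the generated schema as well. The VaultProvider struct continues outside the hunk.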

+ 5 - 1
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -3389,7 +3389,11 @@ func (in *VaultLdapAuth) DeepCopy() *VaultLdapAuth {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultProvider) DeepCopyInto(out *VaultProvider) {
 	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(VaultAuth)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.Path != nil {
 		in, out := &in.Path, &out.Path
 		*out = new(string)

+ 0 - 1
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -5901,7 +5901,6 @@ spec:
                         - v2
                         type: string
                     required:
-                    - auth
                     - server
                     type: object
                   webhook:

+ 0 - 1
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -5901,7 +5901,6 @@ spec:
                         - v2
                         type: string
                     required:
-                    - auth
                     - server
                     type: object
                   webhook:

+ 0 - 1
config/crds/bases/generators.external-secrets.io_clustergenerators.yaml

@@ -1655,7 +1655,6 @@ spec:
                             - v2
                             type: string
                         required:
-                        - auth
                         - server
                         type: object
                       resultType:

+ 0 - 1
config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml

@@ -851,7 +851,6 @@ spec:
                     - v2
                     type: string
                 required:
-                - auth
                 - server
                 type: object
               resultType:

+ 0 - 4
deploy/crds/bundle.yaml

@@ -6273,7 +6273,6 @@ spec:
                             - v2
                           type: string
                       required:
-                        - auth
                         - server
                       type: object
                     webhook:
@@ -13484,7 +13483,6 @@ spec:
                             - v2
                           type: string
                       required:
-                        - auth
                         - server
                       type: object
                     webhook:
@@ -15591,7 +15589,6 @@ spec:
                                 - v2
                               type: string
                           required:
-                            - auth
                             - server
                           type: object
                         resultType:
@@ -17827,7 +17824,6 @@ spec:
                         - v2
                       type: string
                   required:
-                    - auth
                     - server
                   type: object
                 resultType:

+ 8 - 8
e2e/suites/provider/cases/vault/provider.go

@@ -211,7 +211,7 @@ func (s *vaultProvider) CreateCertStore(v *addon.Vault, ns string) {
 
 	By("creating an secret store for vault")
 	secretStore := makeStore(certAuthProviderName, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = &esv1beta1.VaultAuth{
 		Cert: &esv1beta1.VaultCertAuth{
 			ClientCert: esmeta.SecretKeySelector{
 				Name: certAuthProviderName,
@@ -238,7 +238,7 @@ func (s vaultProvider) CreateTokenStore(v *addon.Vault, ns string, customizers .
 		},
 	}
 	secretStore := makeStore(s.framework.Namespace.Name, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = &esv1beta1.VaultAuth{
 		TokenSecretRef: &esmeta.SecretKeySelector{
 			Name: vaultCreds.Name,
 			Key:  "token",
@@ -269,7 +269,7 @@ func (s vaultProvider) CreateReferentTokenStore(v *addon.Vault, ns string, custo
 		},
 	}
 	secretStore := makeClusterStore(referentSecretStoreName(s.framework), ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = &esv1beta1.VaultAuth{
 		TokenSecretRef: &esmeta.SecretKeySelector{
 			Name: referentSecret.Name,
 			Key:  referentKey,
@@ -311,7 +311,7 @@ func (s vaultProvider) CreateAppRoleStore(v *addon.Vault, ns string) {
 
 	By("creating an secret store for vault")
 	secretStore := makeStore(appRoleAuthProviderName, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = &esv1beta1.VaultAuth{
 		AppRole: &esv1beta1.VaultAppRole{
 			Path:   v.AppRolePath,
 			RoleID: v.AppRoleID,
@@ -341,7 +341,7 @@ func (s vaultProvider) CreateV1Store(v *addon.Vault, ns string) {
 	secretV1StorePath := "secret_v1"
 	secretStore.Spec.Provider.Vault.Version = esv1beta1.VaultKVStoreV1
 	secretStore.Spec.Provider.Vault.Path = &secretV1StorePath
-	secretStore.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = &esv1beta1.VaultAuth{
 		TokenSecretRef: &esmeta.SecretKeySelector{
 			Name: "v1-provider",
 			Key:  "token",
@@ -364,7 +364,7 @@ func (s vaultProvider) CreateJWTStore(v *addon.Vault, ns string) {
 	err := s.framework.CRClient.Create(context.Background(), vaultCreds)
 	Expect(err).ToNot(HaveOccurred())
 	secretStore := makeStore(jwtProviderName, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = &esv1beta1.VaultAuth{
 		Jwt: &esv1beta1.VaultJwtAuth{
 			Path: v.JWTPath,
 			Role: v.JWTRole,
@@ -380,7 +380,7 @@ func (s vaultProvider) CreateJWTStore(v *addon.Vault, ns string) {
 
 func (s vaultProvider) CreateJWTK8sStore(v *addon.Vault, ns string) {
 	secretStore := makeStore(jwtK8sProviderName, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = &esv1beta1.VaultAuth{
 		Jwt: &esv1beta1.VaultJwtAuth{
 			Path: v.JWTK8sPath,
 			Role: v.JWTRole,
@@ -400,7 +400,7 @@ func (s vaultProvider) CreateJWTK8sStore(v *addon.Vault, ns string) {
 
 func (s vaultProvider) CreateKubernetesAuthStore(v *addon.Vault, ns string) {
 	secretStore := makeStore(kubernetesProviderName, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = &esv1beta1.VaultAuth{
 		Kubernetes: &esv1beta1.VaultKubernetesAuth{
 			Path: v.KubernetesAuthPath,
 			Role: v.KubernetesAuthRole,

+ 5 - 1
pkg/provider/vault/auth.go

@@ -43,6 +43,10 @@ const (
 // setAuth gets a new token using the configured mechanism.
 // If there's already a valid token, does nothing.
 func (c *client) setAuth(ctx context.Context, cfg *vault.Config) error {
+	if c.store.Auth == nil {
+		return nil
+	}
+
 	if c.store.Namespace != nil { // set namespace before checking the need for AuthNamespace
 		c.client.SetNamespace(*c.store.Namespace)
 	}
@@ -208,7 +212,7 @@ func (c *client) useAuthNamespace(_ context.Context) func() {
 		ns = *c.store.Namespace
 	}
 
-	if c.store.Auth.Namespace != nil {
+	if c.store.Auth != nil && c.store.Auth.Namespace != nil {
 		// Different Auth Vault Namespace than Secret Vault Namespace
 		// Switch namespaces then switch back at the end
 		if c.store.Auth.Namespace != nil && *c.store.Auth.Namespace != ns {
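Review bot: The early `return nil` added at the top of setAuth also skips the `c.client.SetNamespace(*c.store.Namespace)` call just below it, so a store that sets `namespace` but no `auth` block appears to never have its Vault namespace applied; unless SetNamespace is also called on the read path outside this hunk, reads would go to the root namespace, which is worth confirming before merge. The function comment above ("gets a new token using the configured mechanism") no longer covers the nil case; add `// Auth is optional: with no auth block, no login is attempted and the client proceeds with whatever token it already holds (possibly none).` In useAuthNamespace the added `c.store.Auth != nil` guard makes the inner `c.store.Auth.Namespace != nil` on the next line redundant; `if *c.store.Auth.Namespace != ns {` is sufficient there. Both setAuth and useAuthNamespace continue outside their hunks.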

+ 1 - 1
pkg/provider/vault/client.go

@@ -120,7 +120,7 @@ func (c *client) configureClientTLS(ctx context.Context, cfg *vault.Config) erro
 func (c *client) Close(ctx context.Context) error {
 	// Revoke the token if we have one set, it wasn't sourced from a TokenSecretRef,
 	// and token caching isn't enabled
-	if !enableCache && c.client.Token() != "" && c.store.Auth.TokenSecretRef == nil {
+	if !enableCache && c.client.Token() != "" && c.store.Auth != nil && c.store.Auth.TokenSecretRef == nil {
 		err := revokeTokenIfValid(ctx, c.client)
 		if err != nil {
 			return err
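Review bot: The comment above the changed condition no longer matches it: the token is now also left unrevoked when `c.store.Auth` is nil, not only when it came from a TokenSecretRef or caching is on. Extend it to `// Revoke the token if we have one set, it was obtained by this provider's own login (an auth block is configured and it is not a static TokenSecretRef), and token caching isn't enabled`. Close continues outside the hunk.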

+ 6 - 1
pkg/provider/vault/provider.go

@@ -212,7 +212,8 @@ func (p *Provider) prepareConfig(ctx context.Context, kube kclient.Client, corev
 }
 
 func getVaultClient(p *Provider, store esv1beta1.GenericStore, cfg *vault.Config) (util.Client, error) {
-	isStaticToken := store.GetSpec().Provider.Vault.Auth.TokenSecretRef != nil
+	auth := store.GetSpec().Provider.Vault.Auth
+	isStaticToken := auth != nil && auth.TokenSecretRef != nil
 	useCache := enableCache && !isStaticToken
 
 	key := cache.Key{
@@ -239,6 +240,10 @@ func getVaultClient(p *Provider, store esv1beta1.GenericStore, cfg *vault.Config
 }
 
 func isReferentSpec(prov *esv1beta1.VaultProvider) bool {
+	if prov.Auth == nil {
+		return false
+	}
+
 	if prov.Auth.TokenSecretRef != nil && prov.Auth.TokenSecretRef.Namespace == nil {
 		return true
 	}
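Review bot: With `auth` nil, `isStaticToken` is false, so `useCache` falls back to `enableCache` and a store with no auth block is cached exactly like one that performs its own login; whether that is intended depends on what cache.Key contains, which is outside the hunk, so a one-line comment such as `// A store without an auth block is cached like a dynamic-login store.` would record the decision. The early return in isReferentSpec also deserves a why-comment, e.g. `// No auth block means there are no secret references that could be referent.` getVaultClient continues outside the hunk.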

+ 5 - 5
pkg/provider/vault/provider_test.go

@@ -60,7 +60,7 @@ func makeValidSecretStoreWithVersion(v esv1beta1.VaultKVStoreVersion) *esv1beta1
 					Server:  "vault.example.com",
 					Path:    &secretStorePath,
 					Version: v,
-					Auth: esv1beta1.VaultAuth{
+					Auth: &esv1beta1.VaultAuth{
 						Kubernetes: &esv1beta1.VaultKubernetesAuth{
 							Path: "kubernetes",
 							Role: "kubernetes-auth-role",
@@ -91,7 +91,7 @@ func makeValidSecretStoreWithCerts() *esv1beta1.SecretStore {
 					Server:  "vault.example.com",
 					Path:    &secretStorePath,
 					Version: esv1beta1.VaultKVStoreV2,
-					Auth: esv1beta1.VaultAuth{
+					Auth: &esv1beta1.VaultAuth{
 						Cert: &esv1beta1.VaultCertAuth{
 							ClientCert: esmeta.SecretKeySelector{
 								Name: tlsAuthCerts,
@@ -141,7 +141,7 @@ func makeInvalidClusterSecretStoreWithK8sCerts() *esv1beta1.ClusterSecretStore {
 					Server:  "vault.example.com",
 					Path:    &secretStorePath,
 					Version: "v2",
-					Auth: esv1beta1.VaultAuth{
+					Auth: &esv1beta1.VaultAuth{
 						Kubernetes: &esv1beta1.VaultKubernetesAuth{
 							Path: "kubernetes",
 							Role: "kubernetes-auth-role",
@@ -173,7 +173,7 @@ func makeValidSecretStoreWithIamAuthSecret() *esv1beta1.SecretStore {
 					Server:  "https://vault.example.com:8200",
 					Path:    &secretStorePath,
 					Version: esv1beta1.VaultKVStoreV2,
-					Auth: esv1beta1.VaultAuth{
+					Auth: &esv1beta1.VaultAuth{
 						Iam: &esv1beta1.VaultIamAuth{
 							Path:   "aws",
 							Region: "us-east-1",
@@ -313,7 +313,7 @@ MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
 			reason: "Should return error if no valid authentication method is given.",
 			args: args{
 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
-					s.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{}
+					s.Spec.Provider.Vault.Auth = &esv1beta1.VaultAuth{}
 				}),
 			},
 			want: want{
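Review bot: None of the updated fixtures exercises the new nil `Auth` path; the case at the end of the hunk asserts that an empty `&esv1beta1.VaultAuth{}` is rejected for lacking an auth method, while the new guard in setAuth accepts a nil `Auth` without error, and that asymmetry is untested. Add a sibling case with `s.Spec.Provider.Vault.Auth = nil` whose reason states whether an auth-less store is expected to succeed or to be rejected. The same gap exists in validate_test.go, where `&auth` is always non-nil. The test table continues outside the hunk.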

+ 2 - 1
pkg/provider/vault/validate_test.go

@@ -254,11 +254,12 @@ func TestValidateStore(t *testing.T) {
 			c := &Provider{
 				NewVaultClient: nil,
 			}
+			auth := tt.args.auth
 			store := &esv1beta1.SecretStore{
 				Spec: esv1beta1.SecretStoreSpec{
 					Provider: &esv1beta1.SecretStoreProvider{
 						Vault: &esv1beta1.VaultProvider{
-							Auth:      tt.args.auth,
+							Auth:      &auth,
 							ClientTLS: tt.args.clientTLS,
 						},
 					},
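Review bot: Taking `&auth` unconditionally means ValidateStore is never called with a nil Auth in this table, yet that is the case the commit introduces; validate.go is not part of the change, so confirm it guards `Spec.Provider.Vault.Auth` before dereferencing it and add a table entry for the nil case. Making `args.auth` a pointer and passing it straight through would let the table express both shapes and the `auth := tt.args.auth` copy could go. TestValidateStore continues outside the hunk.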