
Deployed 31cecaa6 to main with MkDocs 1.5.3 and mike 1.2.0.dev0

moolen 2 лет назад
Родитель
Сommit
eb0441e047

+ 21 - 0
main/api/secretstore/index.html

@@ -2964,6 +2964,16 @@ If you want to design cross-namespace SecretStores you must use <a href="../clus
 <span class="w">        </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;Secret&quot;</span>
 <span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret&quot;</span>
 <span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;cert-key&quot;</span>
+<span class="w">      </span><span class="c1"># client side related TLS communication, when the Vault server requires mutual authentication</span>
+<span class="w">      </span><span class="nt">tls</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">clientCert</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">...</span>
+<span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret&quot;</span>
+<span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls.crt&quot;</span>
+<span class="w">        </span><span class="nt">secretRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">...</span>
+<span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret&quot;</span>
+<span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls.key&quot;</span>
 
 <span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
 <span class="w">        </span><span class="c1"># static token: https://www.vaultproject.io/docs/auth/token</span>
@@ -2992,6 +3002,17 @@ If you want to design cross-namespace SecretStores you must use <a href="../clus
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-secret&quot;</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;vault&quot;</span>
 
+<span class="w">        </span><span class="c1"># TLS certificates auth method: https://developer.hashicorp.com/vault/docs/auth/cert</span>
+<span class="w">        </span><span class="nt">cert</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">clientCert</span><span class="p">:</span>
+<span class="w">            </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">...</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret&quot;</span>
+<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls.crt&quot;</span>
+<span class="w">          </span><span class="nt">secretRef</span><span class="p">:</span>
+<span class="w">            </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">...</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret&quot;</span>
+<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls.key&quot;</span>
+
 <span class="w">    </span><span class="c1"># (3): GCP Secret Manager</span>
 <span class="w">    </span><span class="nt">gcpsm</span><span class="p">:</span>
 <span class="w">      </span><span class="c1"># Auth defines the information necessary to authenticate against GCP by getting</span>

+ 68 - 0
main/api/spec/index.html

@@ -9429,6 +9429,56 @@ authenticate with Vault using the Cert authentication method</p>
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1beta1.VaultClientTLS">VaultClientTLS
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1beta1.VaultProvider">VaultProvider</a>)
+</p>
+<p>
+<p>VaultClientTLS is the configuration used for client side related TLS communication,
+when the Vault server requires mutual authentication.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>certSecretRef</code></br>
+<em>
+<a href="https://pkg.go.dev/github.com/external-secrets/external-secrets/apis/meta/v1#SecretKeySelector">
+External Secrets meta/v1.SecretKeySelector
+</a>
+</em>
+</td>
+<td>
+<p>CertSecretRef is a certificate added to the transport layer
+when communicating with the Vault server.
+If no key for the Secret is specified, external-secret will default to &lsquo;tls.crt&rsquo;.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>keySecretRef</code></br>
+<em>
+<a href="https://pkg.go.dev/github.com/external-secrets/external-secrets/apis/meta/v1#SecretKeySelector">
+External Secrets meta/v1.SecretKeySelector
+</a>
+</em>
+</td>
+<td>
+<p>KeySecretRef to a key in a Secret resource containing client private key
+added to the transport layer when communicating with the Vault server.
+If no key for the Secret is specified, external-secret will default to &lsquo;tls.key&rsquo;.</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="external-secrets.io/v1beta1.VaultIamAuth">VaultIamAuth
 </h3>
 <p>
@@ -9942,6 +9992,24 @@ are used to validate the TLS connection.</p>
 </tr>
 <tr>
 <td>
+<code>tls</code></br>
+<em>
+<a href="#external-secrets.io/v1beta1.VaultClientTLS">
+VaultClientTLS
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>The configuration used for client side related TLS communication, when the Vault server
+requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
+This parameter is ignored for plain HTTP protocol connection.
+It&rsquo;s worth noting this configuration is different from the &ldquo;TLS certificates auth method&rdquo;,
+which is available under the <code>auth.cert</code> section.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>caProvider</code></br>
 <em>
 <a href="#external-secrets.io/v1beta1.CAProvider">

+ 69 - 2
main/provider/hashicorp-vault/index.html

@@ -2110,11 +2110,29 @@
     </span>
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#tls-certificates-authentication" class="md-nav__link">
+    <span class="md-ellipsis">
+      TLS certificates authentication
+    </span>
+  </a>
+  
 </li>
         
       </ul>
     </nav>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#mutual-authentication-mtls" class="md-nav__link">
+    <span class="md-ellipsis">
+      Mutual authentication (mTLS)
+    </span>
+  </a>
+  
 </li>
         
           <li class="md-nav__item">
@@ -3218,11 +3236,29 @@
     </span>
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#tls-certificates-authentication" class="md-nav__link">
+    <span class="md-ellipsis">
+      TLS certificates authentication
+    </span>
+  </a>
+  
 </li>
         
       </ul>
     </nav>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#mutual-authentication-mtls" class="md-nav__link">
+    <span class="md-ellipsis">
+      Mutual authentication (mTLS)
+    </span>
+  </a>
+  
 </li>
         
           <li class="md-nav__item">
@@ -3560,8 +3596,9 @@ Will generate a secret with:
 <a href="https://www.vaultproject.io/docs/auth/kubernetes">kubernetes-native</a>,
 <a href="https://www.vaultproject.io/docs/auth/ldap">ldap</a>,
 <a href="https://www.vaultproject.io/docs/auth/userpass">userPass</a>,
-<a href="https://www.vaultproject.io/docs/auth/jwt">jwt/oidc</a> and
-<a href="https://developer.hashicorp.com/vault/docs/auth/aws">awsAuth</a>, each one comes with it's own
+<a href="https://www.vaultproject.io/docs/auth/jwt">jwt/oidc</a>,
+<a href="https://developer.hashicorp.com/vault/docs/auth/aws">awsAuth</a> and
+<a href="https://developer.hashicorp.com/vault/docs/auth/cert">tlsCert</a>, each one comes with it's own
 trade-offs. Depending on the authentication method you need to adapt your environment.</p>
 <h4 id="token-based-authentication">Token-based authentication</h4>
 <p>A static token is stored in a <code>Kind=Secret</code> and is used to authenticate with vault.</p>
@@ -3756,6 +3793,36 @@ or <code>Kind=ClusterSecretStore</code> resource.</p>
 <p><a href="https://developer.hashicorp.com/vault/docs/auth/aws">AWS IAM</a> uses either a
 set of AWS Programmatic access credentials stored in a <code>Kind=Secret</code> and referenced by the
 <code>secretRef</code> or by getting the authentication token from an <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IRSA</a> enabled service account</p>
+<h4 id="tls-certificates-authentication">TLS certificates authentication</h4>
+<p><a href="https://developer.hashicorp.com/vault/docs/auth/cert">TLS certificates auth method</a>  allows authentication using SSL/TLS client certificates which are either signed by a CA or self-signed. SSL/TLS client certificates are defined as having an ExtKeyUsage extension with the usage set to either ClientAuth or Any.</p>
+<h3 id="mutual-authentication-mtls">Mutual authentication (mTLS)</h3>
+<p>Under specific compliance requirements, the Vault server can be set up to enforce mutual authentication from clients across all APIs by configuring the server with <code>tls_require_and_verify_client_cert = true</code>. This configuration differs fundamentally from the <a href="#TLS-certificates-authentication">TLS certificates auth method</a>. While the TLS certificates auth method allows the issuance of a Vault token through the <code>/v1/auth/cert/login</code> API, the mTLS configuration solely focuses on TLS transport layer authentication and lacks any authorization-related capabilities. It's important to note that the Vault token must still be included in the request, following any of the supported authentication methods mentioned earlier.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">vault</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;https://vault.acme.org&quot;</span>
+<span class="w">      </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;secret&quot;</span>
+<span class="w">      </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;v2&quot;</span>
+
+<span class="w">      </span><span class="c1"># client TLS related configuration</span>
+<span class="w">      </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;...&quot;</span>
+<span class="w">      </span><span class="nt">tls</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">clientCert</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret&quot;</span>
+<span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls.crt&quot;</span>
+<span class="w">        </span><span class="nt">secretRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret&quot;</span>
+<span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;tls.key&quot;</span>
+
+<span class="w">      </span><span class="c1"># the authentication methods are not really related to the client TLS configuration</span>
+<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
+<span class="w">        </span><span class="l l-Scalar l-Scalar-Plain">...</span>
+</code></pre></div>
 <h3 id="access-key-id-secret-access-key">Access Key ID &amp; Secret Access Key</h3>
 <p>You can store Access Key ID &amp; Secret Access Key in a <code>Kind=Secret</code> and reference it from a SecretStore.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>

+ 0 - 0
main/search/search_index.json


BIN
main/sitemap.xml.gz


+ 21 - 0
main/snippets/full-secret-store.yaml

@@ -62,6 +62,16 @@ spec:
         type: "Secret"
         name: "my-cert-secret"
         key: "cert-key"
+      # client side related TLS communication, when the Vault server requires mutual authentication
+      tls:
+        clientCert:
+          namespace: ...
+          name: "my-cert-secret"
+          key: "tls.crt"
+        secretRef:
+          namespace: ...
+          name: "my-cert-secret"
+          key: "tls.key"
 
       auth:
         # static token: https://www.vaultproject.io/docs/auth/token
@@ -90,6 +100,17 @@ spec:
             name: "my-secret"
             key: "vault"
 
+        # TLS certificates auth method: https://developer.hashicorp.com/vault/docs/auth/cert
+        cert:
+          clientCert:
+            namespace: ...
+            name: "my-cert-secret"
+            key: "tls.crt"
+          secretRef:
+            namespace: ...
+            name: "my-cert-secret"
+            key: "tls.key"
+
     # (3): GCP Secret Manager
     gcpsm:
       # Auth defines the information necessary to authenticate against GCP by getting
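Review bot: In the first hunk the new `tls:` block uses `clientCert` and `secretRef` as the sub-keys, whereas the VaultClientTLS spec added in this same commit names the fields `certSecretRef` and `keySecretRef`; the identical `clientCert`/`secretRef` pair appears under `auth.cert` in the second hunk, which is where those names belong. Since this snippet is meant to be copied, the mismatch would presumably cause the API server to prune the unrecognised keys (absent strict field validation), leaving the store without a client certificate and giving a false sense that mTLS is configured. I would change the two keys to `certSecretRef:` and `keySecretRef:` and add a comment above the block such as `# note: field names differ from auth.cert; mTLS uses certSecretRef/keySecretRef`. The comment on the `tls` block could also say that this only applies to an `https://` server URL, as the spec text already states.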

+ 25 - 0
main/snippets/vault-mtls-store.yaml

@@ -0,0 +1,25 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: vault-backend
+  namespace: example
+spec:
+  provider:
+    vault:
+      server: "https://vault.acme.org"
+      path: "secret"
+      version: "v2"
+
+      # client TLS related configuration
+      caBundle: "..."
+      tls:
+        clientCert:
+          name: "my-cert-secret"
+          key: "tls.crt"
+        secretRef:
+          name: "my-cert-secret"
+          key: "tls.key"
+
+      # the authentication methods are not really related to the client TLS configuration
+      auth:
+        ...
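Review bot: The `tls:` block uses `clientCert` and `secretRef`, but the VaultClientTLS type documented in this commit's spec page calls the fields `certSecretRef` and `keySecretRef`; the names used here are those of the `auth.cert` method, which the page itself says is a different thing. Applied verbatim, the unknown keys would presumably be dropped by the API server unless strict field validation is enabled, so the client certificate is never sent — the store then fails against a server with `tls_require_and_verify_client_cert = true`, or connects without mTLS at all against one without it, with nothing in the manifest hinting at the problem. The fix is two lines, `certSecretRef:` and `keySecretRef:`, and the `# client TLS related configuration` comment could usefully become `# client-side TLS: caBundle verifies the server, certSecretRef/keySecretRef present our client certificate (https only)`. The `...` placeholder for `auth` is fine, but a one-line comment saying a Vault token is still required for authorization, as the provider page explains, would keep the snippet self-contained.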
