remove cacert from client Authentication. It's already in CABundle.

2024-12-14 11:57:59 +00:00 · 2021-07-20 14:44:58 +01:00 · 2021-07-20 14:44:58 +01:00 · 4221c1b151
commit 4221c1b151
parent 7de9dc98c5
4 changed files with 1 additions and 19 deletions
--- a/apis/externalsecrets/v1alpha1/secretstore_vault_types.go
+++ b/apis/externalsecrets/v1alpha1/secretstore_vault_types.go
@ -89,12 +89,10 @@ type VaultAuth struct {
 	// +optional
 	Jwt *VaultJwtAuth `json:"jwt,omitempty"`

-        // Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+	// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
 	// Cert authentication method
 	// +optional
 	Cert *VaultCertAuth `json:"cert,omitempty"`
-
-	
 }

 // VaultAppRole authenticates with Vault using the App Role auth mechanism,
@ -177,10 +175,6 @@ type VaultCertAuth struct {
 	// +optional
 	ClientCert string `json:"clientCert"`

-	// CACert is the Vault TLS Listener CA certificate
-	// +optional
-	CACert string `json:"caCert"`
-
 	// SecretRef to a key in a Secret resource containing client private key to
 	// authenticate with Vault using the Cert authentication method
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
--- a/deploy/crds/external-secrets.io_clustersecretstores.yaml
+++ b/deploy/crds/external-secrets.io_clustersecretstores.yaml
@ -346,9 +346,6 @@ spec:
                              by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
-                              caCert:
-                                description: CACert is the Vault TLS Listener CA certificate
-                                type: string
                              clientCert:
                                description: ClientCert is a certificate to authenticate
                                  using the Cert Vault authentication method
--- a/deploy/crds/external-secrets.io_secretstores.yaml
+++ b/deploy/crds/external-secrets.io_secretstores.yaml
@ -346,9 +346,6 @@ spec:
                              by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
-                              caCert:
-                                description: CACert is the Vault TLS Listener CA certificate
-                                type: string
                              clientCert:
                                description: ClientCert is a certificate to authenticate
                                  using the Cert Vault authentication method
--- a/pkg/provider/vault/vault.go
+++ b/pkg/provider/vault/vault.go
@ -49,7 +49,6 @@ const (

 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
 	errVaultClient    = "cannot setup new vault client: %w"
-	errVaultTLSClient = "cannot setup new TLS vault client: %w"
 	errVaultCert      = "cannot set Vault CA certificate: %w"
 	errReadSecret     = "cannot read secret data from Vault: %w"
 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
@ -569,15 +568,10 @@ func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, ce
 		return "", fmt.Errorf(errGetCertPath, err)
 	}

-	caCertPath, err := getCertPath(certAuth.CACert, "ca.crt")
-	if err != nil {
-		return "", fmt.Errorf(errGetCertPath, err)
-	}

 	tlscfg := vault.TLSConfig{
 		ClientCert: clientCertPath,
 		ClientKey:  clientKeyPath,
-		CACert:     caCertPath,
 	}

 	err = cfg.ConfigureTLS(&tlscfg)