
Merge branch 'external-secrets:main' into vault-ca-provider

Daniel Hix 4 years ago
parent
commit
b3a44fdbd0

+ 3 - 0
.github/PAUL.yaml

@@ -1,5 +1,8 @@
 maintainers:
 - knelasevero
+- gusfcarvalho
+- sebagomez
+- serdarkalayci
 - riccardomc
 - iamcaleberic
 - jonatasbaldin

+ 2 - 2
deploy/charts/external-secrets/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: external-secrets
 description: External secret management for Kubernetes
 type: application
-version: "0.3.5"
-appVersion: "v0.3.5"
+version: "0.3.6"
+appVersion: "v0.3.6"
 kubeVersion: ">= 1.11.0-0"
 keywords:
   - kubernetes-external-secrets

+ 1 - 1
deploy/charts/external-secrets/README.md

@@ -4,7 +4,7 @@
 
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.3.6](https://img.shields.io/badge/Version-0.3.6-informational?style=flat-square)
 
 External secret management for Kubernetes
 

+ 24 - 0
pkg/provider/vault/fake/vault.go

@@ -26,6 +26,10 @@ type MockRawRequestWithContextFn func(ctx context.Context, r *vault.Request) (*v
 
 type MockSetTokenFn func(v string)
 
+type MockTokenFn func() string
+
+type MockClearTokenFn func()
+
 type MockSetNamespaceFn func(namespace string)
 
 func NewMockNewRequestFn(req *vault.Request) MockNewRequestFn {
@@ -57,6 +61,16 @@ func NewSetTokenFn(ofn ...func(v string)) MockSetTokenFn {
 	}
 }
 
+func NewTokenFn(v string) MockTokenFn {
+	return func() string {
+		return v
+	}
+}
+
+func NewClearTokenFn() MockClearTokenFn {
+	return func() {}
+}
+
 func NewSetNamespaceFn() MockSetNamespaceFn {
 	return func(namespace string) {}
 }
@@ -65,6 +79,8 @@ type VaultClient struct {
 	MockNewRequest            MockNewRequestFn
 	MockRawRequestWithContext MockRawRequestWithContextFn
 	MockSetToken              MockSetTokenFn
+	MockToken                 MockTokenFn
+	MockClearToken            MockClearTokenFn
 	MockSetNamespace          MockSetNamespaceFn
 }
 
@@ -80,6 +96,14 @@ func (c *VaultClient) SetToken(v string) {
 	c.MockSetToken(v)
 }
 
+func (c *VaultClient) Token() string {
+	return c.MockToken()
+}
+
+func (c *VaultClient) ClearToken() {
+	c.MockClearToken()
+}
+
 func (c *VaultClient) SetNamespace(namespace string) {
 	c.MockSetNamespace(namespace)
 }
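Review bot: Token and ClearToken on VaultClient invoke the mock function fields unconditionally, so any existing VaultClient literal that does not set MockToken or MockClearToken will panic on a nil function call as soon as the new Close path in vault.go runs; only one fixture in vault_test.go is updated by this commit. A nil guard keeps older fixtures working: `if c.MockToken == nil { return "" }` at the top of Token, and `if c.MockClearToken != nil { c.MockClearToken() }` in ClearToken. NewClearTokenFn also returns a no-op, so a test cannot observe that Close actually cleared the token; a constructor that accepts optional callbacks, like NewSetTokenFn does, would let the revoke path be asserted.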

+ 13 - 0
pkg/provider/vault/vault.go

@@ -68,12 +68,16 @@ const (
 	errSecretKeyFmt  = "cannot find secret data for key: %q"
 
 	errClientTLSAuth = "error from Client TLS Auth: %q"
+
+	errVaultRevokeToken = "error while revoking token: %w"
 )
 
 type Client interface {
 	NewRequest(method, requestPath string) *vault.Request
 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
 	SetToken(v string)
+	Token() string
+	ClearToken()
 	SetNamespace(namespace string)
 }
 
@@ -156,6 +160,15 @@ func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecret
 }
 
 func (v *client) Close(ctx context.Context) error {
+	// Revoke the token if we have one set and it wasn't sourced from a TokenSecretRef
+	if v.client.Token() != "" && v.store.Auth.TokenSecretRef == nil {
+		req := v.client.NewRequest(http.MethodPost, "/v1/auth/token/revoke-self")
+		_, err := v.client.RawRequestWithContext(ctx, req)
+		if err != nil {
+			return fmt.Errorf(errVaultRevokeToken, err)
+		}
+		v.client.ClearToken()
+	}
 	return nil
 }
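Review bot: The response from RawRequestWithContext is discarded at the `_, err :=` line in Close, so a successful revoke-self call never closes the response body and the underlying connection is not released; as far as I recall the Vault API leaves closing the body of a raw request to the caller. Change it to `resp, err := v.client.RawRequestWithContext(ctx, req)` followed by `if resp != nil { defer resp.Body.Close() }` before the error check. When revocation fails the token also stays set on the client and Close returns an error the caller may not be able to retry, so the credential remains resident until the process exits; either still call ClearToken after recording the error, or document that the token is kept for a later retry. Whether net/http is already imported in this file is not visible from the hunk.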
 

+ 3 - 1
pkg/provider/vault/vault_test.go

@@ -246,7 +246,9 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
 
 								return nil
 							}),
-						MockSetToken: fake.NewSetTokenFn(),
+						MockSetToken:   fake.NewSetTokenFn(),
+						MockToken:      fake.NewTokenFn(""),
+						MockClearToken: fake.NewClearTokenFn(),
 					}, nil
 				},
 			},
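Review bot: The new fixture wires `MockToken: fake.NewTokenFn("")`, so Token() returns an empty string and the revoke branch added to Close in vault.go is skipped in every test; the revoke-self request and the ClearToken call have no coverage. A second case with a non-empty token and a MockRawRequestWithContext that records the request path `/v1/auth/token/revoke-self` would pin that behaviour, and one with TokenSecretRef set would confirm that a user-supplied static token is never revoked. The enclosing test table starts and ends outside the hunk.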