diff --git a/apis/externalsecrets/v1beta1/secretsstore_delinea_types.go b/apis/externalsecrets/v1beta1/secretsstore_delinea_types.go
new file mode 100644
index 000000000..ab3482239
--- /dev/null
+++ b/apis/externalsecrets/v1beta1/secretsstore_delinea_types.go
@@ -0,0 +1,51 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+type DelineaProviderSecretRef struct {
+
+ // Value can be specified directly to set a value without using a secret.
+ // +optional
+ Value string `json:"value,omitempty"`
+
+ // SecretRef references a key in a secret that will be used as value.
+ // +optional
+ SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+// See https://github.com/DelineaXPM/dsv-sdk-go/blob/main/vault/vault.go.
+type DelineaProvider struct {
+
+ // ClientID is the non-secret part of the credential.
+ ClientID *DelineaProviderSecretRef `json:"clientId"`
+
+ // ClientSecret is the secret part of the credential.
+ ClientSecret *DelineaProviderSecretRef `json:"clientSecret"`
+
+ // Tenant is the chosen hostname / site name.
+ Tenant string `json:"tenant"`
+
+ // URLTemplate
+ // If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ // +optional
+ URLTemplate string `json:"urlTemplate,omitempty"`
+
+ // TLD is based on the server location that was chosen during provisioning.
+ // If unset, defaults to "com".
+ // +optional
+ TLD string `json:"tld,omitempty"`
+}
diff --git a/apis/externalsecrets/v1beta1/secretstore_types.go b/apis/externalsecrets/v1beta1/secretstore_types.go
index f7d0f2879..efa23ef0b 100644
--- a/apis/externalsecrets/v1beta1/secretstore_types.go
+++ b/apis/externalsecrets/v1beta1/secretstore_types.go
@@ -136,6 +136,11 @@ type SecretStoreProvider struct {
// Conjur configures this store to sync secrets using conjur provider
// +optional
Conjur *ConjurProvider `json:"conjur,omitempty"`
+
+ // Delinea DevOps Secrets Vault
+ // https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ // +optional
+ Delinea *DelineaProvider `json:"delinea,omitempty"`
}
type CAProviderType string
diff --git a/apis/externalsecrets/v1beta1/zz_generated.deepcopy.go b/apis/externalsecrets/v1beta1/zz_generated.deepcopy.go
index 37ec00270..b9c7b21f4 100644
--- a/apis/externalsecrets/v1beta1/zz_generated.deepcopy.go
+++ b/apis/externalsecrets/v1beta1/zz_generated.deepcopy.go
@@ -701,6 +701,51 @@ func (in *ConjurProvider) DeepCopy() *ConjurProvider {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DelineaProvider) DeepCopyInto(out *DelineaProvider) {
+ *out = *in
+ if in.ClientID != nil {
+ in, out := &in.ClientID, &out.ClientID
+ *out = new(DelineaProviderSecretRef)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.ClientSecret != nil {
+ in, out := &in.ClientSecret, &out.ClientSecret
+ *out = new(DelineaProviderSecretRef)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DelineaProvider.
+func (in *DelineaProvider) DeepCopy() *DelineaProvider {
+ if in == nil {
+ return nil
+ }
+ out := new(DelineaProvider)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DelineaProviderSecretRef) DeepCopyInto(out *DelineaProviderSecretRef) {
+ *out = *in
+ if in.SecretRef != nil {
+ in, out := &in.SecretRef, &out.SecretRef
+ *out = new(metav1.SecretKeySelector)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DelineaProviderSecretRef.
+func (in *DelineaProviderSecretRef) DeepCopy() *DelineaProviderSecretRef {
+ if in == nil {
+ return nil
+ }
+ out := new(DelineaProviderSecretRef)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *DopplerAuth) DeepCopyInto(out *DopplerAuth) {
*out = *in
@@ -1861,6 +1906,11 @@ func (in *SecretStoreProvider) DeepCopyInto(out *SecretStoreProvider) {
*out = new(ConjurProvider)
(*in).DeepCopyInto(*out)
}
+ if in.Delinea != nil {
+ in, out := &in.Delinea, &out.Delinea
+ *out = new(DelineaProvider)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreProvider.
diff --git a/config/crds/bases/external-secrets.io_clustersecretstores.yaml b/config/crds/bases/external-secrets.io_clustersecretstores.yaml
index 40eb66103..52a285e08 100644
--- a/config/crds/bases/external-secrets.io_clustersecretstores.yaml
+++ b/config/crds/bases/external-secrets.io_clustersecretstores.yaml
@@ -2262,6 +2262,78 @@ spec:
- auth
- url
type: object
+ delinea:
+ description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ properties:
+ clientId:
+ description: ClientID is the non-secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that
+ will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred
+ to. Ignored if referent is not cluster-scoped. cluster-scoped
+ defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a
+ value without using a secret.
+ type: string
+ type: object
+ clientSecret:
+ description: ClientSecret is the secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that
+ will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred
+ to. Ignored if referent is not cluster-scoped. cluster-scoped
+ defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a
+ value without using a secret.
+ type: string
+ type: object
+ tenant:
+ description: Tenant is the chosen hostname / site name.
+ type: string
+ tld:
+ description: TLD is based on the server location that was
+ chosen during provisioning. If unset, defaults to "com".
+ type: string
+ urlTemplate:
+ description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ type: string
+ required:
+ - clientId
+ - clientSecret
+ - tenant
+ type: object
doppler:
description: Doppler configures this store to sync secrets using
the Doppler provider
diff --git a/config/crds/bases/external-secrets.io_secretstores.yaml b/config/crds/bases/external-secrets.io_secretstores.yaml
index a8d9b5309..612660c26 100644
--- a/config/crds/bases/external-secrets.io_secretstores.yaml
+++ b/config/crds/bases/external-secrets.io_secretstores.yaml
@@ -2262,6 +2262,78 @@ spec:
- auth
- url
type: object
+ delinea:
+ description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ properties:
+ clientId:
+ description: ClientID is the non-secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that
+ will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred
+ to. Ignored if referent is not cluster-scoped. cluster-scoped
+ defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a
+ value without using a secret.
+ type: string
+ type: object
+ clientSecret:
+ description: ClientSecret is the secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that
+ will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred
+ to. Ignored if referent is not cluster-scoped. cluster-scoped
+ defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a
+ value without using a secret.
+ type: string
+ type: object
+ tenant:
+ description: Tenant is the chosen hostname / site name.
+ type: string
+ tld:
+ description: TLD is based on the server location that was
+ chosen during provisioning. If unset, defaults to "com".
+ type: string
+ urlTemplate:
+ description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ type: string
+ required:
+ - clientId
+ - clientSecret
+ - tenant
+ type: object
doppler:
description: Doppler configures this store to sync secrets using
the Doppler provider
diff --git a/deploy/crds/bundle.yaml b/deploy/crds/bundle.yaml
index a4802c081..31eea9bec 100644
--- a/deploy/crds/bundle.yaml
+++ b/deploy/crds/bundle.yaml
@@ -2109,6 +2109,63 @@ spec:
- auth
- url
type: object
+ delinea:
+ description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ properties:
+ clientId:
+ description: ClientID is the non-secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ clientSecret:
+ description: ClientSecret is the secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ tenant:
+ description: Tenant is the chosen hostname / site name.
+ type: string
+ tld:
+ description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com".
+ type: string
+ urlTemplate:
+ description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ type: string
+ required:
+ - clientId
+ - clientSecret
+ - tenant
+ type: object
doppler:
description: Doppler configures this store to sync secrets using the Doppler provider
properties:
@@ -5755,6 +5812,63 @@ spec:
- auth
- url
type: object
+ delinea:
+ description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ properties:
+ clientId:
+ description: ClientID is the non-secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ clientSecret:
+ description: ClientSecret is the secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ tenant:
+ description: Tenant is the chosen hostname / site name.
+ type: string
+ tld:
+ description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com".
+ type: string
+ urlTemplate:
+ description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ type: string
+ required:
+ - clientId
+ - clientSecret
+ - tenant
+ type: object
doppler:
description: Doppler configures this store to sync secrets using the Doppler provider
properties:
diff --git a/docs/api/spec.md b/docs/api/spec.md
index 371dddf49..a1758009a 100644
--- a/docs/api/spec.md
+++ b/docs/api/spec.md
@@ -1775,6 +1775,132 @@ ConjurAuth
+
DelineaProvider
+
+
+(Appears on:
+SecretStoreProvider)
+
+
+
See https://github.com/DelineaXPM/dsv-sdk-go/blob/main/vault/vault.go.
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+clientId
+
+
+DelineaProviderSecretRef
+
+
+ |
+
+ ClientID is the non-secret part of the credential.
+ |
+
+
+
+clientSecret
+
+
+DelineaProviderSecretRef
+
+
+ |
+
+ ClientSecret is the secret part of the credential.
+ |
+
+
+
+tenant
+
+string
+
+ |
+
+ Tenant is the chosen hostname / site name.
+ |
+
+
+
+urlTemplate
+
+string
+
+ |
+
+(Optional)
+ URLTemplate
+If unset, defaults to “https://%s.secretsvaultcloud.%s/v1/%s%s”.
+ |
+
+
+
+tld
+
+string
+
+ |
+
+(Optional)
+ TLD is based on the server location that was chosen during provisioning.
+If unset, defaults to “com”.
+ |
+
+
+
+DelineaProviderSecretRef
+
+
+(Appears on:
+DelineaProvider)
+
+
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+value
+
+string
+
+ |
+
+(Optional)
+ Value can be specified directly to set a value without using a secret.
+ |
+
+
+
+secretRef
+
+
+External Secrets meta/v1.SecretKeySelector
+
+
+ |
+
+(Optional)
+ SecretRef references a key in a secret that will be used as value.
+ |
+
+
+
DopplerAuth
@@ -4865,6 +4991,21 @@ ConjurProvider
Conjur configures this store to sync secrets using conjur provider
+
+
+delinea
+
+
+DelineaProvider
+
+
+ |
+
+(Optional)
+ Delinea DevOps Secrets Vault
+https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ |
+
SecretStoreRef
diff --git a/docs/introduction/stability-support.md b/docs/introduction/stability-support.md
index 81807bfa1..78ebdd435 100644
--- a/docs/introduction/stability-support.md
+++ b/docs/introduction/stability-support.md
@@ -52,6 +52,7 @@ The following table describes the stability level of each provider and who's res
| [Keeper Security](https://www.keepersecurity.com/) | alpha | [@ppodevlab](https://github.com/ppodevlab) |
| [Scaleway](https://external-secrets.io/latest/provider/scaleway) | alpha | [@azert9](https://github.com/azert9/) |
| [Conjur](https://external-secrets.io/latest/provider/conjur) | alpha | [@davidh-cyberark](https://github.com/davidh-cyberark/) |
+| [Delinea](https://external-secrets.io/latest/provider/delinea) | alpha | [@michaelsauter](https://github.com/michaelsauter/) |
## Provider Feature Support
@@ -78,6 +79,7 @@ The following table show the support for features across different providers.
| Keeper Security | x | | | | x | x | |
| Scaleway | x | x | | | x | x | x |
| Conjur | | | | | x | | |
+| Delinea | x | | | | x | | |
## Support Policy
diff --git a/docs/provider/delinea.md b/docs/provider/delinea.md
new file mode 100644
index 000000000..3b92f152a
--- /dev/null
+++ b/docs/provider/delinea.md
@@ -0,0 +1,56 @@
+## Delinea DevOps Secrets Vault
+
+External Secrets Operator integrates with [Delinea DevOps Secrets Vault](https://docs.delinea.com/online-help/products/devops-secrets-vault/current).
+
+Please note that the [Delinea Secret Server](https://delinea.com/products/secret-server) product is NOT in scope of this integration.
+
+### Creating a SecretStore
+
+You need client ID, client secret and tenant to authenticate with DSV.
+Both client ID and client secret can be specified either directly in the config, or by referencing a kubernetes secret.
+
+To acquire client ID and client secret, refer to the [policy management](https://docs.delinea.com/dsv/current/tutorials/policy.md) and [client management](https://docs.delinea.com/dsv/current/usage/cli-ref/client.md) documentation.
+
+```yaml
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: secret-store
+spec:
+ provider:
+ delinea:
+ tenant:
+ tld:
+ clientId:
+ value:
+ clientSecret:
+ secretRef:
+ name:
+ key:
+```
+
+Both `clientId` and `clientSecret` can either be specified directly via the `value` field or can reference a kubernetes secret.
+
+The `tenant` field must correspond to the host name / site name of your DevOps vault. If you selected a region other than the US you must also specify the TLD, e.g. `tld: eu`.
+
+If required, the URL template (`urlTemplate`) can be customized as well.
+
+### Referencing Secrets
+
+Secrets can be referenced by path. Getting a specific version of a secret is not yet supported.
+
+```yaml
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: secret
+spec:
+ refreshInterval: 20s
+ secretStoreRef:
+ kind: SecretStore
+ name: secret-store
+ data:
+ - secretKey:
+ remoteRef:
+ key:
+```
diff --git a/e2e/go.mod b/e2e/go.mod
index fa2a35360..99f6bdef1 100644
--- a/e2e/go.mod
+++ b/e2e/go.mod
@@ -39,6 +39,7 @@ require (
cloud.google.com/go/secretmanager v1.11.1
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
github.com/Azure/go-autorest/autorest/azure/auth v0.5.12
+ github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0
github.com/akeylesslabs/akeyless-go-cloud-id v0.3.4
github.com/akeylesslabs/akeyless-go/v3 v3.3.12
github.com/aliyun/alibaba-cloud-sdk-go v1.62.271
diff --git a/e2e/go.sum b/e2e/go.sum
index 995e0533f..2cda3bc37 100644
--- a/e2e/go.sum
+++ b/e2e/go.sum
@@ -77,6 +77,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM
github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0 h1:+XXJ43iH4js8LIBr4MUGq1J09ycivNkTNhtn4mFyhY8=
+github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0/go.mod h1:NTdQaRBIRZ/8gIzs010CS/u69aVSmqD1zbESW25y2cE=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/akeylesslabs/akeyless-go-cloud-id v0.3.4 h1:vTckjyBhHOBiOWSC/oaEU2Oo4OH5eAlQiwKu2RMxsFg=
github.com/akeylesslabs/akeyless-go-cloud-id v0.3.4/go.mod h1:As/RomC2w/fa3y+yHRlVHPmkbP+zrKBFRow41y5dk+E=
diff --git a/e2e/run.sh b/e2e/run.sh
index c1a029620..9977afe46 100755
--- a/e2e/run.sh
+++ b/e2e/run.sh
@@ -79,6 +79,11 @@ kubectl run --rm \
--env="SCALEWAY_PROJECT_ID=${SCALEWAY_PROJECT_ID:-}" \
--env="SCALEWAY_ACCESS_KEY=${SCALEWAY_ACCESS_KEY:-}" \
--env="SCALEWAY_SECRET_KEY=${SCALEWAY_SECRET_KEY:-}" \
+ --env="DELINEA_TLD=${DELINEA_TLD:-}" \
+ --env="DELINEA_URL_TEMPLATE=${DELINEA_URL_TEMPLATE:-}" \
+ --env="DELINEA_TENANT=${DELINEA_TENANT:-}" \
+ --env="DELINEA_CLIENT_ID=${DELINEA_CLIENT_ID:-}" \
+ --env="DELINEA_CLIENT_SECRET=${DELINEA_CLIENT_SECRET:-}" \
--env="VERSION=${VERSION}" \
--env="TEST_SUITES=${TEST_SUITES}" \
--overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "external-secrets-e2e"}}' \
diff --git a/e2e/suites/provider/cases/common/common.go b/e2e/suites/provider/cases/common/common.go
index cf2b9da5c..67d4c1fb3 100644
--- a/e2e/suites/provider/cases/common/common.go
+++ b/e2e/suites/provider/cases/common/common.go
@@ -512,7 +512,7 @@ func DockerJSONConfig(f *framework.Framework) (string, func(*framework.TestCase)
return "[common] should sync docker configurated json secrets with template simple", func(tc *framework.TestCase) {
cloudSecretName := fmt.Sprintf("%s-%s", f.Namespace.Name, dockerConfigExampleName)
cloudRemoteRefKey := f.MakeRemoteRefKey(cloudSecretName)
- dockerconfig := `{"auths":{"https://index.docker.io/v1/": {"auth": "c3R...zE2"}}}`
+ dockerconfig := `{"auths":{"https://index.docker.io/v1/":{"auth":"c3R...zE2"}}}`
cloudSecretValue := fmt.Sprintf(`{"dockerconfig": %s}`, dockerconfig)
tc.Secrets = map[string]framework.SecretEntry{
cloudRemoteRefKey: {Value: cloudSecretValue},
diff --git a/e2e/suites/provider/cases/delinea/config.go b/e2e/suites/provider/cases/delinea/config.go
new file mode 100644
index 000000000..96da8e9b7
--- /dev/null
+++ b/e2e/suites/provider/cases/delinea/config.go
@@ -0,0 +1,47 @@
+package delinea
+
+import (
+ "fmt"
+ "os"
+)
+
+type config struct {
+ tld string
+ urlTemplate string
+ tenant string
+ clientID string
+ clientSecret string
+}
+
+func loadConfigFromEnv() (*config, error) {
+ var cfg config
+ var err error
+
+ // Optional settings
+ cfg.tld, _ = getEnv("DELINEA_TLD")
+ cfg.urlTemplate, _ = getEnv("DELINEA_URL_TEMPLATE")
+
+ // Required settings
+ cfg.tenant, err = getEnv("DELINEA_TENANT")
+ if err != nil {
+ return nil, err
+ }
+ cfg.clientID, err = getEnv("DELINEA_CLIENT_ID")
+ if err != nil {
+ return nil, err
+ }
+ cfg.clientSecret, err = getEnv("DELINEA_CLIENT_SECRET")
+ if err != nil {
+ return nil, err
+ }
+
+ return &cfg, nil
+}
+
+func getEnv(name string) (string, error) {
+ value, ok := os.LookupEnv(name)
+ if !ok {
+ return "", fmt.Errorf("environment variable %q is not set", name)
+ }
+ return value, nil
+}
diff --git a/e2e/suites/provider/cases/delinea/delinea.go b/e2e/suites/provider/cases/delinea/delinea.go
new file mode 100644
index 000000000..93d22c4a1
--- /dev/null
+++ b/e2e/suites/provider/cases/delinea/delinea.go
@@ -0,0 +1,115 @@
+package delinea
+
+import (
+ "context"
+
+ "github.com/external-secrets/external-secrets-e2e/framework"
+ "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
+ esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+ esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+ "github.com/onsi/ginkgo/v2"
+ "github.com/onsi/gomega"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var _ = ginkgo.Describe("[delinea]", ginkgo.Label("delinea"), func() {
+
+ f := framework.New("eso-delinea")
+
+ // Initialization is deferred so that assertions work.
+ provider := &secretStoreProvider{}
+
+ ginkgo.BeforeEach(func() {
+
+ cfg, err := loadConfigFromEnv()
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+ provider.init(cfg)
+
+ createResources(context.Background(), f, cfg)
+ })
+
+ ginkgo.DescribeTable("sync secrets", framework.TableFunc(f, provider),
+
+ ginkgo.Entry(common.JSONDataWithProperty(f)),
+ ginkgo.Entry(common.JSONDataWithoutTargetName(f)),
+ ginkgo.Entry(common.JSONDataWithTemplate(f)),
+ ginkgo.Entry(common.JSONDataWithTemplateFromLiteral(f)),
+ ginkgo.Entry(common.TemplateFromConfigmaps(f)),
+ ginkgo.Entry(common.JSONDataFromSync(f)),
+ ginkgo.Entry(common.JSONDataFromRewrite(f)),
+ ginkgo.Entry(common.NestedJSONWithGJSON(f)),
+ ginkgo.Entry(common.DockerJSONConfig(f)),
+ ginkgo.Entry(common.DataPropertyDockerconfigJSON(f)),
+ ginkgo.Entry(common.SSHKeySyncDataProperty(f)),
+ ginkgo.Entry(common.DecodingPolicySync(f)),
+
+ // V1Alpha1 is not supported.
+ // ginkgo.Entry(common.SyncV1Alpha1(f)),
+
+ // Non-JSON values are not supported by DSV.
+ // ginkgo.Entry(common.SimpleDataSync(f)),
+ // ginkgo.Entry(common.SyncWithoutTargetName(f)),
+ // ginkgo.Entry(common.SSHKeySync(f)),
+ // ginkgo.Entry(common.DeletionPolicyDelete(f)),
+
+ // FindByName is not supported.
+ // ginkgo.Entry(common.FindByName(f)),
+ // ginkgo.Entry(common.FindByNameAndRewrite(f)),
+ // ginkgo.Entry(common.FindByNameWithPath(f)),
+
+ // FindByTag is not supported.
+ // ginkgo.Entry(common.FindByTag(f)),
+ // ginkgo.Entry(common.FindByTagWithPath(f)),
+ )
+})
+
+func createResources(ctx context.Context, f *framework.Framework, cfg *config) {
+
+ secretName := "delinea-credential"
+ secretKey := "client-secret"
+
+ // Creating a secret to hold the Delinea client secret.
+ secretSpec := v1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: secretName,
+ Namespace: f.Namespace.Name,
+ },
+ StringData: map[string]string{
+ secretKey: cfg.clientSecret,
+ },
+ }
+
+ err := f.CRClient.Create(ctx, &secretSpec)
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+ // Creating SecretStore.
+ secretStoreSpec := esv1beta1.SecretStore{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: f.Namespace.Name,
+ Namespace: f.Namespace.Name,
+ },
+ Spec: esv1beta1.SecretStoreSpec{
+ Provider: &esv1beta1.SecretStoreProvider{
+ Delinea: &esv1beta1.DelineaProvider{
+ Tenant: cfg.tenant,
+ TLD: cfg.tld,
+ URLTemplate: cfg.urlTemplate,
+ ClientID: &esv1beta1.DelineaProviderSecretRef{
+ Value: cfg.clientID,
+ },
+ ClientSecret: &esv1beta1.DelineaProviderSecretRef{
+ SecretRef: &esmeta.SecretKeySelector{
+ Name: secretName,
+ Key: secretKey,
+ },
+ },
+ },
+ },
+ },
+ }
+
+ err = f.CRClient.Create(ctx, &secretStoreSpec)
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+}
diff --git a/e2e/suites/provider/cases/delinea/provider.go b/e2e/suites/provider/cases/delinea/provider.go
new file mode 100644
index 000000000..845143571
--- /dev/null
+++ b/e2e/suites/provider/cases/delinea/provider.go
@@ -0,0 +1,47 @@
+package delinea
+
+import (
+ "encoding/json"
+
+ "github.com/DelineaXPM/dsv-sdk-go/v2/vault"
+ "github.com/external-secrets/external-secrets-e2e/framework"
+ "github.com/onsi/gomega"
+)
+
+type secretStoreProvider struct {
+ api *vault.Vault
+ cfg *config
+}
+
+func (p *secretStoreProvider) init(cfg *config) {
+
+ p.cfg = cfg
+
+ dsvClient, err := vault.New(vault.Configuration{
+ Credentials: vault.ClientCredential{
+ ClientID: cfg.clientID,
+ ClientSecret: cfg.clientSecret,
+ },
+ Tenant: cfg.tenant,
+ URLTemplate: cfg.urlTemplate,
+ TLD: cfg.tld,
+ })
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+ p.api = dsvClient
+}
+
+func (p *secretStoreProvider) CreateSecret(key string, val framework.SecretEntry) {
+ var data map[string]interface{}
+ err := json.Unmarshal([]byte(val.Value), &data)
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+ _, err = p.api.CreateSecret(key, &vault.SecretCreateRequest{
+ Data: data,
+ })
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+}
+
+func (p *secretStoreProvider) DeleteSecret(key string) {
+ err := p.api.DeleteSecret(key)
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
+}
diff --git a/e2e/suites/provider/cases/import.go b/e2e/suites/provider/cases/import.go
index c3b2fd2ec..8a88f7de3 100644
--- a/e2e/suites/provider/cases/import.go
+++ b/e2e/suites/provider/cases/import.go
@@ -19,6 +19,7 @@ import (
_ "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/aws/parameterstore"
_ "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/aws/secretsmanager"
_ "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/azure"
+ _ "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/delinea"
_ "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/gcp"
_ "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/kubernetes"
_ "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/scaleway"
diff --git a/go.mod b/go.mod
index 535ca751c..3475f2a56 100644
--- a/go.mod
+++ b/go.mod
@@ -63,6 +63,7 @@ require github.com/1Password/connect-sdk-go v1.5.1
require (
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
+ github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0
github.com/akeylesslabs/akeyless-go/v3 v3.3.12
github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.4
github.com/alibabacloud-go/kms-20160120/v3 v3.0.2
diff --git a/go.sum b/go.sum
index 730e7dd2b..586350fd7 100644
--- a/go.sum
+++ b/go.sum
@@ -87,6 +87,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkM
github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0 h1:+XXJ43iH4js8LIBr4MUGq1J09ycivNkTNhtn4mFyhY8=
+github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0/go.mod h1:NTdQaRBIRZ/8gIzs010CS/u69aVSmqD1zbESW25y2cE=
github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
github.com/IBM/go-sdk-core/v5 v5.13.4 h1:kJvBNQOwhFRkXCPapjNvKVC7n7n2vd1Nr6uUtDZGcfo=
github.com/IBM/go-sdk-core/v5 v5.13.4/go.mod h1:gKRSB+YyKsGlRQW7v5frlLbue5afulSvrRa4O26o4MM=
diff --git a/hack/api-docs/mkdocs.yml b/hack/api-docs/mkdocs.yml
index 00eef1012..c6f22a739 100644
--- a/hack/api-docs/mkdocs.yml
+++ b/hack/api-docs/mkdocs.yml
@@ -106,6 +106,7 @@ nav:
- Doppler: provider/doppler.md
- Keeper Security: provider/keeper-security.md
- Scaleway: provider/scaleway.md
+ - Delinea: provider/delinea.md
- Examples:
- FluxCD: examples/gitops-using-fluxcd.md
- Anchore Engine: examples/anchore-engine-credentials.md
diff --git a/pkg/provider/delinea/client.go b/pkg/provider/delinea/client.go
new file mode 100644
index 000000000..72172d461
--- /dev/null
+++ b/pkg/provider/delinea/client.go
@@ -0,0 +1,148 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package delinea
+
+import (
+ "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "reflect"
+ "strconv"
+ "strings"
+
+ "github.com/DelineaXPM/dsv-sdk-go/v2/vault"
+ "github.com/tidwall/gjson"
+
+ esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+const (
+ errSecretKeyFmt = "cannot find secret data for key: %q"
+ errUnexpectedKey = "unexpected key in data: %s"
+ errSecretFormat = "secret data for property %s not in expected format: %s"
+)
+
+type client struct {
+ api secretAPI
+}
+
+var _ esv1beta1.SecretsClient = &client{}
+
+// GetSecret supports two types:
+// 1. get the full secret as json-encoded value
+// by leaving the ref.Property empty.
+// 2. get a key from the secret.
+// Nested values are supported by specifying a gjson expression
+func (c *client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
+ secret, err := c.getSecret(ctx, ref)
+ if err != nil {
+ return nil, err
+ }
+ // Return nil if secret value is null
+ if secret.Data == nil {
+ return nil, nil
+ }
+ jsonStr, err := json.Marshal(secret.Data)
+ if err != nil {
+ return nil, err
+ }
+ // return raw json if no property is defined
+ if ref.Property == "" {
+ return jsonStr, nil
+ }
+ // extract key from secret using gjson
+ val := gjson.Get(string(jsonStr), ref.Property)
+ if !val.Exists() {
+ return nil, esv1beta1.NoSecretError{}
+ }
+ return []byte(val.String()), nil
+}
+
+func (c *client) PushSecret(_ context.Context, _ []byte, _ esv1beta1.PushRemoteRef) error {
+ return errors.New("pushing secrets is not supported by Delinea DevOps Secrets Vault")
+}
+
+func (c *client) DeleteSecret(_ context.Context, _ esv1beta1.PushRemoteRef) error {
+ return errors.New("deleting secrets is not supported by Delinea DevOps Secrets Vault")
+}
+
+func (c *client) Validate() (esv1beta1.ValidationResult, error) {
+ return esv1beta1.ValidationResultReady, nil
+}
+
+// GetSecret gets the full secret as json-encoded value.
+func (c *client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+ secret, err := c.getSecret(ctx, ref)
+ if err != nil {
+ return nil, err
+ }
+ byteMap := make(map[string][]byte, len(secret.Data))
+ for k := range secret.Data {
+ byteMap[k], err = getTypedKey(secret.Data, k)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ return byteMap, nil
+}
+
+// GetAllSecrets lists secrets matching the given criteria and return their latest versions.
+func (c *client) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+ return nil, errors.New("getting all secrets is not supported by Delinea DevOps Secrets Vault")
+}
+
+func (c *client) Close(context.Context) error {
+ return nil
+}
+
+// getSecret retrieves the secret referenced by ref from the Vault API.
+func (c *client) getSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (*vault.Secret, error) {
+ if ref.Version != "" {
+ return nil, errors.New("specifying a version is not yet supported")
+ }
+ return c.api.Secret(ref.Key)
+}
+
+// getTypedKey is copied from pkg/provider/vault/vault.go.
+func getTypedKey(data map[string]interface{}, key string) ([]byte, error) {
+ v, ok := data[key]
+ if !ok {
+ return nil, fmt.Errorf(errUnexpectedKey, key)
+ }
+ switch t := v.(type) {
+ case string:
+ return []byte(t), nil
+ case map[string]interface{}:
+ return json.Marshal(t)
+ case []string:
+ return []byte(strings.Join(t, "\n")), nil
+ case []byte:
+ return t, nil
+ // also covers int and float32 due to json.Marshal
+ case float64:
+ return []byte(strconv.FormatFloat(t, 'f', -1, 64)), nil
+ case json.Number:
+ return []byte(t.String()), nil
+ case []interface{}:
+ return json.Marshal(t)
+ case bool:
+ return []byte(strconv.FormatBool(t)), nil
+ case nil:
+ return []byte(nil), nil
+ default:
+ return nil, fmt.Errorf(errSecretFormat, key, reflect.TypeOf(t))
+ }
+}
diff --git a/pkg/provider/delinea/client_test.go b/pkg/provider/delinea/client_test.go
new file mode 100644
index 000000000..281e0e7d4
--- /dev/null
+++ b/pkg/provider/delinea/client_test.go
@@ -0,0 +1,117 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package delinea
+
+import (
+ "context"
+ "errors"
+ "testing"
+
+ "github.com/DelineaXPM/dsv-sdk-go/v2/vault"
+ "github.com/stretchr/testify/assert"
+
+ esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+type fakeAPI struct {
+ secrets []*vault.Secret
+}
+
+// createVaultSecret assembles a vault.Secret.
+// vault.Secret has unexported nested types, and is therefore quite
+// tricky from outside the vault package. This function facilitates easy setup.
+func createVaultSecret(path string, data map[string]interface{}) *vault.Secret {
+ s := &vault.Secret{}
+ s.Path = path
+ s.Data = data
+ return s
+}
+
+// Secret returns secret matching path.
+func (f *fakeAPI) Secret(path string) (*vault.Secret, error) {
+ for _, s := range f.secrets {
+ if s.Path == path {
+ return s, nil
+ }
+ }
+ return nil, errors.New("not found")
+}
+
+func newTestClient() esv1beta1.SecretsClient {
+ return &client{
+ api: &fakeAPI{
+ secrets: []*vault.Secret{
+ createVaultSecret("a", map[string]interface{}{}),
+ createVaultSecret("b", map[string]interface{}{
+ "hello": "world",
+ }),
+ createVaultSecret("c", map[string]interface{}{
+ "foo": map[string]string{"bar": "baz"},
+ }),
+ },
+ },
+ }
+}
+
+func TestGetSecret(t *testing.T) {
+ ctx := context.Background()
+ c := newTestClient()
+
+ testCases := map[string]struct {
+ ref esv1beta1.ExternalSecretDataRemoteRef
+ want []byte
+ err error
+ }{
+ "querying for the key returns the map": {
+ ref: esv1beta1.ExternalSecretDataRemoteRef{
+ Key: "b",
+ },
+ want: []byte(`{"hello":"world"}`),
+ },
+ "querying for the key and property returns a single value": {
+ ref: esv1beta1.ExternalSecretDataRemoteRef{
+ Key: "b",
+ Property: "hello",
+ },
+ want: []byte(`world`),
+ },
+ "querying for the key and nested property returns a single value": {
+ ref: esv1beta1.ExternalSecretDataRemoteRef{
+ Key: "c",
+ Property: "foo.bar",
+ },
+ want: []byte(`baz`),
+ },
+ "querying for existent key and non-existing propery": {
+ ref: esv1beta1.ExternalSecretDataRemoteRef{
+ Key: "c",
+ Property: "foo.bar.x",
+ },
+ err: esv1beta1.NoSecretErr,
+ },
+ }
+ for name, tc := range testCases {
+ t.Run(name, func(t *testing.T) {
+ got, err := c.GetSecret(ctx, tc.ref)
+ if tc.err == nil {
+ assert.NoError(t, err)
+ assert.Equal(t, tc.want, got)
+ } else {
+ assert.Nil(t, got)
+ assert.ErrorIs(t, err, tc.err)
+ assert.Equal(t, tc.err, err)
+ }
+ })
+ }
+}
diff --git a/pkg/provider/delinea/provider.go b/pkg/provider/delinea/provider.go
new file mode 100644
index 000000000..68e809cb3
--- /dev/null
+++ b/pkg/provider/delinea/provider.go
@@ -0,0 +1,207 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package delinea
+
+import (
+ "context"
+ "errors"
+ "fmt"
+
+ "github.com/DelineaXPM/dsv-sdk-go/v2/vault"
+ corev1 "k8s.io/api/core/v1"
+ kubeClient "sigs.k8s.io/controller-runtime/pkg/client"
+
+ esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+ "github.com/external-secrets/external-secrets/pkg/utils"
+)
+
+var (
+ errEmptyTenant = errors.New("tenant must not be empty")
+ errEmptyClientID = errors.New("clientID must be set")
+ errEmptyClientSecret = errors.New("clientSecret must be set")
+ errSecretRefAndValueConflict = errors.New("cannot specify both secret reference and value")
+ errSecretRefAndValueMissing = errors.New("must specify either secret reference or direct value")
+ errMissingStore = errors.New("missing store specification")
+ errInvalidSpec = errors.New("invalid specification for delinea provider")
+ errMissingSecretName = errors.New("must specify a secret name")
+ errMissingSecretKey = errors.New("must specify a secret key")
+ errClusterStoreRequiresNamespace = errors.New("when using a ClusterSecretStore, namespaces must be explicitly set")
+
+ errNoSuchKeyFmt = "no such key in secret: %q"
+)
+
+type Provider struct{}
+
+var _ esv1beta1.Provider = &Provider{}
+
+// Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
+func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
+ return esv1beta1.SecretStoreReadOnly
+}
+
+func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kubeClient.Client, namespace string) (esv1beta1.SecretsClient, error) {
+ cfg, err := getConfig(store)
+ if err != nil {
+ return nil, err
+ }
+
+ if store.GetKind() == esv1beta1.ClusterSecretStoreKind && doesConfigDependOnNamespace(cfg) {
+ // we are not attached to a specific namespace, but some config values are dependent on it
+ return nil, errClusterStoreRequiresNamespace
+ }
+
+ clientID, err := loadConfigSecret(ctx, cfg.ClientID, kube, namespace)
+ if err != nil {
+ return nil, err
+ }
+
+ clientSecret, err := loadConfigSecret(ctx, cfg.ClientSecret, kube, namespace)
+ if err != nil {
+ return nil, err
+ }
+
+ dsvClient, err := vault.New(vault.Configuration{
+ Credentials: vault.ClientCredential{
+ ClientID: clientID,
+ ClientSecret: clientSecret,
+ },
+ Tenant: cfg.Tenant,
+ TLD: cfg.TLD,
+ URLTemplate: cfg.URLTemplate,
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ return &client{
+ api: dsvClient,
+ }, nil
+}
+
+func loadConfigSecret(ctx context.Context, ref *esv1beta1.DelineaProviderSecretRef, kube kubeClient.Client, defaultNamespace string) (string, error) {
+ if ref.SecretRef == nil {
+ return ref.Value, nil
+ }
+
+ if err := validateSecretRef(ref); err != nil {
+ return "", err
+ }
+
+ namespace := defaultNamespace
+ if ref.SecretRef.Namespace != nil {
+ namespace = *ref.SecretRef.Namespace
+ }
+
+ objKey := kubeClient.ObjectKey{Namespace: namespace, Name: ref.SecretRef.Name}
+ secret := corev1.Secret{}
+ err := kube.Get(ctx, objKey, &secret)
+ if err != nil {
+ return "", err
+ }
+
+ value, ok := secret.Data[ref.SecretRef.Key]
+ if !ok {
+ return "", fmt.Errorf(errNoSuchKeyFmt, ref.SecretRef.Key)
+ }
+
+ return string(value), nil
+}
+
+func validateStoreSecretRef(store esv1beta1.GenericStore, ref *esv1beta1.DelineaProviderSecretRef) error {
+ if ref.SecretRef != nil {
+ if err := utils.ValidateReferentSecretSelector(store, *ref.SecretRef); err != nil {
+ return err
+ }
+ }
+
+ return validateSecretRef(ref)
+}
+
+func validateSecretRef(ref *esv1beta1.DelineaProviderSecretRef) error {
+ if ref.SecretRef != nil {
+ if ref.Value != "" {
+ return errSecretRefAndValueConflict
+ }
+ if ref.SecretRef.Name == "" {
+ return errMissingSecretName
+ }
+ if ref.SecretRef.Key == "" {
+ return errMissingSecretKey
+ }
+ } else if ref.Value == "" {
+ return errSecretRefAndValueMissing
+ }
+
+ return nil
+}
+
+func doesConfigDependOnNamespace(cfg *esv1beta1.DelineaProvider) bool {
+ if cfg.ClientID.SecretRef != nil && cfg.ClientID.SecretRef.Namespace == nil {
+ return true
+ }
+
+ if cfg.ClientSecret.SecretRef != nil && cfg.ClientSecret.SecretRef.Namespace == nil {
+ return true
+ }
+
+ return false
+}
+
+func getConfig(store esv1beta1.GenericStore) (*esv1beta1.DelineaProvider, error) {
+ if store == nil {
+ return nil, errMissingStore
+ }
+ storeSpec := store.GetSpec()
+
+ if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Delinea == nil {
+ return nil, errInvalidSpec
+ }
+ cfg := storeSpec.Provider.Delinea
+
+ if cfg.Tenant == "" {
+ return nil, errEmptyTenant
+ }
+
+ if cfg.ClientID == nil {
+ return nil, errEmptyClientID
+ }
+
+ if cfg.ClientSecret == nil {
+ return nil, errEmptyClientSecret
+ }
+
+ err := validateStoreSecretRef(store, cfg.ClientID)
+ if err != nil {
+ return nil, err
+ }
+
+ err = validateStoreSecretRef(store, cfg.ClientSecret)
+ if err != nil {
+ return nil, err
+ }
+
+ return cfg, nil
+}
+
+func (p *Provider) ValidateStore(store esv1beta1.GenericStore) error {
+ _, err := getConfig(store)
+ return err
+}
+
+func init() {
+ esv1beta1.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
+ Delinea: &esv1beta1.DelineaProvider{},
+ })
+}
diff --git a/pkg/provider/delinea/provider_test.go b/pkg/provider/delinea/provider_test.go
new file mode 100644
index 000000000..cc779ba5d
--- /dev/null
+++ b/pkg/provider/delinea/provider_test.go
@@ -0,0 +1,369 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package delinea
+
+import (
+ "context"
+ "fmt"
+ "testing"
+
+ "github.com/DelineaXPM/dsv-sdk-go/v2/vault"
+ "github.com/stretchr/testify/assert"
+ corev1 "k8s.io/api/core/v1"
+ kubeErrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ kubeClient "sigs.k8s.io/controller-runtime/pkg/client"
+ clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+ esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+ v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+ "github.com/external-secrets/external-secrets/pkg/utils"
+)
+
+func TestDoesConfigDependOnNamespace(t *testing.T) {
+ tests := map[string]struct {
+ cfg esv1beta1.DelineaProvider
+ want bool
+ }{
+ "true when client ID references a secret without explicit namespace": {
+ cfg: esv1beta1.DelineaProvider{
+ ClientID: &esv1beta1.DelineaProviderSecretRef{
+ SecretRef: &v1.SecretKeySelector{Name: "foo"},
+ },
+ ClientSecret: &esv1beta1.DelineaProviderSecretRef{SecretRef: nil},
+ },
+ want: true,
+ },
+ "true when client secret references a secret without explicit namespace": {
+ cfg: esv1beta1.DelineaProvider{
+ ClientID: &esv1beta1.DelineaProviderSecretRef{SecretRef: nil},
+ ClientSecret: &esv1beta1.DelineaProviderSecretRef{
+ SecretRef: &v1.SecretKeySelector{Name: "foo"},
+ },
+ },
+ want: true,
+ },
+ "false when neither client ID nor secret reference a secret": {
+ cfg: esv1beta1.DelineaProvider{
+ ClientID: &esv1beta1.DelineaProviderSecretRef{SecretRef: nil},
+ ClientSecret: &esv1beta1.DelineaProviderSecretRef{SecretRef: nil},
+ },
+ want: false,
+ },
+ }
+ for name, tc := range tests {
+ t.Run(name, func(t *testing.T) {
+ got := doesConfigDependOnNamespace(&tc.cfg)
+ assert.Equal(t, tc.want, got)
+ })
+ }
+}
+
+func TestValidateStore(t *testing.T) {
+ validSecretRefUsingValue := makeSecretRefUsingValue("foo")
+ ambiguousSecretRef := &esv1beta1.DelineaProviderSecretRef{
+ SecretRef: &v1.SecretKeySelector{Name: "foo"}, Value: "foo",
+ }
+ tests := map[string]struct {
+ cfg esv1beta1.DelineaProvider
+ want error
+ }{
+ "invalid without tenant": {
+ cfg: esv1beta1.DelineaProvider{
+ Tenant: "",
+ ClientID: validSecretRefUsingValue,
+ ClientSecret: validSecretRefUsingValue,
+ },
+ want: errEmptyTenant,
+ },
+ "invalid without clientID": {
+ cfg: esv1beta1.DelineaProvider{
+ Tenant: "foo",
+ // ClientID omitted
+ ClientSecret: validSecretRefUsingValue,
+ },
+ want: errEmptyClientID,
+ },
+ "invalid without clientSecret": {
+ cfg: esv1beta1.DelineaProvider{
+ Tenant: "foo",
+ ClientID: validSecretRefUsingValue,
+ // ClientSecret omitted
+ },
+ want: errEmptyClientSecret,
+ },
+ "invalid with ambiguous clientID": {
+ cfg: esv1beta1.DelineaProvider{
+ Tenant: "foo",
+ ClientID: ambiguousSecretRef,
+ ClientSecret: validSecretRefUsingValue,
+ },
+ want: errSecretRefAndValueConflict,
+ },
+ "invalid with ambiguous clientSecret": {
+ cfg: esv1beta1.DelineaProvider{
+ Tenant: "foo",
+ ClientID: validSecretRefUsingValue,
+ ClientSecret: ambiguousSecretRef,
+ },
+ want: errSecretRefAndValueConflict,
+ },
+ "invalid with invalid clientID": {
+ cfg: esv1beta1.DelineaProvider{
+ Tenant: "foo",
+ ClientID: makeSecretRefUsingValue(""),
+ ClientSecret: validSecretRefUsingValue,
+ },
+ want: errSecretRefAndValueMissing,
+ },
+ "invalid with invalid clientSecret": {
+ cfg: esv1beta1.DelineaProvider{
+ Tenant: "foo",
+ ClientID: validSecretRefUsingValue,
+ ClientSecret: makeSecretRefUsingValue(""),
+ },
+ want: errSecretRefAndValueMissing,
+ },
+ "valid with tenant/clientID/clientSecret": {
+ cfg: esv1beta1.DelineaProvider{
+ Tenant: "foo",
+ ClientID: validSecretRefUsingValue,
+ ClientSecret: validSecretRefUsingValue,
+ },
+ want: nil,
+ },
+ }
+ for name, tc := range tests {
+ t.Run(name, func(t *testing.T) {
+ s := esv1beta1.SecretStore{
+ Spec: esv1beta1.SecretStoreSpec{
+ Provider: &esv1beta1.SecretStoreProvider{
+ Delinea: &tc.cfg,
+ },
+ },
+ }
+ p := &Provider{}
+ got := p.ValidateStore(&s)
+ assert.Equal(t, tc.want, got)
+ })
+ }
+}
+
+func TestValidateStoreBailsOnUnexpectedStore(t *testing.T) {
+ tests := map[string]struct {
+ store esv1beta1.GenericStore
+ want error
+ }{
+ "missing store": {nil, errMissingStore},
+ "missing spec": {&esv1beta1.SecretStore{}, errInvalidSpec},
+ "missing provider": {&esv1beta1.SecretStore{
+ Spec: esv1beta1.SecretStoreSpec{Provider: nil},
+ }, errInvalidSpec},
+ "missing delinea": {&esv1beta1.SecretStore{
+ Spec: esv1beta1.SecretStoreSpec{Provider: &esv1beta1.SecretStoreProvider{
+ Delinea: nil,
+ }},
+ }, errInvalidSpec},
+ }
+ for name, tc := range tests {
+ t.Run(name, func(t *testing.T) {
+ p := &Provider{}
+ got := p.ValidateStore(tc.store)
+ assert.Equal(t, tc.want, got)
+ })
+ }
+}
+
+func TestNewClient(t *testing.T) {
+ tenant := "foo"
+ clientIDKey := "username"
+ clientIDValue := "client id"
+ clientSecretKey := "password"
+ clientSecretValue := "client secret"
+
+ clientSecret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "default"},
+ Data: map[string][]byte{
+ clientIDKey: []byte(clientIDValue),
+ clientSecretKey: []byte(clientSecretValue),
+ },
+ }
+
+ validProvider := &esv1beta1.DelineaProvider{
+ Tenant: tenant,
+ ClientID: makeSecretRefUsingRef(clientSecret.Name, clientIDKey),
+ ClientSecret: makeSecretRefUsingRef(clientSecret.Name, clientSecretKey),
+ }
+
+ tests := map[string]struct {
+ store esv1beta1.GenericStore // leave nil for namespaced store
+ provider *esv1beta1.DelineaProvider // discarded when store is set
+ kube kubeClient.Client
+ errCheck func(t *testing.T, err error)
+ }{
+ "missing provider config": {
+ provider: nil,
+ errCheck: func(t *testing.T, err error) {
+ assert.ErrorIs(t, err, errInvalidSpec)
+ },
+ },
+ "namespace-dependent cluster secret store": {
+ store: &esv1beta1.ClusterSecretStore{
+ TypeMeta: metav1.TypeMeta{Kind: esv1beta1.ClusterSecretStoreKind},
+ Spec: esv1beta1.SecretStoreSpec{
+ Provider: &esv1beta1.SecretStoreProvider{
+ Delinea: validProvider,
+ },
+ },
+ },
+ errCheck: func(t *testing.T, err error) {
+ assert.ErrorIs(t, err, errClusterStoreRequiresNamespace)
+ },
+ },
+ "dangling client ID ref": {
+ provider: &esv1beta1.DelineaProvider{
+ Tenant: tenant,
+ ClientID: makeSecretRefUsingRef("typo", clientIDKey),
+ ClientSecret: makeSecretRefUsingRef(clientSecret.Name, clientSecretKey),
+ },
+ kube: clientfake.NewClientBuilder().WithObjects(clientSecret).Build(),
+ errCheck: func(t *testing.T, err error) {
+ assert.True(t, kubeErrors.IsNotFound(err))
+ },
+ },
+ "dangling client secret ref": {
+ provider: &esv1beta1.DelineaProvider{
+ Tenant: tenant,
+ ClientID: makeSecretRefUsingRef(clientSecret.Name, clientIDKey),
+ ClientSecret: makeSecretRefUsingRef("typo", clientSecretKey),
+ },
+ kube: clientfake.NewClientBuilder().WithObjects(clientSecret).Build(),
+ errCheck: func(t *testing.T, err error) {
+ assert.True(t, kubeErrors.IsNotFound(err))
+ },
+ },
+ "secret ref without name": {
+ provider: &esv1beta1.DelineaProvider{
+ Tenant: tenant,
+ ClientID: makeSecretRefUsingRef("", clientIDKey),
+ ClientSecret: makeSecretRefUsingRef(clientSecret.Name, clientSecretKey),
+ },
+ kube: clientfake.NewClientBuilder().WithObjects(clientSecret).Build(),
+ errCheck: func(t *testing.T, err error) {
+ assert.ErrorIs(t, err, errMissingSecretName)
+ },
+ },
+ "secret ref without key": {
+ provider: &esv1beta1.DelineaProvider{
+ Tenant: tenant,
+ ClientID: makeSecretRefUsingRef(clientSecret.Name, ""),
+ ClientSecret: makeSecretRefUsingRef(clientSecret.Name, clientSecretKey),
+ },
+ kube: clientfake.NewClientBuilder().WithObjects(clientSecret).Build(),
+ errCheck: func(t *testing.T, err error) {
+ assert.ErrorIs(t, err, errMissingSecretKey)
+ },
+ },
+ "secret ref with non-existent keys": {
+ provider: &esv1beta1.DelineaProvider{
+ Tenant: tenant,
+ ClientID: makeSecretRefUsingRef(clientSecret.Name, "typo"),
+ ClientSecret: makeSecretRefUsingRef(clientSecret.Name, clientSecretKey),
+ },
+ kube: clientfake.NewClientBuilder().WithObjects(clientSecret).Build(),
+ errCheck: func(t *testing.T, err error) {
+ assert.EqualError(t, err, fmt.Sprintf(errNoSuchKeyFmt, "typo"))
+ },
+ },
+ "valid secret refs": {
+ provider: validProvider,
+ kube: clientfake.NewClientBuilder().WithObjects(clientSecret).Build(),
+ },
+ "secret values": {
+ provider: &esv1beta1.DelineaProvider{
+ Tenant: tenant,
+ ClientID: makeSecretRefUsingValue(clientIDValue),
+ ClientSecret: makeSecretRefUsingValue(clientSecretValue),
+ },
+ kube: clientfake.NewClientBuilder().WithObjects(clientSecret).Build(),
+ },
+ "cluster secret store": {
+ store: &esv1beta1.ClusterSecretStore{
+ TypeMeta: metav1.TypeMeta{Kind: esv1beta1.ClusterSecretStoreKind},
+ Spec: esv1beta1.SecretStoreSpec{
+ Provider: &esv1beta1.SecretStoreProvider{
+ Delinea: &esv1beta1.DelineaProvider{
+ Tenant: tenant,
+ ClientID: makeSecretRefUsingNamespacedRef(clientSecret.Namespace, clientSecret.Name, clientIDKey),
+ ClientSecret: makeSecretRefUsingNamespacedRef(clientSecret.Namespace, clientSecret.Name, clientSecretKey),
+ },
+ },
+ },
+ },
+ kube: clientfake.NewClientBuilder().WithObjects(clientSecret).Build(),
+ },
+ }
+ for name, tc := range tests {
+ t.Run(name, func(t *testing.T) {
+ p := &Provider{}
+ store := tc.store
+ if store == nil {
+ store = &esv1beta1.SecretStore{
+ TypeMeta: metav1.TypeMeta{Kind: esv1beta1.SecretStoreKind},
+ Spec: esv1beta1.SecretStoreSpec{
+ Provider: &esv1beta1.SecretStoreProvider{
+ Delinea: tc.provider,
+ },
+ },
+ }
+ }
+ sc, err := p.NewClient(context.Background(), store, tc.kube, clientSecret.Namespace)
+ if tc.errCheck == nil {
+ assert.NoError(t, err)
+ delineaClient, ok := sc.(*client)
+ assert.True(t, ok)
+ dsvClient, ok := delineaClient.api.(*vault.Vault)
+ assert.True(t, ok)
+ assert.Equal(t, vault.Configuration{
+ Credentials: vault.ClientCredential{
+ ClientID: clientIDValue,
+ ClientSecret: clientSecretValue,
+ },
+ Tenant: tenant,
+ TLD: "com", // Default from Delinea
+ URLTemplate: "https://%s.secretsvaultcloud.%s/v1/%s%s", // Default from Delinea
+ }, dsvClient.Configuration)
+ } else {
+ assert.Nil(t, sc)
+ tc.errCheck(t, err)
+ }
+ })
+ }
+}
+
+func makeSecretRefUsingRef(name, key string) *esv1beta1.DelineaProviderSecretRef {
+ return &esv1beta1.DelineaProviderSecretRef{
+ SecretRef: &v1.SecretKeySelector{Name: name, Key: key},
+ }
+}
+
+func makeSecretRefUsingNamespacedRef(namespace, name, key string) *esv1beta1.DelineaProviderSecretRef {
+ return &esv1beta1.DelineaProviderSecretRef{
+ SecretRef: &v1.SecretKeySelector{Namespace: utils.Ptr(namespace), Name: name, Key: key},
+ }
+}
+
+func makeSecretRefUsingValue(val string) *esv1beta1.DelineaProviderSecretRef {
+ return &esv1beta1.DelineaProviderSecretRef{Value: val}
+}
diff --git a/pkg/provider/delinea/secret_api.go b/pkg/provider/delinea/secret_api.go
new file mode 100644
index 000000000..52a0eba0d
--- /dev/null
+++ b/pkg/provider/delinea/secret_api.go
@@ -0,0 +1,25 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package delinea
+
+import (
+ "github.com/DelineaXPM/dsv-sdk-go/v2/vault"
+)
+
+// secretAPI represents the subset of the Delinea DevOps Secrets Vault API
+// which is supported by dsv-sdk-go/v2.
+// See https://dsv.secretsvaultcloud.com/api for full API documentation.
+type secretAPI interface {
+ Secret(path string) (*vault.Secret, error)
+}
diff --git a/pkg/provider/register/register.go b/pkg/provider/register/register.go
index 1f5499405..68004c4a0 100644
--- a/pkg/provider/register/register.go
+++ b/pkg/provider/register/register.go
@@ -23,6 +23,7 @@ import (
_ "github.com/external-secrets/external-secrets/pkg/provider/aws"
_ "github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault"
_ "github.com/external-secrets/external-secrets/pkg/provider/conjur"
+ _ "github.com/external-secrets/external-secrets/pkg/provider/delinea"
_ "github.com/external-secrets/external-secrets/pkg/provider/doppler"
_ "github.com/external-secrets/external-secrets/pkg/provider/fake"
_ "github.com/external-secrets/external-secrets/pkg/provider/gcp/secretmanager"