feat: allow to get auth data from vault response (#2325)

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
external-secrets · May 22, 2023 · 593eb13 · 593eb13
1 parent 00bc81c
commit 593eb13
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 2 deletions.
diff --git a/apis/generators/v1alpha1/generator_vault.go b/apis/generators/v1alpha1/generator_vault.go
@@ -33,13 +33,28 @@ type VaultDynamicSecretSpec struct {
 	// Parameters to pass to Vault write (for non-GET methods)
 	Parameters *apiextensions.JSON `json:"parameters,omitempty"`
 
+	// Result type defines which data is returned from the generator.
+	// By default it is the "data" section of the Vault API response.
+	// When using e.g. /auth/token/create the "data" section is empty but
+	// the "auth" section contains the generated token.
+	// Please refer to the vault docs regarding the result data structure.
+	// +kubebuilder:default=Data
+	ResultType VaultDynamicSecretResultType `json:"resultType,omitempty"`
+
 	// Vault provider common spec
 	Provider *esv1beta1.VaultProvider `json:"provider"`
 
 	// Vault path to obtain the dynamic secret from
 	Path string `json:"path"`
 }
 
+type VaultDynamicSecretResultType string
+
+const (
+	VaultDynamicSecretResultTypeData VaultDynamicSecretResultType = "Data"
+	VaultDynamicSecretResultTypeAuth VaultDynamicSecretResultType = "Auth"
+)
+
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status

diff --git a/config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml b/config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml
@@ -580,6 +580,14 @@ spec:
                 - auth
                 - server
                 type: object
+              resultType:
+                default: Data
+                description: Result type defines which data is returned from the generator.
+                  By default it is the "data" section of the Vault API response. When
+                  using e.g. /auth/token/create the "data" section is empty but the
+                  "auth" section contains the generated token. Please refer to the
+                  vault docs regarding the result data structure.
+                type: string
             required:
             - path
             - provider

diff --git a/deploy/crds/bundle.yaml b/deploy/crds/bundle.yaml
@@ -7666,6 +7666,10 @@ spec:
                     - auth
                     - server
                   type: object
+                resultType:
+                  default: Data
+                  description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure.
+                  type: string
               required:
                 - path
                 - provider

diff --git a/pkg/generator/vault/vault.go b/pkg/generator/vault/vault.go
@@ -98,9 +98,23 @@ func (g *Generator) generate(ctx context.Context, c *provider.Connector, jsonSpe
 		return nil, fmt.Errorf(errGetSecret, fmt.Errorf("empty response from Vault"))
 	}
 
+	data := make(map[string]interface{})
 	response := make(map[string][]byte)
-	for k := range result.Data {
-		response[k], err = provider.GetTypedKey(result.Data, k)
+	if res.Spec.ResultType == genv1alpha1.VaultDynamicSecretResultTypeAuth {
+		authJSON, err := json.Marshal(result.Auth)
+		if err != nil {
+			return nil, err
+		}
+		err = json.Unmarshal(authJSON, &data)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		data = result.Data
+	}
+
+	for k := range data {
+		response[k], err = provider.GetTypedKey(data, k)
 		if err != nil {
 			return nil, err
 		}