extend the app role cred provider to use direct secredID

hashiblaum · hashiblaum · commit f7c833aec505 · 2025-12-09T15:32:58.000-05:00
diff --git a/api/v1beta1/vaultauth_types.go b/api/v1beta1/vaultauth_types.go
@@ -127,6 +127,10 @@ type VaultAuthConfigAppRole struct {
 	// RoleID of the AppRole Role to use for authenticating to Vault.
 	RoleID string `json:"roleId,omitempty"`
 
+	// SecretID of the AppRole Role to use for authenticating to Vault.
+	// If both SecretID and SecretRef are specified, SecretID takes precedence.
+	SecretID string `json:"secretID,omitempty"`
+
 	// SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
 	// provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the
 	// AppRole Role's secretID.
@@ -159,8 +163,8 @@ func (a *VaultAuthConfigAppRole) Validate() error {
 		errs = errors.Join(fmt.Errorf("empty roleID"))
 	}
 
-	if a.SecretRef == "" {
-		errs = errors.Join(fmt.Errorf("empty secretRef"))
+	if a.SecretRef == "" && a.SecretID == "" {
+		errs = errors.Join(fmt.Errorf("empty secretRef and seecretID"))
 	}
 
 	return errs
diff --git a/chart/crds/secrets.hashicorp.com_vaultauthglobals.yaml b/chart/crds/secrets.hashicorp.com_vaultauthglobals.yaml
@@ -79,6 +79,10 @@ spec:
                     description: RoleID of the AppRole Role to use for authenticating
                       to Vault.
                     type: string
+                  secretID:
+                    description: SecretID of the AppRole Role to use for authenticating
+                      to Vault.
+                    type: string
                   secretRef:
                     description: |-
                       SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
diff --git a/chart/crds/secrets.hashicorp.com_vaultauths.yaml b/chart/crds/secrets.hashicorp.com_vaultauths.yaml
@@ -67,6 +67,10 @@ spec:
                     description: RoleID of the AppRole Role to use for authenticating
                       to Vault.
                     type: string
+                  secretID:
+                    description: SecretID of the AppRole Role to use for authenticating
+                      to Vault.
+                    type: string
                   secretRef:
                     description: |-
                       SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
diff --git a/config/crd/bases/secrets.hashicorp.com_vaultauthglobals.yaml b/config/crd/bases/secrets.hashicorp.com_vaultauthglobals.yaml
@@ -79,6 +79,10 @@ spec:
                     description: RoleID of the AppRole Role to use for authenticating
                       to Vault.
                     type: string
+                  secretID:
+                    description: SecretID of the AppRole Role to use for authenticating
+                      to Vault.
+                    type: string
                   secretRef:
                     description: |-
                       SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
diff --git a/config/crd/bases/secrets.hashicorp.com_vaultauths.yaml b/config/crd/bases/secrets.hashicorp.com_vaultauths.yaml
@@ -67,6 +67,10 @@ spec:
                     description: RoleID of the AppRole Role to use for authenticating
                       to Vault.
                     type: string
+                  secretID:
+                    description: SecretID of the AppRole Role to use for authenticating
+                      to Vault.
+                    type: string
                   secretRef:
                     description: |-
                       SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
diff --git a/credentials/vault/approle.go b/credentials/vault/approle.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/uuid"
 	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
@@ -45,6 +46,12 @@ func (l *AppRoleCredentialProvider) Init(ctx context.Context, client ctrlclient.
 	l.authObj = authObj
 	l.providerNamespace = providerNamespace
 
+	// If SecretID is provided directly in the spec, use a new UUID for this provider instance
+	if authObj.Spec.AppRole.SecretID != "" {
+		l.uid = uuid.NewUUID()
+		return nil
+	}
+
 	// We use the UID of the secret which holds the AppRole Role's secret_id for the provider UID
 	key := ctrlclient.ObjectKey{
 		Namespace: l.providerNamespace,
@@ -61,6 +68,15 @@ func (l *AppRoleCredentialProvider) Init(ctx context.Context, client ctrlclient.
 
 func (l *AppRoleCredentialProvider) GetCreds(ctx context.Context, client ctrlclient.Client) (map[string]interface{}, error) {
 	logger := log.FromContext(ctx)
+
+	// If SecretID is provided directly in the spec, return the spec's role_id and secret_id
+	if l.authObj.Spec.AppRole.SecretID != "" {
+		return map[string]interface{}{
+			"role_id":   l.authObj.Spec.AppRole.RoleID,
+			"secret_id": l.authObj.Spec.AppRole.SecretID,
+		}, nil
+	}
+
 	// Fetch the AppRole Role's SecretID from the Kubernetes Secret each time there is a call to
 	// GetCreds in case the SecretID has changed since the last time the client token was
 	// generated. In the case of AppRole this is assumed to be common.
diff --git a/docs/api/api-reference.md b/docs/api/api-reference.md
@@ -703,6 +703,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `roleId` _string_ | RoleID of the AppRole Role to use for authenticating to Vault. |  |  |
+| `secretID` _string_ | SecretID of the AppRole Role to use for authenticating to Vault. |  |  |
 | `secretRef` _string_ | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which<br />provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the<br />AppRole Role's secretID. |  |  |
 
 
@@ -829,6 +830,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `roleId` _string_ | RoleID of the AppRole Role to use for authenticating to Vault. |  |  |
+| `secretID` _string_ | SecretID of the AppRole Role to use for authenticating to Vault. |  |  |
 | `secretRef` _string_ | SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which<br />provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the<br />AppRole Role's secretID. |  |  |
 | `namespace` _string_ | Namespace to auth to in Vault |  |  |
 | `mount` _string_ | Mount to use when authenticating to auth method. |  |  |
diff --git a/vault/config.go b/vault/config.go
@@ -52,12 +52,12 @@ func MakeVaultClient(ctx context.Context, cfg *ClientConfig, client ctrlclient.C
 		return nil, fmt.Errorf("ClientConfig was nil")
 	}
 
-	if client == nil {
-		return nil, fmt.Errorf("ctrl-runtime Client was nil")
-	}
-
 	var b []byte
 	if cfg.CACertSecretRef != "" {
+		if client == nil {
+			return nil, fmt.Errorf("ctrl-runtime Client was nil and CCACertSecretRef was provided")
+		}
+
 		objKey := ctrlclient.ObjectKey{
 			Namespace: cfg.K8sNamespace,
 			Name:      cfg.CACertSecretRef,
