VaultDynamicSecret: Add auth method "None"

[ambis]

Is your feature request related to a problem? Please describe.
When using kind: VaultDynamicSecret, it requires you to spesify .spec.provider.auth. In our case, we talk to a Vault Agent that does the auth itself, and the API proxy it provides requires no auth (access strictly controlled by Network Policies, also this is a very dynamic CI kubernetes where test namespaces come and go).

Describe the solution you'd like
If I could either leave the VauldDynamicSecret.spec.provider.auth as {} or tell it to use "None" or which ever way would be most suitable to have it do no auth.

Describe alternatives you've considered
There really are none, because with every auth method it tries to make an auth which fails.

[Skarlso]

I think this falls on the same side as #3927 right?

[ambis]

Do you mean that it would be "unsafe" to allow ExtSec users to configure a VaultDynamicSecret to not use an auth method?

[Skarlso]

No, I mean that you have a case for allowing no auth at all. :)

[ambis]

I realized I could test this with an empty token. Looks like it works. This is hacky and ugly, but at least of now we can get this working with this:

---
apiVersion: v1
kind: Secret
metadata:
  name: test
stringData:
  token: "" # This must be empty!

---
apiVersion: generators.external-secrets.io/v1alpha1
kind: VaultDynamicSecret
metadata:
  name: test
spec:
  method: GET
  path: /path/to/our/secret/engine
  resultType: Data
  provider:
    server: http://my-vault-agent.my-vault-agent.svc.cluster.local
    auth:
      tokenSecretRef:
        # Use an empty token, until https://github.com/external-secrets/external-secrets/issues/3975 is implemented
        key: token
        name: test

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test
spec:
  target:
    name: test
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: VaultDynamicSecret
          name: test

[Skarlso]

Yah, we'll add the no auth thing we decided in the other ticket.

[ambis]

Hmm. Did you link the correct issue originally? You linked an issue about TLS verification, which does not quite seem to match this issue.

[Skarlso]

Right, that's true. It's slightly different, but they might also just want to not use any auth. I mean a TLS verification that is insecure is basically no auth anyways. ¯\_(ツ)_/¯

[Skarlso]

This might not be completed, please check if the optional auth is okay for you :)

[ambis]

This might not be completed, please check if the optional auth is okay for you :)

#4516 fixed the issue for us, thanks!