
VaultDynamicSecret for unauthenticated paths (PKI CRL) #4375

@ajithcnambiar

Description

I would like to use VaultDynamicSecret for fetching the CRL of a Vault PKI Issuer.
Specifically, this is the Vault API.

/pki/issuer/:issuer_ref/crl/pem

Reference

This API allows unauthenticated access like:

curl -s 'https://<vault-server>/v1/pki/issuer/<issuer-name>/crl' -H 'X-Vault-Namespace: myVaultNamespace' 

It looks like auth is a required field in VaultDynamicSecret. I could configure JWT auth with a Vault role that doesn't give access to any resource, but it doesn't seem good if the operator mandates sending a Vault token where it's not required.

apiVersion: generators.external-secrets.io/v1alpha1
kind: VaultDynamicSecret
metadata:
  name: crl
spec:
  method: GET
  path: /pki/issuer/<issuer-name>/crl
  provider:
    auth:
      jwt:
        kubernetesServiceAccountToken:
          serviceAccountRef:
            audiences:
              - o1
            name: sa
            namespace: ns
        path: a dummy path
        role: a dummy role
    namespace: myVaultNamespace
    server: myVaultServer
    version: v2
  resultType: Data

Ideally, I think VaultDynamicSecret should retrieve the CRL without configuring auth in this case.

What's the recommended way to go for unauthenticated paths like this? Any alternatives? 🙏
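Whichever mechanism ends up fetching the CRL, the fact that the Vault endpoint is unauthenticated means the consumer's trust in the document comes from the issuer CA's signature on it, not from a Vault token or the transport. The Go program below is an added example, not part of this issue or of external-secrets, showing the checks a consumer of a fetched CRL should run before relying on it: decode the PEM, verify the signature against the expected issuer certificate, and reject CRLs outside their thisUpdate/nextUpdate window. Instead of calling a Vault server it builds a throwaway CA and a CRL in-process as constructed test data; the CA name `example-root-ca`, the serial numbers and the `VerifyPEMCRL`, `IsRevoked` and `BuildTestFixture` names are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyPEMCRL parses a PEM-encoded CRL, such as the body returned by
// /v1/pki/issuer/<issuer>/crl/pem, and accepts it only if it is signed by
// issuerCA and its thisUpdate/nextUpdate window contains now.
func VerifyPEMCRL(crlPEM []byte, issuerCA *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	block, _ := pem.Decode(crlPEM)
	if block == nil || block.Type != "X509 CRL" {
		return nil, errors.New("input is not a PEM-encoded X509 CRL")
	}
	crl, err := x509.ParseRevocationList(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse CRL: %w", err)
	}
	// The endpoint needs no token, so integrity rests entirely on this signature check.
	if err := crl.CheckSignatureFrom(issuerCA); err != nil {
		return nil, fmt.Errorf("CRL not signed by expected issuer: %w", err)
	}
	if now.Before(crl.ThisUpdate) {
		return nil, errors.New("CRL thisUpdate is in the future")
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		return nil, errors.New("CRL is stale: past nextUpdate")
	}
	return crl, nil
}

// IsRevoked reports whether serial is listed in the verified CRL.
func IsRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	// RevokedCertificates is the older field name; newer Go also exposes RevokedCertificateEntries.
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// BuildTestFixture creates a throwaway CA and a CRL signed by it that revokes
// serial 42. This is constructed test data standing in for a Vault response.
func BuildTestFixture(now time.Time) (*x509.Certificate, []byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-root-ca"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(42), RevocationTime: now.Add(-time.Minute)},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	return caCert, pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlDER}), nil
}

func main() {
	now := time.Now()
	ca, crlPEM, err := BuildTestFixture(now)
	if err != nil {
		panic(err)
	}
	crl, err := VerifyPEMCRL(crlPEM, ca, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CRL #%s from %q verified; serial 42 revoked: %v\n",
		crl.Number, ca.Subject.CommonName, IsRevoked(crl, big.NewInt(42)))
}
```

In a real deployment `issuerCA` would be the issuer certificate you already trust (for example from the same Vault issuer's `/ca/pem` endpoint, pinned out of band), and the same validation would run regardless of whether the CRL arrived via an operator, a sidecar or a plain HTTP client.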
