Misleading error in keepersecurity provider: "missing: spec.provider.keepersecurity.auth" #5013

@cyberm4g3

Describe the bug
This bug is caused by this section in the keepersecurity provider:

	if err := utils.ValidateSecretSelector(store, config.Auth); err != nil {
		return nil, errors.New(errKeeperSecurityStoreMissingAuth)
	}

This section is simultaneously trying to check for the presence of spec.provider.keepersecurity.authRef AND validate its contents. The result is that if it's present but its contents invalid, you will get an error that leads you to think you have a yaml key missing. This is made even worse by the fact that the error references a yaml key that isn't even valid in the first place.

The root of the problem here is that any errors returned by utils.ValidateSecretSelector are lost/not kept. I.e. if you have one of these errors, you will not know about it because the provider overwrites it with a different error:

var (
	errNamespaceNotAllowed = errors.New("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore")
	errRequireNamespace    = errors.New("cluster scope requires namespace")
)

To Reproduce

---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: keeper-invalid-test
  namespace: default
spec:
  provider:
    keepersecurity:
      authRef: 
        name: keeper-auth
        key:  auth
        namespace: blah #this namespace is different from metadata.namespace & causes an error
      folderID: blah_123456

The above manifest is invalid because the spec.provider.keepersecurity.authRef.namespace MUST MATCH metadata.namespace or not be present, but the error produced is:

missing: spec.provider.keepersecurity.auth

Expected behavior
The error that should be returned is:

namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore

Checking for the presence of spec.provider.keepersecurity.authRef and validating its contents should be 2 separate steps.

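The pattern the report describes (a selector error overwritten by an unrelated "missing" error) and the two-step fix it asks for, as an added Go example that is not the external-secrets project's own code. The types, the validateSecretSelector stand-in and the function names validateAuthBuggy and validateAuthFixed are constructed here to mirror the behaviour quoted above, and the sample store and selector reproduce the manifest from the report.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the Kubernetes/external-secrets types; assumptions, not the project's code.
type SecretKeySelector struct {
	Name      string
	Key       string
	Namespace *string // nil or empty means "inherit the store's namespace"
}

type StoreKind string

const (
	KindSecretStore        StoreKind = "SecretStore"
	KindClusterSecretStore StoreKind = "ClusterSecretStore"
)

type Store struct {
	Kind      StoreKind
	Namespace string
}

var (
	// Messages taken from the report; the "auth" key in errMissingAuth is the misleading one it describes.
	errNamespaceNotAllowed = errors.New("namespace should either be empty or match the namespace of the SecretStore for a namespaced SecretStore")
	errRequireNamespace    = errors.New("cluster scope requires namespace")
	errMissingAuth         = errors.New("missing: spec.provider.keepersecurity.auth")
	errMissingAuthRef      = errors.New("missing: spec.provider.keepersecurity.authRef")
)

// validateSecretSelector is a constructed stand-in for utils.ValidateSecretSelector:
// a namespaced store may only reference its own namespace, a cluster-scoped store must name one.
func validateSecretSelector(store Store, sel SecretKeySelector) error {
	switch store.Kind {
	case KindClusterSecretStore:
		if sel.Namespace == nil || *sel.Namespace == "" {
			return errRequireNamespace
		}
	default:
		if sel.Namespace != nil && *sel.Namespace != "" && *sel.Namespace != store.Namespace {
			return errNamespaceNotAllowed
		}
	}
	return nil
}

// validateAuthBuggy reproduces the reported pattern: whatever the selector check
// returns is discarded and replaced by a "missing" error, so the real cause is lost.
func validateAuthBuggy(store Store, auth *SecretKeySelector) error {
	if auth == nil {
		return errMissingAuth
	}
	if err := validateSecretSelector(store, *auth); err != nil {
		return errMissingAuth // the actual error is dropped here
	}
	return nil
}

// validateAuthFixed separates presence from validity: a nil authRef is "missing",
// an invalid one surfaces the underlying error, wrapped so errors.Is still matches it.
func validateAuthFixed(store Store, auth *SecretKeySelector) error {
	if auth == nil {
		return errMissingAuthRef
	}
	if err := validateSecretSelector(store, *auth); err != nil {
		return fmt.Errorf("invalid spec.provider.keepersecurity.authRef: %w", err)
	}
	return nil
}

func main() {
	// Constructed input matching the report's manifest: store in "default", authRef pointing at "blah".
	store := Store{Kind: KindSecretStore, Namespace: "default"}
	ns := "blah"
	auth := &SecretKeySelector{Name: "keeper-auth", Key: "auth", Namespace: &ns}
	fmt.Println("buggy:", validateAuthBuggy(store, auth))
	fmt.Println("fixed:", validateAuthFixed(store, auth))
	fmt.Println("fixed, no authRef:", validateAuthFixed(store, nil))
}
```

Wrapping with %w rather than returning a fresh error keeps the original sentinel reachable through errors.Is, so a caller (or a test) can distinguish "missing" from "present but pointing at a namespace the store may not read" without parsing message text.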

Labels: good first issue (Good for newcomers); kind/bug (Categorizes issue or PR as related to a bug)
