chore(previder): Update Previder Provider dependency and fix ReadOnly token#5327

Merged
Skarlso merged 9 commits into external-secrets:main from previder:PROVIDER_PREVIDER_UPDATE
Oct 8, 2025

Conversation

@gkwmiddelkamp
Contributor

@gkwmiddelkamp gkwmiddelkamp commented Sep 16, 2025

Problem Statement

When using a ReadOnly type token, the pod crashes because of a log failure in the vault-cli.
Also, when validating the store, the Provider always tried to get the list of secrets, which is not allowed with a ReadOnly token. This will now get the token info endpoint and save the type of token for future reference when we're implementing writing and creating secrets also.

The Previder vault supports 2 types of tokens to manage/read secrets.
ReadWrite has the following privileges:

  • List, read, update, remove secrets
  • Decrypt secret by id

ReadOnly token has the next privilege:

  • Decrypt secret by id

The ReadOnly token is meant for in-cluster use for enhanced security, but is not allowed to List secrets. The current code calls the GetSecrets method, which always errors out with a 401 Unauthorized for a ReadOnly token and should not be used for validating the store.
Instead we changed it to the GetTokenInfo method, which returns information about the currently used token. This is the only call that will work for both kinds of tokens.

The version of the client has already been updated in another PR, in version 0.1.2 we logged using "log.Fatal" when a 401 was thrown, which killed the daemon when using a ReadOnly token. This has been fixed to a proper log line in 0.1.3.

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

…ting the SecretStore in the Previder Provider

Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
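An added illustration of the validation change described in the PR (example code written for this page, not the PR's own code or the Previder vault-cli API): `vaultAPI` and `fakeVault` are hypothetical stand-ins that model the two token privilege sets, `legacyValidate` mirrors the old list-based check that rejects every ReadOnly token, and `validateStore` uses only the token-info call and returns the token type for the client to record.

```go
package main

import (
	"errors"
	"fmt"
)

// Token types named in the PR description.
const (
	TokenReadWrite = "ReadWrite"
	TokenReadOnly  = "ReadOnly"
)

// errUnauthorized stands in for the 401 a ReadOnly token gets when listing.
var errUnauthorized = errors.New("401 Unauthorized")

// vaultAPI is a hypothetical stand-in for the vault-cli client, not the real API.
type vaultAPI interface {
	GetTokenInfo() (tokenType string, err error)
	GetSecrets() ([]string, error)
}

// fakeVault models the privilege split: only ReadWrite tokens may list secrets.
type fakeVault struct{ tokenType string }
func (f fakeVault) GetTokenInfo() (string, error) { return f.tokenType, nil }
func (f fakeVault) GetSecrets() ([]string, error) {
	if f.tokenType != TokenReadWrite {
		return nil, errUnauthorized
	}
	return []string{"db-password"}, nil // constructed sample listing
}

// legacyValidate mirrors the pre-fix check: listing rejects every ReadOnly token.
func legacyValidate(v vaultAPI) error {
	_, err := v.GetSecrets()
	return err
}

// validateStore is the fixed, stateless check: token info works for both token
// kinds, and the type is returned for the caller to record at client creation.
func validateStore(v vaultAPI) (string, error) {
	tt, err := v.GetTokenInfo()
	if err != nil {
		return "", fmt.Errorf("validating store: %w", err)
	}
	if tt != TokenReadWrite && tt != TokenReadOnly {
		return "", fmt.Errorf("validating store: unknown token type %q", tt)
	}
	return tt, nil
}
```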
@github-actions github-actions bot added kind/chore Categorizes Pull Requests for chore activities (like bumping versions) area/previder size/s kind/dependency dependabot and upgrades labels Sep 16, 2025
@Skarlso
Contributor

Skarlso commented Sep 16, 2025

Can you please provide the scenario and an error on what's happening and why this fix is needed?

@gkwmiddelkamp
Contributor Author

I added more information to the description of the PR. This should describe why this fix is needed.

gkwmiddelkamp and others added 3 commits September 17, 2025 09:22
Signed-off-by: Gijs Middelkamp <17021438+gkwmiddelkamp@users.noreply.github.com>
…wClient method

Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
@Skarlso Skarlso moved this to Waiting for External in External Secrets Sep 21, 2025
@Skarlso
Contributor

Skarlso commented Oct 3, 2025

@gkwmiddelkamp Please update your branch so we can merge it. :)

@Skarlso Skarlso enabled auto-merge (squash) October 8, 2025 15:15
@Skarlso
Contributor

Skarlso commented Oct 8, 2025

@gkwmiddelkamp Please do it again. :)

@Skarlso Skarlso merged commit a09dd70 into external-secrets:main Oct 8, 2025
5 checks passed
@github-project-automation github-project-automation bot moved this from Waiting for External to Done in External Secrets Oct 8, 2025
SamuelMolling pushed a commit to SamuelMolling/external-secrets that referenced this pull request Oct 24, 2025
… token (external-secrets#5327)

* Updated vault-cli to 0.1.3 and fixed ReadOnly token logic when validating the SecretStore in the Previder Provider

Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>

* Fixed unit test

Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>

* Made Validate method stateless. Moved setting the TokenType to the NewClient method

Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>

---------

Signed-off-by: Gijs Middelkamp <g.middelkamp@previder.nl>
Signed-off-by: Gijs Middelkamp <17021438+gkwmiddelkamp@users.noreply.github.com>
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>