GitLab Provider: Validation of SecretStore failed with "remote error: tls: internal error"

[philmtd]

Describe the solution you'd like
I want to be able to use GitLab as my SecretStore.

What is the added value?
The GitLab Provider will work as intended.

Observations (Constraints, Context, etc):

Context: I have two similar k3s clusters running and both are using ESO with the GitLab Provider and with the exact same configuration. Both clusters are running the latest stable version of k3s, which currently is v1.25.5+k3s1. Both clusters are running on machines on Ubuntu 22.04. The following error occurred with ESO 0.7.0 but also occurs after an update to 0.7.1.

Yesterday I was updating the VM one of the clusters is running on (it's single node) from Ubuntu 20.04 to 22.04. I am not sure whether this caused the problem but later I saw that the GitLab ClusterSecretStore I was already successfully using for almost a year stopped working with the following error:

Type     Reason            Age                 From                  Message
----     ------            ----                ----                  -------
Warning  ValidationFailed  15m (x51 over 13h)  cluster-secret-store  could not verify whether the gilabClient is valid: Get "https://gitlab.com/api/v4/pro
jects/<my-project-id>/variables": remote error: tls: internal error

The external-secrets pod is giving me the following logs periodically:

{
    "level": "error",
    "ts": 1673091831.7901502,
    "logger": "controllers.ClusterSecretStore",
    "msg": "unable to validate store",
    "clustersecretstore": "/gitlab-secret-store",
    "error": "could not validate provider: could not verify whether the gilabClient is valid: Get \"https://gitlab.com/api/v4/projects/<my-project-id>/variables\":remote error: tls: internal error",
    "stacktrace": "github.com/external-secrets/external-secrets/pkg/controllers/secretstore.reconcile\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/secretstore/common.go: 67\ngithub.com/external-secrets/external-secrets/pkg/controllers/secretstore.(*ClusterStoreReconciler).Reconcile\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/secretstore/clustersecretstore_controller.go: 54\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go: 122\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go: 323\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go: 274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go: 235"
},
{
    "level": "error",
    "ts": 1673091831.8024669,
    "msg": "Reconciler error",
    "controller": "clustersecretstore",
    "controllerGroup": "external-secrets.io",
    "controllerKind": "ClusterSecretStore",
    "ClusterSecretStore": {
        "name": "gitlab-secret-store"
    },
    "namespace": "",
    "name": "gitlab-secret-store",
    "reconcileID": "57ca9df3-68cb-4266-b51b-a851f074a44f",
    "error": "could not validate provider: could not verify whether the gilabClient is valid: Get \"https://gitlab.com/api/v4/projects/<my-project-id>/variables\": remote error: tls: internal error",
    "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go: 329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go: 274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.1/pkg/internal/controller/controller.go: 235"
}

The cert-controller and webhook pods don't log anything suspicious.

• When I curl https://gitlab.com/api/v4/projects/<my-project-id>/variables from the machines k3s is running on and from containers I spawn, I get the expected response with the variables.
• As I said: I have two clusters and the other cluster is running with exactly the same configuration and it's working there.
• I completely re-installed ESO with no success
• I completely re-installed the whole cluster - still the same problem

Now I've run out of ideas how to troubleshoot this and am searching for help here. If I can provide you more information I am happy to do so. And I am happy for every help I get.

[moolen]

Thanks for the well-written bug report!

Are these errors happen constantly, or intermittently (looks like constant)?
Can you reproduce the issue with an older version like 0.7.0?

If this error can't be reproduced with 0.7.0 i think its a bug. Otherwise tls related (CA/Cert issue) or network (e.g. intermittent RST from a loadbalancer due to misconfigured timeouts). That's what i would look for next.

[philmtd]

Thank you for your reply! And I'm sorry. Later today I saw that another container I spawned also had issues contacting anything in the internet with HTTPS, so this is not a ESO related problem and I'm closing this issue.

---

To not leave anyone finding this thead in the future unhappy I'll give a short summary what my problem was and how I solved it:

I can only guess because I don't know how my /etc/resolv.conf looked like before the Ubuntu 22.04 update but it appears I had a bad search domain setting there:

nameserver 127.0.0.53
options edns0 trust-ad
search DOMAINS

On the VM itself it was no problem but in the containers the resolv.conf contains the ndots:5 option, which results in looking gitlab.com.DOMAINS at some point and which unfortunately can be resolved to an IP (91.195.240.94) which is NOT GitLab (172.65.251.78). Therefore the actual gitlab.com is never being resolved. A curl against gitlab.com.domains outputs a large HTML block apparently owned by a domain parking company called Sedo.

No wonder ESO could not properly talk to it and had SSL issues...

Still now I have no idea how the "DOMAINS" search domain found its way into my resolv.conf, whether that's okay and there's another problem or why it works like it does, but after changing that search domain I got everything to work again. I'm still investigating that stuff and may edit this comment if I find something noteworthy.

Potentially related issues in the k3s repo:

• Strange DNS behavior in some containers including cert-manager k3s-io/k3s#5045
• Pinging inside container public domain results in wrong DNS queries k3s-io/k3s#5044